api: wasm extension #2877

Merged, 26 commits, Mar 29, 2024
Changes shown from 24 commits
7 changes: 7 additions & 0 deletions api/v1alpha1/envoyextensionypolicy_types.go
@@ -55,6 +55,13 @@ type EnvoyExtensionPolicySpec struct {
//
// +optional
Priority int32 `json:"priority,omitempty"`

// WASM is a list of Wasm extensions to be loaded by the Gateway.
// Order matters, as the extensions will be loaded in the order they are
// defined in this list.
//
// +optional
WASM []Wasm `json:"wasm,omitempty"`
}

//+kubebuilder:object:root=true
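Review bot: the new `WASM []Wasm` slice in this hunk carries no uniqueness constraint on the item `name`, even though `Wasm.Name` is documented as "a unique name for this Wasm extension"; the apiserver will accept two entries with the same name and the comment "Order matters" gives no hint which one wins. Add `// +listType=map` and `// +listMapKey=name` above the field so the generated CRD enforces uniqueness (and gives stable server-side-apply semantics), or validate the list in the controller and reject the policy on a duplicate. Minor: the Go field is spelled `WASM` while the element type is `Wasm`; one spelling keeps the generated reference docs consistent.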
128 changes: 128 additions & 0 deletions api/v1alpha1/wasm_types.go
@@ -0,0 +1,128 @@
// Copyright Envoy Gateway Authors
// SPDX-License-Identifier: Apache-2.0
// The full text of the Apache license is available in the LICENSE file at
// the root of the repo.

package v1alpha1

import (
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
)

// Wasm defines a wasm extension.
//
// Note: at the moment, Envoy Gateway does not support configuring Wasm runtime.
// v8 is used as the VM runtime for the Wasm extensions.
type Wasm struct {
Contributor:

Can we autogenerate name, vm_id and root_id, and leave them out of the first iteration?

zhaohuabing (Member, Author), Mar 26, 2024:

We can generate the name, but the auto-generated name might not be as meaningful as the user-provided name.

For vm_id and root_id, we might want to expose them in the API to allow users to share a VM or RootContext.

In the first iteration, I think it's fine to leave them out.

zhaohuabing (Member, Author), Mar 27, 2024:

@arkodg Envoy requires the name to be unique within a VM. Since we have decided to leave vm_id out, EG will use a separate VM for each wasm extension, so the name doesn't have to be unique in EnvoyExtensionPolicy. If we add vm_id to the API in the future, then the name should be unique across all wasm extensions with the same vm_id + wasm code combination.

// Name is a unique name for this Wasm extension. It is used to identify the
// Wasm extension if multiple extensions are handled by the same vm_id and root_id.
// It's also used for logging/debugging.
Name string `json:"name"`

// VMID is an ID that will be used along with a hash of the wasm code to
// determine which VM will be used to load the Wasm extension. All extensions
// that have the same vm_id and code will use the same VM.
//
// Note that sharing a VM between plugins can reduce memory utilization and
// make sharing of data easier, but it may have security implications.
// VMID *string `json:"vmID,omitempty"`

// RootID is a unique ID for a set of extensions in a VM which will share a
// RootContext and Contexts if applicable (e.g., an Wasm HttpFilter and an Wasm AccessLog).
// If left blank, all extensions with a blank root_id with the same vm_id will share Context(s).
// RootID *string `json:"rootID,omitempty"`

// Code is the wasm code for the extension.
Code WasmCodeSource `json:"code"`

// Config is the configuration for the Wasm extension.
// This configuration will be passed as a JSON string to the Wasm extension.
Config *apiextensionsv1.JSON `json:"config"`

// FailOpen is a switch used to control the behavior when a fatal error occurs
// during the initialization or the execution of the Wasm extension.
// If FailOpen is set to true, the system bypasses the Wasm extension and
// allows the traffic to pass through. Otherwise, if it is set to false or
// not set (defaulting to false), the system blocks the traffic and returns
// an HTTP 5xx error.
//
// +optional
// +kubebuilder:default=false
FailOpen *bool `json:"failOpen,omitempty"`

// Priority defines the location of the Wasm extension in the HTTP filter chain.
// If not specified, the Wasm extension will be inserted before the router filter.
// Priority *uint32 `json:"priority,omitempty"`
}

// WasmCodeSource defines the source of the wasm code.
type WasmCodeSource struct {
// Type is the type of the source of the wasm code.
// Valid WasmCodeSourceType values are "HTTP" or "Image".
//
// +kubebuilder:validation:Enum=HTTP;Image
// +unionDiscriminator
Type WasmCodeSourceType `json:"type"`

// HTTP is the HTTP URL containing the wasm code.
//
// Note that the HTTP server must be accessible from the Envoy proxy.
// +optional
HTTP *HTTPWasmCodeSource `json:"http,omitempty"`

// Image is the OCI image containing the wasm code.
//
// Note that the image must be accessible from the Envoy Gateway.
// +optional
Image *ImageWasmCodeSource `json:"image,omitempty"`

// SHA256 checksum that will be used to verify the wasm code.
// +optional
// SHA256 *string `json:"sha256,omitempty"`
}

// WasmCodeSourceType specifies the types of RateLimiting.
// +kubebuilder:validation:Enum=Global;Local
type WasmCodeSourceType string

const (
// HTTPWasmCodeSourceType allows the rate limits to be applied across all Envoy
// proxy instances.
HTTPWasmCodeSourceType WasmCodeSourceType = "HTTP"

// ImageWasmCodeSourceType allows the rate limits to be applied on a per Envoy
// proxy instance basis.
ImageWasmCodeSourceType WasmCodeSourceType = "Image"
)

type HTTPWasmCodeSource struct {
// URL is the URL containing the wasm code.
URL string `json:"url"`
}

// ImageWasmCodeSource defines the OCI image containing the wasm code.
type ImageWasmCodeSource struct {
// URL is the URL of the OCI image.
URL string `json:"url"`

// PullSecret is a reference to the secret containing the credentials to pull the image.
PullSecret gwapiv1b1.SecretObjectReference `json:"pullSecret"`

// PullPolicy is the policy to use when pulling the image.
// If not specified, the default policy is IfNotPresent for images whose tag is not latest,
// and Always for images whose tag is latest.
// +optional
PullPolicy *PullPolicy `json:"pullPolicy,omitempty"`
}

// PullPolicy defines the policy to use when pulling an OIC image.
type PullPolicy string

const (
// PullPolicyIfNotPresent will only pull the image if it does not already exist.
PullPolicyIfNotPresent PullPolicy = "IfNotPresent"

// PullPolicyAlways will always pull the image.
PullPolicyAlways PullPolicy = "Always"
)
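Review bot: the `+kubebuilder:validation:Enum=Global;Local` marker on the `WasmCodeSourceType` declaration (just after the `WasmCodeSource` struct) conflicts with the `+kubebuilder:validation:Enum=HTTP;Image` marker on the `Type` field; controller-gen emits both as an `allOf`, so no value satisfies `type` and every policy that sets `wasm` will be rejected by the apiserver. Change the type-level marker to `Enum=HTTP;Image` (or drop it) and fix the comments copied from the rate-limit types: "WasmCodeSourceType specifies the types of RateLimiting" and the two constant comments about rate limits "applied across all Envoy proxy instances" and "on a per Envoy proxy instance basis" describe the wrong feature. Second, `HTTPWasmCodeSource` carries only an untyped `URL` and the `SHA256` field is commented out, so the proxy fetches and executes whatever the URL serves, with no integrity check and nothing rejecting a plain `http://` scheme; before this ships, restore `SHA256` (or require a digest-pinned reference) or at least state in the field comment that the HTTP source performs no verification. `ImageWasmCodeSource.PullSecret` has no `+optional` and no `omitempty`, which makes a pull secret mandatory even for public images. The `Name` comment refers to vm_id and root_id, which are commented out in this revision, so it should describe what the name is used for today (identification within the policy and logging). Typo: "OIC image" should be "OCI image" in the `PullPolicy` doc comment.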
94 changes: 94 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go

@@ -108,6 +108,130 @@ spec:
'TCPRoute', 'TLSRoute']
- message: this policy does not yet support the sectionName field
rule: '!has(self.sectionName)'
wasm:
description: WASM is a list of Wasm extensions to be loaded by the
Gateway. Order matters, as the extensions will be loaded in the
order they are defined in this list.
items:
description: "Wasm defines a wasm extension. \n Note: at the moment,
Envoy Gateway does not support configuring Wasm runtime. v8 is
used as the VM runtime for the Wasm extensions."
properties:
code:
description: Code is the wasm code for the extension.
properties:
http:
description: "HTTP is the HTTP URL containing the wasm code.
\n Note that the HTTP server must be accessible from the
Envoy proxy."
properties:
url:
description: URL is the URL containing the wasm code.
type: string
required:
- url
type: object
image:
description: "Image is the OCI image containing the wasm
code. \n Note that the image must be accessible from the
Envoy Gateway."
properties:
pullPolicy:
description: PullPolicy is the policy to use when pulling
the image. If not specified, the default policy is
IfNotPresent for images whose tag is not latest, and
Always for images whose tag is latest.
type: string
pullSecret:
description: PullSecret is a reference to the secret
containing the credentials to pull the image.
properties:
group:
default: ""
description: Group is the group of the referent.
For example, "gateway.networking.k8s.io". When
unspecified or empty string, core API group is
inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Secret
description: Kind is kind of the referent. For example
"Secret".
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the
referenced object. When unspecified, the local
namespace is inferred. \n Note that when a namespace
different than the local namespace is specified,
a ReferenceGrant object is required in the referent
namespace to allow that namespace's owner to accept
the reference. See the ReferenceGrant documentation
for details. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- name
type: object
url:
description: URL is the URL of the OCI image.
type: string
required:
- pullSecret
- url
type: object
type:
allOf:
- enum:
- Global
- Local
- enum:
- HTTP
- Image
description: Type is the type of the source of the wasm
code. Valid WasmCodeSourceType values are "HTTP" or "Image".
type: string
required:
- type
type: object
config:
description: Config is the configuration for the Wasm extension.
This configuration will be passed as a JSON string to the
Wasm extension.
x-kubernetes-preserve-unknown-fields: true
failOpen:
default: false
description: FailOpen is a switch used to control the behavior
when a fatal error occurs during the initialization or the
execution of the Wasm extension. If FailOpen is set to true,
the system bypasses the Wasm extension and allows the traffic
to pass through. Otherwise, if it is set to false or not set
(defaulting to false), the system blocks the traffic and returns
an HTTP 5xx error.
type: boolean
name:
description: Name is a unique name for this Wasm extension.
It is used to identify the Wasm extension if multiple extensions
are handled by the same vm_id and root_id. It's also used
for logging/debugging.
type: string
required:
- code
- config
- name
type: object
type: array
required:
- targetRef
type: object
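Review bot: the `type` property under `code` is generated as an `allOf` of two disjoint enums (`Global`/`Local` and `HTTP`/`Image`), so no value validates and the whole `wasm` list is unusable until the duplicated enum marker on `WasmCodeSourceType` in wasm_types.go is corrected and this file regenerated. Two further points in this schema. `pullSecret` accepts a `namespace`, and its description says a ReferenceGrant in the referent namespace is required for a cross-namespace reference; the controller that resolves the secret must actually check for that grant and fail closed when it is missing, otherwise anyone who can create an EnvoyExtensionPolicy can have Envoy Gateway read pull secrets from any namespace. And both `config` (under the item `required` list) and `pullSecret` (under the image `required` list) are mandatory, which forces `config: {}` for extensions with no configuration and a pull secret for public images; mark both `+optional` with `omitempty` in the Go types and regenerate.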