
wasm configuration types refactor #868

Merged (10 commits, Oct 2, 2024)

Conversation

eguzki
Contributor

@eguzki eguzki commented Sep 23, 2024

What

Kuadrant/wasm-shim#87 introduced a new Kuadrant Wasm configuration. It is based on extensions. It's basically the same, but more extensible, which allows auth to be included in the future. The wasm controllers (Istio- and EnvoyGateway-based ones) are updated to generate the new configuration scheme expected by the wasm module.

The scope of this issue is limited to rate limiting. External auth using wasm will be covered in follow-up tasks.

Example of the new wasm configuration:

---
extensions:
  limitador:
    type: ratelimit
    endpoint: limitador-cluster
    failureMode: deny
policies:
  - name: rlp-ns-A/rlp-name-A
    hostnames:
      - '*.toystore.com'
      - example.com
    rules:
      - conditions:
          - allOf:
              - selector: request.path
                operator: eq
                value: /admin/toy
              - selector: request.method
                operator: eq
                value: POST
              - selector: request.host
                operator: eq
                value: cars.toystore.com
        actions:
          - extension: limitador
            scope: rlp-ns-A/rlp-name-A
            data:
              - static:
                  key: rlp-ns-A/rlp-name-A
                  value: "1"
              - selector:
                  selector: auth.metadata.username

Related work: Kuadrant/wasm-shim#87

TODO:

  • verification steps
  • wasm config schema documentation
  • tests

Verification steps

Setup (Persona: Cluster admin)

make local-env-setup GATEWAYAPI_PROVIDER=envoygateway

Run the operator with a custom wasm build (right now it is not merged in main)

RELATED_IMAGE_WASMSHIM=oci://quay.io/kuadrant/wasm-shim:external-auth make run

Now follow the guide named Authenticated Rate Limiting for Application Developers and start by requesting an instance of Kuadrant. The guide should take you to an authenticated rate limiting configuration, and the traffic should be rate limited as expected.

Once you go through all the steps successfully, let's inspect the resources and new configuration.

⚠️ do not clean up the environment after going through all the steps of the guide.

Verification of Kuadrant-managed EnvoyGateway resources

EnvoyExtensionPolicy

Check the EnvoyExtensionPolicy resource defined by Kuadrant

kubectl get envoyextensionpolicy -n gateway-system kuadrant-wasm-for-kuadrant-ingressgateway -o yaml | yq e -P
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyExtensionPolicy
metadata:
  annotations:
    kuadrant.io/namespace: kuadrant-system
  creationTimestamp: "2024-10-01T16:13:37Z"
  generation: 1
  name: kuadrant-wasm-for-kuadrant-ingressgateway
  namespace: gateway-system
  ownerReferences:
    - apiVersion: gateway.networking.k8s.io/v1
      blockOwnerDeletion: true
      controller: true
      kind: Gateway
      name: kuadrant-ingressgateway
      uid: 44c78246-8334-4e41-b19c-606a2b3d3714
  resourceVersion: "3592"
  uid: 4c0a7ad8-4fbc-4f6f-93b8-d5140086d3d4
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: kuadrant-ingressgateway
  wasm:
    - code:
        image:
          url: oci://quay.io/kuadrant/wasm-shim:external-auth
        type: Image
      config:
        extensions:
          limitador:
            endpoint: kuadrant-rate-limiting-service
            failureMode: allow
            type: ratelimit
        policies:
          - hostnames:
              - api.toystore.com
            name: default/toystore
            rules:
              - actions:
                  - data:
                      - static:
                          key: limit.alice_limit__bfdf2c38
                          value: "1"
                    extension: limitador
                    scope: default/toystore
                conditions:
                  - allOf:
                      - operator: eq
                        selector: request.url_path
                        value: /toy
                      - operator: eq
                        selector: request.method
                        value: GET
                      - operator: eq
                        selector: metadata.filter_metadata.envoy\.filters\.http\.ext_authz.identity.userid
                        value: alice
              - actions:
                  - data:
                      - static:
                          key: limit.bob_limit__58541558
                          value: "1"
                    extension: limitador
                    scope: default/toystore
                conditions:
                  - allOf:
                      - operator: eq
                        selector: request.url_path
                        value: /toy
                      - operator: eq
                        selector: request.method
                        value: GET
                      - operator: eq
                        selector: metadata.filter_metadata.envoy\.filters\.http\.ext_authz.identity.userid
                        value: bob
      failOpen: false
      name: kuadrant-wasm-shim
      rootID: kuadrant_wasm_shim
status:
  ancestors:
    - ancestorRef:
        group: gateway.networking.k8s.io
        kind: Gateway
        name: kuadrant-ingressgateway
        namespace: gateway-system
      conditions:
        - lastTransitionTime: "2024-10-01T16:13:39Z"
          message: Policy has been accepted.
          reason: Accepted
          status: "True"
          type: Accepted
      controllerName: gateway.envoyproxy.io/gatewayclass-controller

A few things to highlight:

  • The Wasm module is defined with a reference to Kuadrant's wasm-shim OCI image oci://quay.io/kuadrant/wasm-shim:external-auth.
  • The wasm configuration follows the new schema based on extensions. There is only one extension, for limitador.
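As an added example (not code from this PR or from the operator), the Go types below mirror the extension-based schema shown in the description, together with a validator for the points the schema makes structural: an extension's type is one of the enum values ratelimit/auth, its failureMode is deny or allow, every action references a declared extension, and each data item carries exactly one of static or selector. FailOpen reports extensions configured with failureMode allow, the value that appears in the verification output above; such an extension admits requests without its check whenever its service is unreachable, which for a rate limiter means no limiting during an outage. All type, field and function names here are assumptions made for this example, not the operator's own types.go.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Types mirroring the extension-based wasm configuration in the PR description.
// Assumed for this example: field names follow the page's YAML keys.
type (
	Config struct {
		Extensions map[string]Extension `json:"extensions"`
		Policies   []Policy             `json:"policies"`
	}
	Extension struct {
		Type        string `json:"type"`        // ratelimit | auth
		Endpoint    string `json:"endpoint"`    // upstream cluster name
		FailureMode string `json:"failureMode"` // deny | allow
	}
	Policy struct {
		Name      string   `json:"name"`
		Hostnames []string `json:"hostnames"`
		Rules     []Rule   `json:"rules"`
	}
	Rule struct {
		Conditions []Condition `json:"conditions,omitempty"`
		Actions    []Action    `json:"actions"`
	}
	Condition struct {
		AllOf []PatternExpression `json:"allOf"`
	}
	PatternExpression struct {
		Selector string `json:"selector"`
		Operator string `json:"operator"`
		Value    string `json:"value"`
	}
	Action struct {
		Extension string     `json:"extension"`
		Scope     string     `json:"scope"`
		Data      []DataItem `json:"data,omitempty"`
	}
	DataItem struct { // exactly one of Static or Selector must be set
		Static   *StaticSpec   `json:"static,omitempty"`
		Selector *SelectorSpec `json:"selector,omitempty"`
	}
	StaticSpec struct {
		Key   string `json:"key"`
		Value string `json:"value"`
	}
	SelectorSpec struct {
		Selector string `json:"selector"`
	}
)

// Validate reports structural problems: unknown extension types or failure modes,
// actions naming an undeclared extension, and data items lacking exactly one of
// static/selector. An empty result means the config is well-formed.
func Validate(c Config) []string {
	var errs []string
	bad := func(format string, args ...any) { errs = append(errs, fmt.Sprintf(format, args...)) }
	for name, ext := range c.Extensions {
		if ext.Type != "ratelimit" && ext.Type != "auth" {
			bad("extension %q: unknown type %q", name, ext.Type)
		}
		if ext.FailureMode != "deny" && ext.FailureMode != "allow" {
			bad("extension %q: unknown failureMode %q", name, ext.FailureMode)
		}
	}
	for _, p := range c.Policies {
		for i, r := range p.Rules {
			for _, a := range r.Actions {
				if _, ok := c.Extensions[a.Extension]; !ok {
					bad("policy %q rule %d: undefined extension %q", p.Name, i, a.Extension)
				}
				for j, d := range a.Data {
					if (d.Static == nil) == (d.Selector == nil) {
						bad("policy %q rule %d data %d: need exactly one of static/selector", p.Name, i, j)
					}
				}
			}
		}
	}
	return errs
}

// FailOpen lists extensions with failureMode "allow": when that extension's service
// is unreachable the request is admitted without its check, so a rate limiter in
// this mode stops limiting during an outage. Sorted so the output is stable.
func FailOpen(c Config) []string {
	var names []string
	for name, ext := range c.Extensions {
		if ext.FailureMode == "allow" {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

func main() {
	// Constructed sample: the limitador extension and policy shape from the PR
	// description, with failureMode "allow" so the fail-open report is non-empty.
	raw := []byte(`{"extensions":{"limitador":{"type":"ratelimit","endpoint":"limitador-cluster","failureMode":"allow"}},
	"policies":[{"name":"rlp-ns-A/rlp-name-A","hostnames":["*.toystore.com"],"rules":[{"actions":[{"extension":"limitador",
	"scope":"rlp-ns-A/rlp-name-A","data":[{"static":{"key":"rlp-ns-A/rlp-name-A","value":"1"}}]}]}]}]}`)
	var c Config
	if err := json.Unmarshal(raw, &c); err != nil {
		panic(err)
	}
	fmt.Println("errors:", Validate(c), "fail-open:", FailOpen(c))
}
```

The JSON tags match the YAML keys one for one, so the same structs decode the EnvoyExtensionPolicy `config` block above once it is converted from YAML. Validate deliberately treats `failureMode: allow` as legal, because the generated configuration in the verification output uses it; FailOpen exists so that choice is surfaced rather than silently accepted.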

Signed-off-by: Eguzki Astiz Lezaun <[email protected]>
@eguzki eguzki linked an issue Sep 23, 2024 that may be closed by this pull request

codecov bot commented Sep 23, 2024

Codecov Report

Attention: Patch coverage is 96.42857% with 2 lines in your changes missing coverage. Please review.

Project coverage is 81.22%. Comparing base (ece13e8) to head (0e45be7).
Report is 207 commits behind head on main.

Files with missing lines Patch % Lines
pkg/rlptools/wasm/types.go 90.47% 2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #868      +/-   ##
==========================================
+ Coverage   80.20%   81.22%   +1.01%     
==========================================
  Files          64       89      +25     
  Lines        4492     6940    +2448     
==========================================
+ Hits         3603     5637    +2034     
- Misses        600      885     +285     
- Partials      289      418     +129     
Flag Coverage Δ
bare-k8s-integration 6.78% <0.00%> (?)
controllers-integration 72.80% <78.57%> (?)
envoygateway-integration 49.42% <76.78%> (?)
gatewayapi-integration 12.42% <0.00%> (?)
integration ?
istio-integration 53.71% <92.85%> (?)
unit 28.99% <73.21%> (-1.05%) ⬇️

Flags with carried forward coverage won't be shown.

Components Coverage Δ
api/v1beta1 (u) 84.61% <100.00%> (+13.18%) ⬆️
api/v1beta2 (u) 81.25% <75.17%> (-10.18%) ⬇️
pkg/common (u) 88.13% <ø> (-0.70%) ⬇️
pkg/istio (u) 71.51% <ø> (-2.40%) ⬇️
pkg/log (u) 94.73% <ø> (ø)
pkg/reconcilers (u) ∅ <ø> (∅)
pkg/rlptools (u) 85.39% <ø> (+5.93%) ⬆️
controllers (i) 82.51% <79.91%> (+5.71%) ⬆️
Files with missing lines Coverage Δ
controllers/envoygateway_wasm_controller.go 82.30% <100.00%> (ø)
...llers/rate_limiting_istio_wasmplugin_controller.go 70.87% <100.00%> (ø)
pkg/rlptools/wasm/utils.go 88.64% <100.00%> (ø)
pkg/rlptools/wasm/types.go 64.70% <90.47%> (+14.70%) ⬆️

... and 42 files with indirect coverage changes

@eguzki eguzki force-pushed the 867-wasm-configuration-based-on-extensions branch from 8c7229e to 9547e83 Compare September 23, 2024 16:16
Signed-off-by: Eguzki Astiz Lezaun <[email protected]>
Data []DataType `json:"data,omitempty"`
}

// +kubebuilder:validation:Enum:=ratelimit;auth
Contributor Author


I made up auth, open for a new magic word

@eguzki eguzki force-pushed the 867-wasm-configuration-based-on-extensions branch from feedb9e to 1092921 Compare October 1, 2024 08:59
@eguzki eguzki force-pushed the 867-wasm-configuration-based-on-extensions branch from 1092921 to a416430 Compare October 1, 2024 15:52
@eguzki eguzki added kind/enhancement New feature or request size/medium labels Oct 1, 2024
@eguzki eguzki self-assigned this Oct 1, 2024
Signed-off-by: Eguzki Astiz Lezaun <[email protected]>
@eguzki eguzki marked this pull request as ready for review October 1, 2024 18:47
Member

@didierofrivia didierofrivia left a comment


LGTM! good job! 🍡

Member

@adam-cattermole adam-cattermole left a comment


lgtm, verified steps on istio as well

@didierofrivia didierofrivia merged commit c8b5440 into main Oct 2, 2024
31 checks passed
@didierofrivia didierofrivia deleted the 867-wasm-configuration-based-on-extensions branch October 2, 2024 09:25
Labels
kind/enhancement New feature or request size/medium
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

Wasm configuration based on extensions
3 participants