Skip to content

Latest commit

 

History

History

actix-wasm-filter

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
release
release
 
 
src
src
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
Dockerfile
Dockerfile
 
 
README.md
README.md
 
 
envoy.test.sh
envoy.test.sh
 
 
istio.test.sh
istio.test.sh
 
 

README.md

actix-wasm-filter

istio/envoy extension using WASM for Rust to intercept request and response traffic for services using istio ingress. HTTP (L7) extensions.

Based on:

Getting started

  • Generate extension with docker
docker build . -t actix-wasm-filter
  • Copy extension to host using
docker run -v $PWD/release/wasm32-unknown-unknown/:/opt/mount --rm --entrypoint cp actix-wasm-filter /target/wasm32-unknown-unknown/release/actixenvoyfilter.wasm /opt/mount/actixenvoyfilter.wasm
  • Generate checksum for installer
sha256sum release/wasm32-unknown-unknown/actixenvoyfilter.wasm

  • Replace generated checksum in istio actix.filter.yaml

  • Run docker compose with istio envoy with the wasm extension using

docker-compose -f ./release/docker-compose.yaml up --build -d

In order to test execute the following instruction

  • OK curl -H "x-prime-token":"32323" 0.0.0.0:18000
  • FAIL curl -H "x-prime-token":"323232" 0.0.0.0:18000

Shutdown docker compose

docker-compose -f ./release/docker-compose.yaml stop
docker-compose -f ./release/docker-compose.yaml rm

Istio example

It is required to use istio gateway for the traffic because the http filter is applied for gateway. It is possible to apply it for inbound or outbound proxy traffic (envoy) but it should go through the gateway for the filter to work.

  1. Run the Google cloud setup with istio enable
  2. Create namespace for httpbin demo project
kaf release/istio/httbin.gateway.ns.yaml
  1. Install httpbin
kaf https://raw.githubusercontent.com/istio/istio/release-1.12/samples/httpbin/httpbin.yaml -n httpbin-gateway
  1. Configure istio gateway for httpbin project
kaf release/istio/istio.gateway.httpbin.yaml
  1. Export variables to access istio ingress
export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
  1. Test the isitio ingress gateway before install the filter. It should get 200 OK
curl -v -s -I "http://$INGRESS_HOST:$INGRESS_PORT/headers"
  1. Install actix filter
kaf release/istio/filter
  1. Execute the test

HTTP/1.1 403 Forbidden

curl -H "x-prime-token":"3232" -v -s -I "http://$INGRESS_HOST:$INGRESS_PORT/headers"

HTTP/1.1 200 OK

curl -H "x-prime-token":"32323" -v -s -I "http://$INGRESS_HOST:$INGRESS_PORT/headers"
  1. Delete prime filter
k delete -f release/istio/filter

Useful commands

  • Connect to docker to browser content using sh
docker run -it --entrypoint sh actix-wasm-filter

The generated file is located in /target/wasm32-unknown-unknown/release with the name actixenvoyfilter.wasm