From fa1c0d1ef315a9bd8e4b5adc6fe04fef271e8104 Mon Sep 17 00:00:00 2001 From: Steve Gargan Date: Thu, 17 Oct 2024 17:45:00 +0100 Subject: [PATCH] feat(translation): allow configuration of hostEnvKeys on WASM extensions Exposes the hostEnvKeys configuration for WASM extensions through envoy extension policies. This enables access to env vars that are set on the host envoy processes and is a convenient way to share secret material with WASM extensions. Signed-off-by: Steve Gargan --- api/v1alpha1/wasm_types.go | 12 + api/v1alpha1/zz_generated.deepcopy.go | 21 ++ ....envoyproxy.io_envoyextensionpolicies.yaml | 11 + internal/gatewayapi/envoyextensionpolicy.go | 1 + .../testdata/custom-filter-order.out.yaml | 2 + ...extensionpolicy-with-wasm-env-vars.in.yaml | 123 +++++++ ...xtensionpolicy-with-wasm-env-vars.out.yaml | 343 ++++++++++++++++++ ...ensionpolicy-with-wasm-targetrefs.out.yaml | 2 + .../envoyextensionpolicy-with-wasm.out.yaml | 4 + internal/ir/xds.go | 4 + internal/ir/zz_generated.deepcopy.go | 5 + internal/xds/translator/wasm.go | 48 ++- .../en/docs/tasks/extensibility/wasm.md | 143 +++++++- site/content/en/latest/api/extension_types.md | 15 + .../en/v1.1/tasks/extensibility/wasm.md | 143 +++++++- site/content/zh/latest/api/extension_types.md | 15 + 16 files changed, 868 insertions(+), 24 deletions(-) create mode 100644 internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.in.yaml create mode 100644 internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml diff --git a/api/v1alpha1/wasm_types.go b/api/v1alpha1/wasm_types.go index 66c0e1fc84fa..f44142504c81 100644 --- a/api/v1alpha1/wasm_types.go +++ b/api/v1alpha1/wasm_types.go 
@@ -10,6 +10,14 @@ import ( gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" ) +// WasmEnv defines the environment for the VM of a Wasm extension +type WasmEnv struct { + // HostKeys is a list of keys for environment variables from the host envoy process + // that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions. + // +optional + HostKeys []string `json:"hostKeys,omitempty"` +} + // Wasm defines a Wasm extension. // // Note: at the moment, Envoy Gateway does not support configuring Wasm runtime. @@ -52,6 +60,10 @@ type Wasm struct { // Priority defines the location of the Wasm extension in the HTTP filter chain. // If not specified, the Wasm extension will be inserted before the router filter. // Priority *uint32 `json:"priority,omitempty"` + + // Env configures the environment for the Wasm extension + // +optional + Env WasmEnv `json:"env,omitempty"` } // WasmCodeSource defines the source of the Wasm code. diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 321a143df9c5..6f7e5d121a73 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -5479,6 +5479,7 @@ func (in *Wasm) DeepCopyInto(out *Wasm) { *out = new(bool) **out = **in } + in.Env.DeepCopyInto(&out.Env) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Wasm. 
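Review bot: `HostKeys []string` in the new WasmEnv type carries no schema constraint, yet each name listed grants the module read access to that variable of the proxy process, so the CRD should at least bound and shape the list — a `// +kubebuilder:validation:MaxItems=<limit>` marker on the field, and a pattern for the items (environment variable names are conventionally `[A-Za-z_][A-Za-z0-9_]*`), would keep empty or malformed entries from ever reaching Envoy. The doc comment also has a doubled word and would benefit from stating what crosses the wire, since the translator only forwards the names: `// that should be passed into the Wasm VM. Only the names are sent to the proxy, which reads the values from its own environment; this is useful for passing secrets to Wasm extensions.`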
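Review bot: `Env WasmEnv \`json:"env,omitempty"\`` is a struct value, and `omitempty` never omits a struct, which is why every existing fixture touched by this patch grows an `env: {}` line even where no environment is configured. The neighbouring optional fields on Wasm (`Priority *uint32`, and `FailOpen`, which the generated deepcopy allocates with `new(bool)`) are pointers; `Env *WasmEnv \`json:"env,omitempty"\`` would serialize nothing when unset, with the generated deepcopy and the `config.Env.HostKeys` read in buildWasm adjusted for nil.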
@@ -5521,6 +5522,26 @@ func (in *WasmCodeSource) DeepCopy() *WasmCodeSource { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WasmEnv) DeepCopyInto(out *WasmEnv) { + *out = *in + if in.HostKeys != nil { + in, out := &in.HostKeys, &out.HostKeys + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WasmEnv. +func (in *WasmEnv) DeepCopy() *WasmEnv { + if in == nil { + return nil + } + out := new(WasmEnv) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *XDSTranslatorHooks) DeepCopyInto(out *XDSTranslatorHooks) { *out = *in diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml index 6baa2842c0c5..e6cb298d3a8e 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml @@ -1232,6 +1232,17 @@ spec: Config is the configuration for the Wasm extension. This configuration will be passed as a JSON string to the Wasm extension. x-kubernetes-preserve-unknown-fields: true + env: + description: Env configures the environment for the Wasm extension + properties: + hostKeys: + description: |- + HostKeys is a list of keys for environment variables from the host envoy process + that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions. + items: + type: string + type: array + type: object failOpen: default: false description: |- diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go index 9ba561f1b5d8..b0f97314f71f 100644 
--- a/internal/gatewayapi/envoyextensionpolicy.go +++ b/internal/gatewayapi/envoyextensionpolicy.go @@ -673,6 +673,7 @@ func (t *Translator) buildWasm( Config: config.Config, FailOpen: failOpen, Code: code, + HostKeys: config.Env.HostKeys, } return wasmIR, nil diff --git a/internal/gatewayapi/testdata/custom-filter-order.out.yaml b/internal/gatewayapi/testdata/custom-filter-order.out.yaml index 043eeab1543e..abe506067b7d 100644 --- a/internal/gatewayapi/testdata/custom-filter-order.out.yaml +++ b/internal/gatewayapi/testdata/custom-filter-order.out.yaml @@ -21,6 +21,7 @@ envoyExtensionPolicies: key1: value1 key2: value2 parameter2: value3 + env: {} name: wasm-filter-1 - code: http: @@ -30,6 +31,7 @@ envoyExtensionPolicies: config: parameter1: value1 parameter2: value2 + env: {} name: wasm-filter-2 status: ancestors: diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.in.yaml new file mode 100644 index 000000000000..c4184d15476d --- /dev/null +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.in.yaml 
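Review bot: `HostKeys: config.Env.HostKeys` hands the policy's slice to the IR unfiltered, so an empty entry or a duplicate reaches Envoy verbatim and the IR shares its backing array with the policy object. Unless the CRD rejects such entries, trimming them here is cheap and also detaches the slice, e.g. `HostKeys: slices.DeleteFunc(slices.Clone(config.Env.HostKeys), func(k string) bool { return k == "" })`. The surrounding buildWasm body starts outside the hunk.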
@@ -0,0 +1,123 @@ +secrets: +- apiVersion: v1 + kind: Secret + metadata: + namespace: envoy-gateway + name: my-pull-secret + data: + .dockerconfigjson: VGhpc0lzTm90QVJlYWxEb2NrZXJDb25maWdKc29u +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + hostnames: + - www.example.com + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/foo" + backendRefs: + - name: service-1 + port: 8080 +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-2 + spec: + hostnames: + - www.example.com + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/bar" + backendRefs: + - name: service-1 + port: 8080 +envoyextensionpolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyExtensionPolicy + metadata: + namespace: envoy-gateway + name: policy-for-gateway # This policy should attach httproute-2 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + wasm: + - name: wasm-filter-1 + code: + type: HTTP + http: + url: https://www.example.com/wasm-filter-1.wasm + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 + env: + hostKeys: + - SOME_KEY + - ANOTHER_KEY + - name: wasm-filter-2 + rootID: "my-root-id" + code: + type: Image + image: + url: oci://www.example.com/wasm-filter-2:v1.0.0 + pullSecretRef: + name: my-pull-secret + sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 + env: + hostKeys: + - SOME_KEY + - ANOTHER_KEY + - code: + type: Image + 
image: + url: www.example.com:8080/wasm-filter-3 +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyExtensionPolicy + metadata: + namespace: default + name: policy-for-http-route # This policy should attach httproute-1 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + wasm: + - name: wasm-filter-4 + code: + type: HTTP + http: + url: https://www.test.com/wasm-filter-4.wasm + sha256: b6922722ab58109abfaa8d9eb16f339b38b2bb1c17076b083b34438b934e7463 + failOpen: true + env: + hostKeys: + - SOME_KEY + - ANOTHER_KEY diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml new file mode 100644 index 000000000000..02bc6877a482 --- /dev/null +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml 
@@ -0,0 +1,343 @@ +envoyExtensionPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyExtensionPolicy + metadata: + creationTimestamp: null + name: policy-for-http-route + namespace: default + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + wasm: + - code: + http: + sha256: b6922722ab58109abfaa8d9eb16f339b38b2bb1c17076b083b34438b934e7463 + url: https://www.test.com/wasm-filter-4.wasm + type: HTTP + env: + hostKeys: + - SOME_KEY + - ANOTHER_KEY + failOpen: true + name: wasm-filter-4 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyExtensionPolicy + metadata: + creationTimestamp: null + name: policy-for-gateway + namespace: envoy-gateway + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + wasm: + - code: + http: + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 + url: https://www.example.com/wasm-filter-1.wasm + type: HTTP + env: + hostKeys: + - SOME_KEY + - ANOTHER_KEY + name: wasm-filter-1 + - code: + image: + pullSecretRef: + group: null + kind: null + name: my-pull-secret + sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 + url: oci://www.example.com/wasm-filter-2:v1.0.0 + type: Image + env: + hostKeys: + - SOME_KEY + - ANOTHER_KEY + name: wasm-filter-2 + rootID: my-root-id + - code: + image: + sha256: null + url: www.example.com:8080/wasm-filter-3 + type: Image + env: {} + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + conditions: + - lastTransitionTime: null + message: 
Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: 'This policy is being overridden by other envoyExtensionPolicies + for these routes: [default/httproute-1]' + reason: Overridden + status: "True" + type: Overridden + controllerName: gateway.envoyproxy.io/gatewayclass-controller +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 2 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - www.example.com + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: /foo + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: 
gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-2 + namespace: default + spec: + hostnames: + - www.example.com + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: /bar + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + envoyExtensions: + wasms: + - config: null + failOpen: true + hostKeys: + - SOME_KEY + - ANOTHER_KEY + httpWasmCode: + originalDownloadingURL: 
https://www.test.com/wasm-filter-4.wasm + servingURL: https://envoy-gateway:18002/fe571e7b1ef5dc626ceb2c2c86782a134a92989a2643485238951696ae4334c3.wasm + sha256: b6922722ab58109abfaa8d9eb16f339b38b2bb1c17076b083b34438b934e7463 + name: envoyextensionpolicy/default/policy-for-http-route/wasm/0 + wasmName: wasm-filter-4 + hostname: www.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_example_com + pathMatch: + distinct: false + name: "" + prefix: /foo + - destination: + name: httproute/default/httproute-2/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + envoyExtensions: + wasms: + - config: null + failOpen: false + hostKeys: + - SOME_KEY + - ANOTHER_KEY + httpWasmCode: + originalDownloadingURL: https://www.example.com/wasm-filter-1.wasm + servingURL: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 + name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0 + wasmName: wasm-filter-1 + - config: null + failOpen: false + hostKeys: + - SOME_KEY + - ANOTHER_KEY + httpWasmCode: + originalDownloadingURL: oci://www.example.com/wasm-filter-2:v1.0.0 + servingURL: https://envoy-gateway:18002/7abf116e5cd5a20389604a5ba0f3bd04fdf76f92181fe67506b42c2ee596d3fd.wasm + sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 + name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/1 + rootID: my-root-id + wasmName: wasm-filter-2 + - config: null + failOpen: false + httpWasmCode: + originalDownloadingURL: oci://www.example.com:8080/wasm-filter-3:latest + servingURL: https://envoy-gateway:18002/42d30b4a4cc631415e6e48c02d244700da327201eb273f752cacf745715b31d9.wasm + sha256: 2a19e4f337e5223d7287e7fccd933fb01905deaff804292e5257f8c681b82bee + name: 
envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/2 + wasmName: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/2 + hostname: www.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/www_example_com + pathMatch: + distinct: false + name: "" + prefix: /bar diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml index 8c65fb9cf65f..a74d3ea9ffbf 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml @@ -24,6 +24,7 @@ envoyExtensionPolicies: key1: value1 key2: value2 parameter2: value3 + env: {} name: wasm-filter-1 - code: http: @@ -33,6 +34,7 @@ envoyExtensionPolicies: config: parameter1: value1 parameter2: value2 + env: {} name: wasm-filter-2 status: ancestors: diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml index 368c32a4055a..32d5ea0f4d10 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml @@ -22,6 +22,7 @@ envoyExtensionPolicies: parameter2: key2: key3: value3 + env: {} failOpen: true name: wasm-filter-4 status: @@ -61,6 +62,7 @@ envoyExtensionPolicies: key1: value1 key2: value2 parameter2: value3 + env: {} name: wasm-filter-1 - code: image: @@ -74,6 +76,7 @@ envoyExtensionPolicies: config: parameter1: value1 parameter2: value2 + env: {} name: wasm-filter-2 rootID: my-root-id - code: @@ -81,6 +84,7 @@ envoyExtensionPolicies: sha256: null url: www.example.com:8080/wasm-filter-3 type: Image + env: {} status: ancestors: - ancestorRef: 
diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 5e26af0f4794..7e8b9b0cb805 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -2621,6 +2621,10 @@ type Wasm struct { // original URL(either an HTTP URL or an OCI image) and serves it through the // local HTTP server. Code *HTTPWasmCode `json:"httpWasmCode,omitempty"` + + // HostKeys is a list of keys for environment variables from the host envoy process + // that should be passed into the Wasm VM. + HostKeys []string `json:"hostKeys,omitempty"` } // HTTPWasmCode holds the information associated with the HTTP Wasm code source. diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index 85a26447ecb0..7b5c5336ca62 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go @@ -3425,6 +3425,11 @@ func (in *Wasm) DeepCopyInto(out *Wasm) { *out = new(HTTPWasmCode) **out = **in } + if in.HostKeys != nil { + in, out := &in.HostKeys, &out.HostKeys + *out = make([]string, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Wasm. diff --git a/internal/xds/translator/wasm.go b/internal/xds/translator/wasm.go index b8777e3805cb..34b1087d5ccc 100644 --- a/internal/xds/translator/wasm.go +++ b/internal/xds/translator/wasm.go 
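Review bot: The new `HostKeys` comment on the IR Wasm type describes the intent but not the contract the translator relies on, namely that the IR carries names only and the values are never seen by the controller. Suggest `// HostKeys lists names of environment variables of the host envoy process that the Wasm VM may read. Only the names are carried here; the proxy resolves the values from its own environment.`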
@@ -118,30 +118,38 @@ func wasmConfig(wasm ir.Wasm) (*wasmfilterv3.Wasm, error) { return nil, err } + vmConfig := &wasmv3.VmConfig{ + VmId: wasm.Name, // Do not share VMs across different filters + Runtime: vmRuntimeV8, + Code: &corev3.AsyncDataSource{ + Specifier: &corev3.AsyncDataSource_Remote{ + Remote: &corev3.RemoteDataSource{ + HttpUri: &corev3.HttpUri{ + Uri: wasm.Code.ServingURL, + HttpUpstreamType: &corev3.HttpUri_Cluster{ + Cluster: wasmHTTPServerCluster, + }, + Timeout: &durationpb.Duration{ + Seconds: defaultExtServiceRequestTimeout, + }, + }, + Sha256: wasm.Code.SHA256, + }, + }, + }, + } + + if wasm.HostKeys != nil { + vmConfig.EnvironmentVariables = &wasmv3.EnvironmentVariables{ + HostEnvKeys: wasm.HostKeys, + } + } + filterConfig = &wasmfilterv3.Wasm{ Config: &wasmv3.PluginConfig{ Name: wasm.WasmName, Vm: &wasmv3.PluginConfig_VmConfig{ - VmConfig: &wasmv3.VmConfig{ - VmId: wasm.Name, // Do not share VMs across different filters - Runtime: vmRuntimeV8, - Code: &corev3.AsyncDataSource{ - Specifier: &corev3.AsyncDataSource_Remote{ - Remote: &corev3.RemoteDataSource{ - HttpUri: &corev3.HttpUri{ - Uri: wasm.Code.ServingURL, - HttpUpstreamType: &corev3.HttpUri_Cluster{ - Cluster: wasmHTTPServerCluster, - }, - Timeout: &durationpb.Duration{ - Seconds: defaultExtServiceRequestTimeout, - }, - }, - Sha256: wasm.Code.SHA256, - }, - }, - }, - }, + VmConfig: vmConfig, }, Configuration: configAny, FailOpen: wasm.FailOpen, diff --git a/site/content/en/docs/tasks/extensibility/wasm.md b/site/content/en/docs/tasks/extensibility/wasm.md index 1b1d32f9ecbe..5d2495cf5667 100644 --- a/site/content/en/docs/tasks/extensibility/wasm.md +++ b/site/content/en/docs/tasks/extensibility/wasm.md @@ -90,7 +90,7 @@ spec: Verify the EnvoyExtensionPolicy status: ```shell -kubectl get envoyextensionpolicy/http-wasm-source-test -o yaml +kubectl get envoyextensionpolicy/wasm-test -o yaml ``` ### Image Wasm Extension 
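Review bot: `if wasm.HostKeys != nil` treats an empty-but-non-nil list (a policy with `hostKeys: []`) as configured and emits an empty `EnvironmentVariables` message; `if len(wasm.HostKeys) > 0 {` expresses the intent and covers nil as well. Separately, Envoy resolves each listed name from the proxy process environment when the VM is created and, if I recall its behaviour correctly, rejects the configuration when a name is not set there, which would surface as a NACK of the whole listener rather than a per-filter failure that `FailOpen` could soften — worth a comment on this block, e.g. `// Only the names are sent; the proxy resolves them from its own environment, and a name that is not set there fails VM creation.`, and a mention in the API docs. wasmConfig's body starts outside the hunk.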
@@ -151,9 +151,148 @@ spec: Verify the EnvoyExtensionPolicy status: ```shell -kubectl get envoyextensionpolicy/http-wasm-source-test -o yaml +kubectl get envoyextensionpolicy/wasm-test -o yaml ``` +### Wasm Extension Configuration + +This [EnvoyExtensionPolicy][] configuration fetches the Wasm extension from an OCI image and uses a config block to pass parameters to the extension when it's loaded. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the EnvoyExtensionPolicy status: + +```shell +kubectl get envoyextensionpolicy/wasm-test-o yaml +``` + +### Wasm Extension Configuration through Environment variables + +It is also possible to configure a wasm extension using environment variables from the host envoy process. Keys for the env vars to be shared are defined in a `hostKeys` block. + +This is especially useful for sharing secure data from environment vars on the envoy process set using [valueFrom](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables) a Kubernetes secret. + +Note that setting an env var on the envoy process requires a custom [EnvoyProxy](../../api/extension_types#envoyproxy) configuration. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + + ### Testing Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 23f69fd832a3..21661ecf23c8 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md 
@@ -4001,6 +4001,7 @@ _Appears in:_ | `code` | _[WasmCodeSource](#wasmcodesource)_ | true | Code is the Wasm code for the extension. | | `config` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | false | Config is the configuration for the Wasm extension.
This configuration will be passed as a JSON string to the Wasm extension. | | `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a fatal error occurs
during the initialization or the execution of the Wasm extension.
If FailOpen is set to true, the system bypasses the Wasm extension and
allows the traffic to pass through. Otherwise, if it is set to false or
not set (defaulting to false), the system blocks the traffic and returns
an HTTP 5xx error. | +| `env` | _[WasmEnv](#wasmenv)_ | false | Env configures the environment for the Wasm extension | #### WasmCodeSource @@ -4035,6 +4036,20 @@ _Appears in:_ | `Image` | ImageWasmCodeSourceType allows the user to specify the Wasm code in an OCI image.
| +#### WasmEnv + + + +WasmEnv defines the environment for the VM of a Wasm extension + +_Appears in:_ +- [Wasm](#wasm) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `hostKeys` | _string array_ | false | HostKeys is a list of keys for environment variables from the host envoy process
that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions. | + + #### WithUnderscoresAction _Underlying type:_ _string_ diff --git a/site/content/en/v1.1/tasks/extensibility/wasm.md b/site/content/en/v1.1/tasks/extensibility/wasm.md index 1b1d32f9ecbe..5d2495cf5667 100644 --- a/site/content/en/v1.1/tasks/extensibility/wasm.md +++ b/site/content/en/v1.1/tasks/extensibility/wasm.md @@ -90,7 +90,7 @@ spec: Verify the EnvoyExtensionPolicy status: ```shell -kubectl get envoyextensionpolicy/http-wasm-source-test -o yaml +kubectl get envoyextensionpolicy/wasm-test -o yaml ``` ### Image Wasm Extension 
@@ -151,9 +151,148 @@ spec: Verify the EnvoyExtensionPolicy status: ```shell -kubectl get envoyextensionpolicy/http-wasm-source-test -o yaml +kubectl get envoyextensionpolicy/wasm-test -o yaml ``` +### Wasm Extension Configuration + +This [EnvoyExtensionPolicy][] configuration fetches the Wasm extension from an OCI image and uses a config block to pass parameters to the extension when it's loaded. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the EnvoyExtensionPolicy status: + +```shell +kubectl get envoyextensionpolicy/wasm-test-o yaml +``` + +### Wasm Extension Configuration through Environment variables + +It is also possible to configure a wasm extension using environment variables from the host envoy process. Keys for the env vars to be shared are defined in a `hostKeys` block. + +This is especially useful for sharing secure data from environment vars on the envoy process set using [valueFrom](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables) a Kubernetes secret. + +Note that setting an env var on the envoy process requires a custom [EnvoyProxy](../../api/extension_types#envoyproxy) configuration. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + + ### Testing Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 23f69fd832a3..21661ecf23c8 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md 
@@ -4001,6 +4001,7 @@ _Appears in:_ | `code` | _[WasmCodeSource](#wasmcodesource)_ | true | Code is the Wasm code for the extension. | | `config` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | false | Config is the configuration for the Wasm extension.
This configuration will be passed as a JSON string to the Wasm extension. | | `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a fatal error occurs
during the initialization or the execution of the Wasm extension.
If FailOpen is set to true, the system bypasses the Wasm extension and
allows the traffic to pass through. Otherwise, if it is set to false or
not set (defaulting to false), the system blocks the traffic and returns
an HTTP 5xx error. | +| `env` | _[WasmEnv](#wasmenv)_ | false | Env configures the environment for the Wasm extension | #### WasmCodeSource @@ -4035,6 +4036,20 @@ _Appears in:_ | `Image` | ImageWasmCodeSourceType allows the user to specify the Wasm code in an OCI image.
| +#### WasmEnv + + + +WasmEnv defines the environment for the VM of a Wasm extension + +_Appears in:_ +- [Wasm](#wasm) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `hostKeys` | _string array_ | false | HostKeys is a list of keys for environment variables from the host envoy process
that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions. | + + #### WithUnderscoresAction _Underlying type:_ _string_