feat: Wasm OCI image #3564

Merged
merged 36 commits into from
Jun 28, 2024
Changes from 34 commits

Commits (36)
d7e1e63 support Wasm OCI image (zhaohuabing, Jun 17, 2024)
df6bee1 set up test registry (zhaohuabing, Jun 12, 2024)
e079dc2 add test for registry authn (zhaohuabing, Jun 14, 2024)
d16ca5d fix lint (zhaohuabing, Jun 14, 2024)
ed5311a fix e2e (zhaohuabing, Jun 14, 2024)
689266a fix e2e (zhaohuabing, Jun 14, 2024)
409967d add test for unauthed private image (zhaohuabing, Jun 14, 2024)
f243f54 fix e2e (zhaohuabing, Jun 14, 2024)
6ff1ac3 fix e2e (zhaohuabing, Jun 15, 2024)
6ddc332 fix lint (zhaohuabing, Jun 15, 2024)
0bc5532 refactor (zhaohuabing, Jun 15, 2024)
1cfccbb add max failed attempts limit (zhaohuabing, Jun 15, 2024)
10ce3b9 remove retries (zhaohuabing, Jun 15, 2024)
d84a113 clean up e2e tests (zhaohuabing, Jun 15, 2024)
cad02e1 add e2e test for wrong password (zhaohuabing, Jun 17, 2024)
0d81b8a Update api/v1alpha1/authorization_types.go (zhaohuabing, Jun 18, 2024)
171a937 Update api/v1alpha1/wasm_types.go (zhaohuabing, Jun 18, 2024)
0b86837 remove unnecessary replace (zhaohuabing, Jun 18, 2024)
d32d325 Merge remote-tracking branch 'upstream/main' into wasm-oci-image (zhaohuabing, Jun 18, 2024)
b4917f9 remove set package (zhaohuabing, Jun 18, 2024)
8a69562 fix gen check (zhaohuabing, Jun 18, 2024)
fedbe2f add test for failed attempts (zhaohuabing, Jun 20, 2024)
d6efea3 address comments (zhaohuabing, Jun 20, 2024)
3c61c51 address comments (zhaohuabing, Jun 20, 2024)
2e96e1c Merge remote-tracking branch 'upstream/main' into wasm-oci-image (zhaohuabing, Jun 20, 2024)
e8a3fce minor wording (zhaohuabing, Jun 20, 2024)
56aea0e move sha256 inside code source (zhaohuabing, Jun 21, 2024)
591b49d address comments (zhaohuabing, Jun 21, 2024)
9b8e42c fix e2e (zhaohuabing, Jun 21, 2024)
9d71021 fix flaky test (zhaohuabing, Jun 22, 2024)
9a16d9f change comments (zhaohuabing, Jun 25, 2024)
94ed656 address comments (zhaohuabing, Jun 27, 2024)
8ac7991 Merge remote-tracking branch 'upstream/main' into wasm-oci-image (zhaohuabing, Jun 27, 2024)
0cdc304 address comments (zhaohuabing, Jun 27, 2024)
138e978 Merge remote-tracking branch 'upstream/main' into wasm-oci-image (zhaohuabing, Jun 27, 2024)
86016ee fail the eep translation if the wasm cache failed to start (zhaohuabing, Jun 27, 2024)
3 changes: 2 additions & 1 deletion api/v1alpha1/authorization_types.go
@@ -27,7 +27,8 @@ type Authorization struct {

// AuthorizationRule defines a single authorization rule.
type AuthorizationRule struct {
// Name is a user-friendly name for the rule. It's just for display purposes.
// Name is a user-friendly name for the rule.
// If not specified, Envoy Gateway will generate a unique name for the rule.n
// +optional
Name *string `json:"name,omitempty"`

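Review bot: the new doc line `// If not specified, Envoy Gateway will generate a unique name for the rule.n` carries a stray trailing `n` that will end up verbatim in the generated CRD description; drop the character before merging.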
97 changes: 60 additions & 37 deletions api/v1alpha1/wasm_types.go
@@ -10,31 +10,27 @@ import (
gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
)

// Wasm defines a wasm extension.
// Wasm defines a Wasm extension.
//
// Note: at the moment, Envoy Gateway does not support configuring Wasm runtime.
// v8 is used as the VM runtime for the Wasm extensions.
type Wasm struct {
// Name is a unique name for this Wasm extension. It is used to identify the
// Wasm extension if multiple extensions are handled by the same vm_id and root_id.
// It's also used for logging/debugging.
Name string `json:"name"`

// VMID is an ID that will be used along with a hash of the wasm code to
// determine which VM will be used to load the Wasm extension. All extensions
// that have the same vm_id and code will use the same VM.
// If not specified, EG will generate a unique name for the Wasm extension.
//
// Note that sharing a VM between plugins can reduce memory utilization and
// make sharing of data easier, but it may have security implications.
// VMID *string `json:"vmID,omitempty"`
// +optional
Name *string `json:"name,omitempty"`

// RootID is a unique ID for a set of extensions in a VM which will share a
// RootContext and Contexts if applicable (e.g., an Wasm HttpFilter and an Wasm AccessLog).
// If left blank, all extensions with a blank root_id with the same vm_id will share Context(s).
// RootID must match the root_id parameter used to register the Context in the Wasm code.
//
// Note: RootID must match the root_id parameter used to register the Context in the Wasm code.
RootID *string `json:"rootID,omitempty"`

// Code is the wasm code for the extension.
// Code is the Wasm code for the extension.
Code WasmCodeSource `json:"code"`

// Config is the configuration for the Wasm extension.
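Review bot: `Name` changes from `Name string \`json:"name"\`` to `Name *string \`json:"name,omitempty"\``, which is a Go API break for anything importing `api/v1alpha1` even though existing manifests keep validating; that deserves a line in the PR description. Just below it, `RootID *string \`json:"rootID,omitempty"\`` is also an optional pointer but, unlike `Name`, has no `// +optional` marker, so the generated schema treats the two fields differently; add the marker so the CRD matches the Go type.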
@@ -58,73 +54,100 @@ type Wasm struct {
// Priority *uint32 `json:"priority,omitempty"`
}

// WasmCodeSource defines the source of the wasm code.
// WasmCodeSource defines the source of the Wasm code.
// +union
//
// +kubebuilder:validation:XValidation:rule="self.type == 'HTTP' ? has(self.http) : !has(self.http)",message="If type is HTTP, http field needs to be set."
// +kubebuilder:validation:XValidation:rule="self.type == 'Image' ? has(self.image) : !has(self.image)",message="If type is Image, image field needs to be set."
type WasmCodeSource struct {
// Type is the type of the source of the wasm code.
// Type is the type of the source of the Wasm code.
// Valid WasmCodeSourceType values are "HTTP" or "Image".
//
// +kubebuilder:validation:Enum=HTTP;Image;ConfigMap
// +unionDiscriminator
Type WasmCodeSourceType `json:"type"`

// HTTP is the HTTP URL containing the wasm code.
// HTTP is the HTTP URL containing the Wasm code.
//
// Note that the HTTP server must be accessible from the Envoy proxy.
// +optional
HTTP *HTTPWasmCodeSource `json:"http,omitempty"`

// Image is the OCI image containing the wasm code.
// Image is the OCI image containing the Wasm code.
//
// Note that the image must be accessible from the Envoy Gateway.
// +optional
Image *ImageWasmCodeSource `json:"image,omitempty"`

// SHA256 checksum that will be used to verify the wasm code.
// PullPolicy is the policy to use when pulling the Wasm module by either the HTTP or Image source.
// This field is only applicable when the SHA256 field is not set.
//
// kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
SHA256 string `json:"sha256"`
// If not specified, the default policy is IfNotPresent except for OCI images whose tag is latest.
//
// Note: EG does not update the Wasm module every time an Envoy proxy requests
// the Wasm module even if the pull policy is set to Always.
// It only updates the Wasm module when the EnvoyExtension resource version changes.
// +optional
PullPolicy *ImagePullPolicy `json:"pullPolicy,omitempty"`
Contributor: Shouldn't this be inside Image?

Member Author: It's also used for HTTP code source.

	// PullPolicy is the policy to use when pulling the Wasm module by either the HTTP or Image source.
	// This field is only applicable when the SHA256 field is not set.
	//
	// If not specified, the default policy is IfNotPresent except for OCI images whose tag is latest.

Contributor: ^ is a little confusing to understand.

Member Author (zhaohuabing, Jun 18, 2024): If SHA is not specified, we need to know whether the Wasm code needs updating when the EEP changes, regardless of whether its code source is HTTP or an OCI registry.

}

// WasmCodeSourceType specifies the types of sources for the wasm code.
// WasmCodeSourceType specifies the types of sources for the Wasm code.
// +kubebuilder:validation:Enum=HTTP;Image
type WasmCodeSourceType string

const (
// HTTPWasmCodeSourceType allows the user to specify the wasm code in an HTTP URL.
// HTTPWasmCodeSourceType allows the user to specify the Wasm code in an HTTP URL.
HTTPWasmCodeSourceType WasmCodeSourceType = "HTTP"

// ImageWasmCodeSourceType allows the user to specify the wasm code in an OCI image.
// ImageWasmCodeSourceType allows the user to specify the Wasm code in an OCI image.
ImageWasmCodeSourceType WasmCodeSourceType = "Image"
)

// HTTPWasmCodeSource defines the HTTP URL containing the wasm code.
// HTTPWasmCodeSource defines the HTTP URL containing the Wasm code.
type HTTPWasmCodeSource struct {
// URL is the URL containing the wasm code.
// URL is the URL containing the Wasm code.
// +kubebuilder:validation:Pattern=`^((https?:)(\/\/\/?)([\w]*(?::[\w]*)?@)?([\d\w\.-]+)(?::(\d+))?)?([\/\\\w\.()-]*)?(?:([?][^#]*)?(#.*)?)*`
URL string `json:"url"`

// SHA256 checksum that will be used to verify the Wasm code.
//
// If not specified, Envoy Gateway will not verify the downloaded Wasm code.
// kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
// +optional
SHA256 *string `json:"sha256"`
}

// ImageWasmCodeSource defines the OCI image containing the wasm code.
// ImageWasmCodeSource defines the OCI image containing the Wasm code.
type ImageWasmCodeSource struct {
// URL is the URL of the OCI image.
// URL can be in the format of `registry/image:tag` or `registry/image@sha256:digest`.
URL string `json:"url"`

// PullSecretRef is a reference to the secret containing the credentials to pull the image.
PullSecretRef gwapiv1b1.SecretObjectReference `json:"pullSecret"`
// SHA256 checksum that will be used to verify the OCI image.
//
// It must match the digest of the OCI image.
//
// If not specified, Envoy Gateway will not verify the downloaded OCI image.
// kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
// +optional
SHA256 *string `json:"sha256"`

// PullPolicy is the policy to use when pulling the image.
// If not specified, the default policy is IfNotPresent for images whose tag is not latest,
// and Always for images whose tag is latest.
// PullSecretRef is a reference to the secret containing the credentials to pull the image.
// Only support Kubernetes Secret resource from the same namespace.
// +kubebuilder:validation:XValidation:message="only support Secret kind.",rule="self.kind == 'Secret'"
// +optional
// PullPolicy *PullPolicy `json:"pullPolicy,omitempty"`
PullSecretRef *gwapiv1b1.SecretObjectReference `json:"pullSecretRef,omitempty"`
}

// PullPolicy defines the policy to use when pulling an OIC image.
/* type PullPolicy string
// ImagePullPolicy defines the policy to use when pulling an OIC image.
// +kubebuilder:validation:Enum=IfNotPresent;Always
type ImagePullPolicy string

const (
// PullPolicyIfNotPresent will only pull the image if it does not already exist.
PullPolicyIfNotPresent PullPolicy = "IfNotPresent"
// ImagePullPolicyIfNotPresent will only pull the image if it does not already exist in the EG cache.
ImagePullPolicyIfNotPresent ImagePullPolicy = "IfNotPresent"

// PullPolicyAlways will always pull the image.
PullPolicyAlways PullPolicy = "Always"
)*/
// ImagePullPolicyAlways will pull the image when the EnvoyExtension resource version changes.
// Note: EG does not update the Wasm module every time an Envoy proxy requests the Wasm module.
ImagePullPolicyAlways ImagePullPolicy = "Always"
)
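Review bot: `SHA256` is optional on both `HTTPWasmCodeSource` and `ImageWasmCodeSource` and the comments say Envoy Gateway will not verify the code when it is absent, while the `URL` pattern on `HTTPWasmCodeSource` accepts plain `http:`; together that lets an unverified module fetched over cleartext be loaded into the proxy, so either require `sha256` when the URL scheme is `http:` or state the risk in the field documentation. Smaller points in the same hunk: the `kubebuilder:validation:Pattern` markers above both `SHA256` fields lack the leading `+`, so controller-gen ignores them and the 64-hex-character format is never enforced by the CRD; both `SHA256 *string \`json:"sha256"\`` tags need `omitempty` or an unset field serializes as `"sha256": null`; the field marker `+kubebuilder:validation:Enum=HTTP;Image;ConfigMap` on `Type` disagrees with `+kubebuilder:validation:Enum=HTTP;Image` on `WasmCodeSourceType` and with the comment's "HTTP or Image", and a `ConfigMap` value would satisfy both XValidation rules with neither `http` nor `image` set; the `URL` regex puts the scheme and host in an optional group and has no trailing `$`, so a bare relative path passes; and "pulling an OIC image" in the `ImagePullPolicy` comment should read "OCI image".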
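As an added illustration of the pull-policy defaulting and checksum semantics documented in the wasm_types.go comments above (example code written for this page, not Envoy Gateway's implementation): the types below are local stand-ins that mirror the diff's field names, the rule that a set sha256 makes the pull policy moot is an assumption drawn from the comment "only applicable when the SHA256 field is not set", and the tag parser is a hypothetical helper that treats a colon before the last slash as a registry port rather than a tag.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Local stand-ins for the API types in the diff, declared here so the
// example runs stand-alone. They are not the project's types.
type WasmCodeSourceType string
type ImagePullPolicy string

const (
	HTTPWasmCodeSourceType  WasmCodeSourceType = "HTTP"
	ImageWasmCodeSourceType WasmCodeSourceType = "Image"

	ImagePullPolicyIfNotPresent ImagePullPolicy = "IfNotPresent"
	ImagePullPolicyAlways       ImagePullPolicy = "Always"
)

type HTTPWasmCodeSource struct {
	URL    string
	SHA256 *string // lowercase hex digest, nil means "not verified"
}

type ImageWasmCodeSource struct {
	URL    string // registry/image:tag or registry/image@sha256:digest
	SHA256 *string
}

type WasmCodeSource struct {
	Type       WasmCodeSourceType
	HTTP       *HTTPWasmCodeSource
	Image      *ImageWasmCodeSource
	PullPolicy *ImagePullPolicy
}

// The pattern the diff intends for sha256 (its marker is missing the '+').
var sha256Hex = regexp.MustCompile(`^[a-f0-9]{64}$`)

// DeclaredSHA256 returns the checksum of whichever union member is active.
func DeclaredSHA256(src WasmCodeSource) *string {
	switch src.Type {
	case HTTPWasmCodeSourceType:
		if src.HTTP != nil {
			return src.HTTP.SHA256
		}
	case ImageWasmCodeSourceType:
		if src.Image != nil {
			return src.Image.SHA256
		}
	}
	return nil
}

// imageTag extracts the tag from registry/image:tag. Digest references
// (registry/image@sha256:...) carry no tag, and a ':' before the last '/'
// is a registry port, not a tag. Hypothetical helper, not the project's.
func imageTag(ref string) (string, bool) {
	if strings.Contains(ref, "@") {
		return "", false
	}
	name := ref
	if i := strings.LastIndex(ref, "/"); i >= 0 {
		name = ref[i+1:]
	}
	if i := strings.LastIndex(name, ":"); i >= 0 {
		return name[i+1:], true
	}
	return "", false
}

// EffectivePullPolicy applies the defaulting in the API comments: a pinned
// sha256 makes the policy moot (assumption: treated as IfNotPresent), an
// explicit PullPolicy wins, and only an OCI image tagged "latest" defaults
// to Always. HTTP sources never default to Always.
func EffectivePullPolicy(src WasmCodeSource) ImagePullPolicy {
	if DeclaredSHA256(src) != nil {
		return ImagePullPolicyIfNotPresent
	}
	if src.PullPolicy != nil {
		return *src.PullPolicy
	}
	if src.Type == ImageWasmCodeSourceType && src.Image != nil {
		if tag, ok := imageTag(src.Image.URL); ok && tag == "latest" {
			return ImagePullPolicyAlways
		}
	}
	return ImagePullPolicyIfNotPresent
}

// VerifySHA256 checks fetched module bytes against the declared checksum.
// A nil checksum skips verification, as the API comments document.
func VerifySHA256(code []byte, expected *string) error {
	if expected == nil {
		return nil
	}
	if !sha256Hex.MatchString(*expected) {
		return errors.New("sha256 must be 64 lowercase hex characters")
	}
	sum := sha256.Sum256(code)
	got := hex.EncodeToString(sum[:])
	if subtle.ConstantTimeCompare([]byte(got), []byte(*expected)) != 1 {
		return fmt.Errorf("sha256 mismatch: got %s, want %s", got, *expected)
	}
	return nil
}

func main() {
	// Constructed sample bytes (a Wasm magic header, not a real module).
	code := []byte("\x00asm\x01\x00\x00\x00")
	sum := sha256.Sum256(code)
	digest := hex.EncodeToString(sum[:])

	src := WasmCodeSource{
		Type:  ImageWasmCodeSourceType,
		Image: &ImageWasmCodeSource{URL: "registry.example.com:5000/wasm/filter:latest"},
	}
	fmt.Println("latest tag, no sha256:", EffectivePullPolicy(src)) // Always
	src.Image.SHA256 = &digest
	fmt.Println("pinned by sha256:", EffectivePullPolicy(src)) // IfNotPresent
	fmt.Println("verify good:", VerifySHA256(code, &digest))   // <nil>
	bad := strings.Repeat("0", 64)
	fmt.Println("verify bad:", VerifySHA256(code, &bad) != nil) // true
}
```

The constant-time comparison is not strictly needed for a public digest, but it costs nothing and keeps the check uniform with other secret comparisons in a gateway code base; the important property is that a missing checksum is an explicit decision to load unverified code, which the calling code should log rather than treat as the normal path.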
28 changes: 26 additions & 2 deletions api/v1alpha1/zz_generated.deepcopy.go

Generated file; diff not rendered.

9 changes: 6 additions & 3 deletions charts/gateway-helm/README.md
@@ -84,9 +84,12 @@ To uninstall the chart:
| deployment.ports[1].name | string | `"ratelimit"` | |
| deployment.ports[1].port | int | `18001` | |
| deployment.ports[1].targetPort | int | `18001` | |
| deployment.ports[2].name | string | `"metrics"` | |
| deployment.ports[2].port | int | `19001` | |
| deployment.ports[2].targetPort | int | `19001` | |
| deployment.ports[2].name | string | `"wasm"` | |
| deployment.ports[2].port | int | `18002` | |
| deployment.ports[2].targetPort | int | `18002` | |
| deployment.ports[3].name | string | `"metrics"` | |
| deployment.ports[3].port | int | `19001` | |
| deployment.ports[3].targetPort | int | `19001` | |
| deployment.replicas | int | `1` | |
| global.images.envoyGateway.image | string | `nil` | |
| global.images.envoyGateway.pullPolicy | string | `nil` | |
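Review bot: inserting the new `wasm` port at `deployment.ports[2]` renumbers `metrics` from `deployment.ports[2]` to `deployment.ports[3]`, so any user values file that overrides `deployment.ports[2].port` or `.targetPort` for metrics will silently start overriding the Wasm port instead; append the new port at the end of the list (or note the index change in the release notes). The table also says nothing about what the new `18002` listener serves or who may reach it, which matters for a port that hands out executable modules to the proxies.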