wasm configuration types refactor

[eguzki]

What

Kuadrant/wasm-shim#87 introduced a new kuadrant's Wasm configuration. It is based on extensions. It's basically the same, but more extensible, which allows to include auth in the future. The wasm controllers (istio and envoygateway based ones) are updated to generate the new configuration scheme expected by the wasm module.

The scope of this issue is limited to rate limiting. External auth using wasm will be covered in following up tasks.

Example of the new wasm configuration:

---
extensions:
  limitador:
    type: ratelimit
    endpoint: limitador-cluster
    failureMode: deny
policies:
  - name: rlp-ns-A/rlp-name-A
    hostnames:
      - '*.toystore.com'
      - example.com
    rules:
      - conditions:
          - allOf:
              - selector: request.path
                operator: eq
                value: /admin/toy
              - selector: request.method
                operator: eq
                value: POST
              - selector: request.host
                operator: eq
                value: cars.toystore.com
        actions:
          - extension: limitador
            scope: rlp-ns-A/rlp-name-A
            data:
              - static:
                  key: rlp-ns-A/rlp-name-A
                  value: "1"
              - selector:
                  selector: auth.metadata.username

Related work: Kuadrant/wasm-shim#87

TODO:

• verification steps
• wasm config schema documentation
• tests

Verification steps

Setup (Persona: Cluster admin)

make local-env-setup GATEWAYAPI_PROVIDER=envoygateway

Run the operator with a custom wasm build (right now it is not being merged in main)

RELATED_IMAGE_WASMSHIM=oci://quay.io/kuadrant/wasm-shim:external-auth make run

Now follow the guide named Authenticated Rate Limiting for Application Developers and start requesting an instance of Kuadrant. The guide should take you to authenticated rate limiting configuration and the traffic should be rate limiting as expected.

Once you go through all the steps successfully, let's inspect the resources and new configuration.

⚠️ do not cleanup the environment after going through all the steps of the guide.

Verification of kuadrant managed EnvoyGateway resources

EnvoyExtensionPolicy

Check EnvoyExtensionPolicy resource defined by kuadrant

kubectl get envoyextensionpolicy -n gateway-system kuadrant-wasm-for-kuadrant-ingressgateway -o yaml | yq e -P

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyExtensionPolicy
metadata:
  annotations:
    kuadrant.io/namespace: kuadrant-system
  creationTimestamp: "2024-10-01T16:13:37Z"
  generation: 1
  name: kuadrant-wasm-for-kuadrant-ingressgateway
  namespace: gateway-system
  ownerReferences:
    - apiVersion: gateway.networking.k8s.io/v1
      blockOwnerDeletion: true
      controller: true
      kind: Gateway
      name: kuadrant-ingressgateway
      uid: 44c78246-8334-4e41-b19c-606a2b3d3714
  resourceVersion: "3592"
  uid: 4c0a7ad8-4fbc-4f6f-93b8-d5140086d3d4
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: kuadrant-ingressgateway
  wasm:
    - code:
        image:
          url: oci://quay.io/kuadrant/wasm-shim:external-auth
        type: Image
      config:
        extensions:
          limitador:
            endpoint: kuadrant-rate-limiting-service
            failureMode: allow
            type: ratelimit
        policies:
          - hostnames:
              - api.toystore.com
            name: default/toystore
            rules:
              - actions:
                  - data:
                      - static:
                          key: limit.alice_limit__bfdf2c38
                          value: "1"
                    extension: limitador
                    scope: default/toystore
                conditions:
                  - allOf:
                      - operator: eq
                        selector: request.url_path
                        value: /toy
                      - operator: eq
                        selector: request.method
                        value: GET
                      - operator: eq
                        selector: metadata.filter_metadata.envoy\.filters\.http\.ext_authz.identity.userid
                        value: alice
              - actions:
                  - data:
                      - static:
                          key: limit.bob_limit__58541558
                          value: "1"
                    extension: limitador
                    scope: default/toystore
                conditions:
                  - allOf:
                      - operator: eq
                        selector: request.url_path
                        value: /toy
                      - operator: eq
                        selector: request.method
                        value: GET
                      - operator: eq
                        selector: metadata.filter_metadata.envoy\.filters\.http\.ext_authz.identity.userid
                        value: bob
      failOpen: false
      name: kuadrant-wasm-shim
      rootID: kuadrant_wasm_shim
status:
  ancestors:
    - ancestorRef:
        group: gateway.networking.k8s.io
        kind: Gateway
        name: kuadrant-ingressgateway
        namespace: gateway-system
      conditions:
        - lastTransitionTime: "2024-10-01T16:13:39Z"
          message: Policy has been accepted.
          reason: Accepted
          status: "True"
          type: Accepted
      controllerName: gateway.envoyproxy.io/gatewayclass-controller

Few things to highlight:

• Wasm module defined with a reference to the kuadrant's wasm-shim OCI image oci://quay.io/kuadrant/wasm-shim:external-auth.
• The wasm configuration follows the new schema based on extensions. There is only one extension for limitador.

[codecov]

Codecov Report

Attention: Patch coverage is 96.42857% with 2 lines in your changes missing coverage. Please review.

Project coverage is 81.22%. Comparing base (ece13e8) to head (0e45be7).
Report is 207 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/rlptools/wasm/types.go	90.47%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #868      +/-   ##
==========================================
+ Coverage   80.20%   81.22%   +1.01%     
==========================================
  Files          64       89      +25     
  Lines        4492     6940    +2448     
==========================================
+ Hits         3603     5637    +2034     
- Misses        600      885     +285     
- Partials      289      418     +129     

Flag	Coverage Δ
bare-k8s-integration	6.78% <0.00%> (?)
controllers-integration	72.80% <78.57%> (?)
envoygateway-integration	49.42% <76.78%> (?)
gatewayapi-integration	12.42% <0.00%> (?)
integration	?
istio-integration	53.71% <92.85%> (?)
unit	28.99% <73.21%> (-1.05%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
api/v1beta1 (u)	84.61% <100.00%> (+13.18%)	⬆️
api/v1beta2 (u)	81.25% <75.17%> (-10.18%)	⬇️
pkg/common (u)	88.13% <ø> (-0.70%)	⬇️
pkg/istio (u)	71.51% <ø> (-2.40%)	⬇️
pkg/log (u)	94.73% <ø> (ø)
pkg/reconcilers (u)	∅ <ø> (∅)
pkg/rlptools (u)	85.39% <ø> (+5.93%)	⬆️
controllers (i)	82.51% <79.91%> (+5.71%)	⬆️

Files with missing lines	Coverage Δ
controllers/envoygateway_wasm_controller.go	82.30% <100.00%> (ø)
...llers/rate_limiting_istio_wasmplugin_controller.go	70.87% <100.00%> (ø)
pkg/rlptools/wasm/utils.go	88.64% <100.00%> (ø)
pkg/rlptools/wasm/types.go	64.70% <90.47%> (+14.70%)	⬆️

... and 42 files with indirect coverage changes

[eguzki]

I made up auth, open for a new magic word

[didierofrivia]

LGTM! good job! 🍡

[adam-cattermole]

lgtm, verified steps on istio as well