EnvoyExtensionPolicy: WASM config with no sha256 results in non-user-visible error #4379

Open
mt-inside opened this issue Oct 1, 2024 · 1 comment
Labels
help wanted (Extra attention is needed), kind/bug (Something isn't working)

mt-inside commented Oct 1, 2024

Description:
When loading a WASM blob over http, the docs say of EnvoyExtensionPolicy::spec.wasm.code.http.sha256 "If not specified, Envoy Gateway will not verify the downloaded Wasm code."

However, when I omit that field

  1. The CR is accepted, but
  2. The WASM doesn't load, and the controlplane logs contain the following
```
2024-10-01T11:39:52.810Z        INFO    xds-translator  runner/runner.go:55     received an update      {"runner": "xds-translator"}
2024-10-01T11:39:52.811Z        ERROR   xds-translator  runner/runner.go:85     failed to translate xds ir      {"runner": "xds-translator", "error": "invalid Wasm.Config: embedded message failed validation | caused by: invalid PluginConfig.VmConfig: embedded message failed validation | caused by: invalid VmConfig.Code: embedded message failed validation | caused by: invalid AsyncDataSource.Remote: embedded message failed validation | caused by: invalid RemoteDataSource.Sha256: value length must be at least 1 runes"}
2024-10-01T11:39:52.811Z        INFO    xds-server      runner/runner.go:140    received an update      {"runner": "xds-server"}
2024-10-01T11:39:52.812Z        ERROR   watchable       message/watchutil.go:56 observed an error       {"runner": "xds-translator", "error": "invalid Wasm.Config: embedded message failed validation | caused by: invalid PluginConfig.VmConfig: embedded message failed validation | caused by: invalid VmConfig.Code: embedded message failed validation | caused by: invalid AsyncDataSource.Remote: embedded message failed validation | caused by: invalid RemoteDataSource.Sha256: value length must be at least 1 runes"}
```

So it seems like a non-empty sha256 is needed (I confirmed: supplying one fixes the issue). Worse, the docs are misleading, and the user-facing statuses say everything's ok.

What do we want to do? I guess either
a) Change the docs, and enforce a non-missing, non-empty sha256 field on the CRD, or
b) Change the code so that it doesn't try to produce RemoteDataSource.Sha256 and provides any other Envoy config necessary to skip sha256 validation

arkodg commented Oct 1, 2024

cc @zhaohuabing

arkodg added the kind/bug and help wanted labels and removed the triage label on Oct 1, 2024