-
Notifications
You must be signed in to change notification settings - Fork 352
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(translator): allow configuration of hostEnvKeys on WASM extensions #4470
Conversation
this may solve my #4424 |
internal/ir/xds.go
Outdated
|
||
// HostEnvKeys is a list of keys for environment variables from the host envoy process | ||
// that should be passed into the Wasm VM. | ||
HostEnvKeys []string `json:"hostEnvKeys,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hostEnvKeys
is pretty self explanatory, also brainstorming some more options
vmConfig.envKeys
env.Keys
envKeys
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
also linking some past work here from istio https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#VmConfig
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 to adding a vmConfig
wrapper for better future-proofing, as additional VM settings may be needed in the future.
Should we also consider supporting explicitly specified key-value pairs?
vmConfig:
env:
hostEnvKeys:
- host_key_1
- host_key_2
customEnvs:
- key: custom_key_1
value: custom_value_1
- key: custom_key_2
value: custom_value_2
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hey @zhaohuabing what value does customEnvs add that cannot be represented via config
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, customEnvs just gives users more flexibility to pass configurations into the Wasm module. It can be handy for the Wasm modules just need some simple key-value pairs as input parameters. It's not a necessity though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hostEnvKeys
is the name that envoy used for this and I figured it would make it easier for someone to join the dots from the envoy config if it matched here.
For a vmConfig wrapper, would this just contain the hostEnvKeys
or the config
block too? happy to add it, but is there value to the extra nesting?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah I'm a +1 for hostEnvKeys
, it leaves room for customEnvs
. The other way to frame this is env.HostKeys
, which leaves room for env.Custom
.
hey @sgargan, the PR looks great ! thanks for adding docs and test cases added one comment around naming, if we get consensus from @envoyproxy/gateway-maintainers @envoyproxy/gateway-reviewers on naming, we could try and get this into the v1.2.0-rc.1 release (late next week) |
|
|
||
This is especially useful for sharing secure data from environment vars on the envoy process set using [valueFrom](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables) a Kubernetes secret. | ||
|
||
Note that setting an env var on the envoy process requires a custom [EnvoyProxy](../../api/extension_types#envoyproxy) configuration. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it would be great to show an example here!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 I've added an example to the envoyproxy customization docs and referenced it here.
ac9a5c9
to
b2da559
Compare
@sgargan After discussing with @arkodg and @guydc in today's EG meeting, it was suggested to consider using Kubernets Secrets for the As the next step, I suggest raising a PR for the API design, followed by a follow-up PR for the implementation, once the community reaches a consensus on the API. A similar example can be found in the gateway/api/v1alpha1/shared_types.go Lines 706 to 729 in 7188dad
|
rethinking this one @guydc @zhaohuabing we can't allow the app dev who has access to the EEP to inject any env vars into the proxy, so we'll need to split up the task of injecting env vars (using |
there is definitely the danger that a dev with access to the EEP could exfil secrets that they shouldn't have access to if they could reason about what keys to use. This is mostly a problem if the EP is shared Perhaps the EEP should only be able to use a secret from the same namespace that it explicitly calls out by name along with the key names to expose it to wasm? If the target Proxy is in a different namespace it might require duplicating the secret into that namespace with a reconciliation process to remove it when the referencing EEP is removed. |
Sure thing. Just so I'm clear on the process, are you suggesting a PR with just the wasm_types.go in it to capture the api conversation? |
hey @sgargan , @guydc and I discussed this issue again today in the community meeting and prefer if the API was It should be fine to make all the changes in this PR, we ideally prefer if the API and Implementation PR are separate to keep the PR sizes small and easier to review, but also the API discussion ( and churn) may cause a lot of work/change in the PR for the commiter |
@arkodg i'm currently implementing a wasm plugin and i need to pass some sensitive values. is this likely going to land in 1.2? |
this won't make it into v1.2, we just cut the RC release and can't add anymore API changes to this release, the workaround would be to use https://gateway.envoyproxy.io/docs/tasks/extensibility/envoy-patch-policy/ ChatGPT can be helpful here,
|
@arkodg Sorry, I didn't quite get the security concern behind this. Does this mean that we can still use a ValueRef to a local Secret, just like what EG does with the SecuritPolicy, but not an env from the host because the host envs are global scope and the app dev may not be allowed to access them? |
yes, retrieving a value here requires inserting it to the host first (for |
Thanks @arkodg - your sample got me started and i found the minimal patch required for those else interested. can't wait till this is a first class feature!
|
Got it, since envs are used host wide, so it should be manged by the admin who has a global view to all variables. Thanks for the explaination! |
9d954a4
to
c532009
Compare
Apologies for the delay, I was ooo last week and couldn't get to it. I've made the suggested changes to introduce an |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #4470 +/- ##
==========================================
+ Coverage 65.54% 65.57% +0.02%
==========================================
Files 211 211
Lines 31954 31964 +10
==========================================
+ Hits 20944 20960 +16
+ Misses 9767 9764 -3
+ Partials 1243 1240 -3 ☔ View full report in Codecov by Sentry. |
fa1c0d1
to
0f26b83
Compare
e2c2a8b
to
dc28246
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM thanks !
thanks for addressing all the comments
hey @sgargan there's a lint error
|
db52ba3
to
05923ef
Compare
exposes the hostEnvKeys configuration for WASM extensons through envoy extension policies. This enables access to env vars that are set on the host envoy processes and is a convenient way to share secret meterial with WASM extensions. Signed-off-by: Steve Gargan <steve.gargan@gmail.com>
@arkodg I've updated the lint error, can this be merged? |
exposes the hostEnvKeys configuration for WASM extensons through envoy extension policies. This enables access to env vars that are set on the host envoy processes and is a convenient way to share secret meterial with WASM extensions.
Release Note: Yes