Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable Network filters for Wasm Envoy Extension #17505

Merged
merged 2 commits into from
May 30, 2023
Merged

Enable Network filters for Wasm Envoy Extension #17505

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6bfd33e
Enable Network filters for Wasm Envoy Extension
cthain May 30, 2023
3643b73
add changelog
cthain May 30, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .changelog/17505.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:feature
xds: Add a built-in Envoy extension that inserts Wasm network filters.
```
100 changes: 41 additions & 59 deletions agent/envoyextensions/builtin/wasm/wasm.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,36 +4,34 @@
package wasm

import (
"errors"
"fmt"

envoy_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
envoy_http_wasm_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/wasm/v3"
envoy_http_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
envoy_resource_v3 "github.com/envoyproxy/go-control-plane/pkg/resource/v3"
envoy_wasm_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/wasm/v3"

"github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/envoyextensions/extensioncommon"
cmn "github.com/hashicorp/consul/envoyextensions/extensioncommon"
)

// wasm is a built-in Envoy extension that can patch filter chains to insert Wasm plugins.
type wasm struct {
extensioncommon.BasicExtensionAdapter
cmn.BasicExtensionAdapter

name string
wasmConfig *wasmConfig
}

var supportedRuntimes = []string{"v8", "wamr", "wavm", "wasmtime"}

var _ extensioncommon.BasicExtension = (*wasm)(nil)
var _ cmn.BasicExtension = (*wasm)(nil)

func Constructor(ext api.EnvoyExtension) (extensioncommon.EnvoyExtender, error) {
func Constructor(ext api.EnvoyExtension) (cmn.EnvoyExtender, error) {
w, err := construct(ext)
if err != nil {
return nil, err
}
return &extensioncommon.BasicEnvoyExtender{
return &cmn.BasicEnvoyExtender{
Extension: &w,
}, nil
}
Expand Down Expand Up @@ -67,72 +65,56 @@ func (w *wasm) fromArguments(args map[string]any) error {
}

// CanApply indicates if the WASM extension can be applied to the given extension configuration.
// Currently the Wasm extension can be applied if the extension configuration is for an inbound
// listener (checked below) on a local connect-proxy.
func (w wasm) CanApply(config *extensioncommon.RuntimeConfig) bool {
return config.Kind == w.wasmConfig.ProxyType
func (w wasm) CanApply(cfg *cmn.RuntimeConfig) bool {
return cfg.Kind == w.wasmConfig.ProxyType &&
cfg.Protocol == w.wasmConfig.Protocol
}

func (w wasm) matchesConfigDirection(isInboundListener bool) bool {
return isInboundListener && w.wasmConfig.ListenerType == "inbound"
return (isInboundListener && w.wasmConfig.ListenerType == "inbound") ||
(!isInboundListener && w.wasmConfig.ListenerType == "outbound")
}

// PatchFilter adds a Wasm filter to the HTTP filter chain.
// TODO (wasm/tcp): Add support for TCP filters.
func (w wasm) PatchFilter(cfg *extensioncommon.RuntimeConfig, filter *envoy_listener_v3.Filter, isInboundListener bool) (*envoy_listener_v3.Filter, bool, error) {
// PatchFilters adds a Wasm HTTP or TCP filter to the filter chain.
func (w wasm) PatchFilters(cfg *cmn.RuntimeConfig, filters []*envoy_listener_v3.Filter, isInboundListener bool) ([]*envoy_listener_v3.Filter, error) {
if !w.matchesConfigDirection(isInboundListener) {
return filter, false, nil
return filters, nil
}

if filter.Name != "envoy.filters.network.http_connection_manager" {
return filter, false, nil
}
if typedConfig := filter.GetTypedConfig(); typedConfig == nil {
return filter, false, errors.New("failed to get typed config for http filter")
}

httpConnMgr := envoy_resource_v3.GetHTTPConnectionManager(filter)
if httpConnMgr == nil {
return filter, false, errors.New("failed to get HTTP connection manager")
// Check that the Wasm plugin protocol matches the service protocol.
// It is a runtime error if the extension is configured to apply a Wasm plugin
// that doesn't match the service's protocol.
// This shouldn't happen because the caller should check CanApply first, but just in case.
if cfg.Protocol != w.wasmConfig.Protocol {
return filters, fmt.Errorf("failed to apply Wasm filter: service protocol for %q is %q but protocol for the Wasm extension is %q. Please ensure the protocols match",
cfg.ServiceName.Name, cfg.Protocol, w.wasmConfig.Protocol)
}

// Generate the Wasm plugin configuration. It is the same config for HTTP and network filters.
wasmPluginConfig, err := w.wasmConfig.PluginConfig.envoyPluginConfig(cfg)
if err != nil {
return filter, false, fmt.Errorf("failed to encode Envoy Wasm configuration: %w", err)
return filters, fmt.Errorf("failed to encode Envoy Wasm plugin configuration: %w", err)
}

extHttpFilter, err := extensioncommon.MakeEnvoyHTTPFilter(
"envoy.filters.http.wasm",
&envoy_http_wasm_v3.Wasm{Config: wasmPluginConfig},
)
if err != nil {
return filter, false, err
}
// Insert the filter immediately before the terminal filter.
insertOptions := cmn.InsertOptions{Location: cmn.InsertBeforeFirstMatch}

var (
changedFilters = make([]*envoy_http_v3.HttpFilter, 0, len(httpConnMgr.HttpFilters)+1)
changed bool
)

// We need to be careful about overwriting http filters completely because
// http filters validates intentions with the RBAC filter. This inserts the
// filter before `envoy.filters.http.router` while keeping everything
// else intact.
for _, httpFilter := range httpConnMgr.HttpFilters {
if httpFilter.Name == "envoy.filters.http.router" {
changedFilters = append(changedFilters, extHttpFilter)
changed = true
switch cfg.Protocol {
case "grpc", "http2", "http":
insertOptions.FilterName = "envoy.filters.http.router"
filter, err := cmn.MakeEnvoyHTTPFilter("envoy.filters.http.wasm", &envoy_http_wasm_v3.Wasm{Config: wasmPluginConfig})
if err != nil {
return filters, fmt.Errorf("failed to make Wasm HTTP filter: %w", err)
}
changedFilters = append(changedFilters, httpFilter)
}
if changed {
httpConnMgr.HttpFilters = changedFilters
}

newFilter, err := extensioncommon.MakeFilter("envoy.filters.network.http_connection_manager", httpConnMgr)
if err != nil {
return filter, false, errors.New("error making new filter")
return cmn.InsertHTTPFilter(filters, filter, insertOptions)
case "tcp":
fallthrough
default:
insertOptions.FilterName = "envoy.filters.network.tcp_proxy"
filter, err := cmn.MakeFilter("envoy.filters.network.wasm", &envoy_wasm_v3.Wasm{Config: wasmPluginConfig})
if err != nil {
return filters, fmt.Errorf("failed to make Wasm network filter: %w", err)
}
return cmn.InsertNetworkFilter(filters, filter, insertOptions)
}

return newFilter, true, nil
}
Loading