Merge branch 'main' into static-file-server

envoyproxy · Nov 14, 2024 · a60d542 · a60d542
2 parents 97249a0 + c2b0ee3
commit a60d542
Show file tree

Hide file tree

Showing 40 changed files with 824 additions and 53 deletions.
diff --git a/api/v1alpha1/wasm_types.go b/api/v1alpha1/wasm_types.go
@@ -10,6 +10,14 @@ import (
 	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 )
 
+// WasmEnv defines the environment variables for the VM of a Wasm extension
+type WasmEnv struct {
+	// HostKeys is a list of keys for environment variables from the host envoy process
+	// that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions.
+	// +optional
+	HostKeys []string `json:"hostKeys,omitempty"`
+}
+
 // Wasm defines a Wasm extension.
 //
 // Note: at the moment, Envoy Gateway does not support configuring Wasm runtime.
@@ -52,6 +60,10 @@ type Wasm struct {
 	// Priority defines the location of the Wasm extension in the HTTP filter chain.
 	// If not specified, the Wasm extension will be inserted before the router filter.
 	// Priority *uint32 `json:"priority,omitempty"`
+
+	// Env configures the environment for the Wasm extension
+	// +optional
+	Env *WasmEnv `json:"env,omitempty"`
 }
 
 // WasmCodeSource defines the source of the Wasm code.

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
@@ -1232,6 +1232,17 @@ spec:
                         Config is the configuration for the Wasm extension.
                         This configuration will be passed as a JSON string to the Wasm extension.
                       x-kubernetes-preserve-unknown-fields: true
+                    env:
+                      description: Env configures the environment for the Wasm extension
+                      properties:
+                        hostKeys:
+                          description: |-
+                            HostKeys is a list of keys for environment variables from the host envoy process
+                            that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions.
+                          items:
+                            type: string
+                          type: array
+                      type: object
                     failOpen:
                       default: false
                       description: |-

diff --git a/examples/envoy-als/Dockerfile b/examples/envoy-als/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.23.1 AS builder
+FROM golang:1.23.3 AS builder
 
 ARG GO_LDFLAGS=""
 

diff --git a/examples/envoy-als/go.mod b/examples/envoy-als/go.mod
@@ -1,6 +1,6 @@
 module github.com/envoyproxy/gateway-envoy-als
 
-go 1.23.1
+go 1.23.3
 
 require (
 	github.com/envoyproxy/go-control-plane v0.13.1

diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod
@@ -1,6 +1,6 @@
 module github.com/exampleorg/envoygateway-extension
 
-go 1.23.1
+go 1.23.3
 
 require (
 	github.com/envoyproxy/gateway v1.0.2

diff --git a/examples/grpc-ext-auth/Dockerfile b/examples/grpc-ext-auth/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.23.1 AS builder
+FROM golang:1.23.3 AS builder
 
 ARG GO_LDFLAGS=""
 

diff --git a/examples/grpc-ext-auth/go.mod b/examples/grpc-ext-auth/go.mod
@@ -1,6 +1,6 @@
 module github.com/envoyproxy/gateway-grcp-ext-auth
 
-go 1.23.1
+go 1.23.3
 
 require (
 	github.com/envoyproxy/go-control-plane v0.13.1

diff --git a/examples/grpc-ext-proc/Dockerfile b/examples/grpc-ext-proc/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.23.1 AS builder
+FROM golang:1.23.3 AS builder
 
 ARG GO_LDFLAGS=""
 

diff --git a/examples/grpc-ext-proc/go.mod b/examples/grpc-ext-proc/go.mod
@@ -1,6 +1,6 @@
 module github.com/envoyproxy/gateway-grpc-ext-proc
 
-go 1.23.1
+go 1.23.3
 
 require (
 	github.com/envoyproxy/go-control-plane v0.13.1

diff --git a/examples/preserve-case-backend/Dockerfile b/examples/preserve-case-backend/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.23.1 AS builder
+FROM golang:1.23.3 AS builder
 
 ARG GO_LDFLAGS=""
 

diff --git a/examples/preserve-case-backend/go.mod b/examples/preserve-case-backend/go.mod
@@ -1,6 +1,6 @@
 module github.com/envoyproxy/gateway-preserve-case-backend
 
-go 1.23.1
+go 1.23.3
 
 require github.com/valyala/fasthttp v1.51.0
 

diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/envoyproxy/gateway
 
-go 1.23.1
+go 1.23.3
 
 replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.16
 

diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go
@@ -675,6 +675,10 @@ func (t *Translator) buildWasm(
 		Code:     code,
 	}
 
+	if config.Env != nil && len(config.Env.HostKeys) > 0 {
+		wasmIR.HostKeys = config.Env.HostKeys
+	}
+
 	return wasmIR, nil
 }
 

diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.in.yaml
@@ -0,0 +1,123 @@
+secrets:
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    namespace: envoy-gateway
+    name: my-pull-secret
+  data:
+    .dockerconfigjson: VGhpc0lzTm90QVJlYWxEb2NrZXJDb25maWdKc29u
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: Gateway
+  metadata:
+    namespace: envoy-gateway
+    name: gateway-1
+  spec:
+    gatewayClassName: envoy-gateway-class
+    listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      allowedRoutes:
+        namespaces:
+          from: All
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    namespace: default
+    name: httproute-1
+  spec:
+    hostnames:
+    - www.example.com
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-1
+      sectionName: http
+    rules:
+    - matches:
+      - path:
+          value: "/foo"
+      backendRefs:
+      - name: service-1
+        port: 8080
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    namespace: default
+    name: httproute-2
+  spec:
+    hostnames:
+    - www.example.com
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-1
+      sectionName: http
+    rules:
+    - matches:
+      - path:
+          value: "/bar"
+      backendRefs:
+      - name: service-1
+        port: 8080
+envoyextensionpolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: EnvoyExtensionPolicy
+  metadata:
+    namespace: envoy-gateway
+    name: policy-for-gateway  # This policy should attach httproute-2
+  spec:
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: Gateway
+      name: gateway-1
+    wasm:
+    - name: wasm-filter-1
+      code:
+        type: HTTP
+        http:
+          url: https://www.example.com/wasm-filter-1.wasm
+          sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4
+      env:
+        hostKeys:
+        - SOME_KEY
+        - ANOTHER_KEY
+    - name: wasm-filter-2
+      rootID: "my-root-id"
+      code:
+        type: Image
+        image:
+          url: oci://www.example.com/wasm-filter-2:v1.0.0
+          pullSecretRef:
+            name: my-pull-secret
+          sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46
+      env:
+        hostKeys:
+        - SOME_KEY
+        - ANOTHER_KEY
+    - code:
+        type: Image
+        image:
+          url: www.example.com:8080/wasm-filter-3
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: EnvoyExtensionPolicy
+  metadata:
+    namespace: default
+    name: policy-for-http-route   # This policy should attach httproute-1
+  spec:
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      name: httproute-1
+    wasm:
+    - name: wasm-filter-4
+      code:
+        type: HTTP
+        http:
+          url: https://www.test.com/wasm-filter-4.wasm
+          sha256: b6922722ab58109abfaa8d9eb16f339b38b2bb1c17076b083b34438b934e7463
+      failOpen: true
+      env:
+        hostKeys:
+        - SOME_KEY
+        - ANOTHER_KEY