Skip to content

Commit

Permalink
feat(translation): allow configuration of hostEnvKeys on WASM extensions
Browse files Browse the repository at this point in the history
exposes the hostEnvKeys configuration for WASM extensons through envoy extension policies.
This enables access to env vars that are set on the host envoy processes and is a convenient way to share secret meterial with WASM extensions.

Signed-off-by: Steve Gargan <[email protected]>
  • Loading branch information
sgargan committed Nov 13, 2024
1 parent 36d0193 commit ced3e03
Show file tree
Hide file tree
Showing 14 changed files with 732 additions and 22 deletions.
12 changes: 12 additions & 0 deletions api/v1alpha1/wasm_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,14 @@ import (
gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
)

// WasmEnv defines the environment variables for the VM of a Wasm extension
type WasmEnv struct {
// HostKeys is a list of keys for environment variables from the host envoy process
// that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions.
// +optional
HostKeys []string `json:"hostKeys,omitempty"`
}

// Wasm defines a Wasm extension.
//
// Note: at the moment, Envoy Gateway does not support configuring Wasm runtime.
Expand Down Expand Up @@ -52,6 +60,10 @@ type Wasm struct {
// Priority defines the location of the Wasm extension in the HTTP filter chain.
// If not specified, the Wasm extension will be inserted before the router filter.
// Priority *uint32 `json:"priority,omitempty"`

// Env configures the environment for the Wasm extension
// +optional
Env *WasmEnv `json:"env,omitempty"`
}

// WasmCodeSource defines the source of the Wasm code.
Expand Down
25 changes: 25 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
Expand Up @@ -1232,6 +1232,17 @@ spec:
Config is the configuration for the Wasm extension.
This configuration will be passed as a JSON string to the Wasm extension.
x-kubernetes-preserve-unknown-fields: true
env:
description: Env configures the environment for the Wasm extension
properties:
hostKeys:
description: |-
HostKeys is a list of keys for environment variables from the host envoy process
that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions.
items:
type: string
type: array
type: object
failOpen:
default: false
description: |-
Expand Down
4 changes: 4 additions & 0 deletions internal/gatewayapi/envoyextensionpolicy.go
Original file line number Diff line number Diff line change
Expand Up @@ -675,6 +675,10 @@ func (t *Translator) buildWasm(
Code: code,
}

if config.Env != nil && len(config.Env.HostKeys) > 0 {
wasmIR.HostKeys = config.Env.HostKeys
}

return wasmIR, nil
}

Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,123 @@
secrets:
- apiVersion: v1
kind: Secret
metadata:
namespace: envoy-gateway
name: my-pull-secret
data:
.dockerconfigjson: VGhpc0lzTm90QVJlYWxEb2NrZXJDb25maWdKc29u
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
namespace: envoy-gateway
name: gateway-1
spec:
gatewayClassName: envoy-gateway-class
listeners:
- name: http
protocol: HTTP
port: 80
allowedRoutes:
namespaces:
from: All
httpRoutes:
- apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: default
name: httproute-1
spec:
hostnames:
- www.example.com
parentRefs:
- namespace: envoy-gateway
name: gateway-1
sectionName: http
rules:
- matches:
- path:
value: "/foo"
backendRefs:
- name: service-1
port: 8080
- apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: default
name: httproute-2
spec:
hostnames:
- www.example.com
parentRefs:
- namespace: envoy-gateway
name: gateway-1
sectionName: http
rules:
- matches:
- path:
value: "/bar"
backendRefs:
- name: service-1
port: 8080
envoyextensionpolicies:
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyExtensionPolicy
metadata:
namespace: envoy-gateway
name: policy-for-gateway # This policy should attach httproute-2
spec:
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
name: gateway-1
wasm:
- name: wasm-filter-1
code:
type: HTTP
http:
url: https://www.example.com/wasm-filter-1.wasm
sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4
env:
hostKeys:
- SOME_KEY
- ANOTHER_KEY
- name: wasm-filter-2
rootID: "my-root-id"
code:
type: Image
image:
url: oci://www.example.com/wasm-filter-2:v1.0.0
pullSecretRef:
name: my-pull-secret
sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46
env:
hostKeys:
- SOME_KEY
- ANOTHER_KEY
- code:
type: Image
image:
url: www.example.com:8080/wasm-filter-3
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyExtensionPolicy
metadata:
namespace: default
name: policy-for-http-route # This policy should attach httproute-1
spec:
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: httproute-1
wasm:
- name: wasm-filter-4
code:
type: HTTP
http:
url: https://www.test.com/wasm-filter-4.wasm
sha256: b6922722ab58109abfaa8d9eb16f339b38b2bb1c17076b083b34438b934e7463
failOpen: true
env:
hostKeys:
- SOME_KEY
- ANOTHER_KEY
Loading

0 comments on commit ced3e03

Please sign in to comment.