Skip to content

Latest commit

 

History

History

prime-wasm-filter

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
release
release
 
 
src
src
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
Dockerfile
Dockerfile
 
 
README.md
README.md
 
 
envoy.test.sh
envoy.test.sh
 
 
istio.test.sh
istio.test.sh
 
 

README.md

prime-wasm-filter

Sample project to builld a istio/envoy extension using WASM for Rust

Based on:

Getting started

  • Generate extension with docker
docker build . -t prime-wasm-filter
  • Copy extension to host using
docker run -v $PWD/release/wasm32-unknown-unknown/:/opt/mount --rm --entrypoint cp prime-wasm-filter /target/wasm32-unknown-unknown/release/primeenvoyfilter.wasm /opt/mount/primeenvoyfilter.wasm
  • Generate checksum for installer
sha256sum release/wasm32-unknown-unknown/primeenvoyfilter.wasm

  • Replace generated checksum in istio prime.filter.yaml

  • Run docker compose with istio envoy with the wasm extension using

docker-compose -f ./release/docker-compose.yaml up --build -d

In order to test execute the following instruction

  • OK curl -H "x-prime-token":"32323" 0.0.0.0:18000
  • FAIL curl -H "x-prime-token":"323232" 0.0.0.0:18000

Shutdown docker compose

docker-compose -f ./release/docker-compose.yaml stop
docker-compose -f ./release/docker-compose.yaml rm

Istio example

It is required to use istio gateway for the traffic because the http filter is applied for gateway. It is possible to apply it for inbound or outbound proxy traffic (envoy) but it should go through the gateway for the filter to work.

  1. Run the Google cloud setup with istio enable
  2. Create namespace for httpbin demo project
kaf release/istio/httbin.gateway.ns.yaml
  1. Install httpbin
kaf https://raw.githubusercontent.com/istio/istio/release-1.12/samples/httpbin/httpbin.yaml -n httpbin-gateway
  1. Configure istio gateway for httpbin project
kaf release/istio/istio.gateway.httpbin.yaml
  1. Run release/istio/ files to install the filter. Istio will install the filter in each envoy proxy
  2. Export variables to access istio ingress
export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
  1. Test the isitio ingress gateway before install the filter. It should get 200 OK
curl -v -s -I "http://$INGRESS_HOST:$INGRESS_PORT/headers"
  1. Install prime filter
kaf release/istio/filter
  1. Execute the test

HTTP/1.1 403 Forbidden

curl -H "x-prime-token":"3232" -v -s -I "http://$INGRESS_HOST:$INGRESS_PORT/headers"

HTTP/1.1 200 OK

curl -H "x-prime-token":"32323" -v -s -I "http://$INGRESS_HOST:$INGRESS_PORT/headers"
  1. Delete prime filter
k delete -f release/istio/filter

Useful commands

  • Connect to docker to browser content using sh
docker run -it --entrypoint sh prime-wasm-filter

The generated file is located in /target/wasm32-unknown-unknown/release with the name primeenvoyfilter.wasm

  • Connect to isto-proxy (envoy proxy) of the pod
kubectl exec --stdin --tty httpbin-74fb669cc6-6bmjl -c istio-proxy -- /bin/bash
  • Use envoy administration interface inside of the istio-proxy container
curl localhost:15000/clusters?format=json