Envoygateway wasm controller #848
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## envoygateway #848 +/- ##
===============================================
Coverage ? 81.73%
===============================================
Files ? 87
Lines ? 6927
Branches ? 0
===============================================
Hits ? 5662
Misses ? 848
Partials ? 417
// Build imaginary route with all the routes not having a RLP targeting it | ||
untargetedRoutes := t.GetUntargetedRoutes(gw) |
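Review bot: the comment above `untargetedRoutes := t.GetUntargetedRoutes(gw)` relies on the terms "imaginary route" and "RLP" without defining them. Spell out RateLimitPolicy and say in one line why the untargeted routes are collected into a single synthetic route, so the intent of this step can be reviewed on its own.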
I was banging my head against the wall for 20 min or so, trying to find where in the code we "fixed" the imaginary route thing for RLPs. It turns out we haven't. 🙄
Leaving this comment here then only so we remember to fix the issue here as well whenever it is addressed with #688.
IOW, this LOC is wrong, but consistently wrong with all the other places where we made the same mistake, making it kind of right, if it makes any sense 😵💫
good point. Thanks for that. That will ease the process of rebasing when we fix that in main. With a little bit of luck, we can merge this into main before we fix it and then no rebase conflicts.
6fd4a90 to 36477e3
Limitador cluster controller based on EnvoyPatchPolicy
Wasm controller based on EnvoyExtensionPolicy
Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com>
Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com>
Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com>
36477e3 to db62eb3
@adam-cattermole ready for review
Nice job here, lgtm
@@ -39,10 +39,19 @@ $(EGCTL): | |||
.PHONY: egctl | |||
egctl: $(EGCTL) ## Download egctl locally if necessary. | |||
|
|||
envoy-gateway-enable-envoypatchpolicy: $(YQ) |
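Review bot: the new `envoy-gateway-enable-envoypatchpolicy: $(YQ)` target carries no `##` description, unlike `egctl: $(EGCTL) ## Download egctl locally if necessary.` directly above it, and no `.PHONY` declaration for it appears in the lines shown. Add both, and make the description say that the target modifies the Envoy Gateway configuration to enable the EnvoyPatchPolicy API, so anyone running it from the help listing knows it changes gateway settings rather than only downloading a tool.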
This is interesting, I guess if we document support for envoygateway in the repo / on the website we should call out this requirement to enable the envoy patch policy API
Sure!
* envoygateway controllers to setup wasm module
  Limitador cluster controller based on EnvoyPatchPolicy
  Wasm controller based on EnvoyExtensionPolicy
  Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com>
* envoygateway: enable envoypatchpolicy
  Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com>
* envoygateway: wasm module tests
  Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com>
  ---------
  Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com>
* envoygateway dev environment install (#678)
* envoygateway dev environment install
* egctl on detected os and arch
* Makefile: pulling out os and arch
  Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com>
* development environment: envoygateway v1.1.0 (#778)
  Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com>
* Runtime istio updated to 1.20.8 (ossm 2.6) and Istio go dep to 1.22.3 (#785)
* deployed istio updated to 1.20.8 (ossm 2.6)
  Golang istio.io/istio deps upgraded to 1.22.3
  It is required because golang envoygateway 1.1 dep conflicts on github.com/envoyproxy/go-control-plane/envoy/extensions/injected_credentials/generic/v3 package istio.io/istio 1.20.0 requires a package from github.com/envoyproxy/go-control-plane in 0.12.0 that does not exist when github.com/envoyproxy/go-control-plane is upgraded to 0.12.1 due to envoygateway 1.1
  Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com>
* updated manifests
  ---------
  Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com>
* Envoy Gateway AuthPolicy (#737)
* Enable envoygateway integration tests
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Add egapiv1 to scheme
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Fix lint issues
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Add envoy SecurityPolicy controller
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Add envoy ReferenceGrant controller
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Update manifests and bundle
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Update envoy gatewayclass to match GATEWAYAPI_PROVIDER name
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Set gateway class in tests from provider
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Enable new controllers in integration tests
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Add policy target object tracking to topology index
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Add istio AuthorizationPolicy controller
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Prepare for envoygateway integration tests
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Generify for integration tests
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Add envoygateway auth integration tests
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Do not set GATEWAYAPI_PROVIDER for tests that do not use it
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Set owner references in new controllers
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Enable security policy deletion tests
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Shorten github workflow integration test names
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Refactor SecurityPolicy controller For Kuadrants
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Update deletion logic
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Use new PolicyType
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* test: Explicitly set parentRef gateway namespace
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
  ---------
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* envoygateway kuadrant status controller check added (#847)
  Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com>
* Envoygateway wasm controller (#848)
* envoygateway controllers to setup wasm module
  Limitador cluster controller based on EnvoyPatchPolicy
  Wasm controller based on EnvoyExtensionPolicy
  Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com>
* envoygateway: enable envoypatchpolicy
  Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com>
* envoygateway: wasm module tests
  Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com>
  ---------
  Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com>
* fix lint issues
  Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com>
* bundle/manifests/kuadrant-operator.clusterserviceversion.yaml: autogeneration update
  Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com>
* go.[mod|sum] updated
  Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com>
* envoygateway: doc
  Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com>
* Provider agnostic gateway name/namespace (#771)
* Provider agnostic gateway name/namespace
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Update docs gateway name/namespace
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Use istio/envoy-gateway for provider namespace
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Use EG_NAMESPACE when patching
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
  ---------
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
* Update doc/install/install-kubernetes.md
  Co-authored-by: Adam Cattermole <acatterm@redhat.com>
  Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com>
* Update doc/install/install-kubernetes.md
  Co-authored-by: Adam Cattermole <acatterm@redhat.com>
  Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com>
  ---------
  Signed-off-by: Eguzki Astiz Lezaun <eastizle@redhat.com>
  Signed-off-by: Adam Cattermole <acatterm@redhat.com>
  Co-authored-by: Adam Cattermole <acatterm@redhat.com>
What
Controller to configure kuadrant wasm-shim when EnvoyGateway is the gateway provider.
It enables kuadrant rate limiting
Verification Steps
① Setup (Persona: Cluster admin)
Request an instance of Kuadrant in the kuadrant-system namespace:
② Deploy the Toy Store sample application (Persona: App developer)
Wait for the deployment:
kubectl wait --timeout=5m deployment/toystore --for=condition=Available
Export the gateway hostname and port:
Test the route with a traffic generator of 1 request per second.
All responses should be 200 OK.
③ Protect the Toy Store application (Persona: App developer)
In another terminal, create the RateLimitPolicy for all the traffic defined for the HTTPRoute, max 5 requests every 10 seconds.
Check the response of the traffic being run in the previous terminal. It should now be rate limited to 5 requests every 10 seconds.
④ Verification of kuadrant managed EnvoyGateway resources
EnvoyExtensionPolicy
Check EnvoyExtensionPolicy resource defined by kuadrant
kubectl get envoyextensionpolicy -n envoy-gateway-system kuadrant-wasm-for-eg -o yaml | yq e -P
Few things to highlight:
oci://quay.io/kuadrant/wasm-shim:latest
.status, so kuadrant controller can test status for the rate limit policy enforce's condition (missing, to be done in other PR).
EnvoyPatchPolicy
Check EnvoyPatchPolicy resource defined by kuadrant
The EnvoyPatchPolicy is used to tell Envoy the address of limitador, which is being used by the wasm module to open a grpc connection. Basically, it needs to tell: Envoy cluster kuadrant-rate-limiting-service is the address limitador-limitador.kuadrant-system.svc.cluster.local:8081
kubectl get envoypatchpolicy -n envoy-gateway-system kuadrant-patch-for-kuadrant-wasm-for-eg -o yaml | yq e -P
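A check for the EnvoyPatchPolicy verification step above, written as an added Go example that is not part of this PR or of the Kuadrant operator: it reads the policy as JSON and reports any patch other than "add the `kuadrant-rate-limiting-service` cluster with the single endpoint `limitador-limitador.kuadrant-system.svc.cluster.local:8081`". The sample document, the assumed layout of the generated patch, and the names `Audit`, `socketAddrs` and `patch` are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Envoy cluster type URL, and a policy constructed for this example (patch layout is assumed).
const clusterType = "type.googleapis.com/envoy.config.cluster.v3.Cluster"
const samplePolicy = `{"spec":{"jsonPatches":[{"type":"` + clusterType + `","name":"kuadrant-rate-limiting-service",
 "operation":{"op":"add","path":"","value":{"load_assignment":{"endpoints":[{"lb_endpoints":[{"endpoint":
 {"address":{"socket_address":{"address":"limitador-limitador.kuadrant-system.svc.cluster.local","port_value":8081}}}}]}]}}}}]}}`

type patch struct { // the spec.jsonPatches[] fields this check reads
	Type, Name string
	Operation  struct{ Op string; Value interface{} }
}

// socketAddrs collects "host:port" from every socket_address found under v.
func socketAddrs(v interface{}) (out []string) {
	kids, _ := v.([]interface{})
	m, _ := v.(map[string]interface{})
	if sa, ok := m["socket_address"].(map[string]interface{}); ok {
		out = append(out, fmt.Sprintf("%v:%v", sa["address"], sa["port_value"]))
	}
	for _, c := range m {
		kids = append(kids, c)
	}
	for _, c := range kids {
		out = append(out, socketAddrs(c)...)
	}
	return out
}

// Audit reports every patch that is not "add Cluster <name> with the single endpoint <addr>".
func Audit(raw []byte, name, addr string) (findings []string) {
	var p struct{ Spec struct{ JSONPatches []patch } }
	if json.Unmarshal(raw, &p) != nil || len(p.Spec.JSONPatches) == 0 {
		return []string{"no jsonPatches decoded"}
	}
	for i, jp := range p.Spec.JSONPatches {
		if a := socketAddrs(jp.Operation.Value); jp.Type != clusterType || jp.Operation.Op != "add" || jp.Name != name || len(a) != 1 || a[0] != addr {
			findings = append(findings, fmt.Sprintf("patch %d: %s %q -> %v", i, jp.Operation.Op, jp.Name, a))
		}
	}
	return findings
}

func main() { fmt.Println(Audit([]byte(samplePolicy), "kuadrant-rate-limiting-service", "limitador-limitador.kuadrant-system.svc.cluster.local:8081")) }
```

An empty result means the policy contains nothing beyond the expected cluster; each finding names the patch index, operation, resource name and the endpoints it carries.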