feat(translation): allow configuration of hostEnvKeys on WASM extensions

exposes the hostEnvKeys configuration for WASM extensons through envoy extension policies. This enables access to env vars that are set on the host envoy processes and is a convenient way to share secret meterial with WASM extensions. Signed-off-by: Steve Gargan <steve.gargan@gmail.com>
envoyproxy · Oct 22, 2024 · ac9a5c9 · ac9a5c9
1 parent aab669d
commit ac9a5c9
Show file tree

Hide file tree

Showing 13 changed files with 803 additions and 32 deletions.
diff --git a/api/v1alpha1/wasm_types.go b/api/v1alpha1/wasm_types.go
@@ -52,6 +52,11 @@ type Wasm struct {
 	// Priority defines the location of the Wasm extension in the HTTP filter chain.
 	// If not specified, the Wasm extension will be inserted before the router filter.
 	// Priority *uint32 `json:"priority,omitempty"`
+
+	// HostEnvKeys is a list of keys for environment variables from the host envoy process
+	// that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions.
+	// +optional
+	HostEnvKeys []string `json:"hostEnvKeys,omitempty"`
 }
 
 // WasmCodeSource defines the source of the Wasm code.

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
@@ -1242,6 +1242,13 @@ spec:
                         not set (defaulting to false), the system blocks the traffic and returns
                         an HTTP 5xx error.
                       type: boolean
+                    hostEnvKeys:
+                      description: |-
+                        HostEnvKeys is a list of keys for environment variables from the host envoy process
+                        that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions.
+                      items:
+                        type: string
+                      type: array
                     name:
                       description: |-
                         Name is a unique name for this Wasm extension. It is used to identify the

diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go
@@ -691,12 +691,13 @@ func (t *Translator) buildWasm(
 		wasmName = *config.Name
 	}
 	wasmIR := &ir.Wasm{
-		Name:     name,
-		RootID:   config.RootID,
-		WasmName: wasmName,
-		Config:   config.Config,
-		FailOpen: failOpen,
-		Code:     code,
+		Name:        name,
+		RootID:      config.RootID,
+		WasmName:    wasmName,
+		Config:      config.Config,
+		FailOpen:    failOpen,
+		Code:        code,
+		HostEnvKeys: config.HostEnvKeys,
 	}
 
 	return wasmIR, nil

diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.in.yaml
@@ -0,0 +1,120 @@
+secrets:
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    namespace: envoy-gateway
+    name: my-pull-secret
+  data:
+    .dockerconfigjson: VGhpc0lzTm90QVJlYWxEb2NrZXJDb25maWdKc29u
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: Gateway
+  metadata:
+    namespace: envoy-gateway
+    name: gateway-1
+  spec:
+    gatewayClassName: envoy-gateway-class
+    listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      allowedRoutes:
+        namespaces:
+          from: All
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    namespace: default
+    name: httproute-1
+  spec:
+    hostnames:
+    - www.example.com
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-1
+      sectionName: http
+    rules:
+    - matches:
+      - path:
+          value: "/foo"
+      backendRefs:
+      - name: service-1
+        port: 8080
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    namespace: default
+    name: httproute-2
+  spec:
+    hostnames:
+    - www.example.com
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-1
+      sectionName: http
+    rules:
+    - matches:
+      - path:
+          value: "/bar"
+      backendRefs:
+      - name: service-1
+        port: 8080
+envoyextensionpolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: EnvoyExtensionPolicy
+  metadata:
+    namespace: envoy-gateway
+    name: policy-for-gateway  # This policy should attach httproute-2
+  spec:
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: Gateway
+      name: gateway-1
+    wasm:
+    - name: wasm-filter-1
+      code:
+        type: HTTP
+        http:
+          url: https://www.example.com/wasm-filter-1.wasm
+          sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5
+      hostEnvKeys:
+        - SOME_KEY
+        - ANOTHER_KEY
+    - name: wasm-filter-2
+      rootID: "my-root-id"
+      code:
+        type: Image
+        image:
+          url: oci://www.example.com/wasm-filter-2:v1.0.0
+          pullSecretRef:
+            name: my-pull-secret
+          sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980
+      hostEnvKeys:
+        - SOME_KEY
+        - ANOTHER_KEY
+    - code:
+        type: Image
+        image:
+          url: www.example.com:8080/wasm-filter-3
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: EnvoyExtensionPolicy
+  metadata:
+    namespace: default
+    name: policy-for-http-route   # This policy should attach httproute-1
+  spec:
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      name: httproute-1
+    wasm:
+    - name: wasm-filter-4
+      code:
+        type: HTTP
+        http:
+          url: https://www.test.com/wasm-filter-4.wasm
+          sha256: a1f0b78b8c1320690327800e3a5de10e7dbba7b6c752e702193a395a52c727b6
+      failOpen: true
+      hostEnvKeys:
+        - SOME_KEY
+        - ANOTHER_KEY