我的书签
添加书签
移除书签Run WebAssembly plug-ins in Envoy proxy
This topic describes how to use the wasm extension, which directs Consul to run your WebAssembly (Wasm) plug-ins for Envoy proxies.
Workflow
You can create Wasm plugins for Envoy and integrate them using the wasm extension. Wasm is a binary instruction format for stack-based virtual machines that has the potential to run anywhere after it has been compiled. Wasm plug-ins run as filters in a service mesh application’s sidecar proxy.
The following steps describe the process of integrating Wasm plugins:
- Create your Wasm plugin. You must ensure that your plugin functions as expected. Refer to the WebAssembly website for information and links to documentation.
- Configure an
EnvoyExtensionsblock in a service defaults or proxy defaults configuration entry. - Apply the configuration entry.
Add the EnvoyExtensions
Add Envoy extension configuration to a proxy defaults or service defaults configuration entry. Place the extension configuration in an EnvoyExtensions block in the configuration entry.
- When you configure Envoy extensions on proxy defaults, they apply to every service.
- When you configure Envoy extensions on service defaults, they apply to a specific service.
Consul applies Envoy extensions configured in proxy defaults before it applies extensions in service defaults. As a result, the Envoy extension configuration in service defaults may override configurations in proxy defaults.
In the following example, the extension uses an upstream service named file-server to serve a Wasm-based web application firewall (WAF).
wasm-extension-serve-waf.hcl
Kind = "service-defaults"Name = "api"Protocol = "http"EnvoyExtensions = [{Name = "builtin/wasm"Arguments = {Protocol = "http"ListenerType = "inbound"PluginConfig = {VmConfig = {Code = {Remote = {HttpURI = {Service = {Name = "file-server"}URI = "https://file-server/waf.wasm"}SHA256 = "c9ef17f48dcf0738b912111646de6d30575718ce16c0cbde3e38b21bb1771807"}}}Configuration = <<EOF{"rules": ["Include @demo-conf","Include @crs-setup-demo-conf","SecDebugLogLevel 9","SecRuleEngine On","Include @owasp_crs/*.conf"]}EOF}}}]
wasm-extension-serve-waf.json
{"kind": "service-defaults","name": "api","protocol": "http","envoyExtensions": [{"name": "builtin/wasm","arguments": {"protocol": "http","listenerType": "inbound","pluginConfig": {"VmConfig": {"Code": {"Remote": {"HttpURI": {"Service": {"Name": "file-server"},"URI": "https://file-server/waf.wasm"}}}},"Configuration": {"rules": ["Include @demo-conf","Include @crs-setup-demo-conf","SecDebugLogLevel 9","SecRuleEngine On","Include @owasp_crs/*.conf"]}}}}]}
wasm-extension-serve-waf.yaml
kind: service-defaultsname: apiprotocol: httpenvoyExtensions:- name: builtin/wasmrequired: truearguments:protocol: httplistenerType: inboundpluginConfig:VmConfig:Code:Remote:HttpURI:Service:Name: file-serverURI: https://file-server/waf.wasmConfiguration:rules:- Include @demo-conf- Include @crs-setup-demo-conf- SecDebugLogLevel 9- SecRuleEngine On- Include @owasp_crs/*.conf
Refer to the Wasm extension configuration reference for details on how to configure the extension.
Refer to the proxy defaults configuration entry reference and service defaults configuration entry reference for details on how to define the configuration entries.
Warning: Adding Envoy extensions default proxy configurations may have unintended consequences. We recommend configuring EnvoyExtensions in service defaults configuration entries in most cases.
Apply the configuration entry
If your network is deployed to virtual machines, use the consul config write command and specify the proxy defaults or service defaults configuration entry to apply the configuration. For Kubernetes-orchestrated networks, use the kubectl apply command. The following example applies the extension in a proxy defaults configuration entry.
$ consul config write wasm-extension-serve-waf.hcl
$ consul config write wasm-extension-serve-waf.json
$ kubectl apply wasm-extension-serve-waf.yaml
