layout: docs
page_title: Run WebAssembly plug-ins in Envoy proxy
description: Learn how to use the Consul wasm extension for Envoy, which directs Consul to run your WebAssembly (Wasm) plugins for Envoy proxies in your service mesh.

Run WebAssembly plug-ins in Envoy proxy

This topic describes how to use the wasm extension, which directs Consul to run your WebAssembly (Wasm) plug-ins for Envoy proxies.

Workflow

You can create Wasm plugins for Envoy and integrate them using the wasm extension. Wasm is a binary instruction format for stack-based virtual machines that has the potential to run anywhere after it has been compiled. Wasm plug-ins run as filters in a service mesh application's sidecar proxy.

The following steps describe the process of integrating Wasm plugins:

  • Create your Wasm plugin. You must ensure that your plugin functions as expected. Refer to the WebAssembly website for information and links to documentation.
  • Configure an EnvoyExtensions block in a service defaults or proxy defaults configuration entry.
  • Apply the configuration entry.

Add the EnvoyExtensions

Add Envoy extension configuration to a proxy defaults or service defaults configuration entry. Place the extension configuration in an EnvoyExtensions block in the configuration entry.

  • When you configure Envoy extensions on proxy defaults, they apply to every service.
  • When you configure Envoy extensions on service defaults, they apply to a specific service.

Consul applies Envoy extensions configured in proxy defaults before it applies extensions in service defaults. As a result, the Envoy extension configuration in service defaults may override configurations in proxy defaults.

In the following example, the extension uses an upstream service named file-server to serve a Wasm-based web application firewall (WAF).

Kind = "service-defaults"
Name = "api"
Protocol = "http"
EnvoyExtensions = [
  {
    Name = "builtin/wasm"
    Arguments = {
      Protocol = "http"
      ListenerType = "inbound"
      PluginConfig = {
        VmConfig = {
          Code = {
            Remote = {
              HttpURI = {
                Service = {
                  Name = "file-server"
                }
                URI = "https://file-server/waf.wasm"
              }
              SHA256 = "c9ef17f48dcf0738b912111646de6d30575718ce16c0cbde3e38b21bb1771807"
            }
          }
        }
        Configuration = <<EOF
{
  "rules": [
    "Include @demo-conf",
    "Include @crs-setup-demo-conf",
    "SecDebugLogLevel 9",
    "SecRuleEngine On",
    "Include @owasp_crs/*.conf"
  ]
}
EOF
      }
    }
  }
]

{
	"kind": "service-defaults",
	"name": "api",
	"protocol": "http",
	"envoyExtensions": [{
		"name": "builtin/wasm",
		"arguments": {
			"protocol": "http",
			"listenerType": "inbound",
			"pluginConfig": {
				"VmConfig": {
					"Code": {
						"Remote": {
							"HttpURI": {
								"Service": {
									"Name": "file-server"
								},
								"URI": "https://file-server/waf.wasm"
							},
							"SHA256": "c9ef17f48dcf0738b912111646de6d30575718ce16c0cbde3e38b21bb1771807"
						}
					}
				},
				"Configuration": {
					"rules": [
						"Include @demo-conf",
						"Include @crs-setup-demo-conf",
						"SecDebugLogLevel 9",
						"SecRuleEngine On",
						"Include @owasp_crs/*.conf"
					]
				}

			}
		}
	}]
}

apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
  name: api
spec:
  protocol: http
  envoyExtensions:
    - name: builtin/wasm
      required: true
      arguments:
        protocol: http
        listenerType: inbound
        pluginConfig:
          VmConfig:
            Code:
              Remote:
                HttpURI:
                  Service:
                    Name: file-server
                  URI: https://file-server/waf.wasm
                SHA256: "c9ef17f48dcf0738b912111646de6d30575718ce16c0cbde3e38b21bb1771807"
          Configuration:
            rules:
            - Include @demo-conf
            - Include @crs-setup-demo-conf
            - SecDebugLogLevel 9
            - SecRuleEngine On
            - Include @owasp_crs/*.conf

Refer to the Wasm extension configuration reference for details on how to configure the extension.

Refer to the proxy defaults configuration entry reference and service defaults configuration entry reference for details on how to define the configuration entries.

!> Warning: Adding Envoy extensions to default proxy configurations may have unintended consequences. We recommend configuring EnvoyExtensions in service defaults configuration entries in most cases.

Apply the configuration entry

If your network is deployed to virtual machines, use the consul config write command and specify the proxy defaults or service defaults configuration entry to apply the configuration. For Kubernetes-orchestrated networks, use the kubectl apply command. The following example applies the extension in a proxy defaults configuration entry.

$ consul config write wasm-extension-serve-waf.hcl
$ consul config write wasm-extension-serve-waf.json
$ kubectl apply -f wasm-extension-serve-waf.yaml
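
Before applying the entry, confirm that the SHA256 value pinned under Remote matches the plug-in binary you built and published to file-server. The following check is an added example, not part of the Consul documentation: the function names are hypothetical, and it assumes sha256sum from GNU coreutils and a single SHA256 field in the entry.

```shell
#!/bin/sh
# Added example: pre-apply check for a builtin/wasm configuration entry.
# Assumptions: the entry (HCL, JSON or YAML) holds one SHA256 field;
# sha256sum is available; all function names here are hypothetical.

# Print the SHA256 digest pinned in the configuration entry, lowercased.
pinned_sha256() {
  grep -Eio '"?sha256"?[[:space:]]*[=:][[:space:]]*"?[0-9a-f]{64}"?' "$1" |
    head -n 1 | grep -Eio '[0-9a-f]{64}' | tr 'A-F' 'a-f'
}

# Succeed only if the file starts with the Wasm magic bytes "\0asm".
is_wasm_binary() {
  [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "0061736d" ]
}

# check_wasm_pin CONFIG_ENTRY WASM_FILE
# Returns 0 when the pinned digest matches the file, 1 on a mismatch,
# 2 when the entry pins no digest, 3 when the file is not a Wasm binary.
check_wasm_pin() {
  cwp_pinned="$(pinned_sha256 "$1")"
  [ -n "$cwp_pinned" ] || { echo "no SHA256 pinned in $1" >&2; return 2; }
  is_wasm_binary "$2" || { echo "$2 is not a Wasm binary" >&2; return 3; }
  cwp_actual="$(sha256sum "$2" | cut -d ' ' -f 1)"
  if [ "$cwp_pinned" != "$cwp_actual" ]; then
    echo "digest mismatch: pinned $cwp_pinned, file $cwp_actual" >&2
    return 1
  fi
  echo "ok: $2 matches the pinned SHA256"
}
```

Run `check_wasm_pin wasm-extension-serve-waf.hcl waf.wasm` in the same pipeline step that publishes the binary, and apply the entry only when it returns 0.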