-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
It would be great if Traefik supported wasm plugins #9552
Comments
Hiya! Thanks for your suggestion. We are interested in this issue but are unsure about the use case and the traction it will receive, so we are going to leave the status as "kind/proposal" to give the community time to let us know that they would like this. We will reevaluate as people respond. If you or another community member would like to build it before that happens, let us know and we will work with you to make sure you have all the information needed. Let us know here before you start. We prefer to work with our community members at the beginning of the design process to ensure that we are aligned and can move quickly with the review and merge process. |
I'd be really interested about this feature too. Right now creating plugins for multiple reverse proxies is a pain because of all the different API each reverse proxy propose. WasmProxy seems to be a very well fit usage. |
I am glad this issue already exists on this repository. I have been working with Wasm, proxy-wasm and proxies' features for a long time and I really like to see a way to extend traefik through Wasm soon. There are a few reasons why Wasm is a good match for this use case, the first one is the fact that currently using yaegi is the only way to extend Traefik with custom functionality, however it comes with some limitations:
As opposed Wasm present several advantages on these matters:
that said, we have three alternatives to pursue this goal:
I am happy to contribute with a PR supporting http-wasm. Any thoughts on this? |
Thanks for your feedback @jcchavezs, very much appreciated.
But it would make things a lot easier to integrate. |
At least I would like to see WASM support in Traefik. It could bring a lot more possibilities to plugin ecosystem (read: broader community and hopefully other products as well which will use WASM). If those 3 are the alternatives I would choose http-wasm and try to experiment that? |
Some time ago, I attempted to integrate Proxy-WASM, and my experience left me somewhat dissatisfied. Regrettably, I couldn't achieve the seamless functionality of a proper Envoy plugin. It seemed like a substantial amount of effort would be necessary to address the missing components. While I haven't explored HTTP-WASM, it appears to be a more attractive alternative. It seems relatively straightforward to integrate with Traefik. With the Yaegi plugin mechanism, you gain extensive access to the underlying Go objects, including the complete ResponseWriter. |
Hello, I recently conducted some tests using On a more positive note, I found I'm in agreement with @juliens about implementing a real middleware with |
@mmatur nice work! the actual change does not look even big! of course that is missing configurable parameters and kubernetes part etc. Anyway looks promising |
Really nice work @mmatur. I wonder if we could start a PR on this repo attempting to add http-wasm for traefik. There are a few things I want to discuss on this, for starting I would also suggest we look at existing impl. in dapr which also supports http-wasm (see https://github.com/dapr/docs/blob/v1.11/daprdocs/content/en/reference/components-reference/supported-middleware/middleware-wasm.md). Some of the questions are:
|
@jcchavezs I'm curious if attempting to incorporate it into the existing plugin system might provide a solution. We've already established a mechanism for handling configuration, and for addressing the remote or local issue, this could potentially be a viable option. Although I'm uncertain about how straightforward it would be to integrate it into the current catalog system. Perhaps @ldez could share their perspective on this matter. |
I can see solutions to integrate WASM plugins inside the catalog and Traefik (even if I still think that the best use of WASM is not for plugins). |
I believe Traefik should support both local and remote Wasm files. Perhaps this support could be integrated into https://plugins.traefik.io for better accessibility. Regarding the middleware configuration, I conducted some research and found that http-wasm-host-go offers a guestConfig option, which appears suitable for passing the config to the middleware. @ldez, could you please provide more details about your vision for the Wasm integration in Traefik?
What are your ideas for utilizing Wasm in Traefik? |
This is off-topic: this topic is about WASM and plugins, we can talk about it somewhere else. |
Maybe I was not clear: it's easy to integrate a different type of plugin if the repository follows the same convention as the existing plugins. |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
All in all, here are important questions that still need to be answered regarding the WASM plugin implementation:
Even if that's not the case, I think it's worth exploring this WASM plugin implementation, but this would definitely make things easier. |
Thanks for the feedback. http-wasm plugins are agnostic so ideally you could use any http-wasm binary into traefik which in the end is beneficial for everyone and they can be hosted in traefik plugin system (if they allow to download a file) or any other artifact published somewhere. I was thinking of something like this for syntax for using http-wasm middleware with custom binaries # example for https://plugins.traefik.io/plugins/628c9f11108ecc83915d7772/traefik-token-middleware
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: http-wasm
spec:
file: https://plugins.traefik.io/plugins/628c9f11108ecc83915d7772/traefik-token-middleware-wasm
config:
queryParam: token
secret: secret can we reuse the same plugin middleware contract?I think so. command:
- --experimental.plugins.traefik-token-middleware.modulename=url-for-wasm-plugin
- --experimental.plugins.traefik-token-middleware.version=v0.1.4 apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: my-jwtauth
spec:
plugin:
traefik-token-middleware:
queryParam: token
secret: secret and the displayName: Traefik Token Middleware
type: http-wasm-middleware
binary: https://github.com/corazawaf/coraza-proxy-wasm/releases/download/{version}/coraza-proxy-wasm-{version}.zip
summary: 'Verify JWT Token from query Param'
testData:
encodedHeader:
- "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImp0aSI6ImY1NzVlNDZlLTU2ZDQtNGU0Zi04MDQ1LTcwMWJmYjViM2RmNCIsImlhdCI6MTYwODE1MDg1MSwiZXhwIjoxNjA4MTU0NDUxfQ.g_XGqgyR-vo1DZzHiw-HwPQJpJYSsYMvI9rdeMRJEg8" can we reuse exsiting plugins?Some work needs to happen to recompile them in wasm (using tinygo) |
There are 4 plugin contracts:
experimental:
plugins:
example:
moduleName: github.com/traefik/plugindemo
version: v0.2.1
# OR
experimental:
localPlugins:
example:
moduleName: github.com/traefik/plugindemo
middlewares:
my-plugin:
plugin:
example:
headers:
Foo: Bar The repository convention should be kept to ease the integration inside the catalog. The programmatic "interface" could be only partially different because it should follow the middleware signature. The static configuration should be changed to use another field than The dynamic configuration will stay the same. The 2 plugin systems can live together: we don't control the code of the current plugins so we cannot really compile for them, a compilation of plugins inside the infrastructure will lead to security issues, and the 2 systems can be handled without major difficulties. |
Wouldn't be possible to provide a cli to compile yaegi plugins to wasm binaries? |
Hey there, Before we dig deeper and spend time finding proper implementation, I'd like to do a quick poll to understand who supports integrating WASM as a plugin engine and who is against Please 👍 (in favor) 👎 (against) in the reaction! (I'm pinging other maintainers, making sure they see this poll as well, but anyone, feel free to add weight) |
I did some tests, it looks like its possible to support yaegi and wasm plugins by using same "ecosystem". So what I did? I used yaegi "demoexample" plugin and basically little bit modified @mmatur http-wasm example. the response
like we can see, both plugins are working (foo:bar from demoexample and x-powpow:hello from wasm plugin). However, there are still some questions:
requirements for yasm plugin repo: .traefik.yml file (which contains the manifest) and then path to compiled yasm file. Or should we hardcode that to like Or should this be even in git ecosystem? What if we have for instance S3 object storage (or any other http webserver that can server static files) which have two files: .traefik.yml and wasm file itself? Then the structure could be
in that case .traefik.yml should contain path to github repository, where people can fill issues and see the code itself. |
Update: traefik code v3.0...zetaab:traefik:feature/httpwasm logs from traefik:
the response
So what is solved here:
|
One possible problem that I see in this format, that before this people could write Example using http-wasm:
vs
@jcchavezs I am just thinking could there be a way to override https://github.com/http-wasm/http-wasm-host-go/blob/main/handler/nethttp/middleware.go#L111? It would be really nice to use standard http.Handler to write middlewares. It would make things much easier and people could basically copy paste things. |
Many thanks @zetaab
yes, guestconfig it is.
Mainly adapters. Logging is a sensitive piece as it can lead to several allocations if not done carefully (see https://networkbuilders.intel.com/blog/coraza-performance-optimization).
in this module we exercise most of the features: request, response access denial and mutation https://github.com/jcchavezs/coraza-http-wasm.
Yes, that is the way to go. We came up with a minimal host implementation that cover the use cases we wanted to support but projects like dapr used it and helped to improve it (see https://github.com/dapr/components-contrib/blob/master/go.mod#L71)
Yes, as pointed out before logging is very sensitive. Ideally we should provide a traefik implementation that implements the http-wasm logger so library maintainers can consume it.
What is the use case for panic? Do we want to crash traefik? I think logging and initializing nops on the interceptors is enough. |
This is by design. Notice ABI is language/platform agnostic so designing the ABI targeting standard http.Handler isn't a goal for http-wasm. Also technically talking no wasm implementation (targeting WASI) can support |
I am just thinking if for instance parsing config fails here https://github.com/zetaab/traefik-wasm-demo/blob/main/header.go#L27 basically it should mean that whole plugin should not work. Now it will just print error to logs and continue running the plugin |
I get that but in practice what does that mean for traefik? crashing or logging and becoming a noop?. HEADS UP: I am not saying we shouldn't support panic, we can. I am just asking what is the use case. |
In my opinion from Traefik point of view: it should not crash Traefik, but it could for instance make the route not working? It is little bit scary if people assumes that "yeah we do have WAF in place" but they forgot to check error logs and they have live route in production without WAF? |
We should design the behaviour here but still you can achieve the same without panic by passing a |
The philosophy we've been following until now is that when anything middleware that a router uses is malfunctionning, the whole route goes down, but the rest is unaffected. Indeed, as you mentioned, the idea is to avoid the user thinking they're all set and secure ... when they are not (that's the same idea with authentication middleware) |
Awesome. Then we have feature definition for this.
…On Sun, 22 Oct 2023, 19:29 Gérald Croës, ***@***.***> wrote:
In my opinion from Traefik point of view: it should not crash Traefik, but
it could for instance make the route not working? It is little bit scary if
people assumes that "yeah we do have WAF in place" but they forgot to check
error logs and they have live route in production without WAF?
The philosophy we've been following until now is that when anything
middleware that a router uses is malfunctionning, the whole route goes
down, but the rest is unaffected.
Indeed, as you mentioned, the idea is to avoid the user thinking they're
all set and secure ... when they are not (that's the same idea with
authentication middleware)
—
Reply to this email directly, view it on GitHub
<#9552 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAXOYAWEKDVANSNX6OH7W6TYAVJV7AVCNFSM6AAAAAASL3LEFWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTONZUGE2TEMBWGA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
seems that os.Exit(1) handles that case https://github.com/zetaab/traefik-wasm-demo/blob/main/header.go#L29 it will print the error to logs and make the route unavailable because of broken middleware. from traefik log
|
@geraldcroes I think at least I have quite good picture how this could work. However, I would like to see that someone from Traefik side will implement this as PR, because you will define how you want to plugin system really work. I mean that you have catalog ecosystem etc, you will define the rules where the files can be stored and what is the structure for that. Feel free to use my code that I did. It works, but its not the most beautiful yet! |
Hey @zetaab ! We discussed this with other maintainers during the triage process yesterday, and we would very much rather help you finish the PR than writing it ourselves (based on your work and effort). For the integration within the rest of the plugin system (the catalog for example), we're looking into opening it to the community so that everyone can contribute as well. If finishing the PR sounds appealing to you, please open one, and one maintainer will take the time to ramp you up and get it to the project's standards (if need be). |
Closed by #10189. |
Welcome!
What did you expect to see?
Envoy WASM plugins:
https://github.com/envoyproxy/envoy/tree/master/examples/wasm-cc
The text was updated successfully, but these errors were encountered: