-
Notifications
You must be signed in to change notification settings - Fork 29
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Offline validation for config passed to proxy wasm #35
Comments
even if this function is added, Envoy/Istio has no way to report back to the users. Plus this seems essentially the same as the return value from the existing |
Yeah, sorry for not being clear. This function has not the purpose of being
loaded by istio/envoy but by control planes. Also as for loading the
extension and attempt to start the plugin, that was my initial ide about
the output (error message) isn't the best one.
…On Mon, 21 Nov 2022, 04:04 Takeshi Yoneda, ***@***.***> wrote:
even if this function is added, Envoy/Istio has no way to report back to
the users. Plus this seems essentially the same as the return value from
the existing proxy_on_configure ABI. I suggest instead we just
instantiate plugins at the control plane layer, and see the return value
from proxy_on_configure
—
Reply to this email directly, view it on GitHub
<#35 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAXOYAV5YTJ7DI55ZW3IC7DWJLRC5ANCNFSM6AAAAAASDHFXUI>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
The original ABI had a function exactly like that, and Proxy-Wasm C++ SDK still has it (see: proxy_validate_configuration, RootContext::validateConfiguration), but I'm not aware of any plugins using it. Note there are a few problems with such approach:
Basically, |
Could you elaborate? I don't understand how this is related to control plane performing config validation. |
Agree and I think the main difference between the two is the output but functionality wise they are quite similar.
Agree, this is mainly a best effort to allow users to validate the config offline. So providing the method in the wasm extension isn't a perfect solution it just guarantees cohesion meaning that the same wasm that is running in prod is the one validating the config as opposed to provide another wasm (to be able to load it in different languages) or per language libraries (mostly limited to the wasm extension language) |
proxy-wasm extensions allows people to extend proxy functionalities in the request/response lifecycle and are deployed along with proxies but have their own lifecycle.
One big issue right now is that the config passed to those extensions are mainly validated in runtime, meaning that user can't have feedback about incorrect config before deployment have been attempted for example:
A new proxy_validate_config method could be added to the ABI:
the result could be a list of errors e.g.
[LINE 1] Unexpected token {
or going forward a flatmap with the location e.g..rules[0]
but that assumes all configs are structured which I am not 100% sure.Ping @mathetake @PiotrSikora
Related: corazawaf/coraza-proxy-wasm#88 (comment)
The text was updated successfully, but these errors were encountered: