前置條件
k8s集群,版本1.23.8
安裝方法略
istio安裝完成demo哭廉,版本1.17.2
curl -L https://git.io/getLatestIstio | ISTIO_VERSION=1.17.2 sh
cd istio-1.17.2/
./bin/istioctl install --set profile=demo -y
kubectl label namespace default istio-injection=enabled --overwrite
安裝httpbin,sleep 示例
httpbin主要為了提供http響應(yīng)妆棒,也可以用已有的能夠提供http服務(wù)的任意服務(wù)川抡。
sleep 為了在pod里使用curl命令,有別的pod中能執(zhí)行curl命令也可以边臼。
kubectl apply -f samples/httpbin/httpbin.yaml
kubectl apply -f samples/sleep/sleep.yaml
本地docker環(huán)境哄尔,版本 20.10.21
docker安裝略
go語(yǔ)言環(huán)境,版本1.18.1
go安裝略
阿里云或其他鏡像倉(cāng)庫(kù)
類似部署一個(gè)普通應(yīng)用柠并,wasm插件來源于某個(gè)鏡像倉(cāng)庫(kù)岭接。
為了方便使用了阿里云的免費(fèi)鏡像倉(cāng)庫(kù),也可以本地搭建或使用別的倉(cāng)庫(kù)臼予。
注意需要將阿里云的倉(cāng)庫(kù)設(shè)置為公開鸣戴!
示例功能
在請(qǐng)求頭增加自定義的返回信息
將插件的配置信息放到頭信息中返回(測(cè)試讀取配置的功能)
簡(jiǎn)單的限流功能
直接看效果
使用我編譯好的鏡像直接部署,保存以下內(nèi)容為 gowasm.yaml
apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
name: my-go-wasm-plugin
namespace: default
spec:
selector:
matchLabels:
app: httpbin
## 編譯好的鏡像
url: oci://registry.cn-hangzhou.aliyuncs.com/hallywang/gowasm:20230530181612
#插件的配置信息粘拾,在代碼中可以獲取到j(luò)son string
pluginConfig:
testConfig: abcddeeeee
listconfig:
- abc
- def
部署到k8s中
kubectl apply -f gowasm.yaml
示例驗(yàn)證方法
- 執(zhí)行以下命令窄锅,從sleep pod中發(fā)送http 請(qǐng)求到 httpbin ,打印出返回的header
SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name}
kubectl exec ${SLEEP_POD} -c sleep -- sh -c 'for i in $(seq 1 3); do curl --head -s httpbin:8000/headers; sleep 0.1; done'
在未部署gowasm.yaml之前半哟,每次請(qǐng)求都會(huì)返回200成功酬滤,且頭信息中沒有自定義的內(nèi)容
-
在部署了gowasm.yaml之后签餐,返回如下結(jié)果(兩次請(qǐng)求的結(jié)果)寓涨,有自定義的頭信息和403的返回說明插件部署成功。
## 第一次請(qǐng)求的返回結(jié)果: HTTP/1.1 200 OK server: envoy date: Wed, 31 May 2023 03:20:12 GMT content-type: application/json content-length: 526 access-control-allow-origin: * access-control-allow-credentials: true x-envoy-upstream-service-time: 3 ## 下面是插件增加的頭信息 who-am-i: wasm-extension injected-by: istio-api! hally: wang wang: 1234567 configdata: {"listconfig":["abc","def"],"testConfig":"abcddeeeee"} ## 第二次請(qǐng)求的返回結(jié)果: ## 限流起作用戒良,返回403 HTTP/1.1 403 Forbidden powered-by: proxy-wasm-go-sdk!! content-length: 29 content-type: text/plain who-am-i: wasm-extension injected-by: istio-api! hally: wang wang: 1234567 configdata: {"listconfig":["abc","def"],"testConfig":"abcddeeeee"} date: Wed, 31 May 2023 03:20:12 GMT server: envoy x-envoy-upstream-service-time: 0
從代碼開始
安裝tinygo
tinygo可以將go編譯成wasm文件
https://tinygo.org/getting-started/install/
創(chuàng)建go工程
mkdir go-wasm-plugin
cd go-wasm-plugin
go mod init go-wasm
新增文件main.go
package main
import (
"time"
"github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm"
"github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm/types"
)
func main() {
proxywasm.SetVMContext(&vmContext{})
}
type vmContext struct {
// Embed the default VM context here,
// so that we don't need to reimplement all the methods.
types.DefaultVMContext
}
// Override types.DefaultVMContext.
func (*vmContext) NewPluginContext(contextID uint32) types.PluginContext {
return &pluginContext{}
}
type pluginContext struct {
// Embed the default plugin context here,
// so that we don't need to reimplement all the methods.
types.DefaultPluginContext
// the remaining token for rate limiting, refreshed periodically.
remainToken int
// // the preconfigured request per second for rate limiting.
// requestPerSecond int
// NOTE(jianfeih): any concerns about the threading and mutex usage for tinygo wasm?
// the last time the token is refilled with `requestPerSecond`.
lastRefillNanoSec int64
}
// Override types.DefaultPluginContext.
func (p *pluginContext) NewHttpContext(contextID uint32) types.HttpContext {
return &httpHeaders{contextID: contextID, pluginContext: p}
}
type httpHeaders struct {
// Embed the default http context here,
// so that we don't need to reimplement all the methods.
types.DefaultHttpContext
contextID uint32
pluginContext *pluginContext
}
// Additional headers supposed to be injected to response headers.
var additionalHeaders = map[string]string{
"who-am-i": "go-wasm-extension",
"injected-by": "istio-api!",
"hally": "wang",
"wang": "1234567",
// 定義自定義的header糯崎,每個(gè)返回中都添加以上header
}
// 讀取部署yaml中的 pluginConfig 內(nèi)容几缭,用于插件的一些配置信息
var configData string
func (p *pluginContext) OnPluginStart(pluginConfigurationSize int) types.OnPluginStartStatus {
proxywasm.LogDebug("loading plugin config")
data, err := proxywasm.GetPluginConfiguration()
if data == nil {
return types.OnPluginStartStatusOK
}
if err != nil {
proxywasm.LogCriticalf("error reading plugin configuration: %v", err)
return types.OnPluginStartStatusFailed
}
// 插件啟動(dòng)的時(shí)候讀取配置
configData = string(data)
return types.OnPluginStartStatusOK
}
func (ctx *httpHeaders) OnHttpResponseHeaders(numHeaders int, endOfStream bool) types.Action {
//添加headr
for key, value := range additionalHeaders {
proxywasm.AddHttpResponseHeader(key, value)
}
//為了便于演示觀察,將配置信息也加到返回頭里
proxywasm.AddHttpResponseHeader("configData", configData)
return types.ActionContinue
}
// 實(shí)現(xiàn)限流
func (ctx *httpHeaders) OnHttpRequestHeaders(int, bool) types.Action {
current := time.Now().UnixNano()
// We use nanoseconds() rather than time.Second() because the proxy-wasm has the known limitation.
// TODO(incfly): change to time.Second() once https://github.com/proxy-wasm/proxy-wasm-cpp-host/issues/199
// is resolved and released.
if current > ctx.pluginContext.lastRefillNanoSec+1e9 {
ctx.pluginContext.remainToken = 2
ctx.pluginContext.lastRefillNanoSec = current
}
proxywasm.LogCriticalf("Current time %v, last refill time %v, the remain token %v",
current, ctx.pluginContext.lastRefillNanoSec, ctx.pluginContext.remainToken)
if ctx.pluginContext.remainToken == 0 {
if err := proxywasm.SendHttpResponse(403, [][2]string{
{"powered-by", "proxy-wasm-go-sdk!!"},
}, []byte("rate limited, wait and retry."), -1); err != nil {
proxywasm.LogErrorf("failed to send local response: %v", err)
proxywasm.ResumeHttpRequest()
}
return types.ActionPause
}
ctx.pluginContext.remainToken -= 1
return types.ActionContinue
}
新增文件 Dockerfile
# Dockerfile for building "compat" variant of Wasm Image Specification.
# https://github.com/solo-io/wasm/blob/master/spec/spec-compat.md
FROM scratch
COPY main.wasm ./plugin.wasm
編譯go代碼為wasm
go get
tinygo build -o main.wasm -scheduler=none -target=wasi main.go
編譯成功后,工程目錄中將出現(xiàn) main.wasm 文件
build一個(gè)Docker鏡像,推送到鏡像倉(cāng)庫(kù)
docker build . -t registy.cn-hangzhou.aliyuncs.com/USER_NAME/gowasm:0.1
docker push registy.cn-hangzhou.aliyuncs.com/USER_NAME/gowasm:0.1
新增部署yaml
gowasm.yaml
apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
name: my-go-wasm-plugin
namespace: default
spec:
selector:
matchLabels:
app: httpbin
url: oci://registry.cn-hangzhou.aliyuncs.com/USER_NAME/gowasm:0.1
pluginConfig:
testConfig: abcddeeeee
listconfig:
- abc
- def
部署到k8s,執(zhí)行測(cè)試腳本
kubectl apply -f gowasm.yaml
SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name}
kubectl exec ${SLEEP_POD} -c sleep -- sh -c 'for i in $(seq 1 3); do curl --head -s httpbin:8000/headers; sleep 0.1; done'
## 觀察返回內(nèi)容
刪除插件
kubectl delete wasmplugins my-go-wasm-plugin
遇到的問題
- 修改代碼重新發(fā)布部署后薄霜,如果鏡像的tag沒變化某抓,可能出現(xiàn)不生效,這是因?yàn)閣asmplugin有自己的緩存機(jī)制,tag版本發(fā)生變化惰瓜,不會(huì)出現(xiàn)該問題
本文代碼
https://github.com/hallywang/go-wasm-plugin-example.git
其他玩法
- istio官方提供的使用webassemblyhub來打包發(fā)布否副,內(nèi)容參考
https://istio.io/latest/zh/blog/2020/deploy-wasm-declarative/
但是發(fā)現(xiàn)webassemblyhub提供的工具不支持最新版本的istio备禀。
參考資料
https://tetrate.io/blog/istio-wasm-extensions-and-ecosystem/
