mirror of https://github.com/hashicorp/consul
192 lines
5.6 KiB
Markdown
192 lines
5.6 KiB
Markdown
---
|
|
layout: docs
|
|
page_title: Run WebAssembly plug-ins in Envoy proxy
|
|
description: Learn how to use the Consul wasm extension for Envoy, which directs Consul to run your WebAssembly (Wasm) plugins for Envoy proxies in your service mesh.
|
|
---
|
|
|
|
|
|
# Run WebAssembly plug-ins in Envoy proxy
|
|
|
|
This topic describes how to use the `wasm` extension, which directs Consul to run your WebAssembly (Wasm) plug-ins for Envoy proxies.
|
|
|
|
## Workflow
|
|
|
|
You can create Wasm plugins for Envoy and integrate them using the `wasm` extension. Wasm is a binary instruction format for stack-based virtual machines that has the potential to run anywhere after it has been compiled. Wasm plug-ins run as filters in a service mesh application's sidecar proxy.
|
|
|
|
The following steps describe the process of integrating Wasm plugins:
|
|
|
|
- Create your Wasm plugin. You must ensure that your plugin functions as expected. Refer to the [WebAssembly website](https://webassembly.org/) for information and links to documentation.
|
|
- Configure an `EnvoyExtensions` block in a service defaults or proxy defaults configuration entry.
|
|
- Apply the configuration entry.
|
|
|
|
## Add the `EnvoyExtensions`
|
|
|
|
Add Envoy extension configuration to a proxy defaults or service defaults configuration entry. Place the extension configuration in an `EnvoyExtensions` block in the configuration entry.
|
|
|
|
- When you configure Envoy extensions on proxy defaults, they apply to every service.
|
|
- When you configure Envoy extensions on service defaults, they apply to a specific service.
|
|
|
|
Consul applies Envoy extensions configured in proxy defaults before it applies extensions in service defaults. As a result, the Envoy extension configuration in service defaults may override configurations in proxy defaults.
|
|
|
|
In the following example, the extension uses an upstream service named `file-server` to serve a Wasm-based web application firewall (WAF).
|
|
|
|
<Tabs>
|
|
<Tab heading="HCL" group="hcl">
|
|
<CodeBlockConfig filename="wasm-extension-serve-waf.hcl">
|
|
|
|
```hcl
|
|
Kind = "service-defaults"
|
|
Name = "api"
|
|
Protocol = "http"
|
|
EnvoyExtensions = [
|
|
{
|
|
Name = "builtin/wasm"
|
|
Arguments = {
|
|
Protocol = "http"
|
|
ListenerType = "inbound"
|
|
PluginConfig = {
|
|
VmConfig = {
|
|
Code = {
|
|
Remote = {
|
|
HttpURI = {
|
|
Service = {
|
|
Name = "file-server"
|
|
}
|
|
URI = "https://file-server/waf.wasm"
|
|
}
|
|
SHA256 = "c9ef17f48dcf0738b912111646de6d30575718ce16c0cbde3e38b21bb1771807"
|
|
}
|
|
}
|
|
}
|
|
Configuration = <<EOF
|
|
{
|
|
"rules": [
|
|
"Include @demo-conf",
|
|
"Include @crs-setup-demo-conf",
|
|
"SecDebugLogLevel 9",
|
|
"SecRuleEngine On",
|
|
"Include @owasp_crs/*.conf"
|
|
]
|
|
}
|
|
EOF
|
|
}
|
|
}
|
|
}
|
|
]
|
|
```
|
|
</CodeBlockConfig>
|
|
</Tab>
|
|
<Tab heading="JSON" group="json">
|
|
<CodeBlockConfig filename="wasm-extension-serve-waf.json">
|
|
|
|
```json
|
|
{
|
|
"kind": "service-defaults",
|
|
"name": "api",
|
|
"protocol": "http",
|
|
"envoyExtensions": [{
|
|
"name": "builtin/wasm",
|
|
"arguments": {
|
|
"protocol": "http",
|
|
"listenerType": "inbound",
|
|
"pluginConfig": {
|
|
"VmConfig": {
|
|
"Code": {
|
|
"Remote": {
|
|
"HttpURI": {
|
|
"Service": {
|
|
"Name": "file-server"
|
|
},
|
|
"URI": "https://file-server/waf.wasm"
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"Configuration": {
|
|
"rules": [
|
|
"Include @demo-conf",
|
|
"Include @crs-setup-demo-conf",
|
|
"SecDebugLogLevel 9",
|
|
"SecRuleEngine On",
|
|
"Include @owasp_crs/*.conf"
|
|
]
|
|
}
|
|
|
|
}
|
|
}
|
|
}]
|
|
}
|
|
```
|
|
|
|
|
|
</CodeBlockConfig>
|
|
</Tab>
|
|
<Tab heading="YAML" group="yaml">
|
|
<CodeBlockConfig filename="wasm-extension-serve-waf.yaml">
|
|
|
|
```yaml
|
|
kind: service-defaults
|
|
name: api
|
|
protocol: http
|
|
envoyExtensions:
|
|
- name: builtin/wasm
|
|
required: true
|
|
arguments:
|
|
protocol: http
|
|
listenerType: inbound
|
|
pluginConfig:
|
|
VmConfig:
|
|
Code:
|
|
Remote:
|
|
HttpURI:
|
|
Service:
|
|
Name: file-server
|
|
URI: https://file-server/waf.wasm
|
|
Configuration:
|
|
rules:
|
|
- Include @demo-conf
|
|
- Include @crs-setup-demo-conf
|
|
- SecDebugLogLevel 9
|
|
- SecRuleEngine On
|
|
- Include @owasp_crs/*.conf
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
</Tab>
|
|
</Tabs>
|
|
|
|
|
|
Refer to the [Wasm extension configuration reference](/consul/docs/connect/proxies/envoy-extensions/configuration/wasm) for details on how to configure the extension.
|
|
|
|
Refer to the [proxy defaults configuration entry reference](/consul/docs/connect/config-entries/proxy-defaults) and [service defaults configuration entry reference](/consul/docs/connect/config-entries/service-defaults) for details on how to define the configuration entries.
|
|
|
|
!> **Warning:** Adding Envoy extensions default proxy configurations may have unintended consequences. We recommend configuring `EnvoyExtensions` in service defaults configuration entries in most cases.
|
|
|
|
## Apply the configuration entry
|
|
|
|
If your network is deployed to virtual machines, use the `consul config write` command and specify the proxy defaults or service defaults configuration entry to apply the configuration. For Kubernetes-orchestrated networks, use the `kubectl apply` command. The following example applies the extension in a proxy defaults configuration entry.
|
|
|
|
<Tabs>
|
|
<Tab heading="HCL" group="hcl">
|
|
|
|
```shell-session
|
|
$ consul config write wasm-extension-serve-waf.hcl
|
|
```
|
|
|
|
</Tab>
|
|
<Tab heading="JSON" group="json">
|
|
|
|
```shell-session
|
|
$ consul config write wasm-extension-serve-waf.json
|
|
```
|
|
|
|
</Tab>
|
|
<Tab heading="Kubernetes" group="kubernetes">
|
|
|
|
```shell-session
|
|
$ kubectl apply wasm-extension-serve-waf.yaml
|
|
```
|
|
|
|
</Tab>
|
|
</Tabs>
|