```
+----------------------+
|      Kubernetes      |
|       Cluster        |
+----------|-----------+
           |
+----------v-----------+
|                      |
|         Pod          |
|                      |
| +------------------+ |
| |      Envoy       | |
| |    with WASM     | |
| |     Filter       | |
| +------------------+ |
| |   Backend App    | |
| +------------------+ |
|                      |
+----------------------+
```

In this diagram we have a Pod running in Kubernetes that contains two containers: Envoy and the backend service. Envoy, together with the WASM filter, runs as a sidecar proxy alongside the backend service and handles traffic forwarding, load balancing, security policy and similar functions. The backend service is the application that actually provides the business functionality.
Write your WASM module containing the Envoy filter logic. Make sure the module implements the filter behaviour you expect, such as authentication or logging. Compile the WASM module and confirm it is compatible with Envoy.
```yaml
filters:
  - name: envoy.filters.http.wasm
    config:
      name: "my_wasm_filter"
      root_id: "my_root_id"
      vm_config:
        code:
          local:
            filename: "/etc/wasm/ip-rate-limit/main.wasm"
        runtime: "envoy.wasm.runtime.v8"
      configuration:
        "@type": "type.googleapis.com/google.protobuf.StringValue"
        value: |
          {
            "ttlSecond": 60,
            "burst": 3
          }
```

Replace my_wasm_filter, my_root_id and /etc/wasm/ip-rate-limit/main.wasm as appropriate for your setup. If your Envoy is deployed in k8s, the file above must be a path inside the Envoy pod; you can mount it by specifying a PV through a PVC (the PV maps to a storage class or persistent storage).
Deploy the updated Envoy configuration to Rancher or k8s.
Monitor Envoy's logs for any errors or warnings about the WASM filter. Make sure Envoy can load and run your WASM module successfully.
Send requests to Envoy and make sure the WASM filter behaves as expected. You can verify the filter's behaviour by reading Envoy's logs, inspecting the returned responses, or using other debugging tools.
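To know what to expect when you send those test requests, it helps to model what the `ttlSecond`/`burst` configuration means for a single client IP. The following is an added example, not code from the original post or from the ip-rate-limit module itself: it parses the same JSON string the filter receives via `configuration.value`, rejects invalid values, and applies a fixed-window limit of `burst` requests per `ttlSecond` per client IP (the window semantics are an assumption about the module, which the post does not show). The `client_ip` helper and the constructed IPs are likewise assumptions.

```python
import json
import time
from dataclasses import dataclass

# Constructed copy of the plugin's `configuration.value` string from the Envoy YAML.
PLUGIN_CONFIG_JSON = '{ "ttlSecond": 60, "burst": 3 }'


@dataclass(frozen=True)
class RateLimitConfig:
    ttl_second: int  # length of the counting window, in seconds
    burst: int       # requests allowed per client IP inside one window


def parse_plugin_config(raw: str) -> RateLimitConfig:
    """Parse and validate the JSON handed to the filter; a bad config must fail
    loudly rather than silently block everyone or nobody."""
    data = json.loads(raw)
    ttl, burst = data.get("ttlSecond"), data.get("burst")
    for name, value in (("ttlSecond", ttl), ("burst", burst)):
        # bool is a subclass of int, so exclude it explicitly
        if not isinstance(value, int) or isinstance(value, bool) or value <= 0:
            raise ValueError(f"{name} must be a positive integer, got {value!r}")
    return RateLimitConfig(ttl_second=ttl, burst=burst)


def client_ip(headers: dict, source_addr: str) -> str:
    """Pick the key to rate-limit on. Only trust X-Forwarded-For when Envoy sits
    behind an Ingress/Higress that sets it; otherwise a client could choose its
    own key. The first hop in the list is the original client."""
    xff = headers.get("x-forwarded-for", "")
    return xff.split(",")[0].strip() if xff else source_addr


class IpRateLimiter:
    """Assumed semantics: at most `burst` requests per `ttl_second` window per IP."""

    def __init__(self, config: RateLimitConfig, clock=time.monotonic):
        self.config = config
        self.clock = clock  # injectable so a test can advance time
        self._windows = {}  # ip -> (window_start, count)

    def allow(self, ip: str) -> bool:
        now = self.clock()
        start, count = self._windows.get(ip, (now, 0))
        if now - start >= self.config.ttl_second:  # window expired, start fresh
            start, count = now, 0
        if count >= self.config.burst:
            self._windows[ip] = (start, count)
            return False  # the filter would answer HTTP 429 here
        self._windows[ip] = (start, count + 1)
        return True
```

With the page's values, the fourth request from one IP inside 60 seconds is rejected while other IPs are unaffected, which is the pattern to look for when verifying the filter.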
envoyproxy/envoy corresponds to port 80
```yaml
admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address: { address: 0.0.0.0, port_value: 9901 }  # Envoy admin port
static_resources:
  listeners:
    - name: listener_0
      address:
        socket_address: { address: 0.0.0.0, port_value: 10000 }  # Envoy listener (routing) port
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                scheme_header_transformation:
                  scheme_to_overwrite: https
                stat_prefix: ingress_http
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: local_service
                      domains: ["*"]
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            cluster: httpbin
                http_filters:
                  - name: wasmdemo
                    typed_config:
                      "@type": type.googleapis.com/udpa.type.v1.TypedStruct
                      type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
                      value:
                        config:
                          name: wasmdemo
                          vm_config:
                            runtime: envoy.wasm.runtime.v8
                            code:
                              local:
                                filename: /etc/wasm/ip-rate-limit/main.wasm
                          configuration:
                            "@type": "type.googleapis.com/google.protobuf.StringValue"
                            value: |
                              {
                                "ttlSecond": 60,
                                "burst": 3
                              }
                  - name: envoy.filters.http.router
  clusters:
    - name: httpbin
      connect_timeout: 30s
      type: LOGICAL_DNS
      # Comment out the following line to test on v6 networks
      dns_lookup_family: V4_ONLY
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: httpbin
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: httpbin_app_service.app_namespace
                      port_value: 8080
```

Finally, expose port 10000 of the Envoy service so that it can be reached from outside the cluster; at that point your WASM filter is active. There are many ways to expose port 10000; the most common and most flexible approach is to proxy it through an Ingress or Alibaba's Higress.