Run WebAssembly plug-ins in Envoy proxy
This topic describes how to use the wasm extension, which directs Consul to run your WebAssembly (Wasm) plug-ins for Envoy proxies.
Workflow
You can create Wasm plugins for Envoy and integrate them using the wasm extension. Wasm is a binary instruction format for stack-based virtual machines that has the potential to run anywhere after it has been compiled. Wasm plug-ins run as filters in a service mesh application's sidecar proxy.
The following steps describe the process of integrating Wasm plugins:
- Create your Wasm plugin. You must ensure that your plugin functions as expected. Refer to the WebAssembly website for information and links to documentation.
- Configure an EnvoyExtensions block in a service defaults or proxy defaults configuration entry.
- Apply the configuration entry.
Add the EnvoyExtensions
Add Envoy extension configuration to a proxy defaults or service defaults configuration entry. Place the extension configuration in an EnvoyExtensions block in the configuration entry.
- When you configure Envoy extensions on proxy defaults, they apply to every service.
- When you configure Envoy extensions on service defaults, they apply to a specific service.
Consul applies Envoy extensions configured in proxy defaults before it applies extensions in service defaults. As a result, the Envoy extension configuration in service defaults may override configurations in proxy defaults.
In the following example, the extension uses an upstream service named file-server to serve a Wasm-based web application firewall (WAF).
wasm-extension-serve-waf.hcl

```hcl
Kind     = "service-defaults"
Name     = "api"
Protocol = "http"
EnvoyExtensions = [
  {
    Name = "builtin/wasm"
    Arguments = {
      Protocol     = "http"
      ListenerType = "inbound"
      PluginConfig = {
        VmConfig = {
          Code = {
            Remote = {
              HttpURI = {
                Service = {
                  Name = "file-server"
                }
                URI = "https://file-server/waf.wasm"
              }
              SHA256 = "c9ef17f48dcf0738b912111646de6d30575718ce16c0cbde3e38b21bb1771807"
            }
          }
        }
        Configuration = <<EOF
{
  "rules": [
    "Include @demo-conf",
    "Include @crs-setup-demo-conf",
    "SecDebugLogLevel 9",
    "SecRuleEngine On",
    "Include @owasp_crs/*.conf"
  ]
}
EOF
      }
    }
  }
]
```
wasm-extension-serve-waf.json

```json
{
  "kind": "service-defaults",
  "name": "api",
  "protocol": "http",
  "envoyExtensions": [{
    "name": "builtin/wasm",
    "arguments": {
      "protocol": "http",
      "listenerType": "inbound",
      "pluginConfig": {
        "VmConfig": {
          "Code": {
            "Remote": {
              "HttpURI": {
                "Service": {
                  "Name": "file-server"
                },
                "URI": "https://file-server/waf.wasm"
              },
              "SHA256": "c9ef17f48dcf0738b912111646de6d30575718ce16c0cbde3e38b21bb1771807"
            }
          }
        },
        "Configuration": {
          "rules": [
            "Include @demo-conf",
            "Include @crs-setup-demo-conf",
            "SecDebugLogLevel 9",
            "SecRuleEngine On",
            "Include @owasp_crs/*.conf"
          ]
        }
      }
    }
  }]
}
```
wasm-extension-serve-waf.yaml

```yaml
kind: service-defaults
name: api
protocol: http
envoyExtensions:
  - name: builtin/wasm
    required: true
    arguments:
      protocol: http
      listenerType: inbound
      pluginConfig:
        VmConfig:
          Code:
            Remote:
              HttpURI:
                Service:
                  Name: file-server
                URI: https://file-server/waf.wasm
              # SHA256 pin of the remote module, matching the HCL example
              SHA256: c9ef17f48dcf0738b912111646de6d30575718ce16c0cbde3e38b21bb1771807
        Configuration:
          rules:
            - Include @demo-conf
            - Include @crs-setup-demo-conf
            - SecDebugLogLevel 9
            - SecRuleEngine On
            - Include @owasp_crs/*.conf
```
Refer to the Wasm extension configuration reference for details on how to configure the extension.
Refer to the proxy defaults configuration entry reference and service defaults configuration entry reference for details on how to define the configuration entries.
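Because the proxy fetches waf.wasm from file-server at runtime, the SHA256 pin is what ties the filter Envoy loads to the artifact you reviewed. The following Python check is an added example, not Consul's code or part of this page: it walks a configuration entry in the JSON shape shown above and reports every remote Wasm module whose pin is missing or does not match the bytes you fetched out of band. The entry and the module bytes are constructed samples.

```python
import hashlib

# Wasm binary header: magic "\0asm" followed by version 1.
WASM_MAGIC = b"\x00asm\x01\x00\x00\x00"
WAF_URI = "https://file-server/waf.wasm"
# Constructed stand-in for the module bytes fetched from file-server.
FAKE_MODULE = WASM_MAGIC + b"\x00" * 8
GOOD_PIN = hashlib.sha256(FAKE_MODULE).hexdigest()


def sample_entry(pin):
    """Constructed service-defaults entry; pin=None omits the SHA256 field."""
    remote = {"HttpURI": {"Service": {"Name": "file-server"}, "URI": WAF_URI}}
    if pin is not None:
        remote["SHA256"] = pin
    return {"kind": "service-defaults", "name": "api", "protocol": "http",
            "envoyExtensions": [{"name": "builtin/wasm", "arguments": {
                "protocol": "http", "listenerType": "inbound",
                "pluginConfig": {"VmConfig": {"Code": {"Remote": remote}}}}}]}


def remote_blocks(entry):
    """Yield the Remote block of every builtin/wasm extension in the entry."""
    for ext in entry.get("envoyExtensions", []):
        if ext.get("name") != "builtin/wasm":
            continue
        code = (ext.get("arguments", {}).get("pluginConfig", {})
                .get("VmConfig", {}).get("Code", {}))
        if "Remote" in code:
            yield code["Remote"]


def check_wasm_pins(entry, fetched):
    """Return problems to fix before applying; `fetched` maps URI -> bytes."""
    problems = []
    for remote in remote_blocks(entry):
        uri = remote.get("HttpURI", {}).get("URI", "<no URI>")
        pin = remote.get("SHA256")
        if not pin:
            problems.append(f"{uri}: no SHA256 pin, module would load unverified")
            continue
        blob = fetched.get(uri)
        if blob is None:
            problems.append(f"{uri}: module not fetched, pin cannot be verified")
            continue
        if not blob.startswith(WASM_MAGIC):
            problems.append(f"{uri}: payload is not a Wasm v1 binary")
        digest = hashlib.sha256(blob).hexdigest()
        if digest != pin.lower():
            problems.append(f"{uri}: SHA256 {digest} does not match pin {pin}")
    return problems
```

Run the check against the bytes you actually downloaded, not against a hash copied from the same server that hosts the module.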
Warning: Adding Envoy extensions to proxy defaults configurations may have unintended consequences. We recommend configuring EnvoyExtensions in service defaults configuration entries in most cases.
Apply the configuration entry
If your network is deployed to virtual machines, use the consul config write command and specify the proxy defaults or service defaults configuration entry to apply the configuration. For Kubernetes-orchestrated networks, use the kubectl apply command. The following commands apply the configuration entry from the previous example.

```shell-session
$ consul config write wasm-extension-serve-waf.hcl
$ consul config write wasm-extension-serve-waf.json
$ kubectl apply -f wasm-extension-serve-waf.yaml
```