diff --git a/Makefile b/Makefile
index e7944622..e8c3fe88 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,10 @@ SHELL := /bin/bash
 MKFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST)))
 PROJECT_PATH := $(patsubst %/,%,$(dir $(MKFILE_PATH)))
-WASM_RELEASE_PATH = $(PROJECT_PATH)/target/wasm32-unknown-unknown/release/wasm_shim.wasm
+BUILD ?= debug
+
+WASM_RELEASE_BIN = $(PROJECT_PATH)/target/wasm32-unknown-unknown/$(BUILD)/wasm_shim.wasm
+WASM_RELEASE_PATH = $(dir $(WASM_RELEASE_BIN))
 PROTOC_BIN=$(PROJECT_PATH)/bin/protoc
 PROTOC_VERSION=21.1
@@ -18,7 +21,6 @@ $(PROTOC_BIN):
 $(call get-protoc,$(PROJECT_PATH),https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-$(PROTOC_VERSION)-$(PROTOC_OS).zip)
 # builds the module and move to deploy folder
-build: export BUILD?=debug
 build: $(PROTOC_BIN)
 @echo "Building the wasm filter"
 ifeq ($(BUILD), release)
@@ -56,15 +58,8 @@ update-protobufs:
 RUST_SOURCES := $(shell find $(PROJECT_PATH)/src -name '*.rs')
-$(WASM_RELEASE_PATH): export BUILD = release
-$(WASM_RELEASE_PATH): $(RUST_SOURCES)
- make -C $(PROJECT_PATH) -f $(MKFILE_PATH) build
-
-development: $(WASM_RELEASE_PATH)
- docker compose up
-
-stop-development:
- docker compose down
+$(WASM_RELEASE_BIN): $(RUST_SOURCES)
+ make -C $(PROJECT_PATH) -f $(MKFILE_PATH) build BUILD=$(BUILD)
 # get-protoc will download zip from $2 and install it to $1.
 define get-protoc
diff --git a/README.md b/README.md
index 9ab09747..12aa1395 100644
--- a/README.md
+++ b/README.md
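Review bot: `BUILD` is interpolated into `WASM_RELEASE_BIN` with no validation, so an empty or misspelled value (for example `BUILD=relase`) fails the `ifeq ($(BUILD), release)` test shown in the next hunk and also yields an artifact path that presumably never gets built. A guard placed right after `BUILD ?= debug` would fail fast: `ifeq ($(filter $(BUILD),debug release),)`, `$(error BUILD must be debug or release)`, `endif`. It is also worth a comment that `WASM_RELEASE_PATH` now holds a directory with a trailing slash (from `$(dir ...)`) instead of the .wasm file, and that both `WASM_RELEASE_*` names default to the debug artifact, which is easy to misread when deciding what gets loaded into the proxy.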
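Review bot: The `$(WASM_RELEASE_BIN)` recipe in the third Makefile hunk invokes a literal `make`, which does not participate in the jobserver or honour `-n`, and may resolve to a different make binary than the one running; `$(MAKE) -C $(PROJECT_PATH) -f $(MKFILE_PATH) build BUILD=$(BUILD)` keeps the parent's flags. The rule's only prerequisites are the `*.rs` files collected in `RUST_SOURCES`, so a change to the Cargo manifest or lockfile (a dependency security bump, say) would not mark the binary stale and an outdated module could be deployed; listing those files as prerequisites closes that gap. Whether `build` actually leaves its output at `$(WASM_RELEASE_BIN)` is not visible in this hunk.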
@@ -240,80 +240,6 @@ Stop and clean up resources:
 make local-cleanup
 ```
-## Running local development environment (docker-compose legacy)
-
-`docker` and `docker-compose` required.
-
-Run local development environment
-
-```
-make development
-```
-
-Three rate limit policies defined for e2e testing:
-
-* `rlp-a`: Only one data item. Data selector should not generate return any value. Thus, descriptor should be empty and
- rate limiting service should **not** be called.
-
-```
-curl -H "Host: test.a.com" http://127.0.0.1:18000/get
-```
-
-* `rlp-b`: Conditions do not match. Hence, rate limiting service should **not** be called.
-
-```
-curl -H "Host: test.b.com" http://127.0.0.1:18000/get
-```
-
-* `rlp-c`: Four descriptors from multiple rules should be generated. Hence, rate limiting service should be called.
-
-```
-curl -H "Host: test.c.com" -H "x-forwarded-for: 127.0.0.1" -H "My-Custom-Header-01: my-custom-header-value-01" -H "x-dyn-user-id: bob" http://127.0.0.1:18000/get
-```
-
-The expected descriptors:
-
-```
-RateLimitDescriptor { entries: [Entry { key: "limit_to_be_activated", value: "1" }], limit: None }
-```
-
-```
-RateLimitDescriptor { entries: [Entry { key: "source.address", value: "127.0.0.1:0" }], limit: None }
-```
-
-```
-RateLimitDescriptor { entries: [Entry { key: "request.headers.My-Custom-Header-01", value: "my-custom-header-value-01" }], limit: None }
-```
-
-```
-RateLimitDescriptor { entries: [Entry { key: "user_id", value: "bob" }], limit: None }
-```
-
-**Note:**
-Using [Header-To-Metadata filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/header_to_metadata_filter#config-http-filters-header-to-metadata), `x-dyn-user-id`
-header value is available in the metadata struct with the `user-id` key.
-
-According to the defined limits:
-
-```yaml
----
-- namespace: rlp-ns-C/rlp-name-C
- max_value: 2
- seconds: 10
- conditions:
- - "limit_to_be_activated == '1'"
- - "user_id == 'bob'"
- variables: [ ]
-```
-
-The third request in less than 10 seconds should return `429 Too Many Requests`.
-
-### Clean up all resources
-
-```
-make stop-development
-```
-
 ## License
 [Apache 2.0 License](LICENSE)
diff --git a/docker-compose.yaml b/docker-compose.yaml
deleted file mode 100644
index e0265d69..00000000
--- a/docker-compose.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
----
-version: '2.2'
-services:
- envoy:
- image: envoyproxy/envoy:v1.20-latest
- depends_on:
- - limitador
- - upstream
- command:
- - /usr/local/bin/envoy
- - --config-path
- - /etc/envoy.yaml
- - --log-level
- - info
- - --component-log-level
- - wasm:debug,http:debug,router:debug
- - --service-cluster
- - proxy
- expose:
- - "80"
- - "8001"
- ports:
- - "18000:80"
- - "18001:8001"
- volumes:
- - ./utils/docker-compose/envoy.yaml:/etc/envoy.yaml
- - ./target/wasm32-unknown-unknown/release/wasm_shim.wasm:/opt/kuadrant/wasm/wasm_shim.wasm
- limitador:
- image: quay.io/kuadrant/limitador:latest
- command: ["limitador-server", "-vvv", "/opt/kuadrant/limits/limits.yaml"]
- expose:
- - "8080"
- - "8081"
- volumes:
- - ./utils/docker-compose/limits.yaml:/opt/kuadrant/limits/limits.yaml
- upstream:
- image: kennethreitz/httpbin
diff --git a/make/deploy.mk b/make/deploy.mk
index 64ba2ed6..1042d0eb 100644
--- a/make/deploy.mk
+++ b/make/deploy.mk
@@ -11,8 +11,7 @@ kind: $(KIND) ## Download kind locally if necessary.
 KIND_CLUSTER_NAME ?= wasm-auth-local
-kind-create-cluster: BUILD?=debug
-kind-create-cluster: WASM_PATH=$(subst /,\/,$(PROJECT_PATH)/target/wasm32-unknown-unknown/$(BUILD))
+kind-create-cluster: WASM_PATH=$(subst /,\/,$(WASM_RELEASE_PATH))
 kind-create-cluster: kind ## Create the "wasm-auth-local" kind cluster.
 @{ \
 TEMP_FILE=/tmp/kind-cluster-$$(openssl rand -hex 4).yaml ;\
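Review bot: `WASM_RELEASE_PATH` is produced by `$(dir ...)`, so `WASM_PATH` now ends in an escaped trailing slash where the old expression had none; whatever consumes it later in the recipe (outside this hunk, presumably a `sed` substitution into the kind config) should be checked for a doubled slash or a changed mount path. Wrapping the value as `$(subst /,\/,$(patsubst %/,%,$(WASM_RELEASE_PATH)))` would keep the previous shape. The `subst` escapes only `/`, so a checkout path containing `&` or `\` would still be interpreted by the consumer; a one-line comment stating that assumption would help. Separately, the unchanged context line builds `TEMP_FILE` from a guessable name under `/tmp`, and `mktemp` would avoid writing through a pre-created file on a shared host.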
@@ -66,7 +65,7 @@ deploy-authorino: certs sed ## Deploys an instance of Authorino into the Kuberne
 ##@ Limitador
 deploy-limitador:
- kubectl create configmap limits --from-file=$(PROJECT_PATH)/utils/docker-compose/limits.yaml
+ kubectl create configmap limits --from-file=$(PROJECT_PATH)/utils/deploy/limits.yaml
 kubectl -n $(NAMESPACE) apply -f $(PROJECT_PATH)/utils/deploy/limitador.yaml
@@ -98,7 +97,7 @@ local-setup: local-env-setup
 echo "After that, you can curl -H \"Host: myhost.com\" localhost:8000"; \
 }
-local-env-setup:
+local-env-setup: $(WASM_RELEASE_BIN)
 $(MAKE) kind-delete-cluster
 $(MAKE) kind-create-cluster
 $(MAKE) install-authorino-operator
diff --git a/utils/docker-compose/limits.yaml b/utils/deploy/limits.yaml
similarity index 100%
rename from utils/docker-compose/limits.yaml
rename to utils/deploy/limits.yaml
diff --git a/utils/docker-compose/envoy.yaml b/utils/docker-compose/envoy.yaml
deleted file mode 100644
index e2b8b25d..00000000
--- a/utils/docker-compose/envoy.yaml
+++ /dev/null
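Review bot: The `kubectl create configmap limits` line in `deploy-limitador` carries no `-n $(NAMESPACE)`, while the `apply` on the following line does, so unless the current context already defaults to that namespace the ConfigMap lands elsewhere and the rate-limit definitions may not be the ones Limitador loads. Since the line is being edited anyway, `kubectl -n $(NAMESPACE) create configmap limits --from-file=$(PROJECT_PATH)/utils/deploy/limits.yaml` would keep both objects together. `create` also fails on a second run when the ConfigMap already exists, which deserves a comment if the target is meant to be re-runnable.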
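Review bot: The prerequisite `$(WASM_RELEASE_BIN)` on `local-env-setup` is expanded when make/deploy.mk is read, so it is only non-empty if the top-level Makefile defines the variable before its `include`; that line is not visible here, and an empty expansion would silently skip the build and leave a stale or missing module for the cluster. A help comment in the style of the neighbouring targets would document the new build step, for example `local-env-setup: $(WASM_RELEASE_BIN) ## Build the wasm module, then recreate the local kind environment`. The recipe continues past the end of the hunk.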
@@ -1,267 +0,0 @@
----
-static_resources:
- listeners:
- - name: main
- address:
- socket_address:
- address: 0.0.0.0
- port_value: 80
- filter_chains:
- - filters:
- - name: envoy.filters.network.http_connection_manager
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
- stat_prefix: ingress_http
- route_config:
- name: local_route
- virtual_hosts:
- - name: local_service
- domains:
- - "*"
- routes:
- - match:
- prefix: "/"
- route:
- cluster: upstream
- http_filters:
- - name: envoy.filters.http.header_to_metadata
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.header_to_metadata.v3.Config
- request_rules:
- - header: x-dyn-user-id
- on_header_present:
- key: user_id
- type: STRING
- remove: false
- - name: envoy.filters.http.wasm
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
- config:
- name: kuadrant_wasm
- root_id: kuadrant_wasm
- vm_config:
- vm_id: vm.sentinel.kuadrant_wasm
- runtime: envoy.wasm.runtime.v8
- code:
- local:
- filename: /opt/kuadrant/wasm/wasm_shim.wasm
- allow_precompiled: true
- configuration:
- "@type": "type.googleapis.com/google.protobuf.StringValue"
- value: >
- {
- "failureMode": "deny",
- "rateLimitPolicies": [
- {
- "name": "rlp-ns-A/rlp-name-A",
- "domain": "rlp-ns-A/rlp-name-A",
- "service": "limitador",
- "hostnames": ["*.a.com"],
- "rules": [
- {
- "data": [
- {
- "selector": {
- "selector": "unknown.path"
- }
- }
- ]
- }
- ]
- },
- {
- "name": "rlp-ns-B/rlp-name-B",
- "domain": "rlp-ns-B/rlp-name-B",
- "service": "limitador",
- "hostnames": ["*.b.com"],
- "rules": [
- {
- "conditions": [
- {
- "allOf": [
- {
- "selector": "request.url_path",
- "operator": "startswith",
- "value": "/unknown-path"
- }
- ]
- }
- ],
- "data": [
- {
- "static": {
- "key": "rlp-ns-B/rlp-name-B/limit-not-to-be-activated",
- "value": "1"
- }
- }
- ]
- }
- ]
- },
- {
- "name": "rlp-ns-C/rlp-name-C",
- "domain": "rlp-ns-C/rlp-name-C",
- "service": "limitador",
- "hostnames": ["*.c.com"],
- "rules": [
- {
- "conditions": [
- {
- "allOf": [
- {
- "selector": "request.url_path",
- "operator": "startswith",
- "value": "/get"
- },
- {
- "selector": "request.host",
- "operator": "eq",
- "value": "test.c.com"
- },
- {
- "selector": "request.method",
- "operator": "eq",
- "value": "GET"
- }
- ]
- }
- ],
- "data": [
- {
- "static": {
- "key": "limit_to_be_activated",
- "value": "1"
- }
- }
- ]
- },
- {
- "conditions": [
- {
- "allOf": [
- {
- "selector": "request.url_path",
- "operator": "startswith",
- "value": "/get"
- },
- {
- "selector": "request.host",
- "operator": "eq",
- "value": "test.c.com"
- },
- {
- "selector": "request.method",
- "operator": "eq",
- "value": "GET"
- }
- ]
- }
- ],
- "data": [
- {
- "selector": {
- "selector": "source.address"
- }
- }
- ]
- },
- {
- "conditions": [
- {
- "allOf": [
- {
- "selector": "request.url_path",
- "operator": "startswith",
- "value": "/get"
- },
- {
- "selector": "request.host",
- "operator": "eq",
- "value": "test.c.com"
- },
- {
- "selector": "request.method",
- "operator": "eq",
- "value": "GET"
- }
- ]
- }
- ],
- "data": [
- {
- "selector": {
- "selector": "request.headers.My-Custom-Header-01"
- }
- }
- ]
- },
- {
- "conditions": [
- {
- "allOf": [
- {
- "selector": "request.url_path",
- "operator": "startswith",
- "value": "/get"
- },
- {
- "selector": "request.host",
- "operator": "eq",
- "value": "test.c.com"
- },
- {
- "selector": "request.method",
- "operator": "eq",
- "value": "GET"
- }
- ]
- }
- ],
- "data": [
- {
- "selector": {
- "selector": "metadata.filter_metadata.envoy\\.filters\\.http\\.header_to_metadata.user_id",
- "key": "user_id"
- }
- }
- ]
- }
- ]
- }
- ]
- }
- - name: envoy.filters.http.router
- clusters:
- - name: upstream
- connect_timeout: 0.25s
- type: STRICT_DNS
- lb_policy: round_robin
- load_assignment:
- cluster_name: upstream
- endpoints:
- - lb_endpoints:
- - endpoint:
- address:
- socket_address:
- address: upstream
- port_value: 80
- - name: limitador
- connect_timeout: 0.25s
- type: STRICT_DNS
- lb_policy: round_robin
- http2_protocol_options: {}
- load_assignment:
- cluster_name: limitador
- endpoints:
- - lb_endpoints:
- - endpoint:
- address:
- socket_address:
- address: limitador
- port_value: 8081
-admin:
- access_log_path: "/dev/null"
- address:
- socket_address:
- address: 0.0.0.0
- port_value: 8001