istio: Wasmplugin targetRef not working for istio-ingressgateway
Is this the right place to submit this?
- This is not a security vulnerability or a crashing bug
- This is not a question about how to use Istio
Bug Description
How to reproduce
- Create local cluster
```sh
kind create cluster
```
- Install the Gateway API CRDs
```sh
kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \
  { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v1.0.0" | kubectl apply -f -; }
```
- Install Istio v1.20.0
```sh
curl -sSL https://istio.io/downloadIstio | ISTIO_VERSION=1.20.0 sh
cat <<EOF > ./my-config.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        k8s:
          service:
            type: ClusterIP
EOF
./istio-1.20.0/bin/istioctl install -f my-config.yaml --skip-confirmation
```
- Gateway manual deployment on existing istio-ingressgateway
```sh
kubectl apply -f - <<EOF
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  labels:
    istio: ingressgateway
  name: istio-ingressgateway
  namespace: istio-system
spec:
  gatewayClassName: istio
  listeners:
    - name: default
      port: 80
      protocol: HTTP
      allowedRoutes:
        namespaces:
          from: All
  addresses:
    - value: istio-ingressgateway.istio-system.svc.cluster.local
      type: Hostname
EOF
kubectl wait -n istio-system --for=condition=programmed gateways.gateway.networking.k8s.io istio-ingressgateway
```
- Create WASMPlugin (taken from Kuadrant’s rate limiting wasm module https://github.com/Kuadrant/wasm-shim)
```sh
kubectl apply -f - <<EOF
apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
  name: testing-targetref
  namespace: istio-system
spec:
  phase: STATS
  pluginConfig: {}
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: istio-ingressgateway
  url: oci://quay.io/kuadrant/wasm-shim:latest
EOF
```
The wasm module is never called.
It is interesting to highlight that when I create a Gateway API Gateway resource (automated deployment, which provisions a Service and Deployment), a WasmPlugin targeting that Gateway works as expected.
Expected behavior
The WASM module being called.
When reading gateway’s dynamic listeners
```sh
./istio-1.20.0/bin/istioctl proxy-config listener $(kubectl get pods -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].metadata.name}') -n istio-system -o json | yq -P
```
I expect to see the WASM filter, something like this:
```yaml
- name: istio-system.testing-targetref
  configDiscovery:
    configSource:
      ads: {}
      initialFetchTimeout: 0s
      resourceApiVersion: V3
    typeUrls:
      - type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
      - type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
```
Version
```
❯ ./istio-1.20.0/bin/istioctl version
client version: 1.20.0
control plane version: 1.20.0
data plane version: 1.20.0 (1 proxies)
❯ kubectl version --short
Flag --short has been deprecated, and will be removed in the future. The --short output will become the default.
Client Version: v1.24.1
Kustomize Version: v4.5.4
Server Version: v1.27.3
WARNING: version difference between client (1.24) and server (1.27) exceeds the supported minor version skew of +/-1
```
About this issue
- State: closed
- Created 7 months ago
- Comments: 20 (18 by maintainers)
Ack - yeah if you’ve moved to the auto-deployed kubegateway, then targetRef is preferable. If you’re using a “classic” Istio gateway, then you’ll need workloadSelector. Feel free to reopen if you have more questions
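
The workload-selector form that the comment above points to for a "classic" gateway, shown as an added example that is not part of the original issue and not the maintainers' own manifest. It assumes the gateway pods carry the `istio: ingressgateway` label (the label used in the `kubectl get pods -l istio=ingressgateway` command above); the resource name `testing-selector` is hypothetical.

```yaml
apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
  name: testing-selector        # hypothetical name, not from the issue
  namespace: istio-system
spec:
  phase: STATS
  pluginConfig: {}
  # Replaces the targetRef block from the reproduction steps. The plugin is
  # bound by pod labels rather than by a reference to the Gateway resource.
  selector:
    matchLabels:
      istio: ingressgateway     # assumed to match the operator-installed gateway pods
  url: oci://quay.io/kuadrant/wasm-shim:latest
```

After applying it, the `istioctl proxy-config listener` command from the issue is the check: the filter entry should appear under the name `istio-system.testing-selector`.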