MoE Series (3)|Using Istio to dynamically update Go extension configuration

In the previous article, we implemented Basic Auth with a Go extension and saw how the extension receives its configuration from Envoy.

This design lets the Go extension reuse Envoy's existing xDS configuration push channel. Today we will try out configuration changes the cloud-native way.

Prerequisites

This time we need a K8s environment. If you don't have one, Kind is a recommended way to set one up. The installation steps are not covered here.

Install Istio

We install the latest version of Istio directly:

    # Download the latest istioctl
    $ export ISTIO_VERSION=1.18.0-alpha.0
    $ curl -L https://istio.io/downloadIstio | sh -

    # Add istioctl to PATH
    $ cd istio-$ISTIO_VERSION/
    $ export PATH=$PATH:$(pwd)/bin

    # Install, including istiod and ingressgateway
    $ istioctl install

That's all. Since the Go extension has been contributed upstream, both Istiod (Pilot) and the Ingress Gateway have the Go extension enabled by default and do not need to be recompiled.

Configure Ingress with Istio

We first use Istio to set up a standard Ingress scenario. For details, please refer to Istio's official document [1].

After the configuration is complete, simply test it:

    $ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/status/200"
    HTTP/1.1 200 OK
    server: istio-envoy
    date: Fri, 10 Mar 2023 15:49:37 GMT

The basic Ingress is already running.

Mount the Golang so file

As we mentioned before, the Go extension is compiled separately into a so file, so we need to mount that so file into the Ingress Gateway.

Here we mount the libgolang.so compiled for Basic Auth last time from a local file. To keep it simple, edit the Ingress Gateway deployment directly and add this configuration:

    # Declare a hostPath volume
    volumes:
    - name: golang-so-basic-auth
      hostPath:
        path: /data/golang-so/example-basic-auth/libgolang.so
        type: File

    # Mount it into the container
    volumeMounts:
    - mountPath: /etc/golang/basic-auth.so
      name: golang-so-basic-auth
      readOnly: true

Enable Basic Auth authentication

Istio provides the EnvoyFilter CRD, which makes it convenient to configure the Go extension through Istio. After applying this configuration, Basic Auth is enabled.

    apiVersion: networking.istio.io/v1alpha3
    kind: EnvoyFilter
    metadata:
      name: golang-filter
      namespace: istio-system
    spec:
      configPatches:
        # Insert the golang filter into the listener's HTTP connection manager, before the router
      - applyTo: HTTP_FILTER
        match:
          context: GATEWAY
          listener:
            filterChain:
              filter:
                name: "envoy.filters.network.http_connection_manager"
                subFilter:
                  name: "envoy.filters.http.router"
        patch:
          operation: INSERT_BEFORE
          value: # golang filter specification
            name: envoy.filters.http.golang
            typed_config:
              "@type": "type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config"
              library_id: example
              library_path: /etc/golang/basic-auth.so
              plugin_name: basic-auth
              plugin_config:
                "@type": "type.googleapis.com/xds.type.v3.TypedStruct"
                type_url: typexx
                value:
                  username: foo
                  password: bar

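Although it is a bit long, it is easy to see that the configured username and password are still foo:bar. Note that they sit in plaintext in the EnvoyFilter resource, so anyone who can read EnvoyFilters in istio-system can read them.

Test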

Let's test it out:

    $ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/status/200"
    HTTP/1.1 401 Unauthorized

    # valid foo:bar
    $ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/status/200" -H 'Authorization: basic Zm9vOmJhcg=='
    HTTP/1.1 200 OK

As expected.

Next, let's change the password in EnvoyFilter, reapply, and test again:

    # foo:bar no longer matches the new password
    $ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/status/200" -H 'Authorization: basic Zm9vOmJhcg=='
    HTTP/1.1 401 Unauthorized

Envoy does not need to be restarted: the new configuration takes effect immediately. The cloud-native experience is that smooth~
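To make the three curl results above concrete, here is a sketch of the check a Basic Auth filter performs against the pushed username and password, using a constant-time comparison. It is an added example, not the plugin code from the previous article; the Config type, the Status function and the replacement password "changed" are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

// Config mirrors the username/password fields of plugin_config (hypothetical type).
type Config struct{ Username, Password string }

// equal compares in constant time; hashing first hides length differences.
func equal(a, b string) bool {
	ha, hb := sha256.Sum256([]byte(a)), sha256.Sum256([]byte(b))
	return subtle.ConstantTimeCompare(ha[:], hb[:]) == 1
}

// Status returns the HTTP status a filter would answer with for a given
// Authorization header value: 200 to continue, 401 to reject.
func Status(c Config, header string) int {
	scheme, payload, ok := strings.Cut(strings.TrimSpace(header), " ")
	if !ok || !strings.EqualFold(scheme, "Basic") {
		return 401
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(payload))
	if err != nil {
		return 401
	}
	user, pass, ok := strings.Cut(string(raw), ":")
	if !ok {
		return 401
	}
	// Evaluate both comparisons so timing does not reveal which field failed.
	u, p := equal(user, c.Username), equal(pass, c.Password)
	if u && p {
		return 200
	}
	return 401
}

func main() {
	hdr := "basic Zm9vOmJhcg==" // foo:bar, as sent by the curl test above
	fmt.Println(Status(Config{"foo", "bar"}, ""))      // 401: no header
	fmt.Println(Status(Config{"foo", "bar"}, hdr))     // 200: original config
	fmt.Println(Status(Config{"foo", "changed"}, hdr)) // 401: constructed new password
}
```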

Summary

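Because the Go extension can use Envoy's existing xDS to receive configuration, pushing configuration from Istio also goes smoothly.

However, the EnvoyFilter CRD provided by Istio is not really that convenient or natural to use. Later we will find a chance to try Envoy Gateway and see what the K8s Gateway API experience is like.

At this point, we have walked through the entire development and usage flow of Envoy Go. In the cloud-native era, where nearly everyone writes Golang, we believe it can handle all kinds of customization needs in gateway scenarios.

In the next article, we will introduce how to use asynchronous goroutines in Go extensions. This means we get to use a full-featured Go language, rather than only a cut-down version as with Go Wasm.

Stay tuned: MoE Series (4)|Asynchronous mode for Go extensions

[1] Istio official documentation:

https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/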

Origin juejin.im/post/7229318315746082872