Envoy is an open source service proxy especially designed for cloud native applications. It has a wide variety of features like connection pooling, retry mechanism, TLS management, compression, health checking, fault injection, rate limiting, authorization etc. Those are achieved with built-in http filters. And today I will talk about a special filter which name is WASM Filter.
This article is not meant for explaining what is WASM, so I am skipping explaining WASM instead I will add resources for that at the end of the article.
Why We Use WASM Filter
In Trendyol Tech. We are using Istio as a service mesh. And our team’s (DevX) responsibility is improving developer experience by developing applications which meets common requirements of microservice’s like caching, authorization, rate limiting, cross cluster service discovery etc.
Since we already use Istio why not take advantages of the power of Envoy Proxy’s extensibility.
Our use case is acquiring JWT token for microservice’s which identifies that microservice application. When we want to avoid every team to write the same code in different languages, we can create a WASM Filter and inject it into Envoy Proxies.
Advantages of WASM Filters:
It allows to write code in any language which has WASM support
Dynamically load code to Envoy
WASM code is isolated from Envoy so crashes in WASM not affect Envoy
In Envoy Proxy there are worker threads that handles incoming requests. Every worker thread has its own WASM VM. So if you write time based operational code it works separately for every thread.
In Envoy Proxy every worker thread isolated from each other and has one or multiple WASM VM. There is also a concept called WASM Service for inter thread communications and data sharing (we are not cover this).
Our use case is very simple so we write a code which sends request to JWT Api for every 15 second. It extracts authorization header and sets it’s value to a global variable and puts that value to response header of every incoming request. We also set “hello from wasm” value to another header called “x-wasm-filter“.
In the OnTick function we are making http call to a service known by Envoy as cluster.
Now we need to configure Envoy Proxy to use WASM Filter for incoming requests. We will define a routing rule and a WASM filter for our WASM code, also we define a cluster which represents our service.
I put all of the files into same directory. Now let’s run Envoy Proxy in Docker:
As we can see from logs our WASM Filter started to work and sending request to JWT Api in every 15 secon
Now let’s send a request to Envoy Proxy. We configure Envoy to listen incoming requests from 1000 port and we start our container with port mapping. So we can send request to localhost:10000:
In the response headers we can see “x-wasm-filter: hello from wasm” and “x-auth” values.
Thank you for reading so far. I hope it will give you a perspective about how and why use WASM in Envoy Proxy.
WebAssembly is a type of code that can be run in modern web browsers — it is a low-level assembly-like language with a compact binary format that runs with near-native performance and provides languages such as C/C++, C# and Rust with a compilation target so that they can run on the web. It is also designed to run alongside JavaScript, allowing both to work together.
The Go SDK for
Proxy-Wasm, enabling developers to write Proxy-Wasm plugins in Go
This SDK is powered by TinyGo and does not support the official Go compiler.
Getting Started
examples directory contains the example codes on top of this SDK.
OVERVIEW.md the overview of Proxy-Wasm, the API of this SDK, and the things you should know when writing plugins.
Requirements
TinyGo - This SDK depends on TinyGo and leverages its WASI (WebAssembly System Interface) target. Please follow the official instruction here for installing TinyGo.
Envoy - To run compiled examples, you need to have Envoy binary. We recommend using func-e as the easiest way to get started with Envoy. Alternatively, you can follow the official instruction.
Dealing with memory issues
TinyGo's default memory allocator (Garbage Collector) is known to have some issues when it's used in the high workload environment (e.g. 1…