feat(envoyextensionpolicy): Implement TLS configuration for WASM code source.#7865

Open

achernev wants to merge 12 commits into envoyproxy:main from achernev:main

Conversation

achernev (Author) commented Jan 5, 2026

What type of PR is this?
This implements an existing API.

What this PR does / why we need it:
This change wires in the existing API for configuring TLS when obtaining WASM code from a remote source. It covers both HTTP and OCI sources, and expands the feature to support ClusterTrustBundles alongside ConfigMaps and Secrets.

The only change under /api is to remove the +notImplementedHide flags from the WasmCodeSourceTLSConfig parts of the configuration.

Which issue(s) this PR fixes:
Fixes #4466.

Release Notes: Yes

achernev (Author) commented Jan 6, 2026

Tested and working with the following (certain elements removed for brevity):

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyExtensionPolicy
spec:
  wasm:
    - name: wasm-image-test
      code:
        type: Image
        image:
          url: registry.example.com/library/wasm-filter:latest
          tls:
            caCertificateRef:
              name: existing-cluster-trust-bundle
              group: ""
              kind: ClusterTrustBundle
```

zhaohuabing (Member) commented Jan 6, 2026

@achernev Thanks for picking this up!

Can we add an e2e test for the https wasm source?
You need to modify the existing test/e2e/testdata/wasm-oci.yaml, and you can find an example of setting TLS for e2e in test/e2e/testdata/jwt-backend-remote-jwks.yaml.

achernev (Author) commented Jan 6, 2026

@zhaohuabing Will do. A couple of questions:

  • What's the best way to run these myself? Is there a Makefile target or something?
  • Should I use the envoyproxy/gateway-static-file-server for serving the WASM?

zhaohuabing (Member) commented Jan 6, 2026

@zhaohuabing Will do. A couple of questions:

  • What's the best way to run these myself? Is there a Makefile target or something?

You should be able to run the WASM e2e test using "E2E_RUN_TEST=WasmHTTPCodeSource make e2e"; it'll create a local kind cluster, install EG, and run the test.

  • Should I use the envoyproxy/gateway-static-file-server for serving the WASM?

Yes, you can modify the existing test:
test/e2e/testdata/wasm-oci.yaml
test/e2e/tests/wasm_http.go

codecov bot commented Jan 6, 2026

Codecov Report

❌ Patch coverage is 78.84615% with 33 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.68%. Comparing base (d88b5b5) to head (c51b97c).
⚠️ Report is 130 commits behind head on main.

Files with missing lines Patch % Lines
internal/provider/kubernetes/controller.go 62.00% 16 Missing and 3 partials ⚠️
internal/provider/kubernetes/predicates.go 72.72% 2 Missing and 1 partial ⚠️
internal/wasm/cache.go 62.50% 2 Missing and 1 partial ⚠️
internal/provider/kubernetes/indexers.go 95.00% 1 Missing and 1 partial ⚠️
internal/wasm/httpfetcher.go 86.66% 1 Missing and 1 partial ⚠️
internal/wasm/imagefetcher.go 81.81% 1 Missing and 1 partial ⚠️
internal/wasm/premissioncache.go 50.00% 1 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7865      +/-   ##
==========================================
+ Coverage   73.65%   73.68%   +0.03%     
==========================================
  Files         237      237              
  Lines       35653    35798     +145     
==========================================
+ Hits        26259    26379     +120     
- Misses       7530     7550      +20     
- Partials     1864     1869       +5     



achernev (Author) commented Jan 7, 2026

@zhaohuabing Added an HTTP TLS e2e test. Had to expand the resource indexer a bit to include objects referenced by the code source configuration, because it was only considering ConfigMaps from the LUA section.
The test uses a ConfigMap as the cert source, but I also tried using a Secret; both work fine. Also ran the full e2e suite, which also ran fine with:

E2E_TIMEOUT=90m ENABLE_CLUSTER_TRUST_BUNDLE=true KIND_NODE_TAG=v1.35.0 NUM_WORKERS=2 make e2e

With regard to the Codecov report: the lines not covered by tests are the fallback to an empty cert pool when x509.SystemCertPool() returns an error. I'm not even sure how to emulate an error when calling x509.SystemCertPool. Ideas? Can we overlook this?
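The caCertificateRef bundle from the EnvoyExtensionPolicy above and the SystemCertPool fallback discussed here, as an added Go example (not Envoy Gateway's code; NewFetcherTLSConfig, selfSignedCAPEM, TrustsCA and the systemCertPool hook are hypothetical names): the system-pool loader sits behind a package variable so a unit test can force the error path that Codecov reports as uncovered.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// Hook around x509.SystemCertPool (an assumption of this example) so a test can force its error path.
var systemCertPool = x509.SystemCertPool

// NewFetcherTLSConfig builds the client TLS config for fetching WASM code over HTTPS; caPEM is the
// bundle resolved from the referenced ConfigMap, Secret or ClusterTrustBundle (empty = system roots only).
func NewFetcherTLSConfig(caPEM []byte) (*tls.Config, error) {
	roots, err := systemCertPool()
	if err != nil {
		roots = x509.NewCertPool() // fallback discussed in the thread: empty pool rather than a hard failure
	}
	if len(caPEM) > 0 && !roots.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("caCertificateRef contains no valid PEM certificate")
	}
	return &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}, nil
}

// selfSignedCAPEM creates a throwaway CA (constructed test data) and returns its PEM and parsed form.
func selfSignedCAPEM() ([]byte, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-wasm-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, err
}

// TrustsCA reports whether cfg's root pool verifies cert; a root present in the pool verifies against itself.
func TrustsCA(cfg *tls.Config, cert *x509.Certificate) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs})
	return err == nil
}
```

Overriding systemCertPool in a test with a function that returns an error exercises the fallback branch without touching the host's trust store.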

achernev (Author) commented Jan 9, 2026

@zhaohuabing Regarding the failing test called TestE2E/WeightedRoute/MixedValidAndInvalid: This one runs for 50 requests, expecting that the result is within +/-3 of 90% of the number of requests, i.e. 50 * 0.9 = 45, lower bound 42, upper bound 48. The test failed because it got 49 successful requests, which is above the upper bound. However, with 50 requests, an offset of 3, and a binomial distribution (200/500), there is always a non-zero chance that the result would be out of bounds (~84% pass rate, 1 in 6 fails). It would be helpful to raise the offset a bit to mitigate (but not eliminate) the chance of failures (offset 5 would mean ~98.4% pass rate, 1 in 60; offset 7 would mean ~99.9% pass rate, 1 in 1000). This actually failed once for me whilst running this exact test on my own machine, and passed the second time.

This is to say nothing of the fact that the logic in AlmostEquals appears to be flipped: it is applying the offset to the actual and not the expect:

```go
func AlmostEquals(actual, expect, offset int) bool {
	upper := actual + offset
	lower := actual - offset
	if expect < lower || expect > upper {
		return false
	}
	return true
}
```

With this run's success number (49), that means that the numbers are: upper = 49 + 3 = 52, lower = 49 - 3 = 46, expect = 50 * 0.9 = 45, 45 < 46 is still a fail, hence the outcome.

I am not sure why the TestE2E/RateLimitMethodMatch/matched_method_can_got_limited test failed.

zhaohuabing (Member) commented:

Hi @achernev No worries. These tests are flaky and they are not related to this PR. I'll review the PR later when I get a moment. Thanks for your patience!

achernev (Author) commented:

@zhaohuabing Apologies for the delay here. I've fixed the test that broke and added a couple more to cover for most of the changes in the indexer.

zhaohuabing (Member) commented:

Overall this looks good. I just left a minor comment.

achernev (Author) commented Jan 22, 2026

I've removed the duplicated function.

zhaohuabing (Member) previously approved these changes Jan 23, 2026 and left a comment:

LGTM thanks!

@zhaohuabing zhaohuabing requested a review from a team January 23, 2026 02:41
achernev (Author) commented:

@zhaohuabing Apologies, missed the lint for the tests.

@zhaohuabing zhaohuabing requested a review from a team January 23, 2026 06:48
achernev (Author) commented:

@zhaohuabing Is that due to a flaky test? Looks like the server side does not come up in time for TestE2E/WasmHTTPCodeSource/http_route_with_http_wasm_source: expected status code to be one of [200], got 503.

zhaohuabing (Member) commented:

@zhaohuabing Is that due to a flaky test? Looks like the server side does not come up in time for TestE2E/WasmHTTPCodeSource/http_route_with_http_wasm_source: expected status code to be one of [200], got 503.

Yes, it's flaky.

zirain (Member) commented Jan 24, 2026

/retest

github-actions bot commented:

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. Please feel free to give a status update now, ping for review, when it's ready. Thank you for your contributions!

@github-actions github-actions bot added the stale label Feb 23, 2026
achernev (Author) commented:

@zhaohuabing I know you have a release cadence and policy but I’m wondering if this will make it into mainline? Thanks!

@github-actions github-actions bot removed the stale label Feb 23, 2026
Successfully merging this pull request may close these issues:

Allow to pull wasm image from insecure registry while using envoy extension policy