feat: support dynamic modules #5669
Conversation
Xunzhuo
force-pushed
the
feat-dm-support
branch
2 times, most recently
from
ac887f1 to
3f82e3a
Compare
Signed-off-by: bitliu <[email protected]>
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #5669 +/- ##
==========================================
+ Coverage 65.20% 65.29% +0.08%
==========================================
Files 213 215 +2
Lines 34108 34273 +165
==========================================
+ Hits 22241 22379 +138
- Misses 10521 10541 +20
- Partials 1346 1353 +7 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
|
Some options that I can think of:
|
|
The first approach can solve the same issues for golang filter, so I'm +1 for this. Second one needs some prerequisites for features like golang/dynamic module, use envoyproxy to customize the image before using EEP for dm/go filter |
this experience is not seamless, so maybe lets first document this in docs post v1.4, and then get feedback, and then we can eliminate the need for the EnvoyPatchPolicy with an API field (maybe in EnvoyProxy) in the future |
|
FYI: Dynamic modules require the exact version match (at least for now), so for example, the modules working with Envoy v1.50.0 are not guaranteed to work with v1.51.0 (if the compatibility check fails, then HTTP filter configuration xds request will be rejected). So, coupling Envoy images would be the safest way; either using the Envoy container itself or with init container downloading (with some version argument). I believe the same restriction applies to golang filter. So either way, the life cycle of downloading into Envoy container should match the one of Envoy container itself. that's my 2p |
|
@mathetake Thanks for clarifying how dynamic modules need to match the version of Enovy Proxy. This would be a problem for upgrade - since the ABI version is defined in the abi_version.h, EG can't check if a dynamic module will still be compatible or not after upgrade. Users can only find out after something is broken. Is there a way for EG to detect an incompatibility between Envoy and a dynamic module, and then surfaced that issue in the status of EG resources? |
|
There's no mechanism to check that without actually loading Envoy. Like i suggested, the current best way is to tie the Envoy container with modules as in the examples or EG introduce some module management init container like the container receives the Envoy version and downloads the specific dynamic modules for that version before Envoy running. To be clear, the same problem exists for golang filter already, and nothing specific to dynamic modules. |
|
so i think we can go with this as-is leaving the lifecycle of dynamic modules to users for now, and then we can later add the "managed" installation of remote dynamic modules like in apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
name: envoy-ai-gateway
spec:
dynamic_modules:
- name: mymodule
location:
url_template: https://foo.bar.com/path/to/${ENVOY_VERSION}/libmymodule.so |
|
yah above approach looks good @mathetake, this is maybe hard to predict, but any guesstimate on average and max sizes of the module ? |
shared library is almost the same as normal application binary, so the question would be how large a normal application would be; a few MB at least for Rust and Go, and tens of MB if it contains debug info: |
| // Config is the configuration for the Dynamic Module extension. | ||
| // This configuration will be passed to the Dynamic Module extension. | ||
| // +optional | ||
| Config *apiextensionsv1.JSON `json:"config,omitempty"` |
There was a problem hiding this comment.
i am not sure if we want to force JSON all the time. The rationale behind why the Envoy API is Any is that we don't want to force dynamic modules to pull in dependencies to parse the input. Simply making this to string should work i guess?
For example, let's say i develop a module that allows javascript to run inside envoy to modify headers. Then this config will likely be a javascrip string instead of json
There was a problem hiding this comment.
Related to the comment above, I would make this ExtensionConfig but not that strong preference
| // | ||
| // +kubebuilder:validation:MaxItems=16 | ||
| // +optional | ||
| DynamicModule []DynamicModule `json:"dynamicModule,omitempty"` |
There was a problem hiding this comment.
I guess plural ?
| DynamicModule []DynamicModule `json:"dynamicModule,omitempty"` | |
| DynamicModules []DynamicModule `json:"dynamicModules,omitempty"` |
| // If not specified, EG will generate a unique name for the Dynamic Module extension. | ||
| // | ||
| // +optional | ||
| Name *string `json:"name,omitempty"` |
There was a problem hiding this comment.
i would make it ExtensionName to clarify what is this for. I would also want to add the comments about one module can contain multiple extensions so this name is used to specify one out of many
What type of PR is this?
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #5668
Release Notes: Yes