OpenShift Service Mesh / OSSM-3647

WasmPlugin applies also to outbound traffic

Details

    • Bug
    • Resolution: Done-Errata
    • Critical
    • OSSM 2.4.5
    • OSSM 2.4.0
    • Customer Impact, Maistra
    • None
    • False
    • None
    • False
    • Release Notes
    • Release Notes
      In SMCP v2.2 (Istio 1.12), WASM plugins were applied only to inbound listeners. Since SMCP v2.3 (Istio 1.14), WASM plugins are applied to inbound and outbound listeners by default. This change introduced a regression for users of the 3scale WASM plugin, which should be applied only to inbound listeners. As a solution, we added the environment variable APPLY_WASM_PLUGINS_TO_INBOUND_ONLY, which allows safe migration from SMCP v2.2 to v2.3 and v2.4. We recommend setting this variable in SMCP v2.2, then upgrading to v2.4, then setting `spec.match[].mode: SERVER` in WasmPlugins, and finally removing the previously added environment variable.
      The following setting should be added to the SMCP config:
      ```
      spec:
        runtime:
          components:
            pilot:
              container:
                env:
                  APPLY_WASM_PLUGINS_TO_INBOUND_ONLY: "true"
      ```
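
A pre-flight check for the last migration step, as an added example that is not part of the original issue or of OSSM: it audits WasmPlugin objects and reports any that could still attach to outbound listeners once APPLY_WASM_PLUGINS_TO_INBOUND_ONLY is removed. It assumes input in the shape of `oc get wasmplugins -A -o json` and upstream Istio semantics (a missing `match` or an unset `mode` covers both directions); the function names and sample objects are constructed for illustration.

```python
import json

# Constructed sample in the shape of `oc get wasmplugins -A -o json`;
# names, namespaces and the image URL are placeholders.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "bookinfo", "name": "threescale-auth"},
  "spec": {"url": "oci://registry.example/threescale-wasm:placeholder",
           "match": [{"mode": "SERVER"}]}},
 {"metadata": {"namespace": "bookinfo", "name": "no-match"},
  "spec": {"url": "oci://registry.example/threescale-wasm:placeholder"}},
 {"metadata": {"namespace": "shop", "name": "mixed"},
  "spec": {"match": [{"mode": "SERVER"}, {"ports": [{"number": 8080}]}]}},
 {"metadata": {"namespace": "shop", "name": "client-side"},
  "spec": {"match": [{"mode": "CLIENT_AND_SERVER"}]}}
]}
""")

INBOUND_ONLY = "SERVER"

def outbound_reasons(plugin):
    """Return reasons why this WasmPlugin can still attach to outbound listeners."""
    selectors = plugin.get("spec", {}).get("match") or []
    if not selectors:
        return ["no spec.match: applies to all traffic"]
    reasons = []
    for i, sel in enumerate(selectors):
        # Assumption (upstream Istio): an omitted mode is UNDEFINED,
        # which is treated as CLIENT_AND_SERVER.
        mode = sel.get("mode", "UNDEFINED")
        if mode != INBOUND_ONLY:
            reasons.append(f"spec.match[{i}].mode is {mode}")
    return reasons

def audit(plugin_list):
    """Map 'namespace/name' -> reasons for every plugin that is not inbound-only."""
    findings = {}
    for plugin in plugin_list.get("items", []):
        meta = plugin.get("metadata", {})
        reasons = outbound_reasons(plugin)
        if reasons:
            findings[f"{meta.get('namespace')}/{meta.get('name')}"] = reasons
    return findings

def safe_to_remove_env_var(plugin_list):
    """True only when every WasmPlugin is restricted to inbound (SERVER) traffic."""
    return not audit(plugin_list)

if __name__ == "__main__":
    for key, reasons in audit(SAMPLE).items():
        print(key, "->", "; ".join(reasons))
```

An empty result from `audit` means every plugin is pinned to inbound traffic; any entry it returns should be fixed before the environment variable is removed.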

    Description

      Previously ServiceMeshExtension was applied only to inbound traffic. Its replacement, WasmPlugin, currently applies to both inbound and outbound, which is a huge change.

      It seems to be unintentional as the behaviour was changed (previously, even WasmPlugin was only for inbound) in Istio 1.14, and didn't even make it to the changelog.

      This heavily affects the 3scale WASM Plugin, because it forbids any outgoing requests if they are missing auth.

          People

            jewertow@redhat.com Jacek Ewertowski
            phala@redhat.com Petr Hála