Uploaded image for project: 'OpenShift Service Mesh'
  1. OpenShift Service Mesh
  2. OSSM-3647

WasmPlugin applies also to outbound traffic

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Critical Critical
    • OSSM 2.4.5
    • OSSM 2.4.0
    • Maistra
    • None
    • False
    • None
    • False
    • Release Notes
    • Release Notes
    • Hide
      In SMCP v2.2 (Istio 1.12), WASM plugins were applied only to inbound listeners. Since SMCP v2.3 (Istio 1.14), WASM plugins are applied to inbound and outbound listeners by default. This change introduced regression for users of 3scale WASM plugin, which should be applied only to inbound listeners. As a solution, we added environment variable APPLY_WASM_PLUGINS_TO_INBOUND_ONLY, which allows safe migration from SMCP v2.2 to v2.3 and v.2.4. We recommend to set this variable in SMCP v2.2, then upgrade to v2.4, then set `spec.match[].mode: SERVER` in WasmPlugins, and at the end remove previously added environment variable.
      The following setting should be added to the SMCP config:
      ```
      spec:
        runtime:
          components:
            pilot:
              container:
                env:
                  APPLY_WASM_PLUGINS_TO_INBOUND_ONLY: "true"
      ```
      Show
      In SMCP v2.2 (Istio 1.12), WASM plugins were applied only to inbound listeners. Since SMCP v2.3 (Istio 1.14), WASM plugins are applied to inbound and outbound listeners by default. This change introduced regression for users of 3scale WASM plugin, which should be applied only to inbound listeners. As a solution, we added environment variable APPLY_WASM_PLUGINS_TO_INBOUND_ONLY, which allows safe migration from SMCP v2.2 to v2.3 and v.2.4. We recommend to set this variable in SMCP v2.2, then upgrade to v2.4, then set `spec.match[].mode: SERVER` in WasmPlugins, and at the end remove previously added environment variable. The following setting should be added to the SMCP config: ``` spec:   runtime:     components:       pilot:         container:           env:             APPLY_WASM_PLUGINS_TO_INBOUND_ONLY: "true" ```

      Previously ServiceMeshExtension was applied only to inbound traffic. Its replacement, WasmPlugin, currently applies to both inbound and outbound, which is a huge change.

      It seems to be unintentional as the behaviour was changed (previously, even WasmPlugin was only for inbound) in Istio 1.14, and didn't even make it to the changelog.

      This heavily affects the 3scale WASM Plugin, because it forbids any outgoing requests if they are missing auth.

              jewertow@redhat.com Jacek Ewertowski
              phala@redhat.com Petr Hála (Inactive)
              Votes:
              3 Vote for this issue
              Watchers:
              15 Start watching this issue

                Created:
                Updated:
                Resolved: