  1. Red Hat 3scale API Management
  2. THREESCALE-11855

Configuring a WASMPlugin as described in the documentation does not work


    • Bug
    • Resolution: Unresolved
    • Major
    • 2.14.0 GA
    • Istio Integration
    • Important

      Customer and I followed the documentation, but no traffic seems to be sent to 3scale for validation.

      This is what I have configured, and what I get in the logs.

      3scale deployed correctly:

      ❯ oc -n 3scale-apigateway get pods
      NAME                                     READY   STATUS      RESTARTS      AGE
      apicast-production-68fb5cd8f-wmb4h       1/1     Running     4             6d5h
      apicast-staging-6c97cf4848-k8467         1/1     Running     4             6d5h
      backend-cron-5cb8847455-5tw56            1/1     Running     4             6d5h
      backend-listener-657d955cfc-5rflw        1/1     Running     4             6d5h
      backend-redis-767bc7768c-tmp8h           1/1     Running     2             4d7h
      backend-worker-6496c4979c-7jvfm          1/1     Running     4             6d5h
      sleep-57b97966d7-gncmh                   1/1     Running     4             6d2h
      system-app-84bcb54b7f-r69hp              3/3     Running     60 (8h ago)   6d5h
      system-app-post-pp2jp                    0/1     Completed   0             6d5h
      system-app-pre-xjzzh                     0/1     Completed   0             6d5h
      system-memcache-5458bd78cb-xdqxw         1/1     Running     4             6d5h
      system-mysql-698955cc58-h8859            1/1     Running     4             6d5h
      system-redis-65966486d9-sdtwn            1/1     Running     4             6d5h
      system-searchd-54d9c745dc-x4d2n          1/1     Running     4             6d5h
      system-searchd-manticore-reindex-8l6gz   0/1     Completed   0             6d5h
      system-searchd-manticore-reindex-ct4jz   0/1     Error       0             6d5h
      system-sidekiq-76df4cb69c-2d6z6          1/1     Running     4             6d5h
      zync-66d7df886b-sl4nh                    1/1     Running     5             6d5h
      zync-database-684484f67f-8wgff           1/1     Running     2             4d7h
      zync-que-564694dc65-wzvkh                1/1     Running     15            6d5h
      
      ❯ oc -n 3scale-apigateway get routes
      NAME                         HOST/PORT                                               PATH   SERVICES             PORT      TERMINATION     WILDCARD
      backend                      backend-3scale.apps.ocp417.ocptest.lan                         backend-listener     http      edge/Allow      None
      zync-3scale-api-c4tv5        api-3scale-apicast-production.apps.ocp417.ocptest.lan          apicast-production   gateway   edge/Redirect   None
      zync-3scale-api-jsmch        api-3scale-apicast-staging.apps.ocp417.ocptest.lan             apicast-staging      gateway   edge/Redirect   None
      zync-3scale-master-qld84     master.apps.ocp417.ocptest.lan                                 system-master        http      edge/Redirect   None
      zync-3scale-provider-h7p57   3scale.apps.ocp417.ocptest.lan                                 system-developer     http      edge/Redirect   None
      zync-3scale-provider-nbxkb   3scale-admin.apps.ocp417.ocptest.lan                           system-provider      http      edge/Redirect   None
      
       

      Then I created a product (testproduct), an application (testapp), an application plan (testappplan), a token (testtoken), and the secret that contains my pullsecret, and I tested that I could access it correctly:

      ❯ curl -k "https://testproduct-3scale-apicast-staging.apps.ocp417.ocptest.lan:443/?user_key=a2e5dea6dba64dfdb21954ec5516240d"
      {
        "method": "GET",
        "path": "/",
        "args": "user_key=a2e5dea6dba64dfdb21954ec5516240d",
        "body": "",
        "headers": {
          "HTTP_VERSION": "HTTP/1.1",
          "HTTP_HOST": "echo-api.3scale.net",
          "HTTP_X_REAL_IP": "10.129.2.2",
          "HTTP_X_3SCALE_PROXY_SECRET_TOKEN": "Shared_secret_sent_from_proxy_to_API_backend_868a9d1817af1859",
          "HTTP_USER_AGENT": "curl/8.7.1",
          "HTTP_ACCEPT": "*/*",
          "HTTP_X_FORWARDED_HOST": "testproduct-3scale-apicast-staging.apps.ocp417.ocptest.lan",
          "HTTP_X_FORWARDED_PORT": "443",
          "HTTP_X_FORWARDED_PROTO": "https",
          "HTTP_FORWARDED": "for=192.168.123.253;host=testproduct-3scale-apicast-staging.apps.ocp417.ocptest.lan;proto=https",
          "HTTP_X_FORWARDED_FOR": "192.168.123.253,88.7.42.87",
          "HTTP_X_ENVOY_EXTERNAL_ADDRESS": "88.7.42.87",
          "HTTP_X_REQUEST_ID": "1d397c5c-75d7-4f39-befe-1cbfce7fa6f7",
          "HTTP_X_ENVOY_EXPECTED_RQ_TIMEOUT_MS": "15000"
        },
        "uuid": "8e47a6fa-177c-456e-8800-7aa575ea0a59"
      } 

       Next I changed the product settings to Istio so that it matches the documentation.

       Then I deployed my test application (httpbin) and verified that I can access it both from outside the OpenShift cluster and from a pod in the same namespace.

       

      I created the ServiceEntries and DestinationRules:

      apiVersion: networking.istio.io/v1beta1
      kind: ServiceEntry
      metadata:
        name: se-3scale-system
      spec:
        hosts:
        - 3scale-admin.apps.ocp417.ocptest.lan
        ports:
        - number: 443
          name: https
          protocol: HTTPS
        location: MESH_EXTERNAL
        resolution: DNS
      ---
      apiVersion: networking.istio.io/v1beta1
      kind: ServiceEntry
      metadata:
        name: se-3scale-backend
      spec:
        hosts:
        - backend-3scale.apps.ocp417.ocptest.lan
        ports:
        - number: 443
          name: https
          protocol: HTTPS
        location: MESH_EXTERNAL
        resolution: DNS
      ---
      apiVersion: networking.istio.io/v1beta1
      kind: DestinationRule
      metadata:
        name: dr-3scale-system
      spec:
        host:  3scale-admin.apps.ocp417.ocptest.lan
        trafficPolicy:
          tls:
            mode: SIMPLE
            sni: 3scale-admin.apps.ocp417.ocptest.lan
      ---
      apiVersion: networking.istio.io/v1beta1
      kind: DestinationRule
      metadata:
        name: dr-3scale-backend
      spec:
        host:  backend-3scale.apps.ocp417.ocptest.lan
        trafficPolicy:
          tls:
            mode: SIMPLE
            sni: backend-3scale.apps.ocp417.ocptest.lan 

      I believe this matches the values defined in the documentation.

      Next I created the wasmplugin object:

      apiVersion: extensions.istio.io/v1alpha1
      kind: WasmPlugin
      metadata:
        name: wasm-docs
      spec:
        url: oci://registry.redhat.io/3scale-amp2/3scale-auth-wasm-rhel8:0.0.3
        imagePullSecret: wasm-pull-secret
        phase: AUTHZ
        priority: 100
        match:
         - mode: CLIENT
        selector:
          matchLabels:
            app: httpbin
        pluginConfig:
          api: v1
          system:
            name: system
            upstream:
              name: outbound|443||3scale-admin.apps.ocp417.ocptest.lan
              url: https://3scale-admin.apps.ocp417.ocptest.lan
              timeout: 5000
            token: 2d9a42d384238385c9cf2622791927ddaae5bf13bb2acf25d56112dfb1ea2596
          backend:
            name: backend
            upstream:
              name: outbound|443||backend-3scale.apps.ocp417.ocptest.lan
              url: https://backend-3scale.apps.ocp417.ocptest.lan
              timeout: 5000
            extensions:
            - no_body
          services:
          - id: '3'
            authorities:
            - "*"
            credentials:
              user_key:
                - query_string:
                    keys:
                      - user_key
                - header:
                    keys:
                      - user_key 

      Upon creation of the wasmplugin object, the logs in the istio-proxy container of the httpbin pod show the following:

       

      2025-05-26T14:46:40.463965Z     info    wasm    fetching image 3scale-amp2/3scale-auth-wasm-rhel8 from registry registry.redhat.io with tag 0.0.3
      2025-05-26T14:46:43.193700Z     warning envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1174 wasm log:  (root/1)  781290295: on_vm_start: empty VM config    thread=14
      2025-05-26T14:46:43.204929Z     warning envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1174 wasm log:  (root/1) 3167592217: on_vm_start: empty VM config    thread=14
      2025-05-26T14:46:43.205209Z     warning envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1174 wasm log:  (root/1) 1798701385: on_vm_start: empty VM config    thread=23
      2025-05-26T14:46:43.206363Z     warning envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1174 wasm log:  (root/1) 2434919839: on_vm_start: empty VM config    thread=22 

      And when I try to access my application, I don't get a 403 error as the documentation describes; however, the traffic is served correctly:

      ❯ curl httpbin.ocptest.lan/status/418    
      
      -=[ teapot ]=-
             _...._
           .'  _ _ `.
          | ."` ^ `". _,
          \_;`"---"`|//
            |       ;/
            \_     _/
              `"""`
       

      Is there any step missing?

      How can we check that the istio-proxy is actually sending the requests to the 3scale backend?

              bgallagh@redhat.com Brian Gallagher
              rhn-support-asolanas Alexis Solanas
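
A consistency check for the resources in this report, as an added example that is not part of the original issue or of the 3scale project: it verifies that each `pluginConfig` upstream name follows Istio's outbound cluster naming (`outbound|<port>|<subset>|<host>`) and lines up with a ServiceEntry port and a TLS-originating DestinationRule. The dicts are constructed input transcribed from the YAML above, `check_upstreams` is a hypothetical helper, and expecting TLS mode SIMPLE for https upstreams is an assumption taken from the report's DestinationRules.

```python
from urllib.parse import urlsplit

# Constructed sample input: the relevant fields of the resources in the report,
# transcribed as Python dicts so the check runs offline without a YAML parser.
SERVICE_ENTRIES = {  # host -> ports declared by a ServiceEntry
    "3scale-admin.apps.ocp417.ocptest.lan": {443},
    "backend-3scale.apps.ocp417.ocptest.lan": {443},
}
DESTINATION_RULES = {  # host -> (tls mode, sni)
    "3scale-admin.apps.ocp417.ocptest.lan": ("SIMPLE", "3scale-admin.apps.ocp417.ocptest.lan"),
    "backend-3scale.apps.ocp417.ocptest.lan": ("SIMPLE", "backend-3scale.apps.ocp417.ocptest.lan"),
}
PLUGIN_CONFIG = {
    "system": {"upstream": {"name": "outbound|443||3scale-admin.apps.ocp417.ocptest.lan",
                            "url": "https://3scale-admin.apps.ocp417.ocptest.lan"}},
    "backend": {"upstream": {"name": "outbound|443||backend-3scale.apps.ocp417.ocptest.lan",
                             "url": "https://backend-3scale.apps.ocp417.ocptest.lan"}},
}


def check_upstreams(plugin_config, service_entries, destination_rules):
    """Return the inconsistencies between pluginConfig upstreams and the mesh resources."""
    problems = []
    for section in ("system", "backend"):
        upstream = plugin_config.get(section, {}).get("upstream")
        if not upstream:
            problems.append(f"{section}: no upstream block (is the section nested correctly?)")
            continue
        parts = upstream.get("name", "").split("|")
        # Istio names outbound clusters "outbound|<port>|<subset>|<host>".
        if len(parts) != 4 or parts[0] != "outbound" or not parts[1].isdigit():
            problems.append(f"{section}: name {upstream.get('name')!r} is not outbound|port|subset|host")
            continue
        port, host = int(parts[1]), parts[3]
        url = urlsplit(upstream.get("url", ""))
        if url.hostname != host:
            problems.append(f"{section}: url host {url.hostname!r} differs from cluster host {host!r}")
        if port not in service_entries.get(host, set()):
            problems.append(f"{section}: no ServiceEntry exposes {host}:{port}")
        mode, sni = destination_rules.get(host, (None, None))
        # Assumption: https upstreams need the sidecar to originate TLS (mode SIMPLE, SNI = host).
        if url.scheme == "https" and (mode != "SIMPLE" or sni != host):
            problems.append(f"{section}: no DestinationRule originating TLS to {host} with matching SNI")
    return problems


if __name__ == "__main__":
    print(check_upstreams(PLUGIN_CONFIG, SERVICE_ENTRIES, DESTINATION_RULES) or "upstreams consistent")
```

An empty result only shows that the names agree with each other; it does not show that the filter is attached to the listener that serves the request.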