Emre Savcı - Jul 24 '22 - 
Envoy is an open source service proxy especially designed for cloud native applications. It has a wide variety of features like connection pooling, retry mechanism, TLS management, compression, health checking, fault injection, rate limiting, authorization etc. Those are achieved with built-in http filters. And today I will talk about a special filter which name is WASM Filter.
This article is not meant for explaining what is WASM, so I am skipping explaining WASM instead I will add resources for that at the end of the article.
In Trendyol Tech. We are using Istio as a service mesh. And our team’s (DevX) responsibility is improving developer experience by developing applications which meets common requirements of microservice’s like caching, authorization, rate limiting, cross cluster service discovery etc.
Since we already use Istio why not take advantages of the power of Envoy Proxy’s extensibility.
Our use case is acquiring JWT token for microservice’s which identifies that microservice application. When we want to avoid every team to write the same code in different languages, we can create a WASM Filter and inject it into Envoy Proxies.
Advantages of WASM Filters:
In Envoy Proxy there are worker threads that handles incoming requests. Every worker thread has its own WASM VM. So if you write time based operational code it works separately for every thread.
In Envoy Proxy every worker thread isolated from each other and has one or multiple WASM VM. There is also a concept called WASM Service for inter thread communications and data sharing (we are not cover this).
We are going to use tetratelabs/proxy-wasm-go-sdk to write WASM in Go. We also need TinyGo to build our Go code as WASM.
Our use case is very simple so we write a code which sends request to JWT Api for every 15 second. It extracts authorization header and sets it’s value to a global variable and puts that value to response header of every incoming request. We also set “hello from wasm” value to another header called “x-wasm-filter“.
In the OnTick function we are making http call to a service known by Envoy as cluster.
Let’s build our go code as WASM:
tinygo build -o optimized.wasm -scheduler=none -target=wasi ./main.go
Now we need to configure Envoy Proxy to use WASM Filter for incoming requests. We will define a routing rule and a WASM filter for our WASM code, also we define a cluster which represents our service.
I put all of the files into same directory. Now let’s run Envoy Proxy in Docker:
docker run -it — rm -v "$PWD"/envoy.yaml:/etc/envoy/envoy.yaml -v "$PWD"/optimized.wasm:/etc/envoy/optimized.wasm -p 9901:9901 -p 10000:10000 envoyproxy/envoy:v1.17.0
As we can see from logs our WASM Filter started to work and sending request to JWT Api in every 15 secon
Now let’s send a request to Envoy Proxy. We configure Envoy to listen incoming requests from 1000 port and we start our container with port mapping. So we can send request to localhost:10000:
In the response headers we can see “x-wasm-filter: hello from wasm” and “x-auth” values.
Thank you for reading so far. I hope it will give you a perspective about how and why use WASM in Envoy Proxy.
You can see full example in github:
mstrYoda
/
envoy-proxy-wasm-filter-golang
A WASM Filter for Envoy Proxy written in Golang
tinygo build -o optimized.wasm -scheduler=none -target=wasi ./main.go
docker run -it --rm -v "$PWD"/envoy.yaml:/etc/envoy/envoy.yaml -v "$PWD"/optimized.wasm:/etc/envoy/optimized.wasm -p 9901:9901 -p 10000:10000 envoyproxy/envoy:v1.17.0
WebAssembly is a type of code that can be run in modern web browsers — it is a low-level assembly-like language with a compact binary format that runs with near-native performance and provides languages such as C/C++, C# and Rust with a compilation target so that they can run on the web. It is also designed to run alongside JavaScript, allowing both to work together.
developer.mozilla.org
If you've ever wondered what WebAssembly (Wasm) is and how it fits into the service mesh ecosystem, this is the article you want to read.
thenewstack.io
tetratelabs
/
proxy-wasm-go-sdk
Warning
We are no longer recommending this SDK or Wasm in general for anyone due to the fundamental memory issue of TinyGo (See the detailed explanation by a long-time community member) as well as the project state of Proxy-Wasm in general If you are not in a position where you have to run untrusted binaries (like for example, you run Envoy proxies while your client gives you the binaries to run), we recommend using other extension mechanism such as Lua or External Processing which should be comparable or better or worse depending on the use case.
If you are already using this SDK, but still want to continue using Wasm for some reason instead of Lua or External Processing we strongly recommend migrating to the Rust or C++ SDK due to the memory issue of TinyGo described in the link above.
We keep this repository open and not archived…
