feat: Wasm OCI image

[zhaohuabing]

This PR adds support for Wasm OCI image format to EG.
It allows EG to download Wasm images from remote registries and serve them to the Envoy fleet via a local HTTP server inside EG running on 18002.

• The EG Wasm cache fetches Wasm modules from their original URLs and stores them locally. Currently, the cache directory resides within the EG container, it can be made configurable to use a mounted volume if necessary.
• Gateway API translator updates the original Wasm downloading URLs in the EnvoyExtensionPolicy to point to the local EG HTTP server.
• To ensure a consistent UI experience, HTTP Wasm modules are also cached and served locally.
• To prevent unauthorized access to private images, the OIDC HMAC secret is used as a hash salt to generate unguessable downloading paths for Wasm modules.
• The cached Wasm modules are purged periodically. A cached Wasm module will be deleted if it hasn't been requested by Envoy proxies within a certain period. Currently, defaults to 24 hours, which can be configurable if needed.
• The total cache size is limited to 10G by default, which can be configurable if needed.

Implements: #3304
Design: #3313

[codecov]

Codecov Report

Attention: Patch coverage is 74.40758% with 216 lines in your changes missing coverage. Please review.

Project coverage is 68.75%. Comparing base (2a86997) to head (86016ee).

Files	Patch %	Lines
internal/wasm/imagefetcher.go	64.32%	35 Missing and 26 partials ⚠️
internal/gatewayapi/runner/runner.go	19.35%	50 Missing ⚠️
internal/gatewayapi/envoyextensionpolicy.go	74.03%	17 Missing and 10 partials ⚠️
internal/wasm/httpfetcher.go	74.76%	14 Missing and 13 partials ⚠️
internal/wasm/cache.go	89.76%	13 Missing and 9 partials ⚠️
internal/provider/kubernetes/controller.go	0.00%	13 Missing ⚠️
internal/wasm/httpserver.go	89.42%	5 Missing and 6 partials ⚠️
internal/provider/kubernetes/predicates.go	70.00%	2 Missing and 1 partial ⚠️
internal/provider/kubernetes/indexers.go	87.50%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3564      +/-   ##
==========================================
+ Coverage   68.55%   68.75%   +0.20%     
==========================================
  Files         170      175       +5     
  Lines       20690    21484     +794     
==========================================
+ Hits        14183    14771     +588     
- Misses       5492     5636     +144     
- Partials     1015     1077      +62     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[zhaohuabing]

Hi @envoyproxy/gateway-reviewers my apologies for the large PR. I would have broken it into multiple smaller ones if possible :-). A lot of *.out.yaml test files have been updated due to the addition of the new wasm HTTP server static cluster to the Envoy bootstrap config.

If you're going to review it, the most significant changes are in the internal/wasm package, which implements the Wasm file cache and an HTTP server to serve these files to the Envoy fleet.

Additionally, the Gateway API runner has been modified to initialize the Wasm cache server.

[arkodg]

prob needs to be split up into 2 - error, total
cc @shawnh2 any prior art here for naming

[zhaohuabing]

There are two different naming styles in EG:

xds_snapshot_creation_total
xds_snapshot_creation_failed
xds_snapshot_creation_success

status_update_total
status_update_failed_total
status_update_success_total
status_update_conflict_total

Prefer the first one. We also need to align "failed, failure, error" to a single term.

[arkodg]

1 looks more like envoy stats
2 looks like prom naming https://prometheus.io/docs/practices/naming/
@Xunzhuo @shawnh2 can you help drive/unify this naming

[zhaohuabing]

Tracked with #3684

[arkodg]

is this configurable in the API ?

[zhaohuabing]

Not yet, we can expose it to API when needed.

[arkodg]

overall LGTM !

there are some non blocking comments added in the PR, that can be tackled in follow ups

long term, my vote would be to move the wasm server into its own runner (like ratelimit)
this eliminates the shared fate problem of delaying xDS due to one slow URL download.

this also creates a eventual consistency problem, which can be resolved by implementing retries in the wasm cluster in envoy

[guydc]

In general, can we have some sort of a feature toggle here? Some components like the runner and the servers will execute even when the feature is not in use. LAter we can expose this by default, when we're confident and/or extracted to a different component.

[guydc]

if cache fails to start, should we fail EG or disable cache-related translation?

[zhaohuabing]

Fail the Wasm translation in EEP gateway API translation if cache fails to start.

[guydc]

any way to avoid the docker dependency and use more generic oci libs here?

[zhaohuabing]

The docker lib is used to parse docker compatible config file to get auth info.

[zhaohuabing]

long term, my vote would be to move the wasm server into its own runner (like ratelimit)
this eliminates the shared fate problem of delaying xDS due to one slow URL download.

We probably could:

• move the Wasm cache server into a standalone runner.
• fail httproutes containing Wasm extensions if that Wasm module has not been downloaded yet. By this way, the downloading won't block the translation and only the httproutes with Wasm will fail.(Or just send out the route configuration to Envoy without Wasm, like what EG currently does if any policy translation fails?)
• trigger the API translation again when a Wasm module is available in the cache.

[guydc]

Seeing as most of the implementation that will execute regardless of EEP presence is taken from istio and already has sufficient production burn time, I take back my request for a feature gate.