Add gateway guardrails (#363)

* proxy: initial commit

Signed-off-by: Xie Zhihao <[email protected]>

* proxy: support Docker build

Signed-off-by: Xie Zhihao <[email protected]>

* proxy: add Hyprescan matcher and regex engine

Signed-off-by: Xie Zhihao <[email protected]>

* proxy: remove unused Bazel target

Signed-off-by: Xie Zhihao <[email protected]>

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* proxy: rename proxy to istio

Signed-off-by: Xie Zhihao <[email protected]>

* proxy: add guardrails filter

Signed-off-by: Xie Zhihao <[email protected]>

* proxy: add .clang-format

Signed-off-by: Xie Zhihao <[email protected]>

* guardrails: meet ChatQnA API

Signed-off-by: Xie Zhihao <[email protected]>

* proxy: build image

Signed-off-by: Xie Zhihao <[email protected]>

* proxy: add README

Signed-off-by: Xie Zhihao <[email protected]>

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* guardrails: add deployment docs

Signed-off-by: Xie Zhihao <[email protected]>

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* proxy: update README

Signed-off-by: Xie Zhihao <[email protected]>

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* guardrails: add architecture

Signed-off-by: Xie Zhihao <[email protected]>

* proxy: update README

Signed-off-by: Xie Zhihao <[email protected]>

* proxy: remove Hyperscan temporarily

Signed-off-by: Xie Zhihao <[email protected]>

* guardrails: refactor

Signed-off-by: Xie Zhihao <[email protected]>

* guardrails: add tests

Signed-off-by: Xie Zhihao <[email protected]>

* proxy: add license header on source files

Signed-off-by: Xie Zhihao <[email protected]>

* proxy: add Makefile

Signed-off-by: Xie Zhihao <[email protected]>

* proxy: minor fix

Signed-off-by: Xie Zhihao <[email protected]>

* Update proxy/Makefile

Co-authored-by: Xin Huang <[email protected]>
Signed-off-by: Xie Zhihao <[email protected]>

* Update proxy/Makefile

Co-authored-by: Xin Huang <[email protected]>
Signed-off-by: Xie Zhihao <[email protected]>

* guardrails: minor deployment fix

Signed-off-by: Xie Zhihao <[email protected]>

---------

Signed-off-by: Xie Zhihao <[email protected]>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Xin Huang <[email protected]>

.gitignore

@@ -2,3 +2,6 @@
 *.out
 **/Chart.lock
 **/charts/*.tgz
+
+bazel-*
+compile_commands.json

proxy/.bazelrc

@@ -0,0 +1,22 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+# Keep envoy.bazelrc up-to-date by run:
+# curl -sSL https://raw.githubusercontent.com/istio/proxy/master/.bazelrc > envoy.bazelrc
+import %workspace%/envoy.bazelrc
+
+# Build with Clang by default.
+build --config=clang
+
+# Build with embedded V8-based WebAssembly runtime.
+build --define wasm=v8
+
+# Build Proxy-WASM plugins as native extensions.
+build --copt -DNULL_PLUGIN
+
+# Build with Docker.
+build:docker --action_env='PATH=/opt/llvm/bin:/opt/llvm/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin' --host_action_env='PATH=/opt/llvm/bin:/opt/llvm/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin'
+build:docker --action_env='LLVM_CONFIG=/opt/llvm/bin/llvm-config' --host_action_env='LLVM_CONFIG=/opt/llvm/bin/llvm-config'
+build:docker --repo_env='LLVM_CONFIG=/opt/llvm/bin/llvm-config'
+build:docker --linkopt='-L/opt/llvm/lib'
+build:docker --linkopt='-Wl,-rpath,/opt/llvm/lib'

proxy/.bazelversion

@@ -0,0 +1 @@
+6.5.0

proxy/.clang-format

@@ -0,0 +1,17 @@
+---
+Language:        Cpp
+AccessModifierOffset: -2
+ColumnLimit: 100
+DerivePointerAlignment: false
+PointerAlignment: Left
+SortIncludes: false
+TypenameMacros: ['STACK_OF']
+...
+
+---
+Language: Proto
+ColumnLimit: 100
+SpacesInContainerLiterals: false
+AllowShortFunctionsOnASingleLine: false
+ReflowComments: false
+...

proxy/BUILD

@@ -0,0 +1,29 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+load(
+    "@envoy//bazel:envoy_build_system.bzl",
+    "envoy_cc_binary",
+)
+
+exports_files(["LICENSE"])
+
+ISTIO_EXTENSIONS = [
+    "@istio//source/extensions/common/workload_discovery:api_lib",  # Experimental: WIP
+    "@istio//source/extensions/filters/http/alpn:config_lib",
+    "@istio//source/extensions/filters/http/istio_stats",
+    "@istio//source/extensions/filters/http/peer_metadata:filter_lib",
+    "@istio//source/extensions/filters/network/metadata_exchange:config_lib",
+]
+
+OPEA_EXTENSIONS = [
+    "//source/extensions/filters/http/guardrails:config",
+]
+
+envoy_cc_binary(
+    name = "envoy",
+    repository = "@envoy",
+    deps = ISTIO_EXTENSIONS + OPEA_EXTENSIONS + [
+        "@envoy//source/exe:envoy_main_entry_lib",
+    ],
+)

proxy/Makefile

@@ -0,0 +1,57 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+BUILD_IMG ?= envoy-build-ubuntu
+BUILD_TAG ?= 75238004b0fcfd8a7f71d380d7a774dda5c39622
+ISTIO_IMG ?= proxyv2
+ISTIO_TAG ?= 1.23.0
+DOCKER_REGISTRY ?= docker.io/opea
+
+BUILD_WITH_CONTAINER ?= 0
+BAZEL_ARG ?=
+
+ifeq ($(BUILD_WITH_CONTAINER),0)
+
+.PHONY: build
+build:
+	bazel build -c opt $(BAZEL_ARG) envoy
+	mkdir -p bin
+	cp -f bazel-bin/envoy bin/envoy
+
+.PHONY: test
+test:
+	bazel test $(BAZEL_ARG) //test/...
+
+else
+
+.PHONY: build
+build:
+	docker run -it \
+		--rm \
+		-v /tmp/proxy-docker-build:/root/.cache \
+		-v $(shell pwd):/source \
+		$(DOCKER_REGISTRY)/$(BUILD_IMG):$(BUILD_TAG) \
+		"/bin/bash" "-c" "cd /source && export PATH=/opt/llvm/bin:$$PATH && BAZEL_ARG=\"--config=docker\" make"
+
+.PHONY: test
+test:
+	docker run -it \
+		--rm \
+		-v /tmp/proxy-docker-build:/root/.cache \
+		-v $(shell pwd):/source \
+		$(DOCKER_REGISTRY)/$(BUILD_IMG):$(BUILD_TAG) \
+		"/bin/bash" "-c" "cd /source && export PATH=/opt/llvm/bin:$$PATH && BAZEL_ARG=\"--config=docker\" make test"
+
+endif
+
+.PHONY: image
+image:
+	docker build -f tools/Dockerfile -t $(DOCKER_REGISTRY)/$(ISTIO_IMG):$(ISTIO_TAG)
+
+.PHONY: build-image
+build-image:
+	docker build -f tools/Dockerfile-build -t $(DOCKER_REGISTRY)/$(BUILD_IMG):$(BUILD_TAG) .
+
+.PHONY: compilation-database
+compilation-database:
+	$(shell bazel info output_base)/external/envoy/tools/gen_compilation_database.py --vscode //source/... //test/...

proxy/README.md

@@ -0,0 +1,59 @@
+# OPEA Pipeline Proxy
+
+OPEA Pipeline Proxy is an enhancement of the default Istio proxy with additional features designed specifically for OPEA RAG pipelines.
+
+## Features
+
+- [Guardrails](./deployments/guardrails/README.md)
+
+## Build
+
+OPEA Pipeline Proxy is based on Istio proxy and Envoy, you can refer to [Building Envoy with Bazel](https://github.com/envoyproxy/envoy/blob/main/bazel/README.md) for build locally. In addition, Clang and OpenVINO is required to build OPEA Pipeline Proxy.
+
+```sh
+# Build OPEA Pipeline Proxy. The binary will be generated to `bin/envoy`.
+make
+
+# Build the image. The image will be tagged as `opea/proxyv2:<ISTIO_TAG>` by default.
+make image
+```
+
+You can also build OPEA Pipeline Proxy in the build container.
+
+```sh
+# Build the build image.
+make build-image
+
+# Build OPEA Pipeline Proxy with the build container. The binary will be generated to `bin/envoy`.
+BUILD_WITH_CONTAINER=1 make
+
+# Build the image. The image will be tagged as `opea/proxyv2:<ISTIO_TAG>` by default.
+make image
+```
+
+## Deployment
+
+Before deploying OPEA Pipeline Proxy, you have to install Istio. Please follow the steps [here](https://istio.io/latest/docs/setup/install/istioctl/) for Istio installation.
+
+During the installation, you have to assign the OPEA Pipeline Proxy to deploy instead of the default one delivered by Istio.
+
+```sh
+# Use the default Istio pilot and the proxyv2 delivered by OPEA.
+istioctl install --set hub=docker.io/opea --set components.pilot.hub=docker.io/istio
+```
+
+You can also use the annotation [here](https://istio.io/latest/docs/reference/config/annotations/#SidecarProxyImage) to inject OPEA Pipeline Proxy as sidecars.
+
+## Development
+
+You can generate the [JSON Compilation Database](https://clang.llvm.org/docs/JSONCompilationDatabase.html) for Visual Studio Code with [clangd](https://marketplace.visualstudio.com/items?itemName=llvm-vs-code-extensions.vscode-clangd) extension and other compatible tools.
+
+```sh
+make compilation-database
+```
+
+You can test OPEA Pipeline Proxy with the following command.
+
+```sh
+make test
+```

proxy/WORKSPACE

@@ -0,0 +1,71 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+workspace(name = "dev_opea_proxy")
+
+load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
+
+# Update Istio and Envoy by:
+#   1. Determine SHA256 `wget https://github.com/istio/proxy/archive/$COMMIT.tar.gz && sha256sum $COMMIT.tar.gz`.
+#   2. Update .bazelversion, envoy.bazelrc, BUILD, Makefile and tools/Dockerfile* if needed.
+#
+# Istio 1.23.0.
+ISTIO_SHA = "165f7597596f5b4de7025bb635a7b59d1c3fe27e"
+ISTIO_SHA256 = "ac44db76cd00442c0485f5ce99d69ae1044f33ea62c2dccb8e72c26bcf03b4e3"
+ISTIO_ORG = "istio"
+ISTIO_REPO = "proxy"
+
+http_archive(
+    name = "istio",
+    sha256 = ISTIO_SHA256,
+    strip_prefix = ISTIO_REPO + "-" + ISTIO_SHA,
+    url = "https://github.com/" + ISTIO_ORG + "/" + ISTIO_REPO + "/archive/" + ISTIO_SHA + ".tar.gz",
+)
+
+# TODO(zhxie): remove external repository fetch since it is the same repository as Istio.
+http_archive(
+    name = "envoy_build_config",
+    sha256 = ISTIO_SHA256,
+    strip_prefix = ISTIO_REPO + "-" + ISTIO_SHA + "/bazel/extension_config",
+    url = "https://github.com/" + ISTIO_ORG + "/" + ISTIO_REPO + "/archive/" + ISTIO_SHA + ".tar.gz",
+)
+
+ENVOY_SHA = "97d97011f522006a816f8fe340c8a6f23d0dd712"
+ENVOY_SHA256 = "0ed516f812f477b23da723aa379fbe96fcd84a04112d8a5e27bfcfb34c986eea"
+ENVOY_ORG = "envoyproxy"
+ENVOY_REPO = "envoy"
+
+http_archive(
+    name = "envoy",
+    sha256 = ENVOY_SHA256,
+    strip_prefix = ENVOY_REPO + "-" + ENVOY_SHA,
+    url = "https://github.com/" + ENVOY_ORG + "/" + ENVOY_REPO + "/archive/" + ENVOY_SHA + ".tar.gz",
+)
+
+load("@envoy//bazel:api_binding.bzl", "envoy_api_binding")
+
+envoy_api_binding()
+
+load("@envoy//bazel:api_repositories.bzl", "envoy_api_dependencies")
+
+envoy_api_dependencies()
+
+load("@envoy//bazel:repositories.bzl", "envoy_dependencies")
+
+envoy_dependencies()
+
+load("@envoy//bazel:repositories_extra.bzl", "envoy_dependencies_extra")
+
+envoy_dependencies_extra(ignore_root_user_error = True)
+
+load("@envoy//bazel:python_dependencies.bzl", "envoy_python_dependencies")
+
+envoy_python_dependencies()
+
+load("@base_pip3//:requirements.bzl", "install_deps")
+
+install_deps()
+
+load("@envoy//bazel:dependency_imports.bzl", "envoy_dependency_imports")
+
+envoy_dependency_imports()

proxy/bazel/BUILD

@@ -0,0 +1,2 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0

proxy/bazel/get_workspace_status

@@ -0,0 +1,6 @@
+#! /bin/bash
+
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+echo "BUILD_CONFIG ${BUILD_CONFIG:-default}"

proxy/bazel/platform_mappings

@@ -0,0 +1,36 @@
+flags:
+  --cpu=arm64-v8a
+  --crosstool_top=//external:android/crosstool
+    @envoy//bazel:android_aarch64
+
+  --cpu=armeabi-v7a
+  --crosstool_top=//external:android/crosstool
+    @envoy//bazel:android_armeabi
+
+  --cpu=x86
+  --crosstool_top=//external:android/crosstool
+    @envoy//bazel:android_x86
+
+  --cpu=x86_64
+  --crosstool_top=//external:android/crosstool
+    @envoy//bazel:android_x86_64
+
+  --cpu=darwin_x86_64
+  --apple_platform_type=macos
+    @envoy//bazel:macos_x86_64
+
+  --cpu=darwin_arm64
+  --apple_platform_type=macos
+    @envoy//bazel:macos_arm64
+
+  --cpu=ios_x86_64
+  --apple_platform_type=ios
+    @envoy//bazel:ios_x86_64_platform
+
+  --cpu=ios_sim_arm64
+  --apple_platform_type=ios
+    @envoy//bazel:ios_sim_arm64_platform
+
+  --cpu=ios_arm64
+  --apple_platform_type=ios
+    @envoy//bazel:ios_arm64_platform