gateway icon indicating copy to clipboard operation
gateway copied to clipboard

Published 20 hours ago verified publisher icon envoyproxy

Support HTTP External Processing Filter

Open guydc opened this issue 1 year ago • 11 comments

Description: Envoy’s HTTP External Processing Filter can be used by vendors and extension developers to enhance Envoy Proxy's data-plane feature set. The ext-proc filter implements a callout to an external grpc service in request and response flows. The external processor service can inspect and mutate requests and responses, access context data such as attributes and dynamic metadata and emit dynamic metadata.

The external processing filter is included in the envoy base image and its security posture is robust. The external processing protocol and/or filter are also used in the industry for extensibility and integration: GCP Application LB, Gloo Edge, Imperva WAF.

Envoy Gateway can support the external processing filter in a way that is similar to the ext-authz implementation. If supported, this filter will fulfill some of the GA requirements outlined in #2025 related to Envoy Proxy extensibility.

guydc avatar Jan 31 '24 17:01 guydc

+1 to this my preference would be to include this into #2025 as a new Policy and combine all dev extensions into one new Policy resource type cc @Xunzhuo

arkodg avatar Jan 31 '24 18:01 arkodg

we could do this with EnvoyPatchPolicy now, right? what the benifit for create an new policy?

zirain avatar Feb 01 '24 00:02 zirain

a dedicated ExtensionAPI can do a better job

  • dealing with config validation
  • reducing surface area of extension
  • doing extra work such as downloading wasm from registry

arkodg avatar Feb 01 '24 00:02 arkodg

doing extra work such as downloading wasm from registry

you want download wasm in controlplane?

zirain avatar Feb 01 '24 01:02 zirain

I'm +1 for a dedicated ExtensionAPI, maybe named (Gateway|Proxy|Envoy)(Http/Networking)Filter, focus on insert/replace filters, and use ECDS to send XDS.

zirain avatar Feb 01 '24 01:02 zirain

@zirain - do you propose to use ECDS because you want EG's XDS server to delegate configuration for such extension to a different (extension owner/vendor) XDS server? While this provides a lot of flexibility, it could be a bit too much work for end users who want to provide a LUA snippet or a WASM module...

guydc avatar Feb 01 '24 01:02 guydc

@zirain - do you propose to use ECDS because you want EG's XDS server to delegate configuration for such extension to a different (extension owner/vendor) XDS server? While this provides a lot of flexibility, it could be a bit too much work for end users who want to provide a LUA snippet or a WASM module...

Just want to reduce the xds size, when there's only configurations change related to those filters.

zirain avatar Feb 01 '24 01:02 zirain

+1 for adding support to this, thanks for raisin it @guydc.

Xunzhuo avatar Feb 01 '24 02:02 Xunzhuo

Please assign to me.

guydc avatar Feb 01 '24 19:02 guydc

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

github-actions[bot] avatar Mar 02 '24 20:03 github-actions[bot]

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

github-actions[bot] avatar May 20 '24 00:05 github-actions[bot]