Description:
When loading a WASM blob over http, the docs say of EnvoyExtensionPolicy::spec.wasm.code.http.sha256 "If not specified, Envoy Gateway will not verify the downloaded Wasm code."
However, when I omit that field
1) The CR is accepted, but
2) The WASM doesn't load, and the controlplane logs contain the following
2024-10-01T11:39:52.810Z INFO xds-translator runner/runner.go:55 received an update {"runner": "xds-translator"}
2024-10-01T11:39:52.811Z ERROR xds-translator runner/runner.go:85 failed to translate xds ir {"runner": "xds-translator", "error": "invalid Wasm.Config: embedded message failed validation | caused by: invalid PluginConfig.VmConfig: embedded message failed validation | caused by: invalid VmConfig.Code: embedded message failed validation | caused by: invalid AsyncDataSource.Remote: embedded message failed validation | caused by: invalid RemoteDataSource.Sha256: value length must be at least 1 runes"}
2024-10-01T11:39:52.811Z INFO xds-server runner/runner.go:140 received an update {"runner": "xds-server"}
2024-10-01T11:39:52.812Z ERROR watchable message/watchutil.go:56 observed an error {"runner": "xds-translator", "error": "invalid Wasm.Config: embedded message failed validation | caused by: invalid PluginConfig.VmConfig: embedded message failed validation | caused by: invalid VmConfig.Code: embedded message failed validation | caused by: invalid AsyncDataSource.Remote: embedded message failed validation | caused by: invalid RemoteDataSource.Sha256: value length must be at least 1 runes"}
So it seems like a non-empty sha256 is needed (I confirmed: supplying one fixes the issue). Worse, the docs are mis-leading, and the user-facing statuses say everything's ok.
What do we want to do? I guess either
a) Change the docs, and enforce a non-missing, non-empty sha256 field on the CRD, or
b) Change the code so that it doesn't try to produce RemoteDataSource.Sha256 and provides any other Envoy config necessary to skip sha256 validation
arkodg
commented
2 hours ago
Description: When loading a WASM blob over http, the docs say of
EnvoyExtensionPolicy::spec.wasm.code.http.sha256"If not specified, Envoy Gateway will not verify the downloaded Wasm code."However, when I omit that field 1) The CR is accepted, but 2) The WASM doesn't load, and the controlplane logs contain the following
So it seems like a non-empty sha256 is needed (I confirmed: supplying one fixes the issue). Worse, the docs are mis-leading, and the user-facing statuses say everything's ok.
What do we want to do? I guess either a) Change the docs, and enforce a non-missing, non-empty
sha256field on the CRD, or b) Change the code so that it doesn't try to produceRemoteDataSource.Sha256and provides any other Envoy config necessary to skip sha256 validation