Open rajatjindal opened 4 days ago
Fixing this is one of the motivations behind Spin Factors. You can see in the branch that the (unfinished) outbound http factor implements both spin and wasi interfaces. I haven't tackled the http-trigger differences there yet but that is definitely a priority.
There are currently three code paths when making an outbound http request when running a Spin app:
outbound-http
crate (used by old spin sdk such as Golang)WasiOutboundHttpHandler in trigger-http crate
(used when outbound request is made from within a http-trigger)WasiOutboundHttpHandler implementation in core
(used when outbound request is made from other trigger types e.g. redis trigger and using a newer sdk e.g. Rust)In addition to that, we also have
host-components
that makes outbound requests on behalf of the Spin app e.g.remote-llm
host component for making inferencing request to cloud app.This introduces interesting problems w.r.t CA certificates used when making an outbound https request:
outbound-http
andhost-components
uses the CA bundle present on the file system.WasiOutboundHttpHandler in trigger-http crate
andWasiOutboundHttpHandler implementation in core
uses the CA bundle configured in wasmtime (at build time).We ran into this problem when working deploying an AI app to SpinKube/Kubernetes (which made an outbound request from host component) and resolved that by injecting CA bundle as a volume.
but then when trying out a different app, the injected custom CA was not working as expected (because it was using wasmtime outbound handler which uses default CA).
It will be nice if we can make this behavior consistent and deterministic.