Merge branch 'main' into filter_chain

.github/workflows/acceptance-test.yaml

@@ -45,6 +45,10 @@ jobs:
         id: set-git-refname
         run: echo "git_refname=$(echo "${{ github.ref }}" | sed -r 's@refs/(heads|pull|tags)/@@g')" >> $GITHUB_OUTPUT
 
+      - name: Build TCP metadata exchange filter
+        run: |
+          make tcp-metadata-exchange-filter
+
       - name: Deploy to kind cluster (istio-operator)
         run: |
           test/deploy-kind.sh

.github/workflows/ci.yaml

@@ -44,6 +44,10 @@ jobs:
           restore-keys: |
             build-deps-v2
 
+      - name: Build TCP metadata exchange filter
+        run: |
+          make tcp-metadata-exchange-filter
+
       - name: Run unit tests
         run: make test
 

Cargo.toml

@@ -2,3 +2,13 @@
 members = [
     "./experimental/wasm-tcp-metadata",
 ]
+
+[profile.release]
+# do not include debug symbols
+debug = false
+# link-time optimalization
+lto = 'thin' # this works much better for wasm3 than 'true'
+# optimize for binary size for wasm s is better than z
+opt-level = "s"
+# do not unwind the stack when panicking
+#panic = "abort"

Makefile

@@ -52,3 +52,9 @@ lint-fix-all: ${REPO_ROOT}/bin/golangci-lint ## lint --fix the whole repo
 .PHONY: mod-download-all
 mod-download-all:	## go mod download all go modules
 	./scripts/for_all_go_modules.sh -- go mod download all
+
+.PHONY: tcp-metadata-exchange-filter
+tcp-metadata-exchange-filter:	## build the tcp-metadata-exchange-filter
+	rustup target add wasm32-unknown-unknown
+	cargo build --target wasm32-unknown-unknown --release
+	cp target/wasm32-unknown-unknown/release/wasm_tcp_metadata.wasm pkg/istio/filters/tcp-metadata-exchange-filter.wasm

examples/grpc/client/main.go

@@ -20,13 +20,16 @@ import (
 	"flag"
 	"log"
 	"os"
+	"sync"
 	"time"
 
 	"google.golang.org/grpc"
 	"k8s.io/klog/v2"
 
 	"github.com/cisco-open/nasp/examples/grpc/pb"
 	"github.com/cisco-open/nasp/pkg/istio"
+	"github.com/cisco-open/nasp/pkg/network"
+	"github.com/cisco-open/nasp/pkg/util"
 )
 
 var heimdallURL string
@@ -38,6 +41,8 @@ func init() {
 }
 
 func main() {
+	logger := klog.Background()
+
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
@@ -51,36 +56,50 @@ func main() {
 
 	iih, err := istio.NewIstioIntegrationHandler(&istioHandlerConfig, klog.TODO())
 	if err != nil {
-		log.Fatal(err)
+		panic(err)
 	}
 
 	grpcDialOptions, err := iih.GetGRPCDialOptions()
 	if err != nil {
-		log.Fatal(err)
+		panic(err)
 	}
 
-	client, err := grpc.Dial(
+	client, err := grpc.DialContext(
+		ctx,
 		"localhost:8082",
 		grpcDialOptions...,
 	)
 	if err != nil {
-		log.Fatal(err)
+		panic(err)
 	}
 
-	iih.Run(ctx)
+	if err := iih.Run(ctx); err != nil {
+		panic(err)
+	}
 
 	func() {
 		defer cancel()
 		defer client.Close()
 
+		wg := sync.WaitGroup{}
 		for i := 0; i < 10; i++ {
-			reply, err := pb.NewGreeterClient(client).SayHello(ctx, &pb.HelloRequest{Name: "world"})
-			if err != nil {
-				log.Fatal(err)
-			}
-
-			log.Println(reply.Message)
+			wg.Add(1)
+			go func() {
+				defer wg.Done()
+				ctx = network.NewConnectionStateHolderToContext(ctx)
+				reply, err := pb.NewGreeterClient(client).SayHello(ctx, &pb.HelloRequest{Name: "world"})
+				if err != nil {
+					log.Fatal(err)
+				}
+
+				if s, ok := network.ConnectionStateFromContext(ctx); ok {
+					util.PrintConnectionState(s, logger)
+				}
+
+				logger.Info(reply.Message)
+			}()
 		}
+		wg.Wait()
 	}()
 
 	time.Sleep(time.Millisecond * 100)

examples/grpc/main.go

@@ -21,13 +21,14 @@ import (
 	"log"
 	"os"
 
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/reflection"
 	"k8s.io/klog/v2"
 
 	"github.com/cisco-open/nasp/examples/grpc/pb"
 	"github.com/cisco-open/nasp/pkg/istio"
-
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/reflection"
+	"github.com/cisco-open/nasp/pkg/network"
+	"github.com/cisco-open/nasp/pkg/util"
 )
 
 var heimdallURL string
@@ -43,7 +44,12 @@ type greeterServer struct {
 }
 
 func (gs *greeterServer) SayHello(ctx context.Context, in *pb.HelloRequest) (*pb.HelloReply, error) {
+	if s, ok := network.ConnectionStateFromContext(ctx); ok {
+		util.PrintConnectionState(s, klog.Background())
+	}
+
 	log.Printf("Received: %v", in.GetName())
+
 	return &pb.HelloReply{Message: "Hello " + in.GetName()}, nil
 }
 
@@ -64,15 +70,17 @@ func main() {
 		panic(err)
 	}
 
-	iih.Run(ctx)
+	if err := iih.Run(ctx); err != nil {
+		panic(err)
+	}
 
 	grpcServer := grpc.NewServer()
 	reflection.Register(grpcServer)
 	pb.RegisterGreeterServer(grpcServer, &greeterServer{})
 
 	//////// standard HTTP library version with TLS
 
-	err = iih.ListenAndServe(context.Background(), ":8082", grpcServer)
+	err = iih.ListenAndServe(ctx, ":8082", grpcServer)
 	if err != nil {
 		log.Fatalf("failed to serve: %v", err)
 	}

examples/http/main.go

@@ -18,7 +18,6 @@ import (
 	"context"
 	"errors"
 	"flag"
-	"fmt"
 	"io/ioutil"
 	"net/http"
 	"os"
@@ -32,6 +31,7 @@ import (
 
 	"github.com/cisco-open/nasp/pkg/istio"
 	"github.com/cisco-open/nasp/pkg/network"
+	"github.com/cisco-open/nasp/pkg/util"
 )
 
 var mode string
@@ -75,32 +75,16 @@ func sendHTTPRequest(url string, transport http.RoundTripper, logger logr.Logger
 
 	if dumpClientResponse {
 		buff, _ := ioutil.ReadAll(response.Body)
-		fmt.Printf("%s\n", string(buff))
+		os.Stdout.Write(buff)
 	}
 
-	if conn, ok := network.WrappedConnectionFromContext(response.Request.Context()); ok {
-		printConnectionInfo(conn, logger)
+	if state, ok := network.ConnectionStateFromContext(response.Request.Context()); ok {
+		util.PrintConnectionState(state, logger)
 	}
 
 	return nil
 }
 
-func printConnectionInfo(connection network.Connection, logger logr.Logger) {
-	localAddr := connection.LocalAddr().String()
-	remoteAddr := connection.RemoteAddr().String()
-	var localSpiffeID, remoteSpiffeID string
-
-	if cert := connection.GetLocalCertificate(); cert != nil {
-		localSpiffeID = cert.GetFirstURI()
-	}
-
-	if cert := connection.GetPeerCertificate(); cert != nil {
-		remoteSpiffeID = cert.GetFirstURI()
-	}
-
-	logger.Info("connection info", "localAddr", localAddr, "localSpiffeID", localSpiffeID, "remoteAddr", remoteAddr, "remoteSpiffeID", remoteSpiffeID, "ttfb", connection.GetTimeToFirstByte().Format(time.RFC3339Nano))
-}
-
 func main() {
 	logger := klog.TODO()
 	ctx, cancel := context.WithCancel(context.Background())
@@ -128,9 +112,11 @@ func main() {
 
 	iih.Run(ctx)
 
-	// make idle timeout minimal to test least request increment/decrement
+	// use client side connection pooling
 	t := http.DefaultTransport.(*http.Transport)
-	t.IdleConnTimeout = time.Nanosecond * 1
+	t.MaxIdleConns = 50
+	t.MaxConnsPerHost = 50
+	t.MaxIdleConnsPerHost = 50
 
 	transport, err := iih.GetHTTPTransport(t)
 	if err != nil {
@@ -153,10 +139,10 @@ func main() {
 			i++
 		}
 
-		time.Sleep(sleepBeforeClientExit)
-
 		wg.Wait()
 
+		time.Sleep(sleepBeforeClientExit)
+
 		if len(clientErrors) > 0 {
 			os.Exit(2)
 		}
@@ -174,6 +160,11 @@ func main() {
 				logger.Error(err, "could not send http request")
 			}
 		}
+
+		if state, ok := network.ConnectionStateFromContext(c.Request.Context()); ok {
+			util.PrintConnectionState(state, logger)
+		}
+
 		c.Data(http.StatusOK, "text/html", []byte("Hello world!"))
 	})
 	err = iih.ListenAndServe(context.Background(), ":8080", r.Handler())

examples/tcp/main.go

@@ -27,6 +27,8 @@ import (
 	"k8s.io/klog/v2"
 
 	"github.com/cisco-open/nasp/pkg/istio"
+	"github.com/cisco-open/nasp/pkg/network"
+	"github.com/cisco-open/nasp/pkg/util"
 )
 
 var mode string
@@ -96,11 +98,16 @@ func server() {
 			panic(err)
 		}
 		go func(conn net.Conn) {
-			defer conn.Close()
+			defer func() {
+				if s, ok := network.ConnectionStateFromNetConn(conn); ok {
+					util.PrintConnectionState(s, klog.Background())
+				}
+				conn.Close()
+			}()
 			reader := bufio.NewReader(conn)
 			for {
 				// read client request data
-				bytes, err := reader.ReadBytes(byte('!'))
+				bytes, err := reader.ReadBytes(byte('\n'))
 				if err != nil {
 					if err != io.EOF {
 						fmt.Println("failed to read data, err:", err)
@@ -138,7 +145,12 @@ func client() {
 		panic(err)
 	}
 
-	defer conn.Close()
+	defer func() {
+		if s, ok := network.ConnectionStateFromNetConn(conn); ok {
+			util.PrintConnectionState(s, klog.Background())
+		}
+		conn.Close()
+	}()
 
 	for i := 0; i < 5; i++ {
 		if err := sendReceive(conn, fmt.Sprintf("name %d", i)); err != nil {