Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

On grpc response flow #81

Merged
merged 13 commits into from
Sep 19, 2024
Merged

On grpc response flow #81

merged 13 commits into from
Sep 19, 2024

Conversation

didierofrivia
Copy link
Contributor

@didierofrivia didierofrivia commented Sep 9, 2024
edited
Loading

Part of the work needed for #58

This PR is yet another step closer to the new way the WASM Shim will be handling multiple operations of External Rate Limit and Auth.

It introduces the GrpcMessageResponse that will be responsible of parsing the response back from the external services into the correct type, thus allowing the Filter to decide on the flow given the different actions defined in configuration.

So far, it only replicates the previous Rate Limiting flow, opening the door to implement the Auth one.

Next step: Implement the actual Auth flow within the Filter.

Notes:

  • Following this approach, it doesn't delegate the response parsing to the Operation Dispatcher, but to the Service GrpcMessageResponse, being the Filter shaping the flow of the actions and the Operations in charge of only dispatching them.

Base automatically changed from action_dispatcher to external-auth September 10, 2024 09:02
@didierofrivia didierofrivia force-pushed the on_grpc_response_flow branch 3 times, most recently from 626b680 to c9e8f51 Compare September 10, 2024 14:55
@didierofrivia didierofrivia self-assigned this Sep 10, 2024
@didierofrivia didierofrivia force-pushed the on_grpc_response_flow branch 2 times, most recently from 0712164 to 9deb28e Compare September 13, 2024 10:58
@didierofrivia didierofrivia force-pushed the on_grpc_response_flow branch 2 times, most recently from 6619cfe to 194f62c Compare September 16, 2024 09:13
@didierofrivia didierofrivia marked this pull request as ready for review September 16, 2024 09:30
@didierofrivia didierofrivia force-pushed the external-auth branch 2 times, most recently from 37b6f1d to 312710e Compare September 16, 2024 14:40
@didierofrivia didierofrivia changed the title [WIP] On grpc response flow On grpc response flow Sep 18, 2024
@didierofrivia didierofrivia force-pushed the on_grpc_response_flow branch 3 times, most recently from f000154 to 5a4bc29 Compare September 18, 2024 15:20
@didierofrivia
[feat] Action dispatcher state machine, naive impl
625b205 
Signed-off-by: dd di cesare <didi@posteo.net>
@didierofrivia
[refactor] Changing name to Operation instead of Action
360c967 
* Could get confusing with proxy_wasm `Actions`
* Also with plugin configuration `Action`

Signed-off-by: dd di cesare <didi@posteo.net>
@didierofrivia
[refactor] OperationDispatcher triggering procedures
1fc0e1a 
Signed-off-by: dd di cesare <didi@posteo.net>
@didierofrivia
[refactor] Specifying that it's about request messages
190b597 
Signed-off-by: dd di cesare <didi@posteo.net>
@didierofrivia
[refactor, feature] Adding a new GrpcResponse type
dbba0f5 
* Services also building the response Message

Signed-off-by: dd di cesare <didi@posteo.net>
@didierofrivia
[refactor] Indexing waiting operations by token_id
d70d038 
Signed-off-by: dd di cesare <didi@posteo.net>
@didierofrivia
[refactor] Wiring filter with dispatcher
93c980d 
Signed-off-by: dd di cesare <didi@posteo.net>
@didierofrivia
[refactor] Passing by references instead of cloning
98d3754 
Signed-off-by: dd di cesare <didi@posteo.net>
@didierofrivia
[refactor] Using action failure_mode when processing grpc error
49e4fec 
Signed-off-by: dd di cesare <didi@posteo.net>
@didierofrivia
[fix] Changed behaviour, removing and triggering next op at same step
b0329d4 
* When Operation `n` is Done, it's removed and it triggers Op n+1

Signed-off-by: dd di cesare <didi@posteo.net>
@didierofrivia
[refactor] Renaming rlp to policy for consistency
c262342 
Signed-off-by: dd di cesare <didi@posteo.net>
@didierofrivia
[refactor] Explicit testing
4272ff7 
Signed-off-by: dd di cesare <didi@posteo.net>
alexsnaps
alexsnaps approved these changes Sep 19, 2024
View reviewed changes
Copy link
Member

@alexsnaps alexsnaps left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couldn't spot anything explicitly broken... So I'm in favor in merging. I'd then slightly focus on merging this all to main & worst case nightly catches something, and we have plenty of time to then fix it (while making our test coverage better :)
That would require looking into the config bits on the kuadrant operator end tho

src/envoy/mod.rs
@@ -37,7 +37,7 @@ pub use {
AttributeContext_Request,
},
base::Metadata,
external_auth::CheckRequest,
external_auth::{CheckRequest, DeniedHttpResponse, OkHttpResponse},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see this is more than RL then... which is fine ;)

src/filter/http_context.rs
}
} else {
warn!("No Operation found with token_id: {token_id}");
self.handle_error_on_grpc_response(&FailureMode::Deny); // TODO(didierofrivia): Decide on what's the default failure mode
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, interesting... I think this could (not asking to change the current behavior really) be a .next().expect("State machine is broken, we expected an operation to handle the gRPC response"), which if I'm not mistaken result in a 500.

src/filter/http_context.rs
Comment on lines +171 to 188
let res = match GrpcMessageResponse::new(
operation.get_extension_type(),
&res_body_bytes,
status_code,
) {
Ok(res) => res,
Err(e) => {
warn!(
"failed to parse grpc response body into GrpcMessageResponse message: {e}"
);
self.handle_error_on_grpc_response(failure_mode);
return;
}
};
match operation.get_extension_type() {
ExtensionType::Auth => {} // TODO(didierofrivia): Process auth grpc response.
ExtensionType::RateLimit => self.process_ratelimit_grpc_response(res, failure_mode),
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think much of that logic could be encapsulated in the operation itself... Probably would need a bigger refactoring tho (e.g. an enum for how to transition, i.e. () or GrpcMessageResponse, to the next state)... Same with the code in process_ratelimit_grpc_response... its back & forth between these two layers that I don't think adds value, nor is required...

@didierofrivia didierofrivia merged commit a852236 into external-auth Sep 19, 2024
8 checks passed
@didierofrivia didierofrivia deleted the on_grpc_response_flow branch September 19, 2024 14:58
@eguzki eguzki mentioned this pull request Sep 20, 2024
Open
@didierofrivia didierofrivia mentioned this pull request Oct 1, 2024
Open
12 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alexsnaps alexsnaps alexsnaps approved these changes

@eguzki eguzki Awaiting requested review from eguzki

@adam-cattermole adam-cattermole Awaiting requested review from adam-cattermole

Assignees

@didierofrivia didierofrivia

Labels
None yet
Projects
Kuadrant
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@didierofrivia @alexsnaps