Commit f98f0d0
Feature: Wasi Context Configuration (#6)
* feat: WASI context configuration support
- CRD: args, env, volumes, resources, network spec
- Controller: serialize config to WASI_CONFIG env var
- Runner: modular Rust code, dynamic WasiCtx builder
- Resource limits: memory (StoreLimits), CPU (fuel)
- Network: granular TCP/UDP socket permissions
* Add http-fetch WASM module
Demonstrates TCP connect and outbound HTTP capabilities. Extracts target URL from header/query param, makes outbound request, returns JSON response.
* feat: e2e tests for WASI configuration
- Test infrastructure with registry safety checks
- Basic deployment test with reverse-text module
- Network permission tests with http-fetch module
- Echo server fixture for in-cluster testing
- Goyek e2e task integration
* fix: reconciler Ready condition & e2e fixes
- Check Knative Service Ready before marking WasmModule ready
- Strip oci:// prefix in runner image fetcher
- Fix http-fetch body reading with subscribe/block pattern
- Bind runner to 0.0.0.0 for readiness probes
- Add LOCAL_GATEWAY_ADDRESS for Kind port-forward access
- Add e2e runner script and test infrastructure
- Update build tasks to support http-fetch module
- Set runner image via ldflags in ko deploy
* fix: configure No DNS mode for all local clusters
- Extended domain configuration to minikube, not just Kind
- Removed dead isKindCluster function from helpers.go
- Added E2E_IMAGE_BASENAME to .env for convenience
- All e2e tests now pass on both Kind and minikube
* feat(e2e,runner): Enhance network policies and improve test reliability
This commit introduces significant improvements to the Wasm runner's network sandboxing capabilities and the overall reliability of the end-to-end test suite, particularly for cloud environments like GKE.
### Runner: Hostname-Based Network Policies
The Wasm runner's network permission checker has been enhanced to support hostname patterns in addition to IP addresses.
- Previously, network policies could only match against specific IP addresses, which is impractical in dynamic environments like Kubernetes.
- The runner now resolves all configured hostname patterns (e.g., `echo-server.default.svc.cluster.local:80`) at startup and checks socket connections against the resolved IPs.
- This allows Wasm modules to use standard networking libraries (like Rust's `std::net::TcpStream`) to connect to Kubernetes services by name, a critical feature for real-world use cases.
- The `http-fetch` example module has been updated to use `std::net::TcpStream` to demonstrate and test this new capability.
### E2E Test Reliability
Several changes have been made to make the e2e tests more robust and less prone to flakiness, especially when running on non-local clusters:
- **Wait for LoadBalancer:** The test framework now waits up to 2 minutes for the ingress gateway's LoadBalancer service to receive an external IP address, a common source of failures on GKE.
- **Retry on 404:** HTTP requests to Wasm modules now automatically retry on 404 errors for a few seconds. This handles the propagation delay before the ingress controller is fully configured to route traffic to a newly created Knative service.
- **Full FQDNs:** Tests now use the full FQDN for in-cluster services (e.g., `.svc.cluster.local`) to ensure consistent DNS resolution across different Kubernetes distributions.
- **ImagePullPolicy=Always:** During e2e tests, the controller is now deployed with `ImagePullPolicy=Always` for the runner image. This guarantees that the latest image built in CI is used, preventing issues with stale cached images.
- **Consistent "No DNS" Config:** The Knative "No DNS" configuration (`example.com`) is now applied unconditionally, simplifying the setup and ensuring consistent behavior between local and cloud test runs.
### Build Process
- The build process now generates a temporary `.ko.yaml` file to set linker flags (`ldflags`) instead of using `GOFLAGS`. This is necessary to support setting multiple `-X` flags, as required for the `ImagePullPolicy` configuration.
* chore: Update copyright headers for 2025
This commit updates the copyright year to 2025 in existing file headers.
It also adds the standard Apache 2.0 license header to several Rust source files
that were missing it.
* fix(e2e): improve test reliability across environments
- Add echo server readiness probe
- Add warmup pod for service networking verification
- Reduce warmup curl retry interval to 0.25s for faster detection
- Add port-forward readiness check with timeout (120s)
- Fix minikube cluster detection using node labels
- Add configurable test timeout via E2E_TEST_TIMEOUT env
- Add batch mode detection for CI/non-interactive runs
- Update knative.dev/hack dependency
Tested on: GKE, kind, minikube (5/5 tests pass)
* fix: resolve CI failures and dependency conflicts
1. Fix e2e test side effects (build test failure):
- Renamed test/e2e/main_test.go -> test/e2e/clients.go
- Removed TestMain that executed cluster connections during build verification
- Made client initialization lazy via ensureClients()
- Clients now initialize only when first test runs
This fixes 'go test -run "^$" -tags e2e' failing with:
'Failed to initialize clients: failed to load kubeconfig'
2. Fix google.golang.org/genproto conflict (verify deps failure):
- Upgraded github.com/cardil/ghet v0.1.1 -> v0.1.2
- Upgraded k8s.io/* packages v0.34.3 -> v0.35.1
- Resolved ambiguous import between old monolithic genproto and new split modules
ghet v0.1.2 no longer pulls in old genproto@v0.0.0-20200212174721-66ed5ce911ce
via go4.org -> cloud.google.com/go@v0.53.0 dependency chain.
Assisted-by: 🤖 Claude Opus/Sonnet 4.5
* Update generated code and dependencies
* Add e2e tests workflow with Kind cluster
- Set up Kind cluster for e2e testing
- Configure local registry at localhost:5001
- Run goyek e2e tests with proper environment
- Upload artifacts on failure for debugging
* Fix E2E workflow: upgrade to K8s v1.35.1 and fix registry setup
- Use kindest/node:v1.35.1 (Knative requires K8s >= 1.33)
- Set up registry before cluster creation
- Configure containerd to use kind-registry:5000 endpoint
- Connect registry to Kind network after cluster creation
- Add insecure_skip_verify for registry TLS
* Fix goyek scripts to fail early on command errors
Add ExecOrDie helper that wraps cmd.Exec and calls a.FailNow() on failure.
Replace all cmd.Exec calls with executil.ExecOrDie to ensure build/push
errors are properly propagated and cause immediate task failure.
This fixes the issue where push errors to the registry were logged but
didn't stop the e2e test execution, leading to confusing failures later.
* fix: Use correct WKG_OCI_INSECURE env var
Change WKG_REGISTRY_INSECURE to WKG_OCI_INSECURE with the registry
address as the value. This matches the wkg --insecure flag format.
* fix: Use GitHub Container Registry for E2E tests
Instead of a local registry, use ghcr.io with PR-specific image tags.
This avoids the localhost registry connectivity issues from within
Kind cluster pods. Images are pushed to:
ghcr.io/cardil/knative-serving-wasm/e2e-pr-<number>/<component>
Cleanup step deletes all PR-specific packages after tests complete.
* fix: Add packages:write permission for ghcr.io push
The E2E workflow needs packages:write permission to push images
to GitHub Container Registry.
* fix: Address AI review comments
- Fix ghcr.io cleanup step with proper error handling and URL encoding
- Fix http-fetch unwrap() panic on partial HTTP response
- Fix double error reporting for empty image in validation
- Fix address pattern validation to require colon separator
- Add fallback to run_id for push events in e2e workflow
* fix: Use GetGroupVersionKind, retry on 502/503, case-insensitive error check
- Use module.GetGroupVersionKind() instead of hardcoded GVK
- Remove unused runtime/schema import
- Retry HTTP requests on 502 and 503 in addition to 404
- Use case-insensitive error/denied check in network tests
* fix: Use here-string to avoid subshell in cleanup loop
The pipe into the while loop runs in a subshell, so FAILED=1 never propagates.
Use a here-string (<<<) instead to run the loop in the current shell.
* fix: Use actual mount paths for volume mounts, not hardcoded paths
The runner sees volumes at vm.MountPath where Kubernetes mounts them,
not at hardcoded /var/run/* locations which don't exist.
Also fixes SubPath handling - applies to hostPath, not guestPath.
* fix: remove incorrect subPath handling in volume mount
With K8s subPath, the subdirectory content is already mounted
at vm.MountPath, so hostPath should be vm.MountPath directly.
* chore: add timeout-minutes to e2e workflow
* Enhance address pattern validation
- Split pattern on ':' and validate non-empty host/port
- Validate port is '*' or numeric
- Validate host is '*' or valid hostname/IP
- Add strconv and net imports
1 parent 2bc6d60 commit f98f0d0
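The "Enhance address pattern validation" rules above (colon separator required, non-empty host and port, port `*` or numeric, host `*` or a hostname/IP) as an added illustration in Go; this is not the project's own validation code, and the choice to split on the last `:` (so an IPv6 literal keeps its colons) and the 1-65535 port range are assumptions made here.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strconv"
	"strings"
)

// RFC 1123 label: alphanumerics and hyphens, no leading/trailing hyphen, 1-63 chars.
var labelRE = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

// ValidateAddressPattern checks a "host:port" network permission pattern using
// the rules listed in the commit message. It is an illustration written for this
// page, not the project's own code; splitting on the last ':' (so an IPv6
// literal keeps its colons) and the 1-65535 port range are assumptions.
func ValidateAddressPattern(pattern string) error {
	idx := strings.LastIndex(pattern, ":")
	if idx < 0 {
		return fmt.Errorf("pattern %q must be in host:port form", pattern)
	}
	host, port := pattern[:idx], pattern[idx+1:]
	if host == "" || port == "" {
		return fmt.Errorf("pattern %q has an empty host or port", pattern)
	}
	if port != "*" {
		if n, err := strconv.Atoi(port); err != nil || n < 1 || n > 65535 {
			return fmt.Errorf("port %q must be '*' or a number in 1-65535", port)
		}
	}
	// Wildcard, IPv4 literal or bracketed IPv6 literal are accepted as-is.
	if host == "*" || net.ParseIP(strings.Trim(host, "[]")) != nil {
		return nil
	}
	if !isHostname(host) {
		return fmt.Errorf("host %q is not '*', a hostname or an IP address", host)
	}
	return nil
}

// isHostname checks each dot-separated label against labelRE; a trailing dot is allowed.
func isHostname(h string) bool {
	for _, label := range strings.Split(strings.TrimSuffix(h, "."), ".") {
		if !labelRE.MatchString(label) {
			return false
		}
	}
	return true
}
```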
47 files changed
Lines changed: 6675 additions & 1654 deletions
File tree
- .github/workflows
- build
- boot
- tasks
- util/exec
- config
- examples
- manifests
- modules/http-fetch
- src
- hack
- pkg
- apis/wasm/v1alpha1
- client
- clientset/versioned/fake
- informers/externalversions
- wasm/v1alpha1
- injection/reconciler/wasm/v1alpha1/wasmmodule
- reconciler/wasmmodule
- runner
- src
- test
- e2e