feat: add wasm filter-chain entity support

[hishamhm]

This brings support for wasm filter chains to deck.

Most of the groundwork for this was laid in the other repos:

• feat: WebAssembly filter chains go-kong#362
• feat: add wasm filter-chain entity support go-database-reconciler#72

Wasm filters were added in 3.4 and are an optional feature. Feature detection in deck works by fetching the root admin API endpoint and inspecting the configuration to see if wasm is enabled (this works for versions <3.4 and versions >=3.4 with wasm disabled). Feature detection does not run in Konnect mode; therefore Konnect is not yet supported, only Kong gateway OSS/EE

For the sake of keeping things reasonable in size (we're at >3k new lines of code if you include the other 2 PRs), there are some validation steps that have been left out:

• validating filter chain names against those that the admin API tells us are installed/available
• validating filter configurations against the JSON schema from the admin API

These things are of course still validated by the Kong admin API, but at a later date it will be possible to validate them client-side for better UX.

---

KAG-4005
KOKO-1275

[CLAassistant]

All committers have signed the CLA.

[flrgh]

See also: Kong/go-database-reconciler#72

[flrgh]

Kong/go-database-reconciler#72 has been merged. Awaiting the merge of Kong/go-database-reconciler#90 and for a new release of go-database-reconciler now.

Edit: both of these are done.

[flrgh]

This feels like a mega hack, but I get test failures without it because sometimes tests run against a workspace that doesn't exist. Is there a better way?

[GGabriele]

I added a comment related to this here: https://github.com/Kong/deck/pull/987/files#r1629376245

In case we need to do this check, do you think we can modify the fetchKongVersion function to also deal with it?

[flrgh]

Ah, so fetchKongVersion() is actually where I got the idea for this. It does something similar by trying to fetch / before trying the /{workspace} endpoint.

[GGabriele]

I suggested to reuse fetchKongVersion() so that we will not have to run the same query twice.

Also, the current code would fail with 401 if decK doesn't have the permissions to query the default workspace.

[flrgh]

re: CI Test / test (pull_request) Failing after 4m, this is due to us getting ratelimited by Codecov:

[2024-05-21T16:04:17.142Z] ['error'] There was an error running the uploader: Error uploading to https://codecov.io: Error: There was an error fetching the storage URL during POST: 429 - {'detail': ErrorDetail(string='Rate limit reached. Please upload with the Codecov repository upload token to resolve issue. Expected time to availability: 2452s.', code='throttled')}
Error: Codecov: Failed to properly upload: The process '/home/runner/work/_actions/codecov/codecov-action/v3/dist/codecov' failed with exit code 255

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 0% with 50 lines in your changes are missing coverage. Please review.

Project coverage is 22.18%. Comparing base (509fa23) to head (47aac11).

Files	Patch %	Lines
cmd/common.go	0.00%	42 Missing ⚠️
cmd/gateway_dump.go	0.00%	4 Missing ⚠️
cmd/gateway_validate.go	0.00%	2 Missing ⚠️
validate/validate.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #987      +/-   ##
==========================================
- Coverage   22.42%   22.18%   -0.25%     
==========================================
  Files          54       54              
  Lines        4508     4558      +50     
==========================================
  Hits         1011     1011              
- Misses       3397     3447      +50     
  Partials      100      100              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[flrgh]

👋 @GGabriele do you think you could review or help source a reviewer for this PR?

[GGabriele]

Is this even needed? If decK attempts to create a filter chain on a Gateway that doesn't support it, can't we just return the API error back to the caller?

Right now decK is mostly best effort when it comes to features driven by Kong configuration, for example decK doesn't check whether a custom plugin exists before attempting to configure it.

[flrgh]

If we don't do some kind of feature detection, pretty much all deck commands will throw an error when executing against a Kong node without wasm support (too old version, not turned on, etc) because GET /filter-chains will return 404/405.

So you are correct that checkFilterChainsAllowed is not strictly required, but determineFilterChainSupport (feature detection) is. I would prefer to keep the checkFilterChainsAllowed guard in place because it's nicer on the user to fail fast and protects against things like incomplete sync, but I can remove it if you think it's just not a good fit with the rest of the codebase.

[GGabriele]

GET /filter-chains will return 404/405.

For reference, we do this already for Consumer Groups: https://github.com/Kong/go-database-reconciler/blob/main/pkg/dump/dump.go#L90

I'm okay if you prefer to do this extra check though.

[flrgh]

Ahhhhh interesting. I think I prefer it that way actually. I'll do some testing and push this logic to go-database-reconciler.

[flrgh]

Kong/go-database-reconciler#101

[GGabriele]

Can we please add some integration tests too?