Version: 1.6.x

WASM Extension

The WASM extension resource allows defining custom WASM extensions that are packaged in OCI images. The resource also carries extension metadata that documents how an extension works and how it can be used. Once defined, extensions can be referenced in Ingress and Egress Gateways and Security Groups so that traffic is captured and processed by the extension. By default, extensions are globally available, but they can also be assigned to specific Tenants to further control and constrain where in the Organization the extensions may be used.

```yaml
apiVersion: extension.tsb.tetrate.io/v2
kind: WasmExtension
metadata:
  organization: org
  name: wasm-auth
spec:
  allowedIn:
    - organizations/org/tenants/tenant1
  image: oci://docker.io/example/my-wasm-extension:1.0
  source: https://github.com/example/wasm-extension
  description: |
    Long description for the extension such as an
    entire README file
  phase: AUTHZ
  priority: 1000
  config:
    some_key: some_value
```

EnvValueSource

| Name | Number | Description |
| --- | --- | --- |
| INLINE | 0 | Explicitly given key-value pairs to be injected into this VM. |
| HOST | 1 | Istio-proxy's environment variables exposed to this VM. |

EnvVar

| Field | Description | Validation Rule |
| --- | --- | --- |
| name | `string`, REQUIRED. Name of the environment variable. Must be a C identifier matching the regex `[A-Za-z][A-Za-z0-9_]*`. | `string = {pattern: [A-Za-z_][A-Za-z0-9_]*}` |
| valueFrom | `tetrateio.api.tsb.extension.v2.EnvValueSource`, REQUIRED. Source for the environment variable's value. | `enum = {defined_only: true}` |
| value | `string`. Value for the environment variable. Ignored when `valueFrom` is `HOST`. Defaults to `""`. | |

VmConfig

Configuration for a Wasm VM. More details can be found here.

| Field | Description | Validation Rule |
| --- | --- | --- |
| env | List of `tetrateio.api.tsb.extension.v2.EnvVar`. Specifies environment variables to be injected into this VM. Note that if a key does not exist, it will be ignored. | |

WasmExtension

| Field | Description | Validation Rule |
| --- | --- | --- |
| allowedIn | List of `string`. List of fqns where this extension is allowed to run. If it is empty, the extension can be used across the entire organization. Currently only Tenant resources are considered. | `repeated = {items: {string: {min_len: 1}}}` |
| image | `string`, REQUIRED. Repository and tag of the OCI image containing the WASM extension. | `string = {prefix: oci://}` |
| source | `string`. Source to find the code for the WASM extension. | |
| phase | `tetrateio.api.tsb.extension.v2.WasmExtension.PluginPhase`. The phase in the filter chain where the extension will be injected. See https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase | `enum = {defined_only: true}` |
| priority | `int32`. Determines the ordering of WasmExtensions in the same phase. When multiple WasmExtensions are applied to the same workload in the same phase, they are applied by priority in descending order. If no priority is assigned, the default value 0 is used. If several extensions in the same phase have the same priority, the fqn is used to sort them. | |
| config | `google.protobuf.Struct`. Configuration parameters sent to the WASM plugin execution. The configuration can be overwritten when instantiating the extension in Ingress Gateways or Security Groups. The config is serialized using proto3 JSON marshaling and passed to `proxy_on_configure` when the host environment starts the plugin. | |
| imagePullPolicy | `tetrateio.api.tsb.extension.v2.WasmExtension.PullPolicy`. The pull behaviour to be applied when fetching the Wasm module by either OCI image or http/https. Only relevant when the Wasm module is referenced without any digest (either a digest in the OCI image URL or the sha256 field in vm_config). Defaults to IfNotPresent, except when an OCI image is referenced in the URL and the latest tag is used, in which case Always is the default, mirroring K8s behaviour. | `enum = {defined_only: true}` |
| imagePullSecret | `string`. Credentials to use for OCI image pulling. Name of a K8s Secret in the same namespace as the WasmPlugin that contains a docker pull secret, which is used to authenticate against the registry when pulling the image. | |
| vmConfig | `tetrateio.api.tsb.extension.v2.VmConfig`. VM configuration sent to the WASM plugin execution. | |
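As an added example that is not part of the TSB documentation or product, the following Python linter applies the validation rules, defaults and enum values from the tables on this page to a WasmExtension manifest (given as a parsed dict) and reproduces the ordering described for `priority`. The `@sha256:` digest check, the constructed `SAMPLE` manifest and the ascending fqn tie-break are assumptions of this example.

```python
import re

# Constraints taken from the tables on this page (regex, prefix, enum values).
ENV_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
PHASES = {"UNSPECIFIED_PHASE", "AUTHN", "AUTHZ", "STATS"}
PULL_POLICIES = {"UNSPECIFIED_POLICY", "IfNotPresent", "Always"}

def lint_wasm_extension(ext: dict) -> list[str]:
    """Return review findings for one WasmExtension manifest given as a dict."""
    spec = ext.get("spec", {})
    findings = []
    image = spec.get("image", "")
    if not image.startswith("oci://"):
        findings.append("image: must start with oci://")
    elif "@sha256:" not in image:
        # No digest: the pull policy decides what runs, and ':latest' defaults to Always.
        findings.append("image: not pinned by digest, a mutable tag is resolved at pull time")
    if not spec.get("allowedIn"):
        findings.append("allowedIn: empty, extension is usable across the entire organization")
    elif any(not fqn for fqn in spec["allowedIn"]):
        findings.append("allowedIn: every item must be a non-empty fqn (min_len 1)")
    if spec.get("phase", "UNSPECIFIED_PHASE") not in PHASES:
        findings.append(f"phase: {spec['phase']!r} is not a defined PluginPhase")
    if spec.get("imagePullPolicy", "UNSPECIFIED_POLICY") not in PULL_POLICIES:
        findings.append(f"imagePullPolicy: {spec['imagePullPolicy']!r} is not a defined PullPolicy")
    for var in spec.get("vmConfig", {}).get("env", []):
        name = var.get("name", "")
        if not ENV_NAME_RE.fullmatch(name):
            findings.append(f"vmConfig.env: name {name!r} is not a C identifier")
        if var.get("valueFrom") == "HOST" and var.get("value"):
            findings.append(f"vmConfig.env: value of {name!r} is ignored because valueFrom is HOST")
    return findings

def order_in_phase(extensions: list[dict], phase: str) -> list[str]:
    """fqns of the extensions in `phase` in application order: priority descending
    (default 0), ties broken by fqn (ascending order is an assumption here)."""
    same_phase = [e for e in extensions if e.get("phase", "UNSPECIFIED_PHASE") == phase]
    same_phase.sort(key=lambda e: (-e.get("priority", 0), e["fqn"]))
    return [e["fqn"] for e in same_phase]

# Constructed sample: the page's example plus a HOST env var that carries a value.
SAMPLE = {"spec": {
    "allowedIn": ["organizations/org/tenants/tenant1"],
    "image": "oci://docker.io/example/my-wasm-extension:1.0",
    "phase": "AUTHZ",
    "priority": 1000,
    "vmConfig": {"env": [{"name": "LOG_LEVEL", "valueFrom": "HOST", "value": "debug"}]},
}}
```

Calling `lint_wasm_extension(SAMPLE)` yields two findings: the image is referenced by tag rather than digest, and the `HOST` variable's `value` is silently ignored.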

PluginPhase

Plugin phases following the Istio definition: https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase

| Name | Number | Description |
| --- | --- | --- |
| UNSPECIFIED_PHASE | 0 | The control plane decides where to insert the plugin. This will generally be at the end of the filter chain, right before the Router. Do not specify PluginPhase if the plugin is independent of others. |
| AUTHN | 1 | Insert the plugin before Istio authentication filters. |
| AUTHZ | 2 | Insert the plugin before Istio authorization filters and after Istio authentication filters. |
| STATS | 3 | Insert the plugin before Istio stats filters and after Istio authorization filters. |

PullPolicy

The pull behaviour to be applied when fetching a WASM module, mirroring K8s behaviour.

| Name | Number | Description |
| --- | --- | --- |
| UNSPECIFIED_POLICY | 0 | Defaults to IfNotPresent, except for OCI images with the tag latest, for which the default will be Always. |
| IfNotPresent | 1 | If an existing version of the image has been pulled before, that will be used. If no version of the image is present locally, we will pull the latest version. |
| Always | 2 | We will always pull the latest version of an image when changing this plugin. Note that the change includes the metadata field as well. |