WASM Extension
The WASM extension resource allows defining custom WASM extensions that are packaged in OCI images. The resource allows specifying extension metadata that helps understand how extensions work and how they can be used. Once defined, extensions can be referenced in Ingress and Egress Gateways and Security Groups so that traffic is captured and processed by the extension accordingly. By default, extensions are globally available, but they can also be assigned to specific Tenants to further control and constrain where in the Organization the extensions are allowed to be used.
apiVersion: extension.tsb.tetrate.io/v2
kind: WasmExtension
metadata:
  organization: org
  name: wasm-auth
spec:
  allowedIn:
    - organizations/org/tenants/tenant1
  image: oci://docker.io/example/my-wasm-extension:1.0
  source: https://github.com/example/wasm-extension
  description: |
    Long description for the extension such as an
    entire README file
  phase: AUTHZ
  priority: 1000
  config:
    some_key: some_value
EnvValueSource
Name | Number | Description |
INLINE | 0 | Explicitly given key-value pairs to be injected to this VM. |
HOST | 1 | Istio-proxy's environment variables exposed to this VM. |
EnvVar
Field | Description | Validation Rule |
name | string | string = { |
valueFrom | tetrateio.api.tsb.extension.v2.EnvValueSource | enum = { |
value | string | – |
VmConfig
Configuration for a Wasm VM. More details can be found here.
Field | Description | Validation Rule |
env | List of tetrateio.api.tsb.extension.v2.EnvVar | – |
WasmExtension
Field | Description | Validation Rule |
allowedIn | List of string | repeated = { |
image | string | string = { |
source | string | – |
phase | tetrateio.api.tsb.extension.v2.WasmExtension.PluginPhase | enum = { |
priority | int32 | – |
config | google.protobuf.Struct | – |
imagePullPolicy | tetrateio.api.tsb.extension.v2.WasmExtension.PullPolicy | enum = { |
imagePullSecret | string | – |
vmConfig | tetrateio.api.tsb.extension.v2.VmConfig | – |
PluginPhase
Plugin phases following Istio definition: https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase
Name | Number | Description |
UNSPECIFIED_PHASE | 0 | Control plane decides where to insert the plugin. This will generally be at the end of the filter chain, right before the Router. Do not specify PluginPhase if the plugin is independent of others. |
AUTHN | 1 | Insert plugin before Istio authentication filters. |
AUTHZ | 2 | Insert plugin before Istio authorization filters and after Istio authentication filters. |
STATS | 3 | Insert plugin before Istio stats filters and after Istio authorization filters. |
PullPolicy
The pull behaviour to be applied when fetching a WASM module, mirroring K8s behaviour.
Name | Number | Description |
UNSPECIFIED_POLICY | 0 | Defaults to IfNotPresent, except for OCI images with tag |
IfNotPresent | 1 | If an existing version of the image has been pulled before, that will be used. If no version of the image is present locally, we will pull the latest version. |
Always | 2 | We will always pull the latest version of an image when changing this plugin. Note that the change includes |
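
The checks below are an added example, not part of the TSB documentation or code: a short Python review of a WasmExtension manifest against the fields described above (allowedIn scope, image reference, phase, and HOST environment variables). The sample manifest is constructed, the env var name POD_NAME and the finding codes are hypothetical, enum values are assumed to appear by name, and digest pinning is an assumed local review policy rather than a TSB validation rule.

```python
# Added example: review checks for a WasmExtension spec (not TSB code).
import re

# Constructed sample: the page's manifest as a dict, without allowedIn and
# with a hypothetical HOST-sourced env var (POD_NAME).
SAMPLE = {
    "apiVersion": "extension.tsb.tetrate.io/v2",
    "kind": "WasmExtension",
    "metadata": {"organization": "org", "name": "wasm-auth"},
    "spec": {
        "image": "oci://docker.io/example/my-wasm-extension:1.0",
        "phase": "AUTHZ",
        "priority": 1000,
        "vmConfig": {"env": [{"name": "POD_NAME", "valueFrom": "HOST"}]},
    },
}

# An image reference that ends in an immutable sha256 digest.
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


def review(manifest):
    """Return a sorted list of finding codes for one WasmExtension manifest."""
    spec = manifest.get("spec", {})
    findings = []
    # No allowedIn: the extension is globally available by default.
    if not spec.get("allowedIn"):
        findings.append("GLOBAL_SCOPE")
    # Tags can be re-pushed; requiring a digest is an assumed local policy.
    if not DIGEST.search(spec.get("image", "")):
        findings.append("IMAGE_NOT_DIGEST_PINNED")
    # No phase: the control plane decides where the plugin is inserted.
    if spec.get("phase", "UNSPECIFIED_PHASE") == "UNSPECIFIED_PHASE":
        findings.append("PHASE_UNSPECIFIED")
    # HOST env vars expose Istio-proxy environment values to the Wasm VM.
    for var in spec.get("vmConfig", {}).get("env", []):
        if var.get("valueFrom") == "HOST":
            findings.append("HOST_ENV:" + var.get("name", "?"))
    return sorted(findings)


if __name__ == "__main__":
    for code in review(SAMPLE):
        print(code)
```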