Proto: wasm_deployment_policy.proto

Package: extensions.policy.gloo.solo.io

Types:

WasmDeploymentPolicyReport

FieldDescription
workspaces(repeated WasmDeploymentPolicyReport.WorkspacesEntry)

selectedWorkloads(repeated common.gloo.solo.io.WorkloadReference)

A list of workloads selected by the policy.

WasmDeploymentPolicyReport.WorkspacesEntry

FieldDescription
key(string)

value(common.gloo.solo.io.Report)

WasmDeploymentPolicySpec

WasmDeploymentPolicy is used to deploy Wasm filters to workloads which have injected (sidecars) or are standalone proxies (gateways). WasmDeploymentPolicies are applied at the Workload level.

FieldDescription
applyToWorkloads(repeated common.gloo.solo.io.WorkloadSelector)

select the workloads where access logs will be collected. if left empty, will apply to all workloads in the workspace.
config(WasmDeploymentPolicySpec.Config)

The configuration of the specifying the WASM filters to apply to the selected workloads.

WasmDeploymentPolicySpec.Config

FieldDescription
filters(repeated WasmDeploymentPolicySpec.Config.WasmFilter)

Specify WASM filter parameters.
weight(uint32)

Weight is used to determine the order of WASM Filters when applying multiple WasmDeployments to a single workload. Deployed WASM filters will be sorted in order of highest to lowest weight. WasmDeployments with equal weights will be sorted non-deterministically. Note that all WASM Filters are currently inserted just before the Envoy router filter in the HTTP Connection Manager’s HTTP Filter Chain.

WasmDeploymentPolicySpec.Config.WasmFilter

Specify the WASM Filter to deploy.

FieldDescription
localPathSource(string)

Select local_path_source to deploy the filter from a file accessible to the workload proxy. Note that Gloo Mesh cannot verify whether the target workload proxy containers contain the given path. If filters do not load, please inspect the sidecar proxy logs. @exclude TODO(ilackarms): see if we can somehow verify the filter exists in the proxy container and surface that on the WasmDeployment status
httpUriSource(WasmDeploymentPolicySpec.Config.WasmFilter.UriSource)

Select http_uri_source to deploy the filter from an HTTP/S URI accessible to the workload proxy. Note that Gloo Mesh cannot verify whether the target workload proxy containers have HTTP access the given URI. If filters do not load, please inspect the sidecar proxy logs. @exclude TODO(ilackarms): see if we can somehow verify the filter exists in the proxy container and surface that on the WasmDeployment status @exclude TODO(ilackarms): we may need to provide options for customizing the Cluster given to envoy along with the HTTP Fetch URI. currently Gloo Mesh will create a simple plaintext HTTP cluster from the Host/Port specified in the URI.
wasmImageSource(WasmDeploymentPolicySpec.Config.WasmFilter.WasmImageSource)

fetch the image from a WASM OCI Registry Images can be built and pushed to registries using meshctl and wasme.
staticFilterConfig(google.protobuf.Any)

Provide configuration as a static google.protobuf.Struct is serialized as JSON before passing it to the plugin. google.protobuf.BytesValue and google.protobuf.StringValue are passed directly without the wrapper. For information about the value format, see the Google protocol buffer documentation.
dynamicFilterConfig(string)

Provide configuration from a dynamic configuration source. This is used to connect proxies to a user-provided configuration server rather than using the WasmDeployment CR to update filter configuration. NOTE: Not currently implemented. This field serves as a placeholder. passing it to the plugin. google.protobuf.BytesValue and google.protobuf.StringValue are passed directly without the wrapper. @exclude TODO(ilackarms): implement with dynamic filter config source (FCDS) https://github.com/envoyproxy/envoy/issues/7867
rootId(string)

The root id must match the root id defined inside the filter. If the user does not provide this field, Gloo Mesh will pull the image and set it from the filter_conf contained in the image config. Note that if the filter_source is not set to wasm_image_source, this field is required.
vmId(string)

An ID which will be used along with a hash of the wasm code (or the name of the registered Null VM plugin) to determine which VM will be used to load the WASM filter. All filters on the same proxy which use the same vm_id and code within will use the same VM. May be left blank. Sharing a VM between plugins can reduce memory utilization and make sharing of data easier which may have security implications.
filterContext(istio.networking.v1alpha3.EnvoyFilter.PatchContext)

The specific config generation context to which to attach the filter. Istio generates envoy configuration in the context of a gateway, inbound traffic to sidecar and outbound traffic from sidecar. Uses the Istio default (ANY).
insertBeforeFilter(string)

The filter in the Envoy HTTP Filter Chain immediately before which the WASM filter will be inserted. Defaults to envoy.router.

WasmDeploymentPolicySpec.Config.WasmFilter.UriSource

Specify options for fetching WASM Filters from an HTTP URI.

FieldDescription
uri(string)

The HTTP URI from which to fetch the filter.
sha(string)

Required. The Sha256 Checksum of the filter binary (will be verified by the proxy).

WasmDeploymentPolicySpec.Config.WasmFilter.WasmImageSource

Specify options for fetching WASM Filters from a WASM-compatible OCI Registry. Images can be built and pushed to registries using meshctl and wasme.

FieldDescription
wasmImageTag(string)

The full tag of the wasm image. It must include the registry address at the beginning, e.g. “webassemblyhub.io/ilackarms/helloworld:v0.1”.

WasmDeploymentPolicyStatus

reflects the status of the WasmDeploymentPolicy

FieldDescription
common(common.gloo.solo.io.Status)

numSelectedWorkloads(uint32)

The number of workloads selected by the policy.