Proto: wasm_deployment_policy.proto

Package: extensions.policy.gloo.solo.io

Add a Wasm filter to the Envoy sidecar proxy, for use cases such as customizing the endpoints and thresholds for your workloads. WasmDeploymentPolicies are applied at the Workload level.

Example

In this example, a filter adds a custom header to the response from the ratings service in the Bookinfo application.

  apiVersion: extensions.policy.gloo.solo.io/v2
kind: WasmDeploymentPolicy
metadata:
  annotations:
    cluster.solo.io/cluster: ""
  name: wasm-deployment-policy
  namespace: bookinfo
spec:
  applyToWorkloads:
  - selector:
      cluster: cluster-1
      labels:
        app: ratings
      namespace: bookinfo
  config:
    filters:
    - filterContext: SIDECAR_INBOUND
      wasmImageSource:
        wasmImageTag: gcr.io/solo-public/docs/assemblyscript-test:istio-1.8
  

WasmDeploymentPolicyReport

The report shows the resources that the policy selects after the policy is successfully applied.

FieldDescription
workspaces(repeated WasmDeploymentPolicyReport.WorkspacesEntry)

A list of workspaces in which the policy can apply to workloads.
selectedWorkloads(repeated common.gloo.solo.io.WorkloadReference)

A list of workloads selected by the policy.

WasmDeploymentPolicyReport.WorkspacesEntry

FieldDescription
key(string)

value(common.gloo.solo.io.Report)

WasmDeploymentPolicySpec

Specifications for the policy.

FieldDescription
applyToWorkloads(repeated common.gloo.solo.io.WorkloadSelector)

Select the workloads to apply the Wasm filter to. If empty, the policy applies to all workloads in the workspace.
config(WasmDeploymentPolicySpec.Config)

Details of the policy specifying the Wasm filters to apply to the selected workloads.

WasmDeploymentPolicySpec.Config

Details of the policy specifying the Wasm filters to apply to the selected workloads.

FieldDescription
filters(repeated WasmDeploymentPolicySpec.Config.WasmFilter)

Wasm filter parameters.
weight(uint32)

If you apply multiple Wasm filters to a single workload, add a weight to specify the order in which the filters are applied. Deployed Wasm filters are sorted in order of highest to lowest weight. Wasm filters with equal weights are sorted non-deterministically. Note that all Wasm filters are inserted immediately before the Envoy router filter in the HTTP Connection Manager’s HTTP Filter Chain.

WasmDeploymentPolicySpec.Config.WasmFilter

Specify the Wasm filter to deploy.

FieldDescription
localPathSource(string)

Select local_path_source to deploy the filter from a file accessible to the workload proxy. Note that Gloo Mesh cannot verify whether the target workload proxy containers contain the given path. If filters do not load, check the sidecar proxy logs.
httpUriSource(WasmDeploymentPolicySpec.Config.WasmFilter.UriSource)

Select http_uri_source to deploy the filter from an HTTP/S URI accessible to the workload proxy. Note that Gloo Mesh cannot verify whether the target workload proxy containers have HTTP access the given URI. If filters do not load, check the sidecar proxy logs.
wasmImageSource(WasmDeploymentPolicySpec.Config.WasmFilter.WasmImageSource)

Fetch the image from a WASM OCI Registry. Images can be built and pushed to registries using meshctl and wasme CLI tool.
staticFilterConfig(google.protobuf.Any)

Provide configuration as a static configuration source.
  • google.protobuf.Struct is serialized as JSON before it is passed to the plugin.
  • google.protobuf.BytesValue and google.protobuf.StringValue are passed directly without the wrapper.

For information about the value format, see the Google protocol buffer documentation.
dynamicFilterConfig(string)

NOTE: Not currently implemented. This field serves as a placeholder. Provide configuration from a dynamic configuration source. This setting connects proxies to a configuration server to update filter configuration instead of using a filter provided in the policy.
  • google.protobuf.Struct is serialized as JSON before it is passed to the plugin.
  • google.protobuf.BytesValue and google.protobuf.StringValue are passed directly without the wrapper.

rootId(string)

The rootId must match the rootId defined in the filter. If omitted, Gloo Mesh pulls and sets the image from the filter_conf contained in the image config. Note that if the filter_source is not set to wasm_image_source, this field is required.
vmId(string)

Optional: A VM ID, used along with a hash of the Wasm code (or the name of the registered Null VM plugin), to determine which VM loads the Wasm filter. All filters on the same workload that use the same vmId and code within use the same VM.
Note that sharing a VM between plugins can reduce memory utilization and make sharing of data easier, which may have security implications.
filterContext(istio.networking.v1alpha3.EnvoyFilter.PatchContext)

The context that the filter is attached to:
  • Any workload context (ANY)
  • A gateway (GATEWAY)
  • Inbound traffic to a sidecar proxy (SIDECAR_INBOUND)
  • Outbound traffic from a sidecar (SIDECAR_OUTBOUND)

By default, the value is ANY to permit any context.
insertBeforeFilter(string)

In the Envoy HTTP Filter Chain, the filter that the Wasm filter is inserted immediately before. Note that not all filters might be applied to a particular workload. Default value: envoy.router.

WasmDeploymentPolicySpec.Config.WasmFilter.UriSource

Options for fetching Wasm filters from an HTTP URI.

FieldDescription
uri(string)

The HTTP URI from which to fetch the filter.
sha(string)

Required: The sha256 checksum of the filter binary. This value is verified by the proxy.

WasmDeploymentPolicySpec.Config.WasmFilter.WasmImageSource

Options for fetching the Wasm image from a Wasm-compatible OCI Registry. Images can be built and pushed to registries using meshctl and wasme.

FieldDescription
wasmImageTag(string)

The full tag of the Wasm image. The tag must include the registry address at the beginning, such as webassemblyhub.io/ilackarms/helloworld:v0.1.

WasmDeploymentPolicyStatus

The status of the policy after it is applied to your Gloo environment.

FieldDescription
common(common.gloo.solo.io.Status)

The state and workspace conditions of the applied resource.
numSelectedWorkloads(uint32)

The number of workloads selected by the policy.