if a username/password is required, specify here the name of a secret: with keys: * username: * password: the secret must live in the Enterprise Agent namespace as the FilterDeployment
insecureSkipVerify
bool
skip verifying the image server's TLS certificate
plainHttp
bool
use HTTP instead of HTTPS
UriSource
Specifies options for fetching WASM Filters from an HTTP URI.
Field
Type
Label
Description
uri
string
The HTTP URI from which to fetch the filter
sha
string
The Sha256 Checksum of the filter binary (will be verified by the proxy). Required.
WasmDeploymentSpec
A WasmDeployment deploys one or more WASM Envoy Filters to selected Sidecars and Gateways in a Mesh.
Sidecars/Gateways whose Workloads match these selectors will attach the specified WASM Filters. Leave empty to have all workloads in the mesh apply receive the WASM Filter.
weight is used to determine the order of WASM Filters when applying multiple WasmDeployments to a single workload. Deployed WASM filters will be sorted in order of highest to lowest weight. WasmDeployments with equal weights will be sorted non-deterministically. Note that all WASM Filters are currently inserted just before the Envoy router filter in the HTTP Connection Manager's HTTP Filter Chain.
WasmDeploymentStatus
Field
Type
Label
Description
observedGeneration
int64
The most recent generation observed in the the WasmDeployment metadata. if the observedGeneration does not match generation, the controller has not received the most recent version of this resource.
error
string
Any errors encountered while processing this generation of the resource. This can include failures to pull a WASM image as well as missing or invalid fields in the spec.
Select local_path_source to deploy the filter from a file accessible to the workload proxy. Note that Gloo Mesh cannot verify whether the target workload proxy containers contain the given path. If filters do not load, please inspect the sidecar proxy logs. TODO(ilackarms): see if we can somehow verify the filter exists in the proxy container and surface that on the WasmDeployment status
Select http_uri_source to deploy the filter from an HTTP/S URI accessible to the workload proxy. Note that Gloo Mesh cannot verify whether the target workload proxy containers have HTTP accesss the given URI. If filters do not load, please inspect the sidecar proxy logs. TODO(ilackarms): see if we can somehow verify the filter exists in the proxy container and surface that on the WasmDeployment status TODO(ilackarms): we may need to provide options for customizing the Cluster given to envoy along with the HTTP Fetch URI. currently Gloo Mesh will create a simple plaintext HTTP cluster from the Host/Port specified in the URI.
Provide configuration as a static google.protobuf.Struct is serialized as JSON before passing it to the plugin. google.protobuf.BytesValue and google.protobuf.StringValue are passed directly without the wrapper.
dynamicFilterConfig
string
Provide configuration from a dynamic configuration source. This is used to connect proxies to a user-provided configuration server rather than using the WasmDeployment CR to update filter configuration. NOTE: Not currently implemented. This field serves as a placeholder. passing it to the plugin. google.protobuf.BytesValue and google.protobuf.StringValue are passed directly without the wrapper. TODO(ilackarms): implement with dynamic filter config source (FCDS) https://github.com/envoyproxy/envoy/issues/7867
rootId
string
the root id must match the root id defined inside the filter. if the user does not provide this field, Gloo Mesh will attempt to pull the image and set it from the filter_conf contained in the image config. note that if the filter_source is not set to wasm_image_source, this field is required
vmId
string
An ID which will be used along with a hash of the wasm code (or the name of the registered Null VM plugin) to determine which VM will be used to load the WASM filter. All filters on the same proxy which use the same vm_id and code within will use the same VM. May be left blank. Sharing a VM between plugins can reduce memory utilization and make sharing of data easier which may have security implications.
The specific config generation context to which to attach the filter. Istio generates envoy configuration in the context of a gateway, inbound traffic to sidecar and outbound traffic from sidecar. Uses the Istio default (ANY).
insertBeforeFilter
string
The filter in the Envoy HTTP Filter Chain immediately before which the WASM filter will be inserted. Defaults to envoy.router.
WasmImageSource
Specifies options for fetching WASM Filters from a WASM-compatible OCI Registry Images can be built and pushed to registries using meshctl and wasme.
Field
Type
Label
Description
wasmImageTag
string
the full tag of the wasm image. should include the registry address at the beginning, e.g. webassemblyhub.io/ilackarms/helloworld:v0.1
WasmDeploymentStatus.WorkloadState
WorkloadState is the state of the WasmDeployment resource as it has been applied to an individual workload.
Name
Number
Description
DEPLOYMENT_PENDING
0
DEPLOYMENT_PENDING filters have not yet been deployed to the target workload.
FILTERS_DEPLOYED
1
FILTERS_DEPLOYED indicates the WASM Filters have been deployed to the target workload (along with any cluster dependencies).
DEPLOYMENT_FAILED
2
DEPLOYMENT_FAILED indicates Deploying the WASM Filters to this workload failed
