WASM Extension
Tetrate Service Express (TSE) utilizes many of the same components as the Tetrate Service Bridge (TSB) product but has several distinctions. Go to Comparing TSE and TSB for more details.
The WASM extension resource allows defining custom WASM extensions that are packaged in OCI images. The resource allows specifying extension metadata that helps understand how extensions work and how they can be used. Once defined, extensions can be referenced in Ingress and Egress Gateways and Security Groups so that traffic is captured and processed by the extension accordingly. By default, extensions are globally available, but they can also be assigned to specific Tenants to further control and constrain where in the Organization the extensions are allowed to be used.
```yaml
apiVersion: extension.tsb.tetrate.io/v2
kind: WasmExtension
metadata:
  organization: tse
  name: wasm-auth
spec:
  allowedIn:
    - organizations/org/tenants/tenant1
  url: oci://docker.io/example/my-wasm-extension:1.0
  source: https://github.com/example/wasm-extension
  description: |
    Long description for the extension such as an
    entire README file
  phase: AUTHZ
  priority: 1000
  config:
    some_key: some_value
```
WASM extensions can also reference HTTP endpoints:
```yaml
apiVersion: extension.tsb.tetrate.io/v2
kind: WasmExtension
metadata:
  organization: tse
  name: wasm-http
spec:
  url: http://tetrate.io/my-extension.wasm
  source: https://github.com/example/wasm-extension
  description: |
    Long description for the extension such as an
    entire README file
  phase: AUTHZ
  priority: 1000
  config:
    some_key: some_value
```
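A review check for the fields used in the manifests above, as an added example (not Tetrate's code and not part of the TSE API): it takes an already-parsed WasmExtension manifest and flags settings worth a second look before the module is attached to gateways. The function names, finding codes and the two sample dicts are constructed here; the samples mirror the two manifests on this page.

```python
from urllib.parse import urlparse

AUTH_PHASES = {"AUTHN", "AUTHZ"}  # positioned around Istio's auth filters (PluginPhase)

def review_wasm_extension(manifest):
    """Return (code, message) findings for one parsed WasmExtension manifest."""
    spec = manifest.get("spec") or {}
    findings = []
    url = urlparse(spec.get("url") or "")
    if url.scheme == "http":
        findings.append(("cleartext-fetch",
                         "module is fetched over plain HTTP with no transport integrity"))
    elif url.scheme == "oci":
        image = (url.netloc + url.path).rsplit("/", 1)[-1]  # last path segment
        if "@sha256:" not in image:
            # A reference without a tag conventionally resolves to "latest".
            tag = image.partition(":")[2] or "latest"
            findings.append(("mutable-tag",
                             f"tag '{tag}' can be repointed in the registry"))
    if not spec.get("allowedIn"):
        findings.append(("global-scope",
                         "no allowedIn: extension is available to every tenant"))
    if spec.get("phase") in AUTH_PHASES:
        findings.append(("auth-path",
                         f"phase {spec['phase']} places the module in the auth path"))
    if not spec.get("source"):
        findings.append(("no-source", "no source URL recorded for code review"))
    return findings

def codes(manifest):
    """Finding codes only, in the order they were raised."""
    return [code for code, _ in review_wasm_extension(manifest)]

# Constructed inputs mirroring the two manifests on this page.
WASM_AUTH = {"metadata": {"name": "wasm-auth"}, "spec": {
    "allowedIn": ["organizations/org/tenants/tenant1"],
    "url": "oci://docker.io/example/my-wasm-extension:1.0",
    "source": "https://github.com/example/wasm-extension", "phase": "AUTHZ"}}
WASM_HTTP = {"metadata": {"name": "wasm-http"}, "spec": {
    "url": "http://tetrate.io/my-extension.wasm",
    "source": "https://github.com/example/wasm-extension", "phase": "AUTHZ"}}

if __name__ == "__main__":
    for m in (WASM_AUTH, WASM_HTTP):
        print(m["metadata"]["name"])
        for code, msg in review_wasm_extension(m):
            print(f"  [{code}] {msg}")
```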
EnvVar
Field | Description | Validation Rule |
---|---|---|
name | string | string = { |
valueFrom | tetrateio.api.tsb.extension.v2.EnvValueSource | enum = { |
value | string | – |
GlobalTrafficSelector
GlobalTrafficSelector provides a mechanism to select a specific traffic flow for which this Wasm Extension will be enabled. This setting applies to all WASM Extension attachments. These selectors can be overridden at attachments. When all the sub conditions in the TrafficSelector are satisfied, the traffic will be selected.
Field | Description | Validation Rule |
---|---|---|
mode | tetrateio.api.tsb.types.v2.WorkloadMode | – |
VmConfig
Configuration for a Wasm VM. More details can be found here.
Field | Description | Validation Rule |
---|---|---|
env | List of tetrateio.api.tsb.extension.v2.EnvVar | – |
WasmExtension
Field | Description | Validation Rule |
---|---|---|
image | string | – |
source | string | – |
phase | tetrateio.api.tsb.extension.v2.WasmExtension.PluginPhase | enum = { |
priority | int32 | – |
config | google.protobuf.Struct | – |
imagePullPolicy | tetrateio.api.tsb.extension.v2.WasmExtension.PullPolicy | enum = { |
imagePullSecret | string | – |
vmConfig | tetrateio.api.tsb.extension.v2.VmConfig | – |
url | string | string = { |
match | tetrateio.api.tsb.extension.v2.GlobalTrafficSelector | – |
EnvValueSource
Field | Number | Description |
---|---|---|
INLINE | 0 | Explicitly given key-value pairs to be injected to this VM. |
HOST | 1 | Istio-proxy's environment variables exposed to this VM. |
PluginPhase
Plugin phases following Istio definition: https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase
Field | Number | Description |
---|---|---|
UNSPECIFIED_PHASE | 0 | Control plane decides where to insert the plugin. This will generally be at the end of the filter chain, right before the Router. Do not specify PluginPhase if the plugin is independent of others. |
AUTHN | 1 | Insert plugin before Istio authentication filters. |
AUTHZ | 2 | Insert plugin before Istio authorization filters and after Istio authentication filters. |
STATS | 3 | Insert plugin before Istio stats filters and after Istio authorization filters. |
PullPolicy
The pull behaviour to be applied when fetching a WASM module, mirroring K8s behaviour.
Field | Number | Description |
---|---|---|
UNSPECIFIED_POLICY | 0 | Defaults to IfNotPresent, except for OCI images with tag |
IfNotPresent | 1 | If an existing version of the image has been pulled before, that will be used. If no version of the image is present locally, we will pull the latest version. |
Always | 2 | We will always pull the latest version of an image when changing this plugin. Note that the change includes |