Wasm

    Note

    This extension is functional but has not had substantial production burn time, use only with this caveat.

    This extension has an unknown security posture and should only be used in deployments where both the downstream and upstream are trusted.

    Tip

    This extension extends and can be used with the following extension category:

    extensions.wasm.v3.CapabilityRestrictionConfig

    Configuration for restricting Proxy-Wasm capabilities available to modules.

    allowed_capabilities

    (repeated map<string, extensions.wasm.v3.SanitizationConfig>) The Proxy-Wasm capabilities which will be allowed; any capability not listed is unavailable to the module. Capabilities are mapped by name. The SanitizationConfig which each capability maps to is currently unimplemented and ignored, and so should be left empty.

    The capability names are given in the Proxy-Wasm ABI. Additionally, the following WASI capabilities are implemented and can be allowed: fd_write, fd_read, fd_seek, fd_close, fd_fdstat_get, environ_get, environ_sizes_get, args_get, args_sizes_get, proc_exit, clock_time_get, random_get.

    extensions.wasm.v3.SanitizationConfig

    Configuration for sanitization of inputs to an allowed capability.

    NOTE: This is currently unimplemented.

    extensions.wasm.v3.VmConfig

    [extensions.wasm.v3.VmConfig proto]

    Configuration for a Wasm VM.

    vm_id

    (string) An ID which will be used along with a hash of the wasm code (or the name of the registered Null VM plugin) to determine which VM will be used for the plugin. All plugins which use the same vm_id and code will use the same VM. May be left blank. Sharing a VM between plugins can reduce memory utilization and make sharing of data easier, which may have security implications: plugins in one VM share its linear memory and state, so a bug or compromise in one plugin is not isolated from the others in that VM.

    runtime

    (string, REQUIRED) The Wasm runtime type. Available Wasm runtime types are registered as extensions. The following runtimes are included in Envoy code base:

    envoy.wasm.runtime.null: Null sandbox, the Wasm module must be compiled and linked into the Envoy binary. The registered name is given in the code field as inline_string.

    envoy.wasm.runtime.v8: V8-based WebAssembly runtime.

    envoy.wasm.runtime.wavm: WAVM-based WebAssembly runtime. This runtime is not enabled in the official build.

    envoy.wasm.runtime.wasmtime: Wasmtime-based WebAssembly runtime. This runtime is not enabled in the official build.

    Tip

    This extension category has the following known extensions:

    code

    (config.core.v3.AsyncDataSource) The Wasm code that Envoy will execute.

    configuration

    (Any) The Wasm configuration used in initialization of a new VM (proxy_on_start). google.protobuf.Struct is serialized as JSON before passing it to the plugin. google.protobuf.BytesValue and google.protobuf.StringValue are passed directly without the wrapper.

    allow_precompiled

    (bool) Allow the wasm file to include pre-compiled code on VMs which support it. Warning: this should only be enabled for trusted sources, as the precompiled code is not verified; a malicious or corrupted precompiled file is loaded without the validation that normally confines a Wasm module, so it can compromise the Envoy process.

    nack_on_code_cache_miss

    (bool) If true and the code needs to be remotely fetched and it is not in the cache, then NACK the configuration update and do a background fetch to fill the cache; otherwise fetch the code asynchronously and enter the warming state.

    environment_variables

    (extensions.wasm.v3.EnvironmentVariables) Specifies environment variables to be injected into this VM which will be available through WASI’s environ_get and environ_sizes_get system calls. Note that these functions are mostly implicitly called in your language’s standard library, so you do not need to call them directly and you can access env vars just as you do on native platforms. Warning: Envoy rejects the configuration if there is a conflict in the key space, i.e. the same key is given by both host_env_keys and key_values.

    extensions.wasm.v3.EnvironmentVariables

    host_env_keys

    (repeated string) The keys of Envoy’s own environment variables that are exposed to this VM: for each key given, the value of Envoy’s environment variable of that name is injected.

    key_values

    (repeated map<string, string>) Explicitly given key-value pairs to be injected into this VM in the form of “KEY=VALUE”.

    extensions.wasm.v3.PluginConfig

    [extensions.wasm.v3.PluginConfig proto]

    Base Configuration for Wasm Plugins e.g. filters and services.

    name

    (string) A unique name for a filter/service in a VM, used to identify the filter/service if multiple filters/services are handled by the same vm_id and root_id, and for logging/debugging.

    root_id

    (string) A unique ID for a set of filters/services in a VM which will share a RootContext and Contexts if applicable (e.g. a Wasm HttpFilter and a Wasm AccessLog). If left blank, all filters/services with a blank root_id and the same vm_id will share Context(s).

    vm_config

    (extensions.wasm.v3.VmConfig) Configuration for finding or starting a VM.

    configuration

    (Any) Filter/service configuration used to configure or reconfigure a plugin (proxy_on_configuration). google.protobuf.Struct is serialized as JSON before passing it to the plugin. google.protobuf.BytesValue and google.protobuf.StringValue are passed directly without the wrapper.

    fail_open

    (bool) If there is a fatal error on the VM (e.g. exception, abort(), on_start or on_configure returning false), then all plugins associated with the VM will either fail closed (by default), e.g. by returning an HTTP 503 error, or fail open (if ‘fail_open’ is set to true) by bypassing the filter. Note that when the plugin enforces a security policy (authentication, authorization, request validation), fail_open turns a VM crash into a policy bypass, so leave it at the default for such plugins. Note: when on_start or on_configure return false during xDS updates the xDS configuration will be rejected, and when on_start or on_configure return false on initial startup the proxy will not start.

    capability_restriction_config

    (extensions.wasm.v3.CapabilityRestrictionConfig) Configuration for restricting Proxy-Wasm capabilities available to modules.
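    The following is an added example, not configuration from the Envoy documentation or the Envoy project, showing how the VmConfig, PluginConfig and CapabilityRestrictionConfig messages described above fit together in one HTTP filter entry for an http_connection_manager. The module path, the root_id auth_root, the plugin name and the denied_paths key are assumptions for illustration; the capability names are taken from the Proxy-Wasm ABI and the WASI list above.

```yaml
# Added example (not from the Envoy docs page): one HTTP filter entry that
# combines VmConfig, PluginConfig and CapabilityRestrictionConfig.
# Assumed for illustration: the module at /etc/envoy/wasm/auth_filter.wasm,
# its root context registered as "auth_root", and a "denied_paths" key that
# the module reads from its plugin configuration.
http_filters:
- name: envoy.filters.http.wasm
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
    config:
      name: auth_filter          # PluginConfig.name: distinguishes plugins, shows up in logs
      root_id: auth_root         # PluginConfig.root_id: must match the module's root context
      fail_open: false           # PluginConfig.fail_open: a VM crash yields HTTP 503, not a bypass
      configuration:             # PluginConfig.configuration: Struct is passed as JSON to proxy_on_configure
        "@type": type.googleapis.com/google.protobuf.Struct
        value:
          denied_paths: ["/internal", "/debug"]
      vm_config:
        vm_id: auth_vm           # VmConfig.vm_id: plugins with the same vm_id and code share one VM
        runtime: envoy.wasm.runtime.v8
        allow_precompiled: false # keep off unless the module comes from a trusted build pipeline
        code:                    # VmConfig.code: AsyncDataSource; a local file, so no remote fetch
          local:
            filename: /etc/envoy/wasm/auth_filter.wasm
        configuration:           # VmConfig.configuration: StringValue is passed unwrapped to proxy_on_start
          "@type": type.googleapis.com/google.protobuf.StringValue
          value: "log_level=info"
        environment_variables:
          host_env_keys: ["HOSTNAME"]   # copied from Envoy's own environment
          key_values:
            WASM_TENANT: "tenant-a"     # explicit KEY=VALUE pairs; keys must not collide with host_env_keys
      capability_restriction_config:
        allowed_capabilities:
          # Proxy-Wasm ABI names the filter needs, both host callbacks into the
          # module and host calls the module makes. Map values are
          # SanitizationConfig, unimplemented today, so they stay empty.
          proxy_on_context_create: {}
          proxy_on_vm_start: {}
          proxy_on_configure: {}
          proxy_on_request_headers: {}
          proxy_on_done: {}
          proxy_on_delete: {}
          proxy_log: {}
          proxy_get_header_map_pairs: {}
          proxy_get_header_map_value: {}
          proxy_send_local_response: {}
          proxy_get_buffer_bytes: {}
          # WASI calls the module's standard library uses.
          fd_write: {}
          clock_time_get: {}
          environ_get: {}
          environ_sizes_get: {}
          random_get: {}
```

    Anything not in allowed_capabilities is unavailable to the module, so start from the set of imports the module actually declares and the callbacks it implements, and widen the list only when a specific host call is needed; an allow list that is too narrow shows up as a failed or inert plugin rather than a silent bypass, which is the safer failure.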

    extensions.wasm.v3.WasmService

    [extensions.wasm.v3.WasmService proto]

    WasmService is configured as a built-in envoy.wasm_service. This opaque configuration will be used to create a Wasm Service.

    config

    (extensions.wasm.v3.PluginConfig) General plugin configuration.

    singleton
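    The following is an added example, not configuration from the Envoy documentation or the Envoy project, of a WasmService started from the bootstrap rather than attached to a listener, for a module that runs a background task instead of filtering requests. The bootstrap extension name envoy.bootstrap.wasm and the meaning of singleton (one VM for the process instead of one per worker thread) are taken from Envoy’s own documentation rather than from the page above; the module path, name and root_id are assumptions for illustration.

```yaml
# Added example (not from the Envoy docs page): a WasmService as a bootstrap
# extension. Assumed for illustration: the module at
# /etc/envoy/wasm/metrics_exporter.wasm with root context "metrics_root".
bootstrap_extensions:
- name: envoy.bootstrap.wasm
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.wasm.v3.WasmService
    singleton: true                # one VM for the whole process, not one per worker thread
    config:                        # PluginConfig, same message as for filters
      name: metrics_exporter
      root_id: metrics_root
      fail_open: false             # a VM failure at startup stops the proxy rather than being hidden
      vm_config:
        runtime: envoy.wasm.runtime.v8
        code:
          local:
            filename: /etc/envoy/wasm/metrics_exporter.wasm
        configuration:
          "@type": type.googleapis.com/google.protobuf.Struct
          value:
            flush_interval_ms: 5000
```

    A service VM has no request to fail closed on, so a fatal error in it is only visible at startup or in the logs; keep a background service in its own vm_id rather than sharing a VM with a request-path filter, so that its state is not reachable from filter code.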