Wasm

This extension may be referenced by the qualified name envoy.bootstrap.wasm

Note

This extension is functional but has not had substantial production burn time; use only with this caveat.

This extension has an unknown security posture and should only be used in deployments where both the downstream and upstream are trusted.

extensions.wasm.v3.VmConfig

[extensions.wasm.v3.VmConfig proto]

Configuration for a Wasm VM.

{
  "vm_id": "...",
  "runtime": "...",
  "code": "{...}",
  "configuration": "{...}",
  "allow_precompiled": "...",
  "nack_on_code_cache_miss": "..."
}

vm_id

(string) An ID which will be used along with a hash of the Wasm code (or the name of the registered Null VM plugin) to determine which VM will be used for the plugin. All plugins which use the same vm_id and code will use the same VM. May be left blank. Sharing a VM between plugins can reduce memory utilization and make sharing of data easier, which may have security implications. See ref: “TODO: add ref” for details.

runtime

(string, REQUIRED) The Wasm runtime type. Available Wasm runtime types are registered as extensions. The following runtimes are included in the Envoy code base:

envoy.wasm.runtime.null: Null sandbox, the Wasm module must be compiled and linked into the Envoy binary. The registered name is given in the code field as inline_string.

envoy.wasm.runtime.v8: V8-based WebAssembly runtime.

envoy.wasm.runtime.wavm: WAVM-based WebAssembly runtime. This runtime is not enabled in the official build.

envoy.wasm.runtime.wasmtime: Wasmtime-based WebAssembly runtime. This runtime is not enabled in the official build.

code

(config.core.v3.AsyncDataSource) The Wasm code that Envoy will execute.

configuration

(Any) The Wasm configuration used in initialization of a new VM (proxy_on_start). google.protobuf.Struct is serialized as JSON before passing it to the plugin. google.protobuf.BytesValue and google.protobuf.StringValue are passed directly without the wrapper.

allow_precompiled

(bool) Allow the Wasm file to include pre-compiled code on VMs which support it. Warning: this should only be enabled for trusted sources, as the precompiled code is not verified.

nack_on_code_cache_miss

(bool) If true, and the code needs to be remotely fetched and is not in the cache, then NACK the configuration update and do a background fetch to fill the cache; otherwise, fetch the code asynchronously and enter warming state.

extensions.wasm.v3.PluginConfig

[extensions.wasm.v3.PluginConfig proto]

Base configuration for Wasm plugins, e.g. filters and services.

{
  "name": "...",
  "root_id": "...",
  "vm_config": "{...}",
  "configuration": "{...}",
  "fail_open": "..."
}

name

(string) A unique name for a filter/service in a VM, used to identify the filter/service when multiple filters/services are handled by the same vm_id and root_id, and for logging/debugging.

root_id

(string) A unique ID for a set of filters/services in a VM which will share a RootContext and Contexts if applicable (e.g. a Wasm HttpFilter and a Wasm AccessLog). If left blank, all filters/services with a blank root_id and the same vm_id will share Context(s).

vm_config

(extensions.wasm.v3.VmConfig) Configuration for finding or starting a VM.

configuration

(Any) Filter/service configuration used to configure or reconfigure a plugin (proxy_on_configuration). google.protobuf.Struct is serialized as JSON before passing it to the plugin. google.protobuf.BytesValue and google.protobuf.StringValue are passed directly without the wrapper.

fail_open

(bool) If there is a fatal error on the VM (e.g. exception, abort(), on_start or on_configure return false), then all plugins associated with the VM will either fail closed (by default), e.g. by returning an HTTP 503 error, or fail open (if fail_open is set to true) by bypassing the filter. Note: when on_start or on_configure return false during xDS updates, the xDS configuration will be rejected, and when on_start or on_configuration return false on initial startup, the proxy will not start.
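
The fields above that carry a security consequence (allow_precompiled, fail_open, and VM sharing through vm_id and code) can be checked mechanically before a configuration is shipped. The following is an added example, not part of the Envoy documentation or code base; the function names, plugin names and file paths are hypothetical, and the VM key hashes the JSON of the code field as a stand-in for the hash of the Wasm code.

```python
import hashlib
import json
from collections import defaultdict


def vm_key(vm_config):
    """Stand-in for Envoy's VM selection key: vm_id plus a hash of the code.

    Assumption: the JSON of the `code` field is hashed here, not the Wasm bytes.
    """
    code = json.dumps(vm_config.get("code", {}), sort_keys=True)
    return vm_config.get("vm_id", ""), hashlib.sha256(code.encode()).hexdigest()


def audit_plugins(plugins):
    """Return sorted (plugin name, finding) pairs for a list of PluginConfig dicts."""
    findings, by_vm = [], defaultdict(list)
    for plugin in plugins:
        name = plugin.get("name", "<unnamed>")
        vm = plugin.get("vm_config", {})
        by_vm[vm_key(vm)].append(name)
        if vm.get("allow_precompiled"):
            findings.append((name, "allow_precompiled: precompiled code is not verified"))
        if plugin.get("fail_open"):
            findings.append((name, "fail_open: a fatal VM error bypasses this plugin"))
    for names in by_vm.values():  # same vm_id and same code means one shared VM
        for name in names if len(names) > 1 else []:
            others = ", ".join(n for n in names if n != name)
            findings.append((name, "shares a VM with: " + others))
    return sorted(findings)


# Constructed sample configuration; names and file paths are hypothetical.
SHARED_CODE = {"local": {"filename": "/etc/envoy/plugins.wasm"}}
SAMPLE = [
    {"name": "authz", "root_id": "authz", "fail_open": True,
     "vm_config": {"vm_id": "shared", "runtime": "envoy.wasm.runtime.v8",
                   "code": SHARED_CODE}},
    {"name": "access_log", "root_id": "log",
     "vm_config": {"vm_id": "shared", "runtime": "envoy.wasm.runtime.v8",
                   "code": SHARED_CODE}},
    {"name": "stats", "root_id": "stats",
     "vm_config": {"vm_id": "stats", "runtime": "envoy.wasm.runtime.v8",
                   "allow_precompiled": True,
                   "code": {"local": {"filename": "/etc/envoy/stats.wasm"}}}},
]

if __name__ == "__main__":
    for name, finding in audit_plugins(SAMPLE):
        print(f"{name}: {finding}")
```

The authz entry is the one to look at first: it fails open and runs in the same VM as the access logger, so a fatal error in either plugin's code takes the authorization check out of the request path.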

extensions.wasm.v3.WasmService

[extensions.wasm.v3.WasmService proto]

WasmService is configured as a built-in envoy.wasm_service WasmService. This opaque configuration will be used to create a Wasm Service.

{
  "config": "{...}",
  "singleton": "..."
}

config

(extensions.wasm.v3.PluginConfig) General plugin configuration.

singleton

(bool) If true, create a single VM rather than creating one VM per worker. Such a singleton cannot be used with filters.