diff --git a/api/v1alpha1/envoyextensionypolicy_types.go b/api/v1alpha1/envoyextensionypolicy_types.go
index 4b14955be42..5a36ff9b6c6 100644
--- a/api/v1alpha1/envoyextensionypolicy_types.go
+++ b/api/v1alpha1/envoyextensionypolicy_types.go
@@ -55,6 +55,13 @@ type EnvoyExtensionPolicySpec struct {
//
// +optional
Priority int32 `json:"priority,omitempty"`
+
+ // WASM is a list of Wasm extensions to be loaded by the Gateway.
+ // Order matters, as the extensions will be loaded in the order they are
+ // defined in this list.
+ //
+ // +optional
+ WASM []Wasm `json:"wasm,omitempty"`
}
//+kubebuilder:object:root=true
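Review bot: The new `WASM` slice carries no list markers, so nothing in the generated CRD enforces the uniqueness that the `Wasm.Name` doc in this same change promises, and there is no bound on how many modules one policy can load into the proxy. If the project follows the usual controller-gen convention, `// +listType=map` and `// +listMapKey=name` above the field would make the API server reject duplicate names, and `// +kubebuilder:validation:MaxItems=16` (or whatever limit the implementation can support) would cap the fan-out. The enclosing `EnvoyExtensionPolicySpec` struct starts before this hunk.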
diff --git a/api/v1alpha1/wasm_types.go b/api/v1alpha1/wasm_types.go
new file mode 100644
index 00000000000..f918f92c9e0
--- /dev/null
+++ b/api/v1alpha1/wasm_types.go
@@ -0,0 +1,127 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+import (
+ apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+ gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
+)
+
+// Wasm defines a wasm extension.
+//
+// Note: at the moment, Envoy Gateway does not support configuring Wasm runtime.
+// v8 is used as the VM runtime for the Wasm extensions.
+type Wasm struct {
+ // Name is a unique name for this Wasm extension. It is used to identify the
+ // Wasm extension if multiple extensions are handled by the same vm_id and root_id.
+ // It's also used for logging/debugging.
+ Name string `json:"name"`
+
+ // VMID is an ID that will be used along with a hash of the wasm code to
+ // determine which VM will be used to load the Wasm extension. All extensions
+ // that have the same vm_id and code will use the same VM.
+ //
+ // Note that sharing a VM between plugins can reduce memory utilization and
+ // make sharing of data easier, but it may have security implications.
+ // VMID *string `json:"vmID,omitempty"`
+
+ // RootID is a unique ID for a set of extensions in a VM which will share a
+ // RootContext and Contexts if applicable (e.g., an Wasm HttpFilter and an Wasm AccessLog).
+ // If left blank, all extensions with a blank root_id with the same vm_id will share Context(s).
+ // RootID *string `json:"rootID,omitempty"`
+
+ // Code is the wasm code for the extension.
+ Code WasmCodeSource `json:"code"`
+
+ // Config is the configuration for the Wasm extension.
+ // This configuration will be passed as a JSON string to the Wasm extension.
+ Config *apiextensionsv1.JSON `json:"config"`
+
+ // FailOpen is a switch used to control the behavior when a fatal error occurs
+ // during the initialization or the execution of the Wasm extension.
+ // If FailOpen is set to true, the system bypasses the Wasm extension and
+ // allows the traffic to pass through. Otherwise, if it is set to false or
+ // not set (defaulting to false), the system blocks the traffic and returns
+ // an HTTP 5xx error.
+ //
+ // +optional
+ // +kubebuilder:default=false
+ FailOpen *bool `json:"failOpen,omitempty"`
+
+ // Priority defines the location of the Wasm extension in the HTTP filter chain.
+ // If not specified, the Wasm extension will be inserted before the router filter.
+ // Priority *uint32 `json:"priority,omitempty"`
+}
+
+// WasmCodeSource defines the source of the wasm code.
+type WasmCodeSource struct {
+ // Type is the type of the source of the wasm code.
+ // Valid WasmCodeSourceType values are "HTTP" or "Image".
+ //
+ // +kubebuilder:validation:Enum=HTTP;Image
+ // +unionDiscriminator
+ Type WasmCodeSourceType `json:"type"`
+
+ // HTTP is the HTTP URL containing the wasm code.
+ //
+ // Note that the HTTP server must be accessible from the Envoy proxy.
+ // +optional
+ HTTP *HTTPWasmCodeSource `json:"http,omitempty"`
+
+ // Image is the OCI image containing the wasm code.
+ //
+ // Note that the image must be accessible from the Envoy Gateway.
+ // +optional
+ Image *ImageWasmCodeSource `json:"image,omitempty"`
+
+ // SHA256 checksum that will be used to verify the wasm code.
+ // +optional
+ // SHA256 *string `json:"sha256,omitempty"`
+}
+
+// WasmCodeSourceType specifies the types of sources for the wasm code.
+// +kubebuilder:validation:Enum=Global;Local
+type WasmCodeSourceType string
+
+const (
+ // HTTPWasmCodeSourceType allows the user to specify the wasm code in an HTTP URL.
+ HTTPWasmCodeSourceType WasmCodeSourceType = "HTTP"
+
+ // ImageWasmCodeSourceType allows the user to specify the wasm code in an OCI image.
+ ImageWasmCodeSourceType WasmCodeSourceType = "Image"
+)
+
+// HTTPWasmCodeSource defines the HTTP URL containing the wasm code.
+type HTTPWasmCodeSource struct {
+ // URL is the URL containing the wasm code.
+ URL string `json:"url"`
+}
+
+// ImageWasmCodeSource defines the OCI image containing the wasm code.
+type ImageWasmCodeSource struct {
+ // URL is the URL of the OCI image.
+ URL string `json:"url"`
+
+ // PullSecretRef is a reference to the secret containing the credentials to pull the image.
+ PullSecretRef gwapiv1b1.SecretObjectReference `json:"pullSecret"`
+
+ // PullPolicy is the policy to use when pulling the image.
+ // If not specified, the default policy is IfNotPresent for images whose tag is not latest,
+ // and Always for images whose tag is latest.
+ // +optional
+ // PullPolicy *PullPolicy `json:"pullPolicy,omitempty"`
+}
+
+// PullPolicy defines the policy to use when pulling an OIC image.
+/* type PullPolicy string
+
+const (
+ // PullPolicyIfNotPresent will only pull the image if it does not already exist.
+ PullPolicyIfNotPresent PullPolicy = "IfNotPresent"
+
+ // PullPolicyAlways will always pull the image.
+ PullPolicyAlways PullPolicy = "Always"
+)*/
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 41a8e22eb72..2fbdb162022 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -761,6 +761,13 @@ func (in *EnvoyExtensionPolicyList) DeepCopyObject() runtime.Object {
func (in *EnvoyExtensionPolicySpec) DeepCopyInto(out *EnvoyExtensionPolicySpec) {
*out = *in
in.TargetRef.DeepCopyInto(&out.TargetRef)
+ if in.WASM != nil {
+ in, out := &in.WASM, &out.WASM
+ *out = make([]Wasm, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnvoyExtensionPolicySpec.
@@ -1912,6 +1919,21 @@ func (in *HTTPTimeout) DeepCopy() *HTTPTimeout {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HTTPWasmCodeSource) DeepCopyInto(out *HTTPWasmCodeSource) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPWasmCodeSource.
+func (in *HTTPWasmCodeSource) DeepCopy() *HTTPWasmCodeSource {
+ if in == nil {
+ return nil
+ }
+ out := new(HTTPWasmCodeSource)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *HeaderMatch) DeepCopyInto(out *HeaderMatch) {
*out = *in
@@ -1982,6 +2004,22 @@ func (in *HealthCheck) DeepCopy() *HealthCheck {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageWasmCodeSource) DeepCopyInto(out *ImageWasmCodeSource) {
+ *out = *in
+ in.PullSecretRef.DeepCopyInto(&out.PullSecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageWasmCodeSource.
+func (in *ImageWasmCodeSource) DeepCopy() *ImageWasmCodeSource {
+ if in == nil {
+ return nil
+ }
+ out := new(ImageWasmCodeSource)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *JSONPatchOperation) DeepCopyInto(out *JSONPatchOperation) {
*out = *in
@@ -3660,6 +3698,57 @@ func (in *TracingProvider) DeepCopy() *TracingProvider {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Wasm) DeepCopyInto(out *Wasm) {
+ *out = *in
+ in.Code.DeepCopyInto(&out.Code)
+ if in.Config != nil {
+ in, out := &in.Config, &out.Config
+ *out = new(apiextensionsv1.JSON)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.FailOpen != nil {
+ in, out := &in.FailOpen, &out.FailOpen
+ *out = new(bool)
+ **out = **in
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Wasm.
+func (in *Wasm) DeepCopy() *Wasm {
+ if in == nil {
+ return nil
+ }
+ out := new(Wasm)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WasmCodeSource) DeepCopyInto(out *WasmCodeSource) {
+ *out = *in
+ if in.HTTP != nil {
+ in, out := &in.HTTP, &out.HTTP
+ *out = new(HTTPWasmCodeSource)
+ **out = **in
+ }
+ if in.Image != nil {
+ in, out := &in.Image, &out.Image
+ *out = new(ImageWasmCodeSource)
+ (*in).DeepCopyInto(*out)
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WasmCodeSource.
+func (in *WasmCodeSource) DeepCopy() *WasmCodeSource {
+ if in == nil {
+ return nil
+ }
+ out := new(WasmCodeSource)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *XDSTranslatorHooks) DeepCopyInto(out *XDSTranslatorHooks) {
*out = *in
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
index 842dd9ce336..c73c4b48962 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
@@ -108,6 +108,124 @@ spec:
'TCPRoute', 'TLSRoute']
- message: this policy does not yet support the sectionName field
rule: '!has(self.sectionName)'
+ wasm:
+ description: WASM is a list of Wasm extensions to be loaded by the
+ Gateway. Order matters, as the extensions will be loaded in the
+ order they are defined in this list.
+ items:
+ description: "Wasm defines a wasm extension. \n Note: at the moment,
+ Envoy Gateway does not support configuring Wasm runtime. v8 is
+ used as the VM runtime for the Wasm extensions."
+ properties:
+ code:
+ description: Code is the wasm code for the extension.
+ properties:
+ http:
+ description: "HTTP is the HTTP URL containing the wasm code.
+ \n Note that the HTTP server must be accessible from the
+ Envoy proxy."
+ properties:
+ url:
+ description: URL is the URL containing the wasm code.
+ type: string
+ required:
+ - url
+ type: object
+ image:
+ description: "Image is the OCI image containing the wasm
+ code. \n Note that the image must be accessible from the
+ Envoy Gateway."
+ properties:
+ pullSecret:
+ description: PullSecretRef is a reference to the secret
+ containing the credentials to pull the image.
+ properties:
+ group:
+ default: ""
+ description: Group is the group of the referent.
+ For example, "gateway.networking.k8s.io". When
+ unspecified or empty string, core API group is
+ inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example
+ "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: "Namespace is the namespace of the
+ referenced object. When unspecified, the local
+ namespace is inferred. \n Note that when a namespace
+ different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent
+ namespace to allow that namespace's owner to accept
+ the reference. See the ReferenceGrant documentation
+ for details. \n Support: Core"
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ url:
+ description: URL is the URL of the OCI image.
+ type: string
+ required:
+ - pullSecret
+ - url
+ type: object
+ type:
+ allOf:
+ - enum:
+ - Global
+ - Local
+ - enum:
+ - HTTP
+ - Image
+ description: Type is the type of the source of the wasm
+ code. Valid WasmCodeSourceType values are "HTTP" or "Image".
+ type: string
+ required:
+ - type
+ type: object
+ config:
+ description: Config is the configuration for the Wasm extension.
+ This configuration will be passed as a JSON string to the
+ Wasm extension.
+ x-kubernetes-preserve-unknown-fields: true
+ failOpen:
+ default: false
+ description: FailOpen is a switch used to control the behavior
+ when a fatal error occurs during the initialization or the
+ execution of the Wasm extension. If FailOpen is set to true,
+ the system bypasses the Wasm extension and allows the traffic
+ to pass through. Otherwise, if it is set to false or not set
+ (defaulting to false), the system blocks the traffic and returns
+ an HTTP 5xx error.
+ type: boolean
+ name:
+ description: Name is a unique name for this Wasm extension.
+ It is used to identify the Wasm extension if multiple extensions
+ are handled by the same vm_id and root_id. It's also used
+ for logging/debugging.
+ type: string
+ required:
+ - code
+ - config
+ - name
+ type: object
+ type: array
required:
- targetRef
type: object
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index 9ff59b95a79..6bd063b4d2e 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -532,6 +532,7 @@ _Appears in:_
| --- | --- | --- | --- |
| `targetRef` | _[PolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the Gateway resource this policy is being attached to. This Policy and the TargetRef MUST be in the same namespace for this Policy to have effect and be applied to the Gateway. TargetRef |
| `priority` | _integer_ | false | Priority of the EnvoyExtensionPolicy. If multiple EnvoyExtensionPolices are applied to the same TargetRef, extensions will execute in the ascending order of the priority i.e. int32.min has the highest priority and int32.max has the lowest priority. Defaults to 0. |
+| `wasm` | _[Wasm](#wasm) array_ | false | WASM is a list of Wasm extensions to be loaded by the Gateway. Order matters, as the extensions will be loaded in the order they are defined in this list. |
#### EnvoyGateway
@@ -1311,6 +1312,20 @@ _Appears in:_
| `maxConnectionDuration` | _[Duration](#duration)_ | false | The maximum duration of an HTTP connection. Default: unlimited. |
+#### HTTPWasmCodeSource
+
+
+
+HTTPWasmCodeSource defines the HTTP URL containing the wasm code.
+
+_Appears in:_
+- [WasmCodeSource](#wasmcodesource)
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `url` | _string_ | true | URL is the URL containing the wasm code. |
+
+
#### HeaderMatchType
@@ -1353,6 +1368,21 @@ _Appears in:_
| `passive` | _[PassiveHealthCheck](#passivehealthcheck)_ | false | Passive passive check configuration |
+#### ImageWasmCodeSource
+
+
+
+ImageWasmCodeSource defines the OCI image containing the wasm code.
+
+_Appears in:_
+- [WasmCodeSource](#wasmcodesource)
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `url` | _string_ | true | URL is the URL of the OCI image. |
+| `pullSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | PullSecretRef is a reference to the secret containing the credentials to pull the image. |
+
+
#### InfrastructureProviderType
_Underlying type:_ _string_
@@ -2611,6 +2641,51 @@ _Appears in:_
+#### Wasm
+
+
+
+Wasm defines a wasm extension.
+ Note: at the moment, Envoy Gateway does not support configuring Wasm runtime. v8 is used as the VM runtime for the Wasm extensions.
+
+_Appears in:_
+- [EnvoyExtensionPolicySpec](#envoyextensionpolicyspec)
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `name` | _string_ | true | Name is a unique name for this Wasm extension. It is used to identify the Wasm extension if multiple extensions are handled by the same vm_id and root_id. It's also used for logging/debugging. |
+| `code` | _[WasmCodeSource](#wasmcodesource)_ | true | Code is the wasm code for the extension. |
+| `config` | _[JSON](#json)_ | true | Config is the configuration for the Wasm extension. This configuration will be passed as a JSON string to the Wasm extension. |
+| `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a fatal error occurs during the initialization or the execution of the Wasm extension. If FailOpen is set to true, the system bypasses the Wasm extension and allows the traffic to pass through. Otherwise, if it is set to false or not set (defaulting to false), the system blocks the traffic and returns an HTTP 5xx error. |
+
+
+#### WasmCodeSource
+
+
+
+WasmCodeSource defines the source of the wasm code.
+
+_Appears in:_
+- [Wasm](#wasm)
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `type` | _[WasmCodeSourceType](#wasmcodesourcetype)_ | true | Type is the type of the source of the wasm code. Valid WasmCodeSourceType values are "HTTP" or "Image". |
+| `http` | _[HTTPWasmCodeSource](#httpwasmcodesource)_ | false | HTTP is the HTTP URL containing the wasm code.
Note that the HTTP server must be accessible from the Envoy proxy. |
+| `image` | _[ImageWasmCodeSource](#imagewasmcodesource)_ | false | Image is the OCI image containing the wasm code.
Note that the image must be accessible from the Envoy Gateway. |
+
+
+#### WasmCodeSourceType
+
+_Underlying type:_ _string_
+
+WasmCodeSourceType specifies the types of sources for the wasm code.
+
+_Appears in:_
+- [WasmCodeSource](#wasmcodesource)
+
+
+
#### XDSTranslatorHook
_Underlying type:_ _string_