This document will describe how the WASM extensions are defined in TSB and how are they assigned to the components on the hierarchy.
WASM in TSB
In order to control the extensions allowed in the mesh, avoid security leakages and ease the process of extension upgrades, TSB has a WASM extension catalog, where an administrator will register all the extensions that will be available to be used in the different components. This catalog will contain the description, image and execution properties for each extension. When a new version of the extension is available, changing the content of the WASM extension catalog record will propagate the update to all the assignments for that extension.
These extensions are packaged as OCI images, containing the WASM file, and deployed in a container images registry from where Istio will pull and extract the contents. The benefit of using OCI images in order to deliver the WASM extensions is that the security is already implemented and standardized with the same approach as with the rest of workloads images.
Extensions can be allowed to be used globally or restricted in a set of Tenants, and this will affect where the extension can be attached.
After having the extensions created in the catalog they become enabled and available to be used in the attachments for the TSB components in the same organization hierarchy. And their properties will become the configuration for the attachments. Components that can be configured with WASM extensions are : Organization, Tenant, Workspace, SecurityGroup, IngressGateway, EgressGateway and Tier1Gateway.
Using WASM extensions in the TSB resources
WASM extensions can be specified in the
defaultSecuritySettings property of OrganizationSetting, TenantSetting, WorkspaceSetting , and in the spec of SecuritySettings, and
it will affect all the workloads belonging to those resources in the hierarchy.
Also, these attachments can be specified in the IngressGateway, EgressGateway and Tier1Gateway
extension property, and only the workloads
linked to these gateways will be affected by the WASM extension. TSB will use workload selectors to specify the workloads.
extension: - fqn: "organizations/tetrate/extensions/wasm-add-header" config: header: x-wasm-header value: igw-tsb
apiVersion: istiointernal.tsb.tetrate.io/v2 kind: Group metadata: organization: tetrate tenant: mytenant workspace: myworkspace name: internal-group spec: namespaceSelector: names: - "*/httpbin"
And then creating directly the Istio WasmPlugin:
apiVersion: extensions.istio.io/v1alpha1 kind: WasmPlugin metadata: name: demo-wasm-add-header namespace: app-namespace annotations: tsb.tetrate.io/organization: tetrate tsb.tetrate.io/tenant: mytenant tsb.tetrate.io/workspace: myworkspace tsb.tetrate.io/istioInternalGroup: internal-group spec: selector: matchLabels: app: httpbin url: oci://docker.io/tetrate/xcp-wasm-e2e:0.3 imagePullPolicy: IfNotPresent pluginConfig: header: x-wasm-header value: xcp