• Home
• io.envoyproxy.controlplane
• api
• 1.0.42
• source code
• wasm.proto

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

envoy.extensions.wasm.v3.wasm.proto Maven / Gradle / Ivy

syntax = "proto3";

package envoy.extensions.wasm.v3;

import "envoy/config/core/v3/base.proto";

import "google/protobuf/any.proto";

import "udpa/annotations/status.proto";

option java_package = "io.envoyproxy.envoy.extensions.wasm.v3";
option java_outer_classname = "WasmProto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/wasm/v3;wasmv3";
option (udpa.annotations.file_status).package_version_status = ACTIVE;

// [#protodoc-title: Wasm]
// [#extension: envoy.bootstrap.wasm]

// Configuration for restricting Proxy-Wasm capabilities available to modules.
message CapabilityRestrictionConfig {
  // The Proxy-Wasm capabilities which will be allowed. Capabilities are mapped by
  // name. The ``SanitizationConfig`` which each capability maps to is currently unimplemented and ignored,
  // and so should be left empty.
  //
  // The capability names are given in the
  // `Proxy-Wasm ABI `_.
  // Additionally, the following WASI capabilities from
  // `this list `_
  // are implemented and can be allowed:
  // ``fd_write``, ``fd_read``, ``fd_seek``, ``fd_close``, ``fd_fdstat_get``, ``environ_get``, ``environ_sizes_get``,
  // ``args_get``, ``args_sizes_get``, ``proc_exit``, ``clock_time_get``, ``random_get``.
  map allowed_capabilities = 1;
}

// Configuration for sanitization of inputs to an allowed capability.
//
// NOTE: This is currently unimplemented.
message SanitizationConfig {
}

// Configuration for a Wasm VM.
// [#next-free-field: 8]
message VmConfig {
  // An ID which will be used along with a hash of the wasm code (or the name of the registered Null
  // VM plugin) to determine which VM will be used for the plugin. All plugins which use the same
  // ``vm_id`` and code will use the same VM. May be left blank. Sharing a VM between plugins can
  // reduce memory utilization and make sharing of data easier which may have security implications.
  // [#comment: TODO: add ref for details.]
  string vm_id = 1;

  // The Wasm runtime type, defaults to the first available Wasm engine used at Envoy build-time.
  // The priority to search for the available engine is: v8 -> wasmtime -> wamr -> wavm.
  // Available Wasm runtime types are registered as extensions. The following runtimes are included
  // in Envoy code base:
  //
  // .. _extension_envoy.wasm.runtime.null:
  //
  // **envoy.wasm.runtime.null**: Null sandbox, the Wasm module must be compiled and linked into the
  // Envoy binary. The registered name is given in the ``code`` field as ``inline_string``.
  //
  // .. _extension_envoy.wasm.runtime.v8:
  //
  // **envoy.wasm.runtime.v8**: `V8 `_-based WebAssembly runtime.
  //
  // .. _extension_envoy.wasm.runtime.wamr:
  //
  // **envoy.wasm.runtime.wamr**: `WAMR `_-based WebAssembly runtime.
  // This runtime is not enabled in the official build.
  //
  // .. _extension_envoy.wasm.runtime.wavm:
  //
  // **envoy.wasm.runtime.wavm**: `WAVM `_-based WebAssembly runtime.
  // This runtime is not enabled in the official build.
  //
  // .. _extension_envoy.wasm.runtime.wasmtime:
  //
  // **envoy.wasm.runtime.wasmtime**: `Wasmtime `_-based WebAssembly runtime.
  // This runtime is not enabled in the official build.
  //
  // [#extension-category: envoy.wasm.runtime]
  string runtime = 2;

  // The Wasm code that Envoy will execute.
  config.core.v3.AsyncDataSource code = 3;

  // The Wasm configuration used in initialization of a new VM
  // (proxy_on_start). ``google.protobuf.Struct`` is serialized as JSON before
  // passing it to the plugin. ``google.protobuf.BytesValue`` and
  // ``google.protobuf.StringValue`` are passed directly without the wrapper.
  google.protobuf.Any configuration = 4;

  // Allow the wasm file to include pre-compiled code on VMs which support it.
  // Warning: this should only be enable for trusted sources as the precompiled code is not
  // verified.
  bool allow_precompiled = 5;

  // If true and the code needs to be remotely fetched and it is not in the cache then NACK the configuration
  // update and do a background fetch to fill the cache, otherwise fetch the code asynchronously and enter
  // warming state.
  bool nack_on_code_cache_miss = 6;

  // Specifies environment variables to be injected to this VM which will be available through
  // WASI's ``environ_get`` and ``environ_get_sizes`` system calls. Note that these functions are mostly implicitly
  // called in your language's standard library, so you do not need to call them directly and you can access to env
  // vars just like when you do on native platforms.
  // Warning: Envoy rejects the configuration if there's conflict of key space.
  EnvironmentVariables environment_variables = 7;
}

message EnvironmentVariables {
  // The keys of *Envoy's* environment variables exposed to this VM. In other words, if a key exists in Envoy's environment
  // variables, then that key-value pair will be injected. Note that if a key does not exist, it will be ignored.
  repeated string host_env_keys = 1;

  // Explicitly given key-value pairs to be injected to this VM in the form of "KEY=VALUE".
  map key_values = 2;
}

// Base Configuration for Wasm Plugins e.g. filters and services.
// [#next-free-field: 7]
message PluginConfig {
  // A unique name for a filters/services in a VM for use in identifying the filter/service if
  // multiple filters/services are handled by the same ``vm_id`` and ``root_id`` and for
  // logging/debugging.
  string name = 1;

  // A unique ID for a set of filters/services in a VM which will share a RootContext and Contexts
  // if applicable (e.g. an Wasm HttpFilter and an Wasm AccessLog). If left blank, all
  // filters/services with a blank root_id with the same ``vm_id`` will share Context(s).
  string root_id = 2;

  // Configuration for finding or starting VM.
  oneof vm {
    VmConfig vm_config = 3;
    // TODO: add referential VM configurations.
  }

  // Filter/service configuration used to configure or reconfigure a plugin
  // (``proxy_on_configure``).
  // ``google.protobuf.Struct`` is serialized as JSON before
  // passing it to the plugin. ``google.protobuf.BytesValue`` and
  // ``google.protobuf.StringValue`` are passed directly without the wrapper.
  google.protobuf.Any configuration = 4;

  // If there is a fatal error on the VM (e.g. exception, abort(), on_start or on_configure return false),
  // then all plugins associated with the VM will either fail closed (by default), e.g. by returning an HTTP 503 error,
  // or fail open (if 'fail_open' is set to true) by bypassing the filter. Note: when on_start or on_configure return false
  // during xDS updates the xDS configuration will be rejected and when on_start or on_configuration return false on initial
  // startup the proxy will not start.
  bool fail_open = 5;

  // Configuration for restricting Proxy-Wasm capabilities available to modules.
  CapabilityRestrictionConfig capability_restriction_config = 6;
}

// WasmService is configured as a built-in ``envoy.wasm_service`` :ref:`WasmService
// ` This opaque configuration will be used to create a Wasm Service.
message WasmService {
  // General plugin configuration.
  PluginConfig config = 1;

  // If true, create a single VM rather than creating one VM per worker. Such a singleton can
  // not be used with filters.
  bool singleton = 2;
}