diff --git a/api/v1alpha1/wasm_types.go b/api/v1alpha1/wasm_types.go
index 66c0e1fc84fa..8913486d6f16 100644
--- a/api/v1alpha1/wasm_types.go
+++ b/api/v1alpha1/wasm_types.go
@@ -10,6 +10,14 @@ import (
gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
)
+// WasmEnv defines the environment variables for the VM of a Wasm extension
+type WasmEnv struct {
+ // HostKeys is a list of keys for environment variables from the host envoy process
+ // that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions.
+ // +optional
+ HostKeys []string `json:"hostKeys,omitempty"`
+}
+
// Wasm defines a Wasm extension.
//
// Note: at the moment, Envoy Gateway does not support configuring Wasm runtime.
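Review bot: HostKeys carries no validation markers, so any string (including an empty one or a value that is not an environment-variable name) is accepted by the API server and flows unchanged into the Envoy VM config; a `// +kubebuilder:validation:MaxItems=<LIMIT>` marker and an item pattern restricting entries to environment-variable-name syntax would bound it at admission. The field comment also has a duplicated word and should read `// that should be passed into the Wasm VM. This is useful for passing secrets to Wasm extensions.`, which matters because the CRD description and the site tables are generated from it. Since every key named here is read from the shared Envoy process environment, the comment should state that the policy author can name any variable present in that process, so operators know the trust boundary when granting EnvoyExtensionPolicy rights. The `Env` field comment in the Wasm struct hunk below is missing its terminating period for the same generated-doc reason.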
@@ -52,6 +60,10 @@ type Wasm struct {
// Priority defines the location of the Wasm extension in the HTTP filter chain.
// If not specified, the Wasm extension will be inserted before the router filter.
// Priority *uint32 `json:"priority,omitempty"`
+
+ // Env configures the environment for the Wasm extension
+ // +optional
+ Env *WasmEnv `json:"env,omitempty"`
}
// WasmCodeSource defines the source of the Wasm code.
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 3368e73dd707..12f634586c69 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -5479,6 +5479,11 @@ func (in *Wasm) DeepCopyInto(out *Wasm) {
*out = new(bool)
**out = **in
}
+ if in.Env != nil {
+ in, out := &in.Env, &out.Env
+ *out = new(WasmEnv)
+ (*in).DeepCopyInto(*out)
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Wasm.
@@ -5521,6 +5526,26 @@ func (in *WasmCodeSource) DeepCopy() *WasmCodeSource {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WasmEnv) DeepCopyInto(out *WasmEnv) {
+ *out = *in
+ if in.HostKeys != nil {
+ in, out := &in.HostKeys, &out.HostKeys
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WasmEnv.
+func (in *WasmEnv) DeepCopy() *WasmEnv {
+ if in == nil {
+ return nil
+ }
+ out := new(WasmEnv)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *XDSTranslatorHooks) DeepCopyInto(out *XDSTranslatorHooks) {
*out = *in
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
index 6baa2842c0c5..e6cb298d3a8e 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
@@ -1232,6 +1232,17 @@ spec:
Config is the configuration for the Wasm extension.
This configuration will be passed as a JSON string to the Wasm extension.
x-kubernetes-preserve-unknown-fields: true
+ env:
+ description: Env configures the environment for the Wasm extension
+ properties:
+ hostKeys:
+ description: |-
+ HostKeys is a list of keys for environment variables from the host envoy process
+ that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions.
+ items:
+ type: string
+ type: array
+ type: object
failOpen:
default: false
description: |-
diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go
index 9ba561f1b5d8..64e0f9e9a2a1 100644
--- a/internal/gatewayapi/envoyextensionpolicy.go
+++ b/internal/gatewayapi/envoyextensionpolicy.go
@@ -675,6 +675,10 @@ func (t *Translator) buildWasm(
Code: code,
}
+ if config.Env != nil && len(config.Env.HostKeys) > 0 {
+ wasmIR.HostKeys = config.Env.HostKeys
+ }
+
return wasmIR, nil
}
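Review bot: `wasmIR.HostKeys = config.Env.HostKeys` stores the slice from the API object directly in the IR, so the IR shares a backing array with the policy resource and a later mutation on either side is visible on the other; copying it, `wasmIR.HostKeys = append([]string(nil), config.Env.HostKeys...)`, keeps the IR self-contained without a new import. Nothing here restricts or deduplicates the requested keys, and because the Wasm VM runs inside the shared Envoy process, a route-scoped policy (as in the `default`-namespace test policy) can name any variable in that environment; if that is intended, a short comment saying so would help, otherwise a configured allowlist check at this point is the natural place for it. buildWasm starts before this hunk.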
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.in.yaml
new file mode 100644
index 000000000000..c4184d15476d
--- /dev/null
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.in.yaml
@@ -0,0 +1,123 @@
+secrets:
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ namespace: envoy-gateway
+ name: my-pull-secret
+ data:
+ .dockerconfigjson: VGhpc0lzTm90QVJlYWxEb2NrZXJDb25maWdKc29u
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ namespace: envoy-gateway
+ name: gateway-1
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: All
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ namespace: default
+ name: httproute-1
+ spec:
+ hostnames:
+ - www.example.com
+ parentRefs:
+ - namespace: envoy-gateway
+ name: gateway-1
+ sectionName: http
+ rules:
+ - matches:
+ - path:
+ value: "/foo"
+ backendRefs:
+ - name: service-1
+ port: 8080
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ namespace: default
+ name: httproute-2
+ spec:
+ hostnames:
+ - www.example.com
+ parentRefs:
+ - namespace: envoy-gateway
+ name: gateway-1
+ sectionName: http
+ rules:
+ - matches:
+ - path:
+ value: "/bar"
+ backendRefs:
+ - name: service-1
+ port: 8080
+envoyextensionpolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ namespace: envoy-gateway
+ name: policy-for-gateway # This policy should attach httproute-2
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ wasm:
+ - name: wasm-filter-1
+ code:
+ type: HTTP
+ http:
+ url: https://www.example.com/wasm-filter-1.wasm
+ sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4
+ env:
+ hostKeys:
+ - SOME_KEY
+ - ANOTHER_KEY
+ - name: wasm-filter-2
+ rootID: "my-root-id"
+ code:
+ type: Image
+ image:
+ url: oci://www.example.com/wasm-filter-2:v1.0.0
+ pullSecretRef:
+ name: my-pull-secret
+ sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46
+ env:
+ hostKeys:
+ - SOME_KEY
+ - ANOTHER_KEY
+ - code:
+ type: Image
+ image:
+ url: www.example.com:8080/wasm-filter-3
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ namespace: default
+ name: policy-for-http-route # This policy should attach httproute-1
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: httproute-1
+ wasm:
+ - name: wasm-filter-4
+ code:
+ type: HTTP
+ http:
+ url: https://www.test.com/wasm-filter-4.wasm
+ sha256: b6922722ab58109abfaa8d9eb16f339b38b2bb1c17076b083b34438b934e7463
+ failOpen: true
+ env:
+ hostKeys:
+ - SOME_KEY
+ - ANOTHER_KEY
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml
new file mode 100644
index 000000000000..4a19852eea0e
--- /dev/null
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml
@@ -0,0 +1,342 @@
+envoyExtensionPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-for-http-route
+ namespace: default
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: httproute-1
+ wasm:
+ - code:
+ http:
+ sha256: b6922722ab58109abfaa8d9eb16f339b38b2bb1c17076b083b34438b934e7463
+ url: https://www.test.com/wasm-filter-4.wasm
+ type: HTTP
+ env:
+ hostKeys:
+ - SOME_KEY
+ - ANOTHER_KEY
+ failOpen: true
+ name: wasm-filter-4
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ sectionName: http
+ conditions:
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyExtensionPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-for-gateway
+ namespace: envoy-gateway
+ spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ wasm:
+ - code:
+ http:
+ sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4
+ url: https://www.example.com/wasm-filter-1.wasm
+ type: HTTP
+ env:
+ hostKeys:
+ - SOME_KEY
+ - ANOTHER_KEY
+ name: wasm-filter-1
+ - code:
+ image:
+ pullSecretRef:
+ group: null
+ kind: null
+ name: my-pull-secret
+ sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46
+ url: oci://www.example.com/wasm-filter-2:v1.0.0
+ type: Image
+ env:
+ hostKeys:
+ - SOME_KEY
+ - ANOTHER_KEY
+ name: wasm-filter-2
+ rootID: my-root-id
+ - code:
+ image:
+ sha256: null
+ url: www.example.com:8080/wasm-filter-3
+ type: Image
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ conditions:
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: 'This policy is being overridden by other envoyExtensionPolicies
+ for these routes: [default/httproute-1]'
+ reason: Overridden
+ status: "True"
+ type: Overridden
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ creationTimestamp: null
+ name: gateway-1
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: http
+ port: 80
+ protocol: HTTP
+ status:
+ listeners:
+ - attachedRoutes: 2
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: http
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-1
+ namespace: default
+ spec:
+ hostnames:
+ - www.example.com
+ parentRefs:
+ - name: gateway-1
+ namespace: envoy-gateway
+ sectionName: http
+ rules:
+ - backendRefs:
+ - name: service-1
+ port: 8080
+ matches:
+ - path:
+ value: /foo
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-1
+ namespace: envoy-gateway
+ sectionName: http
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ creationTimestamp: null
+ name: httproute-2
+ namespace: default
+ spec:
+ hostnames:
+ - www.example.com
+ parentRefs:
+ - name: gateway-1
+ namespace: envoy-gateway
+ sectionName: http
+ rules:
+ - backendRefs:
+ - name: service-1
+ port: 8080
+ matches:
+ - path:
+ value: /bar
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-1
+ namespace: envoy-gateway
+ sectionName: http
+infraIR:
+ envoy-gateway/gateway-1:
+ proxy:
+ listeners:
+ - address: null
+ name: envoy-gateway/gateway-1/http
+ ports:
+ - containerPort: 10080
+ name: http-80
+ protocol: HTTP
+ servicePort: 80
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-1
+ gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+ name: envoy-gateway/gateway-1
+xdsIR:
+ envoy-gateway/gateway-1:
+ accessLog:
+ text:
+ - path: /dev/stdout
+ http:
+ - address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ metadata:
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ sectionName: http
+ name: envoy-gateway/gateway-1/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - destination:
+ name: httproute/default/httproute-1/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 8080
+ protocol: HTTP
+ weight: 1
+ envoyExtensions:
+ wasms:
+ - config: null
+ failOpen: true
+ hostKeys:
+ - SOME_KEY
+ - ANOTHER_KEY
+ httpWasmCode:
+ originalDownloadingURL: https://www.test.com/wasm-filter-4.wasm
+ servingURL: https://envoy-gateway:18002/fe571e7b1ef5dc626ceb2c2c86782a134a92989a2643485238951696ae4334c3.wasm
+ sha256: b6922722ab58109abfaa8d9eb16f339b38b2bb1c17076b083b34438b934e7463
+ name: envoyextensionpolicy/default/policy-for-http-route/wasm/0
+ wasmName: wasm-filter-4
+ hostname: www.example.com
+ isHTTP2: false
+ metadata:
+ kind: HTTPRoute
+ name: httproute-1
+ namespace: default
+ name: httproute/default/httproute-1/rule/0/match/0/www_example_com
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /foo
+ - destination:
+ name: httproute/default/httproute-2/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 8080
+ protocol: HTTP
+ weight: 1
+ envoyExtensions:
+ wasms:
+ - config: null
+ failOpen: false
+ hostKeys:
+ - SOME_KEY
+ - ANOTHER_KEY
+ httpWasmCode:
+ originalDownloadingURL: https://www.example.com/wasm-filter-1.wasm
+ servingURL: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm
+ sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4
+ name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0
+ wasmName: wasm-filter-1
+ - config: null
+ failOpen: false
+ hostKeys:
+ - SOME_KEY
+ - ANOTHER_KEY
+ httpWasmCode:
+ originalDownloadingURL: oci://www.example.com/wasm-filter-2:v1.0.0
+ servingURL: https://envoy-gateway:18002/7abf116e5cd5a20389604a5ba0f3bd04fdf76f92181fe67506b42c2ee596d3fd.wasm
+ sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46
+ name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/1
+ rootID: my-root-id
+ wasmName: wasm-filter-2
+ - config: null
+ failOpen: false
+ httpWasmCode:
+ originalDownloadingURL: oci://www.example.com:8080/wasm-filter-3:latest
+ servingURL: https://envoy-gateway:18002/42d30b4a4cc631415e6e48c02d244700da327201eb273f752cacf745715b31d9.wasm
+ sha256: 2a19e4f337e5223d7287e7fccd933fb01905deaff804292e5257f8c681b82bee
+ name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/2
+ wasmName: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/2
+ hostname: www.example.com
+ isHTTP2: false
+ metadata:
+ kind: HTTPRoute
+ name: httproute-2
+ namespace: default
+ name: httproute/default/httproute-2/rule/0/match/0/www_example_com
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /bar
diff --git a/internal/ir/xds.go b/internal/ir/xds.go
index 5103d3ea81a3..b0b9a1594b1d 100644
--- a/internal/ir/xds.go
+++ b/internal/ir/xds.go
@@ -2634,6 +2634,10 @@ type Wasm struct {
// original URL(either an HTTP URL or an OCI image) and serves it through the
// local HTTP server.
Code *HTTPWasmCode `json:"httpWasmCode,omitempty"`
+
+ // HostKeys is a list of keys for environment variables from the host envoy process
+ // that should be passed into the Wasm VM.
+ HostKeys []string `json:"hostKeys,omitempty"`
}
// HTTPWasmCode holds the information associated with the HTTP Wasm code source.
diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go
index 59f1973b22a5..de0be09ff0fe 100644
--- a/internal/ir/zz_generated.deepcopy.go
+++ b/internal/ir/zz_generated.deepcopy.go
@@ -3425,6 +3425,11 @@ func (in *Wasm) DeepCopyInto(out *Wasm) {
*out = new(HTTPWasmCode)
**out = **in
}
+ if in.HostKeys != nil {
+ in, out := &in.HostKeys, &out.HostKeys
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Wasm.
diff --git a/internal/xds/translator/testdata/in/xds-ir/wasm.yaml b/internal/xds/translator/testdata/in/xds-ir/wasm.yaml
index 9afa2c97c9c4..756e38952fa6 100644
--- a/internal/xds/translator/testdata/in/xds-ir/wasm.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/wasm.yaml
@@ -89,3 +89,6 @@ http:
sha256: 2a19e4f337e5223d7287e7fccd933fb01905deaff804292e5257f8c681b82bee
name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/2
wasmName: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/2
+ hostKeys:
+ - SOME_KEY
+ - ANOTHER_KEY
diff --git a/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml
index a4545e62e2cd..e3a679d1ae0d 100755
--- a/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml
@@ -90,6 +90,10 @@
timeout: 10s
uri: https://envoy-gateway:18002/42d30b4a4cc631415e6e48c02d244700da327201eb273f752cacf745715b31d9.wasm
sha256: 2a19e4f337e5223d7287e7fccd933fb01905deaff804292e5257f8c681b82bee
+ environmentVariables:
+ hostEnvKeys:
+ - SOME_KEY
+ - ANOTHER_KEY
runtime: envoy.wasm.runtime.v8
vmId: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/2
- name: envoy.filters.http.router
diff --git a/internal/xds/translator/wasm.go b/internal/xds/translator/wasm.go
index b8777e3805cb..34b1087d5ccc 100644
--- a/internal/xds/translator/wasm.go
+++ b/internal/xds/translator/wasm.go
@@ -118,30 +118,38 @@ func wasmConfig(wasm ir.Wasm) (*wasmfilterv3.Wasm, error) {
return nil, err
}
+ vmConfig := &wasmv3.VmConfig{
+ VmId: wasm.Name, // Do not share VMs across different filters
+ Runtime: vmRuntimeV8,
+ Code: &corev3.AsyncDataSource{
+ Specifier: &corev3.AsyncDataSource_Remote{
+ Remote: &corev3.RemoteDataSource{
+ HttpUri: &corev3.HttpUri{
+ Uri: wasm.Code.ServingURL,
+ HttpUpstreamType: &corev3.HttpUri_Cluster{
+ Cluster: wasmHTTPServerCluster,
+ },
+ Timeout: &durationpb.Duration{
+ Seconds: defaultExtServiceRequestTimeout,
+ },
+ },
+ Sha256: wasm.Code.SHA256,
+ },
+ },
+ },
+ }
+
+ if wasm.HostKeys != nil {
+ vmConfig.EnvironmentVariables = &wasmv3.EnvironmentVariables{
+ HostEnvKeys: wasm.HostKeys,
+ }
+ }
+
filterConfig = &wasmfilterv3.Wasm{
Config: &wasmv3.PluginConfig{
Name: wasm.WasmName,
Vm: &wasmv3.PluginConfig_VmConfig{
- VmConfig: &wasmv3.VmConfig{
- VmId: wasm.Name, // Do not share VMs across different filters
- Runtime: vmRuntimeV8,
- Code: &corev3.AsyncDataSource{
- Specifier: &corev3.AsyncDataSource_Remote{
- Remote: &corev3.RemoteDataSource{
- HttpUri: &corev3.HttpUri{
- Uri: wasm.Code.ServingURL,
- HttpUpstreamType: &corev3.HttpUri_Cluster{
- Cluster: wasmHTTPServerCluster,
- },
- Timeout: &durationpb.Duration{
- Seconds: defaultExtServiceRequestTimeout,
- },
- },
- Sha256: wasm.Code.SHA256,
- },
- },
- },
- },
+ VmConfig: vmConfig,
},
Configuration: configAny,
FailOpen: wasm.FailOpen,
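Review bot: The guard `if wasm.HostKeys != nil` differs from the `len(config.Env.HostKeys) > 0` test used when the IR is built, so a non-nil empty slice (for example after a deepcopy or a JSON round-trip of `hostKeys: []`) emits an `EnvironmentVariables` block with no keys; `if len(wasm.HostKeys) > 0 {` keeps the two layers consistent. A one-line comment on the new block, such as `// Expose the requested host environment variables to the VM; the list is taken as-is from the IR.`, would make the data flow explicit to readers of the generated xDS. wasmConfig begins before this hunk.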
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index 6855d7a0dedb..54d5948c927a 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -4004,6 +4004,7 @@ _Appears in:_
| `code` | _[WasmCodeSource](#wasmcodesource)_ | true | Code is the Wasm code for the extension. |
| `config` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | false | Config is the configuration for the Wasm extension.
This configuration will be passed as a JSON string to the Wasm extension. |
| `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a fatal error occurs
during the initialization or the execution of the Wasm extension.
If FailOpen is set to true, the system bypasses the Wasm extension and
allows the traffic to pass through. Otherwise, if it is set to false or
not set (defaulting to false), the system blocks the traffic and returns
an HTTP 5xx error. |
+| `env` | _[WasmEnv](#wasmenv)_ | false | Env configures the environment for the Wasm extension |
#### WasmCodeSource
@@ -4038,6 +4039,20 @@ _Appears in:_
| `Image` | ImageWasmCodeSourceType allows the user to specify the Wasm code in an OCI image.
|
+#### WasmEnv
+
+
+
+WasmEnv defines the environment variables for the VM of a Wasm extension
+
+_Appears in:_
+- [Wasm](#wasm)
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `hostKeys` | _string array_ | false | HostKeys is a list of keys for environment variables from the host envoy process
that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions. |
+
+
#### WithUnderscoresAction
_Underlying type:_ _string_
diff --git a/site/content/en/v1.1/tasks/extensibility/wasm.md b/site/content/en/v1.1/tasks/extensibility/wasm.md
index 1b1d32f9ecbe..5d2495cf5667 100644
--- a/site/content/en/v1.1/tasks/extensibility/wasm.md
+++ b/site/content/en/v1.1/tasks/extensibility/wasm.md
@@ -90,7 +90,7 @@ spec:
Verify the EnvoyExtensionPolicy status:
```shell
-kubectl get envoyextensionpolicy/http-wasm-source-test -o yaml
+kubectl get envoyextensionpolicy/wasm-test -o yaml
```
### Image Wasm Extension
@@ -151,9 +151,148 @@ spec:
Verify the EnvoyExtensionPolicy status:
```shell
-kubectl get envoyextensionpolicy/http-wasm-source-test -o yaml
+kubectl get envoyextensionpolicy/wasm-test -o yaml
```
+### Wasm Extension Configuration
+
+This [EnvoyExtensionPolicy][] configuration fetches the Wasm extension from an OCI image and uses a config block to pass parameters to the extension when it's loaded.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+Verify the EnvoyExtensionPolicy status:
+
+```shell
+kubectl get envoyextensionpolicy/wasm-test-o yaml
+```
+
+### Wasm Extension Configuration through Environment variables
+
+It is also possible to configure a wasm extension using environment variables from the host envoy process. Keys for the env vars to be shared are defined in a `hostKeys` block.
+
+This is especially useful for sharing secure data from environment vars on the envoy process set using [valueFrom](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables) a Kubernetes secret.
+
+Note that setting an env var on the envoy process requires a custom [EnvoyProxy](../../api/extension_types#envoyproxy) configuration.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+
### Testing
Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the
diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md
index 6855d7a0dedb..54d5948c927a 100644
--- a/site/content/zh/latest/api/extension_types.md
+++ b/site/content/zh/latest/api/extension_types.md
@@ -4004,6 +4004,7 @@ _Appears in:_
| `code` | _[WasmCodeSource](#wasmcodesource)_ | true | Code is the Wasm code for the extension. |
| `config` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | false | Config is the configuration for the Wasm extension.
This configuration will be passed as a JSON string to the Wasm extension. |
| `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a fatal error occurs
during the initialization or the execution of the Wasm extension.
If FailOpen is set to true, the system bypasses the Wasm extension and
allows the traffic to pass through. Otherwise, if it is set to false or
not set (defaulting to false), the system blocks the traffic and returns
an HTTP 5xx error. |
+| `env` | _[WasmEnv](#wasmenv)_ | false | Env configures the environment for the Wasm extension |
#### WasmCodeSource
@@ -4038,6 +4039,20 @@ _Appears in:_
| `Image` | ImageWasmCodeSourceType allows the user to specify the Wasm code in an OCI image.
|
+#### WasmEnv
+
+
+
+WasmEnv defines the environment variables for the VM of a Wasm extension
+
+_Appears in:_
+- [Wasm](#wasm)
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `hostKeys` | _string array_ | false | HostKeys is a list of keys for environment variables from the host envoy process
that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions. |
+
+
#### WithUnderscoresAction
_Underlying type:_ _string_