{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://github.com/api-evangelist/istio/blob/main/json-schema/wasm-plugin.json", "title": "Istio WasmPlugin", "description": "A WasmPlugin provides a mechanism to extend the functionality provided by the Istio proxy through WebAssembly filters. It enables custom authentication, authorization, metrics, logging, and traffic transformation at the proxy level.", "type": "object", "properties": { "selector": { "type": "object", "properties": { "matchLabels": { "type": "object", "additionalProperties": { "type": "string" }, "description": "One or more labels that indicate a specific set of pods/VMs on which the plugin should be applied." } }, "description": "Workload selector to apply the plugin to specific workloads." }, "targetRefs": { "type": "array", "items": { "type": "object", "properties": { "group": { "type": "string" }, "kind": { "type": "string" }, "name": { "type": "string" } } }, "description": "Target references to apply the plugin to specific resources." }, "url": { "type": "string", "description": "URL of a Wasm module or OCI container image. Supports oci://, http://, https://, and file:// schemes." }, "sha256": { "type": "string", "description": "SHA256 checksum that will be used to verify the Wasm module or OCI container. If omitted, the fetched module is not checked against a pinned digest, which matters most for http:// URLs and mutable image tags." }, "imagePullPolicy": { "type": "string", "enum": ["UNSPECIFIED_POLICY", "IfNotPresent", "Always"], "description": "The pull behavior to be applied when fetching Wasm module images." }, "imagePullSecret": { "type": "string", "description": "Credentials to use for OCI image pulling. Name of a Kubernetes Secret." }, "pluginConfig": { "type": "object", "description": "The configuration that will be passed on to the plugin. Encoded as JSON and passed to the Wasm module." }, "pluginName": { "type": "string", "description": "The plugin name to be used in the Envoy configuration. Allows distinguishing between multiple uses of the same Wasm module." 
}, "phase": { "type": "string", "enum": ["UNSPECIFIED_PHASE", "AUTHN", "AUTHZ", "STATS"], "description": "Determines where in the filter chain this WasmPlugin is to be injected." }, "priority": { "type": "integer", "description": "Determines ordering of WasmPlugins in the same phase. Higher priority is evaluated first." }, "failStrategy": { "type": "string", "enum": ["FAIL_CLOSE", "FAIL_OPEN"], "description": "Specifies the failure behavior for the plugin. FAIL_CLOSE rejects traffic; FAIL_OPEN skips the plugin, so traffic proceeds without it, including any AUTHN or AUTHZ checks the plugin implements." }, "vmConfig": { "type": "object", "description": "Configuration for the Wasm VM.", "properties": { "env": { "type": "array", "items": { "type": "object", "properties": { "name": { "type": "string", "description": "Name of the environment variable." }, "valueFrom": { "type": "string", "enum": ["INLINE", "HOST"], "description": "Source for the environment variable's value." }, "value": { "type": "string", "description": "Value for the environment variable when valueFrom is INLINE." } }, "required": ["name"] }, "description": "Environment variables to pass to the VM." } } }, "match": { "type": "array", "items": { "type": "object", "properties": { "mode": { "type": "string", "enum": ["UNDEFINED", "CLIENT", "SERVER", "CLIENT_AND_SERVER"], "description": "Criteria for selecting traffic by their direction." }, "ports": { "type": "array", "items": { "type": "object", "properties": { "number": { "type": "integer" } } }, "description": "Criteria for selecting traffic by port." } } }, "description": "Specifies the criteria to determine which traffic is passed to WasmPlugin." }, "type": { "type": "string", "enum": ["UNSPECIFIED_PLUGIN_TYPE", "HTTP", "NETWORK"], "description": "Specifies the type of Wasm Extension to be used." } }, "required": ["url"] }