Extend waypoints with WebAssembly plugins

This feature is targeted at developers / expert users and is considered Alpha.

Istio provides the ability to extend its functionality using WebAssembly (Wasm). One of the key advantages of Wasm extensibility is that extensions can be loaded dynamically at runtime. This document outlines how to extend ambient mode within Istio with Wasm features. In ambient mode, Wasm configuration must be applied to the waypoint proxy deployed in each namespace.

Before you begin

  1. Set up Istio by following the instructions in the ambient mode Getting Started guide.

  2. Deploy the Bookinfo sample application.

  3. Add the default namespace to the ambient mesh.

  4. Deploy the curl sample app to use as a test source for sending requests.

    Zip

    1. $ kubectl apply -f @samples/curl/curl.yaml@

At a gateway

With the Kubernetes Gateway API, Istio provides a centralized entry point for managing traffic into the service mesh. We will configure a WasmPlugin at the gateway level, ensuring that all traffic passing through the gateway is subject to the extended authentication rules.

Configure a WebAssembly plugin for a gateway

In this example, you will add a HTTP Basic auth module to your mesh. You will configure Istio to pull the Basic auth module from a remote image registry and load it. It will be configured to run on calls to /productpage. These steps are similar to those in Distributing WebAssembly Modules, with the difference being the use of the targetRefs field instead of label selectors.

To configure a WebAssembly filter with a remote Wasm module, create a WasmPlugin resource targeting the bookinfo-gateway:

  1. $ kubectl get gateway
  2. NAME               CLASS            ADDRESS                                            PROGRAMMED   AGE
  3. bookinfo-gateway   istio            bookinfo-gateway-istio.default.svc.cluster.local   True         42m
  1. $ kubectl apply -f - <<EOF
  2. apiVersion: extensions.istio.io/v1alpha1
  3. kind: WasmPlugin
  4. metadata:
  5.   name: basic-auth-at-gateway
  6. spec:
  7.   targetRefs:
  8.     - kind: Gateway
  9.       group: gateway.networking.k8s.io
  10.       name: bookinfo-gateway # gateway name retrieved from previous step
  11.   url: oci://ghcr.io/istio-ecosystem/wasm-extensions/basic_auth:1.12.0
  12.   phase: AUTHN
  13.   pluginConfig:
  14.     basic_auth_rules:
  15.       - prefix: "/productpage"
  16.         request_methods:
  17.           - "GET"
  18.           - "POST"
  19.         credentials:
  20.           - "ok:test"
  21.           - "YWRtaW4zOmFkbWluMw=="
  22. EOF

An HTTP filter will be injected at the gateway as an authentication filter. The Istio agent will interpret the WasmPlugin configuration, download remote Wasm modules from the OCI image registry to a local file, and inject the HTTP filter at the gateway by referencing that file.

Verify the traffic via the Gateway

  1. Test /productpage without credentials:

    1. $ kubectl exec deploy/curl -- curl -s -w "%{http_code}" -o /dev/null "http://bookinfo-gateway-istio.default.svc.cluster.local/productpage"
    2. 401

  2. Test /productpage with the credentials configured in the WasmPlugin resource:

    1. $ kubectl exec deploy/curl -- curl -s -o /dev/null -H "Authorization: Basic YWRtaW4zOmFkbWluMw==" -w "%{http_code}" "http://bookinfo-gateway-istio.default.svc.cluster.local/productpage"
    2. 200

At a waypoint, for all services in a namespace

Waypoint proxies play a crucial role in Istio’s ambient mode, facilitating secure and efficient communication within the service mesh. Below, we will explore how to apply Wasm configuration to the waypoint, enhancing the proxy functionality dynamically.

Deploy a waypoint proxy

Follow the waypoint deployment instructions to deploy a waypoint proxy in the bookinfo namespace.

  1. $ istioctl waypoint apply --enroll-namespace --wait

Verify traffic reaches the service:

  1. $ kubectl exec deploy/curl -- curl -s -w "%{http_code}" -o /dev/null http://productpage:9080/productpage
  2. 200

Configure a WebAssembly plugin for a waypoint

To configure a WebAssembly filter with a remote Wasm module, create a WasmPlugin resource targeting the waypoint gateway:

  1. $ kubectl get gateway
  2. NAME               CLASS            ADDRESS                                            PROGRAMMED   AGE
  3. bookinfo-gateway   istio            bookinfo-gateway-istio.default.svc.cluster.local   True         23h
  4. waypoint           istio-waypoint   10.96.202.82                                       True         21h
  1. $ kubectl apply -f - <<EOF
  2. apiVersion: extensions.istio.io/v1alpha1
  3. kind: WasmPlugin
  4. metadata:
  5.   name: basic-auth-at-waypoint
  6. spec:
  7.   targetRefs:
  8.     - kind: Gateway
  9.       group: gateway.networking.k8s.io
  10.       name: waypoint # gateway name retrieved from previous step
  11.   url: oci://ghcr.io/istio-ecosystem/wasm-extensions/basic_auth:1.12.0
  12.   phase: AUTHN
  13.   pluginConfig:
  14.     basic_auth_rules:
  15.       - prefix: "/productpage"
  16.         request_methods:
  17.           - "GET"
  18.           - "POST"
  19.         credentials:
  20.           - "ok:test"
  21.           - "YWRtaW4zOmFkbWluMw=="
  22. EOF

View the configured plugin

  1. $ kubectl get wasmplugin
  2. NAME                     AGE
  3. basic-auth-at-gateway    28m
  4. basic-auth-at-waypoint   14m

Verify the traffic via the waypoint proxy

  1. Test internal /productpage without credentials:

    1. $ kubectl exec deploy/curl -- curl -s -w "%{http_code}" -o /dev/null http://productpage:9080/productpage
    2. 401

  2. Test internal /productpage with credentials:

    1. $ kubectl exec deploy/curl -- curl -s -w "%{http_code}" -o /dev/null -H "Authorization: Basic YWRtaW4zOmFkbWluMw==" http://productpage:9080/productpage
    2. 200

At a waypoint, for a specific service

To configure a WebAssembly filter with a remote Wasm module for a specific service, create a WasmPlugin resource targeting the specific service directly.

Create a WasmPlugin targeting the reviews service so that the extension applies only to the reviews service. In this configuration, the authentication token and the prefix are tailored specifically for the reviews service, ensuring that only requests directed towards it are subjected to this authentication mechanism.

  1. $ kubectl apply -f - <<EOF
  2. apiVersion: extensions.istio.io/v1alpha1
  3. kind: WasmPlugin
  4. metadata:
  5.   name: basic-auth-for-service
  6. spec:
  7.   targetRefs:
  8.     - kind: Service
  9.       group: ""
  10.       name: reviews
  11.   url: oci://ghcr.io/istio-ecosystem/wasm-extensions/basic_auth:1.12.0
  12.   phase: AUTHN
  13.   pluginConfig:
  14.     basic_auth_rules:
  15.       - prefix: "/reviews"
  16.         request_methods:
  17.           - "GET"
  18.           - "POST"
  19.         credentials:
  20.           - "ok:test"
  21.           - "MXQtaW4zOmFkbWluMw=="
  22. EOF

Verify the traffic targeting the Service

  1. Test the internal /productpage with the credentials configured at the generic waypoint proxy:

    1. $ kubectl exec deploy/curl -- curl -s -w "%{http_code}" -o /dev/null -H "Authorization: Basic YWRtaW4zOmFkbWluMw==" http://productpage:9080/productpage
    2. 200

  2. Test the internal /reviews with credentials configured at the specific reviews-svc-waypoint proxy:

    1. $ kubectl exec deploy/curl -- curl -s -w "%{http_code}" -o /dev/null -H "Authorization: Basic MXQtaW4zOmFkbWluMw==" http://reviews:9080/reviews/1
    2. 200

  3. Test internal /reviews without credentials:

    1. $ kubectl exec deploy/curl -- curl -s -w "%{http_code}" -o /dev/null http://reviews:9080/reviews/1
    2. 401

When executing the provided command without credentials, it verifies that accessing the internal /productpage results in a 401 unauthorized response, demonstrating the expected behavior of failing to access the resource without proper authentication credentials.

Cleanup

  1. Remove WasmPlugin configuration:

    1. $ kubectl delete wasmplugin basic-auth-at-gateway basic-auth-at-waypoint basic-auth-for-service

  2. Follow the ambient mode uninstall guide to remove Istio and sample test applications.