diff --git a/modules/ossm-configuring-the-threescale-wasm-auth-module.adoc b/modules/ossm-configuring-the-threescale-wasm-auth-module.adoc index 69fae1e26bd9..539d763501e7 100644 --- a/modules/ossm-configuring-the-threescale-wasm-auth-module.adoc +++ b/modules/ossm-configuring-the-threescale-wasm-auth-module.adoc @@ -59,5 +59,5 @@ $ oc apply -f threescale-wasm-auth-bookinfo.yaml [role="_additional-resources"] .Additional resources -* xref:../../service_mesh/v2x/ossm-extensions.adoc#ossm-extensions-deploy_ossm-extensions[Deploying extensions] +* xref:../../service_mesh/v2x/ossm-extensions.adoc#ossm-smextensions-deploy_ossm-extensions[Deploying `ServiceMeshExtension` resources] * link:https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources[Custom Resources] diff --git a/modules/ossm-extensions-overview.adoc b/modules/ossm-extensions-overview.adoc new file mode 100644 index 000000000000..af1d44feb559 --- /dev/null +++ b/modules/ossm-extensions-overview.adoc @@ -0,0 +1,50 @@ +//// +This module included in the following assemblies: +*service_mesh_/v2x/ossm-extensions.adoc +//// +:_content-type: CONCEPT +[id="ossm-extensions-overview_{context}"] += WebAssembly modules overview + +WebAssembly modules can be run on many platforms, including proxies, and have broad language support, fast execution, and a sandboxed-by-default security model. + +{SMProductName} extensions are link:https://www.envoyproxy.io/docs/envoy/v1.20.0/intro/arch_overview/http/http_filters#arch-overview-http-filters[Envoy HTTP Filters], giving them a wide range of capabilities: + +* Manipulating the body and headers of requests and responses. +* Out-of-band HTTP requests to services not in the request path, such as authentication or policy checking. +* Side-channel data storage and queues for filters to communicate with each other. + +[NOTE] +==== +When creating new WebAssembly extensions, use the WasmPlugin API. The ServiceMeshExtension API is deprecated as of {SMProductName} version 2.2 and will be removed in a future release. +==== + +There are two parts to writing a {SMProductName} extension: + +. You must write your extension using an SDK that exposes the link:https://github.com/proxy-wasm/spec[proxy-wasm API] and compile it to a WebAssembly module. +. You must then package the module into a container. + +.Supported languages + +You can use any language that compiles to WebAssembly bytecode to write a {SMProductName} extension, but the following languages have existing SDKs that expose the proxy-wasm API so that it can be consumed directly. + +.Supported languages +|=== +| Language | Maintainer | Repository + +| AssemblyScript +| solo.io +| link:https://github.com/solo-io/proxy-runtime[solo-io/proxy-runtime] + +| C++ +| proxy-wasm team (Istio Community) +| link:https://github.com/proxy-wasm/proxy-wasm-cpp-sdk[proxy-wasm/proxy-wasm-cpp-sdk] + +| Go +| tetrate.io +| link:https://github.com/tetratelabs/proxy-wasm-go-sdk[tetratelabs/proxy-wasm-go-sdk] + +| Rust +| proxy-wasm team (Istio Community) +| link:https://github.com/proxy-wasm/proxy-wasm-rust-sdk[proxy-wasm/proxy-wasm-rust-sdk] +|=== diff --git a/modules/ossm-extensions-ref-smextension.adoc b/modules/ossm-extensions-ref-smextension.adoc new file mode 100644 index 000000000000..c56d3ec9d754 --- /dev/null +++ b/modules/ossm-extensions-ref-smextension.adoc @@ -0,0 +1,42 @@ +//// +This module included in the following assemblies: +*service_mesh_/v2x/ossm-extensions.adoc +//// +:_content-type: REFERENCE +[id="ossm-wasm-ref-smextension_{context}"] += ServiceMeshExtension reference + +The ServiceMeshExtension API provides a mechanism to extend the functionality provided by the Istio proxy through WebAssembly filters. There are two parts to writing a WebAssembly extension: + +. Write your extension using an SDK that exposes the proxy-wasm API and compile it to a WebAssembly module. +. Package it into a container. + +[NOTE] +==== +When creating new WebAssembly extensions, use WasmPlugin. ServiceMeshExtension is deprecated as of {SMProductName} version 2.2 and will be removed in a future release. +==== + +.ServiceMeshExtension Field Reference +[options="header"] +[cols="a, a"] +|=== +| Field | Description + +|metadata.namespace +|The `metadata.namespace` field of a `ServiceMeshExtension` source has a special semantic: if it equals the Control Plane Namespace, the extension will be applied to all workloads in the Service Mesh that match its `workloadSelector` value. When deployed to any other Mesh Namespace, it will only be applied to workloads in that same Namespace. + +|spec.workloadSelector +|The `spec.workloadSelector` field has the same semantic as the `spec.selector` field of the link:https://istio.io/v1.6/docs/reference/config/networking/gateway/#Gateway[Istio Gateway resource]. It will match a workload based on its Pod labels. If no `workloadSelector` value is specified, the extension will be applied to all workloads in the namespace. + +|spec.config +|This is a structured field that will be handed over to the extension, with the semantics dependent on the extension you are deploying. + +|spec.image +|A container image URI pointing to the image that holds the extension. + +|spec.phase +|The phase determines where in the filter chain the extension is injected, in relation to existing Istio functionality like Authentication, Authorization and metrics generation. Valid values are: PreAuthN, PostAuthN, PreAuthZ, PostAuthZ, PreStats, PostStats. This field defaults to the value set in the `manifest.yaml` file of the extension, but can be overwritten by the user. + +|spec.priority +|If multiple extensions with the same `spec.phase` value are applied to the same workload instance, the `spec.priority` value determines the ordering of execution. Extensions with higher priority will be executed first. This allows for inter-dependent extensions. This field defaults to the value set in the `manifest.yaml` file of the extension, but can be overwritten by the user. +|=== diff --git a/modules/ossm-extensions-ref-wasmplugin.adoc b/modules/ossm-extensions-ref-wasmplugin.adoc new file mode 100644 index 000000000000..efd88c79f47b --- /dev/null +++ b/modules/ossm-extensions-ref-wasmplugin.adoc @@ -0,0 +1,173 @@ +//// +This module included in the following assemblies: +*service_mesh_/v2x/ossm-extensions.adoc +//// +:_content-type: REFERENCE +[id="ossm-wasm-ref-wasmplugin_{context}"] += WasmPlugin API reference + +The WasmPlugins API provides a mechanism to extend the functionality provided by the Istio proxy through WebAssembly filters. + +You can deploy multiple WasmPlugins. The `phase` and `priority` settings determine the order of execution (as part of Envoy's filter chain), allowing the configuration of complex interactions between user-supplied WasmPlugins and Istio’s internal filters. + +In the following example, an authentication filter implements an OpenID flow and populates the Authorization header with a JSON Web Token (JWT). Istio authentication consumes this token and deployes it to the ingress gateway. The WasmPlugin file lives in the proxy sidecar filesystem. Note the field `url`. + +[source,yaml] +---- +apiVersion: extensions.istio.io/v1alpha1 +kind: WasmPlugin +metadata: + name: openid-connect + namespace: istio-ingress +spec: + selector: + matchLabels: + istio: ingressgateway + url: file:///opt/filters/openid.wasm + sha256: 1ef0c9a92b0420cf25f7fe5d481b231464bc88f486ca3b9c83ed5cc21d2f6210 + phase: AUTHN + pluginConfig: + openid_server: authn + openid_realm: ingress +---- + +Below is the same example, but this time an Open Container Initiative (OCI) image is used instead of a file in the filesystem. Note the fields `url`, `imagePullPolicy`, and `imagePullSecret`. + +[source,yaml] +---- +apiVersion: extensions.istio.io/v1alpha1 +kind: WasmPlugin +metadata: + name: openid-connect + namespace: istio-system +spec: + selector: + matchLabels: + istio: ingressgateway + url: oci://private-registry:5000/openid-connect/openid:latest + imagePullPolicy: IfNotPresent + imagePullSecret: private-registry-pull-secret + phase: AUTHN + pluginConfig: + openid_server: authn + openid_realm: ingress +---- + +.WasmPlugin Field Reference +[options="header"] +[cols="a, a, a, a"] +|=== +| Field | Type | Description | Required + +|spec.selector +|WorkloadSelector +|Criteria used to select the specific set of pods/VMs on which this plug-in configuration should be applied. If omitted, this configuration will be applied to all workload instances in the same namespace. If the `WasmPlugin` field is present in the config root namespace, it will be applied to all applicable workloads in any namespace. +|No + +|spec.url +|string +|URL of a Wasm module or OCI container. If no scheme is present, defaults to `oci://`, referencing an OCI image. Other valid schemes are `file://` for referencing .wasm module files present locally within the proxy container, and `http[s]://` for .wasm module files hosted remotely. +|No + +|spec.sha256 +|string +|SHA256 checksum that will be used to verify the Wasm module or OCI container. If the `url` field already references a SHA256 (using the `@sha256:` notation), it must match the value of this field. If an OCI image is referenced by tag and this field is set, its checksum will be verified against the contents of this field after pulling. +|No + +|spec.imagePullPolicy +|PullPolicy +|The pull behavior to be applied when fetching an OCI image. Only relevant when images are referenced by tag instead of SHA. Defaults to the value `IfNotPresent`, except when an OCI image is referenced in the `url` field and the `latest` tag is used, in which case the value `Always` is the default, mirroring K8s behavior. Setting is ignored if the `url` field is referencing a Wasm module directly using `file://` or `http[s]://`. +|No + +|spec.imagePullSecret +|string +|Credentials to use for OCI image pulling. The name of a secret in the same namespace as the `WasmPlugin` object that contains a pull secret for authenticating against the registry when pulling the image. +|No + +|spec.phase +|PluginPhase +|Determines where in the filter chain this `WasmPlugin` object is injected. +|No + +|spec.priority +|`int64` +|Determines the ordering of `WasmPlugins` objects that have the same `phase` value. When multiple `WasmPlugins` objects are applied to the same workload in the same phase, they will be applied by priority and in descending order. If the `priority` field is not set, or two `WasmPlugins` objects with the same value, the ordering will be determined from the name and namespace of the `WasmPlugins` objects. Defaults to the value `0`. +|No + +|spec.pluginName +|string +|The plug-in name used in the Envoy configuration. Some Wasm modules might require this value to select the Wasm plug-in to execute. +|No + +|spec.pluginConfig +|Struct +|The configuration that will be passed on to the plug-in. +|No + +|spec.pluginConfig.verificationKey +|string +|The public key used to verify signatures of signed OCI images or Wasm modules. Must be supplied in PEM format. +|No +|=== + +The `WorkloadSelector` object specifies the criteria used to determine if a filter can be applied to a proxy. The matching criteria includes the metadata associated with a proxy, workload instance information such as labels attached to the pod/VM, or any other information that the proxy provides to Istio during the initial handshake. If multiple conditions are specified, all conditions need to match in order for the workload instance to be selected. Currently, only label based selection mechanism is supported. + +.WorkloadSelector +[options="header"] +[cols="a, a, a, a"] +|=== +| Field | Type | Description | Required +|matchLabels +|map +|One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. The scope of label search is restricted to the configuration namespace in which the resource is present. +|Yes +|=== + +The `PullPolicy` object specifies the pull behavior to be applied when fetching an OCI image. + +.PullPolicy +[options="header"] +[cols="a, a"] +|=== +| Value | Description +| +|Defaults to the value `IfNotPresent`, except for OCI images with tag latest, for which the default will be the value `Always`. + +|IfNotPresent +|If an existing version of the image has been pulled before, that will be used. If no version of the image is present locally, we will pull the latest version. + +|Always +|We will always pull the latest version of an image when applying this plugin. +|=== + +`Struct` represents a structured data value, consisting of fields which map to dynamically typed values. In some languages, Struct might be supported by a native representation. For example, in scripting languages like JavaScript a struct is represented as an object. + +.Struct +[options="header"] +[cols="a, a, a"] +|=== +| Field | Type | Description +|fields +|map +|Map of dynamically typed values. +|=== + +`PluginPhase` specifies the phase in the filter chain where the plugin will be injected. + +.PluginPhase +[options="header"] +[cols="a, a"] +|=== +| Field | Description +| +|Control plane decides where to insert the plugin. This will generally be at the end of the filter chain, right before the Router. Do not specify PluginPhase if the plugin is independent of others. + +|AUTHN +|Insert plugin before Istio authentication filters. + +|AUTHZ +|Insert plugin before Istio authorization filters and after Istio authentication filters. + +|STATS +|Insert plugin before Istio stats filters and after Istio authorization filters. +|=== diff --git a/modules/ossm-extensions-smextension-deploy.adoc b/modules/ossm-extensions-smextension-deploy.adoc new file mode 100644 index 000000000000..51a381d28b9b --- /dev/null +++ b/modules/ossm-extensions-smextension-deploy.adoc @@ -0,0 +1,47 @@ +//// +This module included in the following assemblies: +*service_mesh_/v2x/ossm-extensions.adoc +//// +:_content-type: PROCEDURE +[id="ossm-smextensions-deploy_{context}"] += Deploying `ServiceMeshExtension` resources + +You can enable {SMProductName} extensions using the `ServiceMeshExtension` resource. In this example, `istio-system` is the name of the control plane project. + +[NOTE] +==== +When creating new WebAssembly extensions, use WasmPlugin. ServiceMeshExtension is deprecated as of {SMProductName} version 2.2 and will be removed in a future release. +==== + +For a complete example that was built using the Rust SDK, take a look at the link:https://github.com/maistra/header-append-filter[header-append-filter]. It is a simple filter that appends one or more headers to the HTTP responses, with their names and values taken out from the `config` field of the extension. See a sample configuration in the snippet below. + +.Procedure + +. Create the following example resource: ++ +.Example ServiceMeshExtension resource extension.yaml +[source,yaml] +---- +apiVersion: maistra.io/v1 +kind: ServiceMeshExtension +metadata: + name: header-append + namespace: istio-system +spec: + workloadSelector: + labels: + app: httpbin + config: + first-header: some-value + another-header: another-value + image: quay.io/maistra-dev/header-append-filter:2.1 + phase: PostAuthZ + priority: 100 +---- + +. Apply your `extension.yaml` file with the following command: ++ +[source,terminal] +---- +$ oc apply -f .yaml +---- diff --git a/modules/ossm-extensions-smextension-format.adoc b/modules/ossm-extensions-smextension-format.adoc new file mode 100644 index 000000000000..068e308789cd --- /dev/null +++ b/modules/ossm-extensions-smextension-format.adoc @@ -0,0 +1,62 @@ +//// +This module included in the following assemblies: +*service_mesh_/v2x/ossm-extensions.adoc +//// +:_content-type: REFERENCE +[id="ossm-extensions-smextension-format_{context}"] += `ServiceMeshExtension` container format + +You must have a `.wasm` file containing the bytecode of your WebAssembly module, and a `manifest.yaml` file in the root of the container filesystem to make your container image a valid extension image. + +[NOTE] +==== +When creating new WebAssembly extensions, use WasmPlugin. ServiceMeshExtension is deprecated as of {SMProductName} version 2.2 and will be removed in a future release. +==== + +.manifest.yaml +[source,yaml] +---- +schemaVersion: 1 + +name: +description: +version: 1.0.0 +phase: PreAuthZ +priority: 100 +module: extension.wasm +---- + +.Field Reference for manifest.yml +[options="header"] +[cols="a, a, a"] +|=== +| Field | Description |Required + +|schemaVersion +|Used for versioning of the manifest schema. Currently the only possible value is `1`. +|This is a required field. + +|name +|The name of your extension. +|This field is just metadata and currently unused. + +|description +|The description of your extension. +|This field is just metadata and currently unused. + +|version +|The version of your extension. +|This field is just metadata and currently unused. + +|phase +|The default execution phase of your extension. +|This is a required field. + +|priority +|The default priority of your extension. +|This is a required field. + +|module +|The relative path from the container filesystem's root to your WebAssembly module. +|This is a required field. +|=== diff --git a/modules/ossm-extensions-wasm-deploy.adoc b/modules/ossm-extensions-wasm-deploy.adoc deleted file mode 100644 index aa54ca9a7255..000000000000 --- a/modules/ossm-extensions-wasm-deploy.adoc +++ /dev/null @@ -1,36 +0,0 @@ -:_content-type: PROCEDURE -[id="ossm-extensions-deploy_{context}"] -= Deploying extensions - -{SMProductName} extensions can be enabled using the `ServiceMeshExtension` resource. In this example, `istio-system` is the name of the control plane project. - -.Procedure - -. Create the following example resource: -+ -.Example ServiceMeshExtension resource extension.yaml -[source,yaml] ----- -apiVersion: maistra.io/v1 -kind: ServiceMeshExtension -metadata: - name: header-append - namespace: istio-system -spec: - workloadSelector: - labels: - app: httpbin - config: - first-header: some-value - another-header: another-value - image: quay.io/maistra-dev/header-append-filter:2.1 - phase: PostAuthZ - priority: 100 ----- - -. Apply the `extension.yaml` file with the following command: -+ -[source,terminal] ----- -$ oc apply -f extension.yaml ----- diff --git a/modules/ossm-extensions-wasmplugin-deploy.adoc b/modules/ossm-extensions-wasmplugin-deploy.adoc new file mode 100644 index 000000000000..5ffe769c624e --- /dev/null +++ b/modules/ossm-extensions-wasmplugin-deploy.adoc @@ -0,0 +1,41 @@ +//// +This module included in the following assemblies: +*service_mesh_/v2x/ossm-extensions.adoc +//// +:_content-type: PROCEDURE +[id="ossm-wasmplugin-deploy_{context}"] += Deploying `WasmPlugin` resources + +You can enable {SMProductName} extensions using the `WasmPlugin` resource. In this example, `istio-system` is the name of the control plane project. The following example creates an `openid-connect` filter that performs an OpenID Connect flow to authenticate the user. + +.Procedure + +. Create the following example resource: ++ +.Example plugin.yaml +[source,yaml] +---- +apiVersion: extensions.istio.io/v1alpha1 +kind: WasmPlugin +metadata: + name: openid-connect + namespace: istio-system +spec: + selector: + matchLabels: + istio: ingressgateway + url: oci://private-registry:5000/openid-connect/openid:latest + imagePullPolicy: IfNotPresent + imagePullSecret: private-registry-pull-secret + phase: AUTHN + pluginConfig: + openid_server: authn + openid_realm: ingress +---- + +. Apply your `plugin.yaml` file with the following command: ++ +[source,terminal] +---- +$ oc apply -f plugin.yaml +---- diff --git a/modules/ossm-extensions-wasmplugin-format.adoc b/modules/ossm-extensions-wasmplugin-format.adoc new file mode 100644 index 000000000000..24a3159c9114 --- /dev/null +++ b/modules/ossm-extensions-wasmplugin-format.adoc @@ -0,0 +1,15 @@ +//// +This module included in the following assemblies: +*service_mesh_/v2x/ossm-extensions.adoc +//// +:_content-type: REFERENCE +[id="ossm-extensions-wasmplugin-format_{context}"] += `WasmPlugin` container format + +Istio supports Open Container Initiative (OCI) images in its Wasm Plugin mechanism. You can distribute your Wasm Plugins as a container image, and you can use the `spec.url` field to refer to a container registry location. For example, `quay.io/my-username/my-plugin:latest`. + +Because each execution environment (runtime) for a WASM module can have runtime-specific configuration parameters, a WASM image can be composed of two layers: + +* *plugin.wasm* (Required) - Content layer. This layer consists of a `.wasm` binary containing the bytecode of your WebAssembly module, to be loaded by the runtime. You must name this file `plugin.wasm`. + +* *runtime-config.json* (Optional) - Configuration layer. This layer consists of a JSON-formatted string that describes metadata about the module for the target runtime. The config layer might also contain additional data, depending on the target runtime. For example, the config for a WASM Envoy Filter contains root_ids available on the filter. diff --git a/service_mesh/v2x/ossm-extensions.adoc b/service_mesh/v2x/ossm-extensions.adoc index f02c1fc655ae..9b44a869b943 100644 --- a/service_mesh/v2x/ossm-extensions.adoc +++ b/service_mesh/v2x/ossm-extensions.adoc @@ -6,115 +6,23 @@ include::_attributes/common-attributes.adoc[] toc::[] -You can use WebAssembly extensions to add new features directly into the {SMProductName} proxies, allowing you to move even more common functionality out of your applications, and implement them in a single language that compiles to WebAssembly bytecode. +You can use WebAssembly extensions to add new features directly into the {SMProductName} proxies. This lets you move even more common functionality out of your applications, and implement them in a single language that compiles to WebAssembly bytecode. -== WebAssembly extensions +[NOTE] +==== +WebAssembly extensions are not supported on IBM Z and IBM Power Systems. +==== -WebAssembly modules can be run on many platforms, including proxies, and has broad language support, fast execution and a sandboxed-by-default security model. +include::modules/ossm-extensions-overview.adoc[leveloffset=+1] -.Extension Capabilities +include::modules/ossm-extensions-wasmplugin-format.adoc[leveloffset=+1] -{SMProductName} extensions are link:https://www.envoyproxy.io/docs/envoy/v1.16.0/intro/arch_overview/http/http_filters#arch-overview-http-filters[Envoy HTTP Filters], giving them a wide range of capabilities: +include::modules/ossm-extensions-ref-wasmplugin.adoc[leveloffset=+1] -* Manipulating the body and headers of requests and responses -* Out-of-band HTTP requests to services not in the request path, such as authentication or policy checking -* Side-channel data storage and queues for filters to communicate with each other +include::modules/ossm-extensions-wasmplugin-deploy.adoc[leveloffset=+2] -There are two parts to writing a {SMProductName} extension: you'll have to write your extension using an SDK that exposes the link:https://github.com/proxy-wasm/spec[proxy-wasm API] and compile it to a WebAssembly module, and then package it into a container. +include::modules/ossm-extensions-smextension-format.adoc[leveloffset=+1] -.Supported languages +include::modules/ossm-extensions-ref-smextension.adoc[leveloffset=+1] -You can use any language that compiles to WebAssembly bytecode to write a {SMProductName} extension, but the following languages have existing SDKs that expose the proxy-wasm API so that it can be consumed directly. - -.Supported languages -|=== -| Language | Maintainer | Repository - -| AssemblyScript -| solo.io -| link:https://github.com/solo-io/proxy-runtime[solo-io/proxy-runtime] - -| C++ -| proxy-wasm team (Istio Community) -| link:https://github.com/proxy-wasm/proxy-wasm-cpp-sdk[proxy-wasm/proxy-wasm-cpp-sdk] - -| Go -| tetrate.io -| link:https://github.com/tetratelabs/proxy-wasm-go-sdk[tetratelabs/proxy-wasm-go-sdk] - -| Rust -| proxy-wasm team (Istio Community) -| link:https://github.com/proxy-wasm/proxy-wasm-rust-sdk[proxy-wasm/proxy-wasm-rust-sdk] -|=== - -=== Container Format - -You must have a `.wasm` file containing the bytecode of your WebAssembly module, and a `manifest.yaml` file in the root of the container filesystem to make your container image a valid extension image. - -.manifest.yaml -[source,yaml] ----- -schemaVersion: 1 - -name: -description: -version: 1.0.0 -phase: PreAuthZ -priority: 100 -module: extension.wasm ----- - -.Field Reference for manifest.yml -|=== -| Field | Description - -|schemaVersion -|Used for versioning of the manifest schema. Currently the only possible value is `1`. - -|name -|The name of your extension. This field is just metadata and currently unused. - -|description -|The description of your extension. This field is just metadata and currently unused. - -|version -|The version of your extension. This field is just metadata and currently unused. - -|phase -|The default execution phase of your extension. This is a required field. - -|priority -|The default priority of your extension. This is a required field. - -|module -|The relative path from the container filesystem's root to your WebAssembly module. This is a required field. -|=== - -=== Example Rust extension - -For a complete example that was built using the Rust SDK, take a look at the link:https://github.com/maistra/header-append-filter[header-append-filter]. It is a simple filter that appends one or more headers to the HTTP responses, with their names and values taken out from the `config` field of the extension. See a sample configuration in the snippet below. - -include::modules/ossm-extensions-wasm-deploy.adoc[leveloffset=+2] - -.ServiceMeshExtension Field Reference -|=== -| Field | Description - -|metadata.namespace -|The `metadata.namespace` of a `ServiceMeshExtension` source has a special semantic: if it equals the Control Plane Namespace, the extension will be applied to all workloads in the Service Mesh that match its `workloadSelector`. When deployed to any other Mesh Namespace, it will only be applied to workloads in that same Namespace. - -|spec.workloadSelector -|The `spec.workloadSelector` field has the same semantic as the `spec.selector` field of the link:https://istio.io/v1.6/docs/reference/config/networking/gateway/#Gateway[Istio Gateway resource]. It will match a workload based on its Pod labels. If no `workloadSelector` is specified, the extension will be applied to all workloads in the namespace. - -|spec.config -|This is a structured field that will be handed over to the extension, with the semantics dependent on the extension you are deploying. - -|spec.image -|A container image URI pointing to the image that holds the extension. - -|spec.phase -|This field defaults to the value set in the `manifest.yaml` of the extension, but can be overwritten by the user. The phase determines where in the filter chain the extension is injected, in relation to existing Istio functionality like Authentication, Authorization and metrics generation. Valid values are: PreAuthN, PostAuthN, PreAuthZ, PostAuthZ, PreStats, PostStats. This field defaults to the value set in the `manifest.yaml` of the extension, but can be overwritten by the user. - -|spec.priority -|If multiple extensions with the same `spec.phase` are applied to the same workload instance, the `spec.priority` determines the ordering of execution. Extensions with higher priority will be executed first. This allows for inter-dependent extensions. This field defaults to the value set in the `manifest.yaml` of the extension, but can be overwritten by the user. -|=== +include::modules/ossm-extensions-smextension-deploy.adoc[leveloffset=+2]