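Getting started with Istio WasmPlugin

Background

When using Istio, ingressgateway/Envoy sometimes cannot meet business requirements. Wasm is a built-in Istio mechanism for extending the functionality of ingressgateway/Envoy.

Demo

Prepare the environment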

istioctl install
kubectl create ns demo-1
kubectl label ns demo-1 istio-injection=enabled
kubectl run demo-1 -n demo-1 --image=nginx
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: demo-1
  namespace: demo-1
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 8080
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: demo-1
  namespace: demo-1
spec:
  hosts:
  - "*"
  gateways:
  - demo-1
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: demo-1
        port:
          number: 80

---
apiVersion: v1
kind: Service
metadata:
  name: demo-1
  namespace: demo-1
spec:
  ports:
  - port: 80
    name: http
  selector:
    run: demo-1

EOF

Get the code

git clone https://github.com/wsc-2025/wasmplugindemo.git
cd wasmplugindemo

Build the wasm plugin

cargo build --target=wasm32-wasip1 --release

Prepare the Dockerfile

FROM scratch
ADD target/wasm32-wasip1/release/wasmplugindemo.wasm ./plugin.wasm

Build the image

docker build -t your-registry/wasmplugindemo:v0.1 .
docker push your-registry/wasmplugindemo:v0.1

Create the WasmPlugin CR

apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
  name: wasmplugindemo
  namespace: istio-system
spec:
  imagePullPolicy: IfNotPresent
  selector:
    matchLabels:
      istio: ingressgateway
  url: oci://your-registry/wasmplugindemo:v0.1
  phase: AUTHN
  pluginConfig:
    adds:
      hello: world
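
The CR above references the mutable tag v0.1, so the module the gateway loads depends on whatever that tag points to when it is pulled. The following is an added example, not code from the original post or the demo repository: it renders the same CR with the image pinned by digest. The function names and the sample digest are hypothetical/constructed.

```shell
#!/bin/sh
# Added example, not from the original post: render the page's WasmPlugin with
# the image pinned by digest instead of the mutable v0.1 tag.
#
# After `docker push`, the repo digest can be read with:
#   docker inspect --format '{{index .RepoDigests 0}}' your-registry/wasmplugindemo:v0.1

# Constructed sample digest; replace it with the digest of the image you pushed.
SAMPLE_REPO_DIGEST="your-registry/wasmplugindemo@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

# Hypothetical helper: turn "repo@sha256:<64 hex>" into an oci:// URL.
# Tags, short digests and multi-line input are rejected.
oci_url_from_repo_digest() {
  case "$1" in
    *'
'*) echo "repo digest must be a single line" >&2; return 1 ;;
  esac
  if ! printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'; then
    echo "not a sha256 repo digest: $1" >&2
    return 1
  fi
  printf 'oci://%s\n' "$1"
}

# Hypothetical helper: print the WasmPlugin manifest with the pinned URL.
render_wasmplugin() {
  url="$(oci_url_from_repo_digest "$1")" || return 1
  cat <<EOF
apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
  name: wasmplugindemo
  namespace: istio-system
spec:
  imagePullPolicy: IfNotPresent
  selector:
    matchLabels:
      istio: ingressgateway
  url: $url
  phase: AUTHN
  pluginConfig:
    adds:
      hello: world
EOF
}

# Demo run on the sample value; pipe the output to `kubectl apply -f -`.
render_wasmplugin "$SAMPLE_REPO_DIGEST"
```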

Test

host=$(kubectl get svc -n istio-system istio-ingressgateway -o jsonpath='{.spec.clusterIP}')
curl "http://$host:80" -v

The output is as follows:

*   Trying 10.96.18.236:80...
* Connected to 10.96.18.236 (10.96.18.236) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.96.18.236
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 200 OK
< server: istio-envoy
< date: Sun, 04 Jan 2026 09:25:25 GMT
< content-type: text/html
< content-length: 615
< last-modified: Tue, 09 Dec 2025 18:28:10 GMT
< etag: "69386a3a-267"
< accept-ranges: bytes
< x-envoy-upstream-service-time: 4
< hello: world
<
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
* Connection #0 to host 10.96.18.236 left intact

The response headers now include the hello: world header we expected.
