Hello! I’m trying to create EnvoyFilter with WASM for pod’s outbound traffic. Here’s the example:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: wasm-filter
spec:
workloadSelector:
labels:
app: test
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
listener:
filterChain:
filter:
name: envoy.filters.network.http_connection_manager
subFilter:
name: envoy.filters.http.router
patch:
operation: INSERT_BEFORE
value:
name: envoy.wasm
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
config:
root_id: my-wasm-root-id
vm_config:
vm_id: mw-wasm-vm-id
runtime: envoy.wasm.runtime.v8
code:
remote:
sha256: <some SHA>
http_uri:
uri: oci://my.private.registry.com/wasm-test:4
timeout: 600s
cluster: jwks_cluster # Don't know if this parameter is valid
# configuration:
# "@type": "type.googleapis.com/google.protobuf.StringValue"
# value: |
# {}
I configured default service account to use imagePullSecret for my private registry and it works for pods. But every time I try to use this filter istio-proxy sidecar shows this logs:
warning envoy wasm createWasm: failed to load (in progress) from oci://my.private.registry.com/wasm-test:4
critical envoy wasm Plugin configured to fail closed failed to load
warning envoy config Retry limit exceeded for fetching data from remote data source.
info Readiness succeeded in 3.142117581s
info Envoy proxy is ready
(I skipped some of the logs because it repeats them many times)
And all outbound traffic from pod just returns 503 error. What am I doing wrong?
My istio version is: 1.14.3
My proxyv2 version is the same