@charankamal20

Description

  1. PR changes the target compiler from wasm32-unknown-unknown to wasm32-wasip1 to integrate wasm-plugin in istio-gateway with sentryflow.
  2. Adds a plugin for logging all inbound traffic through istio-ingressgateway
  3. This PR implements Cargo feature flags to support building two distinct versions of the SentryFlow WASM HTTP filter plugin for Istio: one for Sidecar proxies and one for Gateway proxies. Previously, the receiver_name was hardcoded, requiring code duplication or manual modifications to build different variants.

Key Achievement: A single codebase now compiles to both sidecar and gateway versions with zero runtime overhead via compile-time feature flags.

Ticket # (ticket)

What's New

  1. Feature Flags (Cargo.toml):

    • sidecar (default) - Compiles with receiver_name = "Istio-Sidecar"
    • gateway - Compiles with receiver_name = "Istio-Gateway"
    • Release optimizations: LTO, stripping, size optimization
  2. Conditional Compilation (src/lib.rs):

    • Modified update_metadata() to use #[cfg(feature = "...")] attributes
    • Compile-time proxy_type selection
    • Comprehensive logging (config, requests, responses, metadata)
  3. Build Automation (Makefile):

    • make build-sidecar / make build-gateway - Build binaries
    • make image-sidecar / make image-gateway - Build Docker images
    • make all - Build both variants
    • make push-all - Push both to ECR (v0.4-sidecar, v0.4-gateway)
  4. Multi-stage Docker Build (Dockerfile):

    • ARG PLUGIN_TYPE=sidecar for build-time variant selection
    • Conditional feature flag application during compilation
    • Minimal scratch image with compiled WASM binary only
  5. Kubernetes Deployment (New manifests):

    • wasm-plugin-sidecar.yaml - Deploys to client-side workload proxies
    • wasm-plugin-gateway.yaml - Deploys to ingress gateways

Does this PR introduce a breaking change? No

Additional information for reviewer

Usage

```bash
# Build both variants
make all

# Push both to ECR
make push-all

# Deploy to Kubernetes
kubectl apply -f wasm-plugin-sidecar.yaml
kubectl apply -f wasm-plugin-gateway.yaml
```

Approach for adding both plugins for sidecar and gateway:

  • Plugin 1 with tag v0.1-gateway and plugin 2 with tag v0.1-sidecar. (The two different tags basically just have different hard-coded release names and/or different target compilers.)
  • Apply two different plugins, one with selector as ingressgateway (runs in SERVER mode), and the other with no selector (runs in CLIENT mode)

The gateway now has two plugins,

  • one gateway plugin and the other is the sidecar plugin as well.
  • Gateway has two plugins, one gateway and other sidecar plugin.
  • Gateway plugin runs as expected and runs in SERVER mode (incoming traffic)
  • but the sidecar plugin runs in CLIENT mode; since it is the ingress gateway, it won't have any outbound traffic, hence that plugin is never triggered (also, if we choose to have the existing compiler for the sidecar plugin, then even if it is triggered, it fails silently and is not able to send any alert to sentryflow, while our gateway plugin works fine).

Sidecars for rest of the pods only get the sidecar plugin as the gateway plugin has the ingressgateway selector.

@charankamal20 charankamal20 self-assigned this Dec 8, 2025
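
The compile-time selection described in the PR, as an added sketch that is not the PR's or SentryFlow's own code. Only `receiver_name`, `proxy_type`, `update_metadata`, the feature names and the two label strings come from the description; the `ProxyType` enum, the `Metadata` struct and the `VARIANT` constant are assumptions made for illustration.

```rust
// Added illustration, not SentryFlow's source. The types below and the
// proxy_type values are assumptions; the label strings come from the PR text.

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum ProxyType {
    Sidecar,
    Gateway,
}

// Cargo features are additive: `cargo build --features gateway` keeps the
// default `sidecar` feature enabled unless `--no-default-features` is also
// passed. Testing `gateway` first makes it win in that case, so a gateway
// build never labels its records "Istio-Sidecar".
#[cfg(feature = "gateway")]
const VARIANT: (ProxyType, &str) = (ProxyType::Gateway, "Istio-Gateway");
#[cfg(not(feature = "gateway"))]
const VARIANT: (ProxyType, &str) = (ProxyType::Sidecar, "Istio-Sidecar");

#[derive(Debug, PartialEq)]
pub struct Metadata {
    pub receiver_name: &'static str,
    pub proxy_type: ProxyType,
}

/// Overwrites whatever the caller supplied with the compiled-in values, so
/// nothing set at run time changes which receiver a record is attributed to.
pub fn update_metadata(meta: &mut Metadata) {
    meta.proxy_type = VARIANT.0;
    meta.receiver_name = VARIANT.1;
}

fn main() {
    // Constructed starting state; a build without the gateway feature
    // replaces both fields with the sidecar values.
    let mut meta = Metadata {
        receiver_name: "unset",
        proxy_type: ProxyType::Gateway,
    };
    update_metadata(&mut meta);
    println!("{:?}", meta);
}
```

Keying the branch on `gateway` alone, rather than on `sidecar`, is what keeps the label correct when both features end up enabled in one build.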