accuknox · charankamal20 · Dec 8, 2025
diff --git a/.github/workflows/latest-release.yaml b/.github/workflows/latest-release.yaml
@@ -42,12 +42,28 @@ jobs:
       NAME: sentryflow
     secrets: inherit
 
-  release-envoy-filter-image:
-    needs: [ files-changed ]
-    if: ${{ github.repository == 'accuknox/sentryflow' && needs.files-changed.outputs.envoyfilter == 'true' }}
-    name: Build and push envoyfilter's image
+  release-envoy-filter-sidecar-image:
+    if: ${{ github.repository == 'accuknox/sentryflow' }}
+    name: Build and push envoy sidecar filter image
+    uses: ./.github/workflows/release-image.yaml
+    with:
+      WORKING_DIRECTORY: ./filter/envoy/envoy-wasm-filters
+      NAME: sentryflow-httpfilter
+      ECR_REPOSITORY: "public.ecr.aws/k9v9d5v2/"
+      REGISTRY_TYPE: public
+      DOCKER_BUILD_ARGS: "--build-arg PLUGIN_TYPE=sidecar"
+      IMAGE_TAG: "latest-sidecar"
+    secrets: inherit
+
+  release-envoy-filter-gateway-image:
+    if: ${{ github.repository == 'accuknox/sentryflow' }}
+    name: Build and push envoy gateway filter image
     uses: ./.github/workflows/release-image.yaml
     with:
       WORKING_DIRECTORY: ./filter/envoy/envoy-wasm-filters
       NAME: sentryflow-httpfilter
+      ECR_REPOSITORY: "public.ecr.aws/k9v9d5v2/"
+      REGISTRY_TYPE: public
+      DOCKER_BUILD_ARGS: "--build-arg PLUGIN_TYPE=gateway"
+      IMAGE_TAG: "latest-gateway"
     secrets: inherit
diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml
@@ -100,10 +100,10 @@ jobs:
           output-format: sarif
           fail-build: false
 
-  build-envoy-filter-image:
+  build-envoy-filter-sidecar-image:
     needs: [ files-changed ]
     if: ${{ github.repository == 'accuknox/sentryflow' && needs.files-changed.outputs.envoyfilter == 'true' }}
-    name: Build Envoy WASM Filter container image
+    name: Build Envoy WASM Sidecar Filter container image
     runs-on: ubuntu-latest
     timeout-minutes: 20
     defaults:
@@ -113,13 +113,37 @@ jobs:
       - name: Checkout source code
         uses: actions/checkout@v4
 
-      - name: Build image
-        run: make image
+      - name: Build sidecar image
+        run: make image-sidecar
+
+      - name: Scan image
+        uses: anchore/scan-action@v4
+        with:
+          image: "public.ecr.aws/k9v9d5v2/sentryflow-httpfilter:latest-sidecar"
+          severity-cutoff: critical
+          output-format: sarif
+          fail-build: false
+
+  build-envoy-filter-gateway-image:
+    needs: [ files-changed ]
+    if: ${{ github.repository == 'accuknox/sentryflow' && needs.files-changed.outputs.envoyfilter == 'true' }}
+    name: Build Envoy WASM Gateway Filter container image
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    defaults:
+      run:
+        working-directory: ./filter/envoy/envoy-wasm-filters
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+
+      - name: Build sidecar image
+        run: make image-gateway
 
       - name: Scan image
         uses: anchore/scan-action@v4
         with:
-          image: "public.ecr.aws/k9v9d5v2/sentryflow-httpfilter:latest"
+          image: "public.ecr.aws/k9v9d5v2/sentryflow-httpfilter:latest-gateway"
           severity-cutoff: critical
           output-format: sarif
           fail-build: false
diff --git a/.github/workflows/release-image.yaml b/.github/workflows/release-image.yaml
@@ -26,6 +26,16 @@ on:
         required: false
         type: string
         default: 'public'
+      DOCKER_BUILD_ARGS:             
+        description: 'Additional arguments passed to docker build'
+        required: false
+        type: string
+        default: ''
+      IMAGE_TAG: 
+        description: 'Explicit image tag (optional override)'
+        required: false
+        type: string
+        default: ''
 
 env:
   AWS_ACCESS_KEY_ID: ${{ secrets.AWS_DEV_ACCESS_ID }}
@@ -50,10 +60,14 @@ jobs:
       - name: Get tag
         id: tag
         run: |
-          if [ ${{ github.ref }} == "refs/heads/main" ]; then
-            echo "tag=latest" >> $GITHUB_OUTPUT
-          else
-            echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
+          if [ ${{ inputs.IMAGE_TAG }} == "" ]; then
+            if [ ${{ github.ref }} == "refs/heads/main" ]; then
+              echo "tag=latest" >> $GITHUB_OUTPUT
+            else
+              echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
+            fi
+          else 
+            echo "tag=${{ inputs.IMAGE_TAG }}" >> $GITHUB_OUTPUT
           fi
 
       - name: Docker build, scan and push to ECR
@@ -65,6 +79,7 @@ jobs:
           repository_name: ${{ inputs.ECR_REPOSITORY }}
           tag: ${{ steps.tag.outputs.tag }}
           registry_type: ${{ inputs.REGISTRY_TYPE }}
+          docker_build_args: ${{ inputs.DOCKER_BUILD_ARGS }}   
           disable_scan: true
           severity: "CRITICAL"
           exit_code: "0"

diff --git a/.github/workflows/stable-release.yaml b/.github/workflows/stable-release.yaml
@@ -27,21 +27,39 @@ jobs:
       AWS_ACCESS_KEY_ID: ${{ secrets.AWS_DEV_ACCESS_ID }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_DEV_SECRET_ID }}
 
-  release-envoy-filter-image:
+  release-envoy-filter-sidecar-image:
     if: ${{ github.repository == 'accuknox/sentryflow' }}
-    name: Build and push envoyfilters image
-    uses: accuknox/accuknox-jobs/.github/workflows/push-image.yaml@sentryflow-docker-push
+    name: Build and push envoy sidecar filter image
+    uses: ./.github/workflows/release-image.yaml
+    with:
+      WORKING_DIRECTORY: ./filter/envoy/envoy-wasm-filters
+      NAME: sentryflow-httpfilter
+      ECR_REPOSITORY: "public.ecr.aws/k9v9d5v2/"
+      REGISTRY_TYPE: public
+      DOCKER_BUILD_ARGS: "--build-arg PLUGIN_TYPE=sidecar"
+      IMAGE_TAG: "latest-sidecar"
+    secrets:
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_DEV_ACCESS_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_DEV_SECRET_ID }}
+
+  release-envoy-filter-gateway-image:
+    if: ${{ github.repository == 'accuknox/sentryflow' }}
+    name: Build and push envoy gateway filter image
+    uses: ./.github/workflows/release-image.yaml
     with:
-      DOCKER_CONTEXT: filter/envoy/envoy-wasm-filters
-      DOCKERFILE: filter/envoy/envoy-wasm-filters/Dockerfile
-      IMAGE_NAME: sentryflow-httpfilter
+      WORKING_DIRECTORY: ./filter/envoy/envoy-wasm-filters
+      NAME: sentryflow-httpfilter
+      ECR_REPOSITORY: "public.ecr.aws/k9v9d5v2/"
+      REGISTRY_TYPE: public
+      DOCKER_BUILD_ARGS: "--build-arg PLUGIN_TYPE=gateway"
+      IMAGE_TAG: "latest-gateway"
     secrets:
       AWS_ACCESS_KEY_ID: ${{ secrets.AWS_DEV_ACCESS_ID }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_DEV_SECRET_ID }}
 
   update-image-tags-in-helm-charts:
     if: ${{ github.repository == 'accuknox/sentryflow' }}
-    needs: [ release-sentryflow-image, release-envoy-filter-image ]
+    needs: [ release-sentryflow-image, release-envoy-filter-gateway-image, release-envoy-filter-sidecar-image ]
     permissions:
       pull-requests: write
       contents: write

diff --git a/deployments/sentryflow/templates/configmap.yaml b/deployments/sentryflow/templates/configmap.yaml
@@ -22,7 +22,9 @@ data:
 
       {{- if .Values.config.receivers.istio.enabled }}
       envoy:
-        uri: {{ .Values.config.receivers.istio.envoyFilterUri | default "public.ecr.aws/k9v9d5v2/sentryflow-httpfilter:v0.1.4" }}
+        uri: {{ .Values.config.receivers.istio.envoyFilterUri | default "public.ecr.aws/k9v9d5v2/sentryflow-httpfilter" }}
+        gatewayTag: {{ .Values.config.receivers.istio.gatewayTag | default "latest-gateway" }}
+        sidecarTag: {{ .Values.config.receivers.istio.sidecarTag | default "latest-sidecar" }}
       {{- end }}
 
     receivers:
@@ -34,6 +36,8 @@ data:
 
       {{- if .Values.config.receivers.istio.enabled }}
       serviceMeshes:
+        - name: istio-gateway
+          namespace: "istio-system"
         - name: istio-sidecar
           namespace: {{ .Values.config.receivers.istio.namespace | default "istio-system" }}
       {{- end }}
@@ -51,4 +55,3 @@ data:
     exporter:
       grpc:
         port: {{ .Values.config.grpcPort | default 8080 }}
-
diff --git a/deployments/sentryflow/values.yaml b/deployments/sentryflow/values.yaml
@@ -102,7 +102,9 @@ config:
     istio:
       enabled: false
       namespace: "istio-system"
-      envoyFilterUri: "public.ecr.aws/k9v9d5v2/sentryflow-httpfilter:v0.1.4"
+      envoyFilterUri: "public.ecr.aws/k9v9d5v2/sentryflow-httpfilter" # remove tag from the uri
+      sidecarTag: "latest-sidecar"
+      gatewayTag: "latest-gateway"
 
     azureApim:
       enabled: false
@@ -118,3 +120,4 @@ volumeMounts:
   - name: sentryflow
     mountPath: "/var/lib/sentryflow/"
     readOnly: true
+
diff --git a/filter/envoy/envoy-wasm-filters/Cargo.toml b/filter/envoy/envoy-wasm-filters/Cargo.toml
@@ -1,7 +1,6 @@
 [package]
 name = "envoy-wasm-filters"
 version = "0.1.0"
-authors = ["Anurag Rajawat", "[email protected]"]
 edition = "2021"
 
 [lib]
@@ -10,11 +9,18 @@ path = "src/lib.rs"
 crate-type = ["cdylib"]
 
 [dependencies]
-proxy-wasm = "0.2.2"
-log = "0.4.22"
-serde_json = "1.0.127"
-serde = { version = "1.0.209", features = ["derive"] }
+proxy-wasm = "0.2.1"
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
+log = "0.4"
+
+[features]
+default = ["sidecar"]
+sidecar = []
+gateway = []
 
 [profile.release]
-# Tell `rustc` to optimize for small code size.
-opt-level = "s"
+opt-level = "s"      # Optimize for size (WASM modules should be small)
+lto = true          # Enable link-time optimization
+strip = true        # Strip debug symbols
+
diff --git a/filter/envoy/envoy-wasm-filters/Dockerfile b/filter/envoy/envoy-wasm-filters/Dockerfile
@@ -1,14 +1,25 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2024 Authors of SentryFlow
 
+ARG PLUGIN_TYPE=sidecar
+
 FROM rust:1.81.0 AS builder
 
+ARG PLUGIN_TYPE=sidecar
+
 WORKDIR /envoy-plugin
 
 COPY . .
 
-RUN make toolchain build
+RUN make toolchain
+
+# Build the plugin with appropriate feature flag
+RUN if [ "${PLUGIN_TYPE}" = "gateway" ]; then \
+        cargo build --target wasm32-wasip1 --release --no-default-features --features gateway; \
+    else \
+        cargo build --target wasm32-wasip1 --release --features sidecar; \
+    fi
 
 FROM scratch
 
-COPY --from=builder /envoy-plugin/target/wasm32-unknown-unknown/release/httpfilters.wasm ./plugin.wasm
+COPY --from=builder /envoy-plugin/target/wasm32-wasip1/release/httpfilters.wasm ./plugin.wasm
diff --git a/filter/envoy/envoy-wasm-filters/Makefile b/filter/envoy/envoy-wasm-filters/Makefile
@@ -8,31 +8,51 @@ CONTAINER_TOOL ?= docker
 
 .PHONY: help
 help: ## Display this help
-	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-20s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
 .DEFAULT_GOAL := help
 
 .PHONY: toolchain
 toolchain: ## Install Rust WASM toolchain
 	@test rustup || curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
-	@rustup target add wasm32-unknown-unknown
+	@rustup target add wasm32-wasip1
+
+.PHONY: build-sidecar
+build-sidecar: ## Build sidecar plugin (default)
+	@cargo build --target wasm32-wasip1 --release --features sidecar
+
+.PHONY: build-gateway
+build-gateway: ## Build gateway plugin
+	@cargo build --target wasm32-wasip1 --release --no-default-features --features gateway
 
 .PHONY: build
-build: ## Build plugin.
-	@cargo build --target wasm32-unknown-unknown --release
+build: build-sidecar ## Build plugin (alias for build-sidecar)
 
 .PHONY: clean
-clean: ## Remove generated stuff.
+clean: ## Remove generated stuff
 	@cargo clean
 
-.PHONY: image
-image: ## Build Plugin's container image
-	$(CONTAINER_TOOL) build -t ${DOCKER_IMAGE}:${DOCKER_TAG} .
+.PHONY: image-sidecar
+image-sidecar:
+	$(CONTAINER_TOOL) build --build-arg PLUGIN_TYPE=sidecar -t ${DOCKER_IMAGE}:${DOCKER_TAG}-sidecar .
+
+.PHONY: image-gateway
+image-gateway: 
+	$(CONTAINER_TOOL) build --build-arg PLUGIN_TYPE=gateway -t ${DOCKER_IMAGE}:${DOCKER_TAG}-gateway .
 
-.PHONY: push
-push: ## Push Plugin's container image
-	$(CONTAINER_TOOL) push ${DOCKER_IMAGE}:${DOCKER_TAG}
+.PHONY: push-sidecar
+push-sidecar: ## Push sidecar container image
+	$(CONTAINER_TOOL) push ${DOCKER_IMAGE}:${DOCKER_TAG}-sidecar
+
+.PHONY: push-gateway
+push-gateway: ## Push gateway container image
+	$(CONTAINER_TOOL) push ${DOCKER_IMAGE}:${DOCKER_TAG}-gateway
+
+.PHONY: all
+all: image-sidecar image-gateway ## Build both sidecar and gateway images
+
+.PHONY: image
+all: image-sidecar ## By default we make image for sidecar 
 
-.PHONY: imagex
-imagex: ## Build and push Plugin's multi-platform container image.
-	$(CONTAINER_TOOL) buildx build --push --platform=linux/arm64,linux/amd64 -t ${DOCKER_IMAGE}:${DOCKER_TAG} .
+.PHONY: push-all
+push-all: push-sidecar push-gateway ## Push both images
diff --git a/filter/envoy/envoy-wasm-filters/docker-compose.yaml b/filter/envoy/envoy-wasm-filters/docker-compose.yaml
@@ -4,7 +4,7 @@ services:
     hostname: envoy
     volumes:
       - ./envoy.yaml:/etc/envoy/envoy.yaml
-      - ./target/wasm32-unknown-unknown/release:/etc/envoy/proxy-wasm-plugins
+      - ./target/wasm32-wasip1/release:/etc/envoy/proxy-wasm-plugins
     networks:
       - envoymesh
     ports:
@@ -13,4 +13,5 @@ services:
       UPSTREAM: filterserver
 
 networks:
-  envoymesh: { }
+  envoymesh: { }
+