feat(wasm): add wasm runtime support [KS-44] #131
stevensbkang wants to merge 2 commits into develop from
Pull request overview
Adds optional WebAssembly (wasmtime) runtime support to Kubesolo by embedding and configuring the containerd wasmtime shim, enabling RuntimeClass admission, and deploying a RuntimeClass resource when the feature flag is set.
Changes:
- Introduces a --wasm / KUBESOLO_WASM flag and corresponding embedded configuration fields.
- Extends containerd config generation to register a wasmtime runtime when enabled.
- Embeds/extracts the containerd-shim-wasmtime-v1 binary and deploys a RuntimeClass named wasmtime.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| types/types.go | Adds embedded config fields for wasm shim path + enablement flag. |
| types/const.go | Adds default wasm shim binary name constant. |
| pkg/runtime/containerd/service.go | Threads wasm shim path + enable flag into the containerd service. |
| pkg/runtime/containerd/config.go | Builds containerd runtime map with optional wasmtime runtime. |
| pkg/kubernetes/apiserver/flags.go | Stops disabling RuntimeClass admission plugin. |
| pkg/components/runtimeclass/runtimeclass.go | New component to create the wasmtime RuntimeClass resource. |
| internal/core/embedded/load.go | Conditionally extracts the wasm shim from embedded bytes. |
| internal/core/embedded/embedded.go | Embeds the wasm shim for supported architectures. |
| internal/core/embedded/embedded_riscv64.go | Marks wasm shim as unavailable on riscv64. |
| internal/config/flags/flags.go | Adds --wasm CLI/env flag. |
| cmd/kubesolo/main.go | Wires the flag into bootstrap + triggers RuntimeClass deploy when enabled. |
| build/wasm-shim.Dockerfile | Adds ARM32 cross-build Dockerfile for the wasm shim. |
| build/download-deps.sh | Downloads/builds the wasm shim alongside other embedded deps. |

||
| // Deploy creates the wasmtime RuntimeClass resource in the cluster | ||
| func Deploy(ctx context.Context, adminKubeconfig string) error { | ||
| time.Sleep(types.DefaultComponentSleep) |
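Review bot: the fixed time.Sleep(types.DefaultComponentSleep) on the first line of Deploy only assumes the API server is reachable once the delay has elapsed; nothing in it confirms that. Consider retrying the RuntimeClass create with a bounded backoff until it succeeds or ctx is cancelled, so a slow boot does not turn into a failed deploy and a fast one does not wait needlessly.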
Deploy accepts a caller context but immediately does an unconditional time.Sleep(...), which can delay shutdown/cancellation even if ctx is already done. Consider replacing the sleep with a ctx-aware wait (select on ctx.Done() vs time.After) so this component respects cancellation consistently.
| time.Sleep(types.DefaultComponentSleep) | |
| select { | |
| case <-ctx.Done(): | |
| return ctx.Err() | |
| case <-time.After(types.DefaultComponentSleep): | |
| } |
| if embedded.EnableWasm && len(wasmShimBinary) > 0 { | ||
| if err := filesystem.ExtractBinary(wasmShimBinary, embedded.WasmShimBinaryFile); err != nil { | ||
| return fmt.Errorf("failed to extract containerd-shim-wasmtime-v1 binary: %v", err) | ||
| } | ||
| log.Debug().Str("component", "embedded").Msg("containerd-shim-wasmtime-v1 extracted") | ||
| } |
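Review bot: the fmt.Errorf call in the extraction branch formats the underlying error with %v, which drops it from the error chain, so callers cannot match it with errors.Is or errors.As. Use %w instead: fmt.Errorf("failed to extract containerd-shim-wasmtime-v1 binary: %w", err).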
When embedded.EnableWasm is true but wasmShimBinary is empty (e.g. on riscv64 where it’s intentionally unavailable), this silently skips extraction and continues. Containerd will still be configured with the wasmtime runtime, leading to a missing-binary failure later. Consider returning an explicit error when EnableWasm is requested but the shim binary isn’t available, or force-disable WASM support in this case so the system boots predictably.
| if s.enableWasm { | ||
| runtimes["wasmtime"] = map[string]any{ | ||
| "runtime_type": "io.containerd.wasmtime.v1", | ||
| "runtime_path": s.wasmShimBinaryFile, | ||
| } | ||
| } |
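Review bot: the runtime key in runtimes["wasmtime"] is a bare string literal, and the RuntimeClass this PR deploys has to name the same key as its handler for pods to run under this shim. Define the handler name once (for example as a constant next to the shim binary name in types/const.go) and use it in both places, so a rename cannot leave the two out of sync.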
generateContainerdRuntimes() adds the wasmtime runtime solely based on s.enableWasm, without verifying that s.wasmShimBinaryFile exists on disk. On platforms where the shim is not embedded (e.g. riscv64) or if extraction fails, this will produce a containerd config referencing a non-existent runtime binary. Consider guarding this with a file existence check (or failing fast during validation) so containerd doesn’t start with an invalid runtime configuration.
No description provided.