From 393086c343ad02f5ceb598414ffbb7fece2b092b Mon Sep 17 00:00:00 2001
From: hejianpeng <hejianpeng2@huawei.com>
Date: Thu, 10 Feb 2022 09:09:12 +0800
Subject: [PATCH 1/2] WasmPlugin add VmConfig

---
 extensions/v1alpha1/wasm.gen.json             |  39 +
 extensions/v1alpha1/wasm.pb.go                | 723 +++++++++++++++++-
 extensions/v1alpha1/wasm.pb.html              | 150 +++-
 extensions/v1alpha1/wasm.proto                |  64 ++
 extensions/v1alpha1/wasm_deepcopy.gen.go      |  69 ++
 extensions/v1alpha1/wasm_json.gen.go          |  49 ++
 kubernetes/customresourcedefinitions.gen.yaml |  20 +
 .../istio_api/extensions/v1alpha1/wasm_pb2.py | 158 +++-
 8 files changed, 1225 insertions(+), 47 deletions(-)

diff --git a/extensions/v1alpha1/wasm.gen.json b/extensions/v1alpha1/wasm.gen.json
index dca8259415e..5adca8879e8 100644
--- a/extensions/v1alpha1/wasm.gen.json
+++ b/extensions/v1alpha1/wasm.gen.json
@@ -6,6 +6,29 @@
   },
   "components": {
     "schemas": {
+      "istio.extensions.v1alpha1.EnvValueSource": {
+        "type": "string",
+        "enum": [
+          "INLINE",
+          "HOST"
+        ]
+      },
+      "istio.extensions.v1alpha1.EnvVar": {
+        "type": "object",
+        "properties": {
+          "name": {
+            "description": "Required Name of the environment variable. Must be a C_IDENTIFIER.",
+            "type": "string"
+          },
+          "valueFrom": {
+            "$ref": "#/components/schemas/istio.extensions.v1alpha1.EnvValueSource"
+          },
+          "value": {
+            "description": "Variable references $(VAR_NAME) are expanded Note that if `value_from` is `HOST`, it will be ignored. Defaults to \"\". +optional",
+            "type": "string"
+          }
+        }
+      },
       "istio.extensions.v1alpha1.PluginPhase": {
         "description": "The phase in the filter chain where the plugin will be injected.",
         "type": "string",
@@ -25,6 +48,19 @@
           "Always"
         ]
       },
+      "istio.extensions.v1alpha1.VmConfig": {
+        "description": "Configuration for a Wasm VM. more details can be found [here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/wasm/v3/wasm.proto#extensions-wasm-v3-vmconfig).",
+        "type": "object",
+        "properties": {
+          "env": {
+            "description": "Specifies environment variables to be injected to this VM. Note that if a key does not exist, it will be ignored.",
+            "type": "array",
+            "items": {
+              "$ref": "#/components/schemas/istio.extensions.v1alpha1.EnvVar"
+            }
+          }
+        }
+      },
       "istio.extensions.v1alpha1.WasmPlugin": {
         "description": "WasmPlugins provides a mechanism to extend the functionality provided by the Istio proxy through WebAssembly filters.",
         "type": "object",
@@ -66,6 +102,9 @@
             "description": "Determines ordering of `WasmPlugins` in the same `phase`. When multiple `WasmPlugins` are applied to the same workload in the same `phase`, they will be applied by priority, in descending order. If `priority` is not set, or two `WasmPlugins` exist with the same value, the ordering will be deterministically derived from name and namespace of the `WasmPlugins`. Defaults to `0`.",
             "type": "integer",
             "nullable": true
+          },
+          "vmConfig": {
+            "$ref": "#/components/schemas/istio.extensions.v1alpha1.VmConfig"
           }
         }
       },
diff --git a/extensions/v1alpha1/wasm.pb.go b/extensions/v1alpha1/wasm.pb.go
index cdb7a5d4e8a..29bfcef255a 100644
--- a/extensions/v1alpha1/wasm.pb.go
+++ b/extensions/v1alpha1/wasm.pb.go
@@ -54,6 +54,33 @@
 //     openid_realm: ingress
 // ```
 //
+// This is the same as the last example, but using VmConfig to configure environment variables in the VM.
+//
+// ```yaml
+// apiVersion: extensions.istio.io/v1alpha1
+// kind: WasmPlugin
+// metadata:
+//   name: openid-connect
+//   namespace: istio-ingress
+// spec:
+//   selector:
+//     labels:
+//       istio: ingressgateway
+//   url: oci://private-registry:5000/openid-connect/openid:latest
+//   imagePullPolicy: IfNotPresent
+//   imagePullSecret: private-registry-pull-secret
+//   phase: AUTHN
+//   pluginConfig:
+//     openid_server: authn
+//     openid_realm: ingress
+//   vmConfig:
+//     env:
+//     - name: POD_NAME
+//       valueFrom: HOST
+//     - name: TRUST_DOMAIN
+//       value: "cluster.local"
+// ```
+//
 // And a more complex example that deploys three WasmPlugins and orders them
 // using `phase` and `priority`. The (hypothetical) setup is that the
 // `openid-connect` filter performs an OpenID Connect flow to authenticate the
@@ -232,6 +259,33 @@ func (PullPolicy) EnumDescriptor() ([]byte, []int) {
 	return fileDescriptor_4d60b240916c4e18, []int{1}
 }
 
+type EnvValueSource int32
+
+const (
+	// Explicitly given key-value pairs to be injected to this VM
+	EnvValueSource_INLINE EnvValueSource = 0
+	// *Istio-proxy's* environment variables exposed to this VM.
+	EnvValueSource_HOST EnvValueSource = 1
+)
+
+var EnvValueSource_name = map[int32]string{
+	0: "INLINE",
+	1: "HOST",
+}
+
+var EnvValueSource_value = map[string]int32{
+	"INLINE": 0,
+	"HOST":   1,
+}
+
+func (x EnvValueSource) String() string {
+	return proto.EnumName(EnvValueSource_name, int32(x))
+}
+
+func (EnvValueSource) EnumDescriptor() ([]byte, []int) {
+	return fileDescriptor_4d60b240916c4e18, []int{2}
+}
+
 // WasmPlugins provides a mechanism to extend the functionality provided by
 // the Istio proxy through WebAssembly filters.
 //
@@ -307,10 +361,13 @@ type WasmPlugin struct {
 	// If `priority` is not set, or two `WasmPlugins` exist with the same
 	// value, the ordering will be deterministically derived from name and
 	// namespace of the `WasmPlugins`. Defaults to `0`.
-	Priority             *types.Int64Value `protobuf:"bytes,10,opt,name=priority,proto3" json:"priority,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
-	XXX_unrecognized     []byte            `json:"-"`
-	XXX_sizecache        int32             `json:"-"`
+	Priority *types.Int64Value `protobuf:"bytes,10,opt,name=priority,proto3" json:"priority,omitempty"`
+	// Configuration for a Wasm VM.
+	// more details can be found [here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/wasm/v3/wasm.proto#extensions-wasm-v3-vmconfig).
+	VmConfig             *VmConfig `protobuf:"bytes,11,opt,name=vm_config,json=vmConfig,proto3" json:"vm_config,omitempty"`
+	XXX_NoUnkeyedLiteral struct{}  `json:"-"`
+	XXX_unrecognized     []byte    `json:"-"`
+	XXX_sizecache        int32     `json:"-"`
 }
 
 func (m *WasmPlugin) Reset()         { *m = WasmPlugin{} }
@@ -416,49 +473,214 @@ func (m *WasmPlugin) GetPriority() *types.Int64Value {
 	return nil
 }
 
+func (m *WasmPlugin) GetVmConfig() *VmConfig {
+	if m != nil {
+		return m.VmConfig
+	}
+	return nil
+}
+
+// Configuration for a Wasm VM.
+// more details can be found [here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/wasm/v3/wasm.proto#extensions-wasm-v3-vmconfig).
+type VmConfig struct {
+	// Specifies environment variables to be injected to this VM.
+	// Note that if a key does not exist, it will be ignored.
+	Env                  []*EnvVar `protobuf:"bytes,1,rep,name=env,proto3" json:"env,omitempty"`
+	XXX_NoUnkeyedLiteral struct{}  `json:"-"`
+	XXX_unrecognized     []byte    `json:"-"`
+	XXX_sizecache        int32     `json:"-"`
+}
+
+func (m *VmConfig) Reset()         { *m = VmConfig{} }
+func (m *VmConfig) String() string { return proto.CompactTextString(m) }
+func (*VmConfig) ProtoMessage()    {}
+func (*VmConfig) Descriptor() ([]byte, []int) {
+	return fileDescriptor_4d60b240916c4e18, []int{1}
+}
+func (m *VmConfig) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *VmConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	if deterministic {
+		return xxx_messageInfo_VmConfig.Marshal(b, m, deterministic)
+	} else {
+		b = b[:cap(b)]
+		n, err := m.MarshalToSizedBuffer(b)
+		if err != nil {
+			return nil, err
+		}
+		return b[:n], nil
+	}
+}
+func (m *VmConfig) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_VmConfig.Merge(m, src)
+}
+func (m *VmConfig) XXX_Size() int {
+	return m.Size()
+}
+func (m *VmConfig) XXX_DiscardUnknown() {
+	xxx_messageInfo_VmConfig.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_VmConfig proto.InternalMessageInfo
+
+func (m *VmConfig) GetEnv() []*EnvVar {
+	if m != nil {
+		return m.Env
+	}
+	return nil
+}
+
+type EnvVar struct {
+	// Required
+	// Name of the environment variable. Must be a C_IDENTIFIER.
+	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	// Required
+	// Source for the environment variable's value.
+	ValueFrom EnvValueSource `protobuf:"varint,3,opt,name=value_from,json=valueFrom,proto3,enum=istio.extensions.v1alpha1.EnvValueSource" json:"value_from,omitempty"`
+	// Types that are valid to be assigned to XValue:
+	//	*EnvVar_Value
+	XValue               isEnvVar_XValue `protobuf_oneof:"_value"`
+	XXX_NoUnkeyedLiteral struct{}        `json:"-"`
+	XXX_unrecognized     []byte          `json:"-"`
+	XXX_sizecache        int32           `json:"-"`
+}
+
+func (m *EnvVar) Reset()         { *m = EnvVar{} }
+func (m *EnvVar) String() string { return proto.CompactTextString(m) }
+func (*EnvVar) ProtoMessage()    {}
+func (*EnvVar) Descriptor() ([]byte, []int) {
+	return fileDescriptor_4d60b240916c4e18, []int{2}
+}
+func (m *EnvVar) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *EnvVar) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	if deterministic {
+		return xxx_messageInfo_EnvVar.Marshal(b, m, deterministic)
+	} else {
+		b = b[:cap(b)]
+		n, err := m.MarshalToSizedBuffer(b)
+		if err != nil {
+			return nil, err
+		}
+		return b[:n], nil
+	}
+}
+func (m *EnvVar) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_EnvVar.Merge(m, src)
+}
+func (m *EnvVar) XXX_Size() int {
+	return m.Size()
+}
+func (m *EnvVar) XXX_DiscardUnknown() {
+	xxx_messageInfo_EnvVar.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_EnvVar proto.InternalMessageInfo
+
+type isEnvVar_XValue interface {
+	isEnvVar_XValue()
+	MarshalTo([]byte) (int, error)
+	Size() int
+}
+
+type EnvVar_Value struct {
+	Value string `protobuf:"bytes,2,opt,name=value,proto3,oneof" json:"value,omitempty"`
+}
+
+func (*EnvVar_Value) isEnvVar_XValue() {}
+
+func (m *EnvVar) GetXValue() isEnvVar_XValue {
+	if m != nil {
+		return m.XValue
+	}
+	return nil
+}
+
+func (m *EnvVar) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+func (m *EnvVar) GetValueFrom() EnvValueSource {
+	if m != nil {
+		return m.ValueFrom
+	}
+	return EnvValueSource_INLINE
+}
+
+func (m *EnvVar) GetValue() string {
+	if x, ok := m.GetXValue().(*EnvVar_Value); ok {
+		return x.Value
+	}
+	return ""
+}
+
+// XXX_OneofWrappers is for the internal use of the proto package.
+func (*EnvVar) XXX_OneofWrappers() []interface{} {
+	return []interface{}{
+		(*EnvVar_Value)(nil),
+	}
+}
+
 func init() {
 	proto.RegisterEnum("istio.extensions.v1alpha1.PluginPhase", PluginPhase_name, PluginPhase_value)
 	proto.RegisterEnum("istio.extensions.v1alpha1.PullPolicy", PullPolicy_name, PullPolicy_value)
+	proto.RegisterEnum("istio.extensions.v1alpha1.EnvValueSource", EnvValueSource_name, EnvValueSource_value)
 	proto.RegisterType((*WasmPlugin)(nil), "istio.extensions.v1alpha1.WasmPlugin")
+	proto.RegisterType((*VmConfig)(nil), "istio.extensions.v1alpha1.VmConfig")
+	proto.RegisterType((*EnvVar)(nil), "istio.extensions.v1alpha1.EnvVar")
 }
 
 func init() { proto.RegisterFile("extensions/v1alpha1/wasm.proto", fileDescriptor_4d60b240916c4e18) }
 
 var fileDescriptor_4d60b240916c4e18 = []byte{
-	// 520 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x93, 0xdf, 0x6e, 0x12, 0x41,
-	0x14, 0xc6, 0xbb, 0xc5, 0x22, 0x1c, 0xaa, 0x6e, 0x27, 0xb1, 0xae, 0xad, 0x41, 0x62, 0xd4, 0x20,
-	0x17, 0xb3, 0x01, 0xb5, 0xde, 0xf4, 0x42, 0x8a, 0x98, 0x12, 0x0d, 0xae, 0xbb, 0xd4, 0xc6, 0xde,
-	0x90, 0x61, 0x1d, 0x60, 0xd2, 0x61, 0x67, 0x33, 0x33, 0x0b, 0xee, 0x1b, 0x7a, 0xe9, 0x23, 0x18,
-	0x9e, 0xc2, 0x4b, 0xc3, 0x2c, 0x14, 0xea, 0xbf, 0xbb, 0xc3, 0x39, 0xbf, 0xef, 0x9b, 0x73, 0x3e,
-	0xb2, 0x50, 0xa6, 0x5f, 0x35, 0x8d, 0x14, 0x13, 0x91, 0x72, 0xa7, 0x75, 0xc2, 0xe3, 0x31, 0xa9,
-	0xbb, 0x33, 0xa2, 0x26, 0x38, 0x96, 0x42, 0x0b, 0x74, 0x9f, 0x29, 0xcd, 0x04, 0x5e, 0x53, 0x78,
-	0x45, 0x1d, 0x94, 0x47, 0x42, 0x8c, 0x38, 0x75, 0x0d, 0x38, 0x48, 0x86, 0xee, 0x4c, 0x92, 0x38,
-	0xa6, 0x52, 0x65, 0xd2, 0x83, 0x07, 0xbf, 0xcf, 0x95, 0x96, 0x49, 0xa8, 0x97, 0xd3, 0x43, 0x9d,
-	0xc6, 0xd4, 0x9d, 0xd6, 0x07, 0x54, 0x93, 0xba, 0xab, 0x28, 0xa7, 0xa1, 0x16, 0x32, 0x1b, 0x3e,
-	0xfa, 0x99, 0x03, 0x38, 0x27, 0x6a, 0xe2, 0xf1, 0x64, 0xc4, 0x22, 0xf4, 0x1a, 0x0a, 0x2b, 0xc0,
-	0xb1, 0x2a, 0x56, 0xb5, 0xd4, 0x78, 0x8c, 0xb3, 0xbd, 0x16, 0x26, 0x78, 0x69, 0x82, 0xcf, 0x85,
-	0xbc, 0xe4, 0x82, 0x7c, 0x09, 0x96, 0xac, 0x7f, 0xa5, 0x42, 0x36, 0xe4, 0x12, 0xc9, 0x9d, 0xed,
-	0x8a, 0x55, 0x2d, 0xfa, 0x8b, 0x12, 0xed, 0x43, 0x5e, 0x8d, 0x49, 0xe3, 0xe5, 0x91, 0x93, 0x33,
-	0xcd, 0xe5, 0x2f, 0xf4, 0x11, 0xf6, 0xd8, 0x84, 0x8c, 0x68, 0x3f, 0x4e, 0x38, 0xef, 0xc7, 0x82,
-	0xb3, 0x30, 0x75, 0x6e, 0x54, 0xac, 0xea, 0xed, 0xc6, 0x13, 0xfc, 0xcf, 0x30, 0xb0, 0x97, 0x70,
-	0xee, 0x19, 0xd8, 0xbf, 0x63, 0xf4, 0xeb, 0x06, 0xaa, 0x5d, 0xb3, 0x54, 0x34, 0x94, 0x54, 0x3b,
-	0x3b, 0xe6, 0xd5, 0x35, 0x1b, 0x98, 0x36, 0x7a, 0x06, 0xf6, 0x94, 0x4a, 0x36, 0x64, 0x21, 0xd1,
-	0x4c, 0x44, 0xfd, 0x4b, 0x9a, 0x3a, 0xf9, 0x0c, 0xdd, 0xec, 0xbf, 0xa3, 0x29, 0x3a, 0x86, 0x5b,
-	0xb1, 0xc9, 0xa7, 0x1f, 0x8a, 0x68, 0xc8, 0x46, 0xce, 0x4d, 0x13, 0xcd, 0x3d, 0x9c, 0xe5, 0x8e,
-	0x57, 0xb9, 0xe3, 0xc0, 0xe4, 0xee, 0xef, 0x66, 0x74, 0xcb, 0xc0, 0xe8, 0x21, 0x94, 0x96, 0xea,
-	0x88, 0x4c, 0xa8, 0x53, 0x30, 0x6f, 0x40, 0xd6, 0xea, 0x92, 0x09, 0x45, 0xc7, 0xb0, 0x13, 0x8f,
-	0x89, 0xa2, 0x4e, 0xd1, 0x1c, 0xff, 0xf4, 0x7f, 0xc7, 0x1b, 0x95, 0xb7, 0xa0, 0xfd, 0x4c, 0x84,
-	0x5e, 0x41, 0x21, 0x96, 0x4c, 0x48, 0xa6, 0x53, 0x07, 0xcc, 0x5e, 0x87, 0x7f, 0xec, 0xd5, 0x89,
-	0xf4, 0xd1, 0x8b, 0x4f, 0x84, 0x27, 0xd4, 0xbf, 0x82, 0x6b, 0x6d, 0x28, 0x6d, 0xd8, 0xa1, 0xbb,
-	0xb0, 0x77, 0xd6, 0x0d, 0xbc, 0x76, 0xab, 0xf3, 0xb6, 0xd3, 0x7e, 0xd3, 0xf7, 0x4e, 0x9b, 0x41,
-	0xdb, 0xde, 0x42, 0x45, 0xd8, 0x69, 0x9e, 0xf5, 0x4e, 0xbb, 0xb6, 0xb5, 0x2a, 0x2f, 0xec, 0xed,
-	0x45, 0x19, 0xf4, 0x9a, 0xbd, 0xc0, 0xce, 0xd5, 0x4e, 0x00, 0x36, 0xfe, 0x81, 0x7d, 0x40, 0xd7,
-	0x5c, 0x3e, 0xbc, 0xef, 0xb4, 0x3e, 0xdb, 0x5b, 0xc8, 0x86, 0xdd, 0xce, 0xb0, 0x2b, 0xb4, 0x27,
-	0xa9, 0xa2, 0x91, 0xb6, 0x2d, 0x04, 0x90, 0x6f, 0xf2, 0x19, 0x49, 0x95, 0xbd, 0x7d, 0x82, 0xbf,
-	0xcd, 0xcb, 0xd6, 0xf7, 0x79, 0xd9, 0xfa, 0x31, 0x2f, 0x5b, 0x17, 0x95, 0xec, 0x7e, 0x26, 0x5c,
-	0x12, 0x33, 0xf7, 0x2f, 0x9f, 0xcd, 0x20, 0x6f, 0x2e, 0x7b, 0xfe, 0x2b, 0x00, 0x00, 0xff, 0xff,
-	0x4c, 0xa9, 0xbd, 0xec, 0x54, 0x03, 0x00, 0x00,
+	// 666 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x84, 0x54, 0xdd, 0x4e, 0x13, 0x41,
+	0x14, 0x66, 0xe8, 0x8f, 0xed, 0x29, 0xe2, 0x32, 0x89, 0xb8, 0x80, 0xa9, 0x15, 0x95, 0x94, 0x5e,
+	0xec, 0xa6, 0x45, 0xf1, 0x86, 0x44, 0x0a, 0x96, 0xb4, 0x91, 0x94, 0xba, 0x5b, 0x20, 0x72, 0xd3,
+	0x0c, 0x75, 0x5a, 0x36, 0xcc, 0xee, 0x6c, 0x66, 0x67, 0x17, 0xfb, 0x06, 0x26, 0xbe, 0x91, 0x4f,
+	0xe0, 0xa5, 0x8f, 0x60, 0x78, 0x12, 0xb3, 0xb3, 0x5b, 0xfe, 0x54, 0xbc, 0x3b, 0x3f, 0xdf, 0xf7,
+	0xcd, 0x39, 0x5f, 0x4e, 0x06, 0xca, 0xf4, 0x8b, 0xa4, 0x5e, 0xe0, 0x70, 0x2f, 0x30, 0xa3, 0x3a,
+	0x61, 0xfe, 0x19, 0xa9, 0x9b, 0x17, 0x24, 0x70, 0x0d, 0x5f, 0x70, 0xc9, 0xf1, 0x92, 0x13, 0x48,
+	0x87, 0x1b, 0xd7, 0x28, 0x63, 0x8a, 0x5a, 0x5e, 0x1a, 0x73, 0x3e, 0x66, 0xd4, 0x54, 0xc0, 0xd3,
+	0x70, 0x64, 0x12, 0x6f, 0x92, 0xb0, 0x96, 0xcb, 0x77, 0x5b, 0x17, 0x82, 0xf8, 0x3e, 0x15, 0x41,
+	0xda, 0x7f, 0x7a, 0xb7, 0x1f, 0x48, 0x11, 0x0e, 0x65, 0xda, 0x5d, 0x91, 0x13, 0x9f, 0x9a, 0x51,
+	0xfd, 0x94, 0x4a, 0x52, 0x37, 0x03, 0xca, 0xe8, 0x50, 0x72, 0x91, 0x34, 0x57, 0xbf, 0x67, 0x01,
+	0x8e, 0x49, 0xe0, 0xf6, 0x58, 0x38, 0x76, 0x3c, 0xbc, 0x0d, 0x85, 0x29, 0x40, 0x47, 0x15, 0x54,
+	0x2d, 0x35, 0x5e, 0x1a, 0xc9, 0xc8, 0xb1, 0x88, 0x91, 0x8a, 0x18, 0xc7, 0x5c, 0x9c, 0x33, 0x4e,
+	0x3e, 0xdb, 0x29, 0xd6, 0xba, 0x62, 0x61, 0x0d, 0x32, 0xa1, 0x60, 0xfa, 0x6c, 0x05, 0x55, 0x8b,
+	0x56, 0x1c, 0xe2, 0x45, 0xc8, 0x07, 0x67, 0xa4, 0xf1, 0x66, 0x53, 0xcf, 0xa8, 0x62, 0x9a, 0xe1,
+	0x8f, 0xb0, 0xe0, 0xb8, 0x64, 0x4c, 0x07, 0x7e, 0xc8, 0xd8, 0xc0, 0xe7, 0xcc, 0x19, 0x4e, 0xf4,
+	0x6c, 0x05, 0x55, 0xe7, 0x1b, 0xaf, 0x8c, 0x7f, 0xfa, 0x64, 0xf4, 0x42, 0xc6, 0x7a, 0x0a, 0x6c,
+	0x3d, 0x52, 0xfc, 0xeb, 0x02, 0xae, 0xdd, 0x92, 0x0c, 0xe8, 0x50, 0x50, 0xa9, 0xe7, 0xd4, 0xab,
+	0xd7, 0x58, 0x5b, 0x95, 0xf1, 0x3a, 0x68, 0x11, 0x15, 0xce, 0xc8, 0x19, 0x12, 0xe9, 0x70, 0x6f,
+	0x70, 0x4e, 0x27, 0x7a, 0x3e, 0x81, 0xde, 0xac, 0x7f, 0xa0, 0x13, 0xbc, 0x05, 0x0f, 0x7d, 0xe5,
+	0xcf, 0x60, 0xc8, 0xbd, 0x91, 0x33, 0xd6, 0x1f, 0x28, 0x6b, 0x9e, 0x18, 0x89, 0xef, 0xc6, 0xd4,
+	0x77, 0xc3, 0x56, 0xbe, 0x5b, 0x73, 0x09, 0x7a, 0x57, 0x81, 0xf1, 0x33, 0x28, 0xa5, 0x6c, 0x8f,
+	0xb8, 0x54, 0x2f, 0xa8, 0x37, 0x20, 0x29, 0x75, 0x89, 0x4b, 0xf1, 0x16, 0xe4, 0xfc, 0x33, 0x12,
+	0x50, 0xbd, 0xa8, 0x96, 0x5f, 0xbb, 0x6f, 0x79, 0xc5, 0xea, 0xc5, 0x68, 0x2b, 0x21, 0xe1, 0xb7,
+	0x50, 0xf0, 0x85, 0xc3, 0x85, 0x23, 0x27, 0x3a, 0xa8, 0xb9, 0x56, 0xfe, 0x98, 0xab, 0xe3, 0xc9,
+	0xcd, 0xd7, 0x47, 0x84, 0x85, 0xd4, 0xba, 0x02, 0xe3, 0x6d, 0x28, 0x46, 0xee, 0x74, 0xa3, 0x92,
+	0x62, 0xbe, 0xb8, 0xe7, 0xe9, 0x23, 0x37, 0xd9, 0xc7, 0x2a, 0x44, 0x69, 0xb4, 0xfa, 0x0e, 0x0a,
+	0xd3, 0x2a, 0xde, 0x80, 0x0c, 0xf5, 0x22, 0x1d, 0x55, 0x32, 0xd5, 0x52, 0xe3, 0xf9, 0x3d, 0x3a,
+	0x2d, 0x2f, 0x3a, 0x22, 0xc2, 0x8a, 0xd1, 0xab, 0xdf, 0x10, 0xe4, 0x93, 0x1c, 0x63, 0xc8, 0x2a,
+	0x7b, 0x90, 0xb2, 0x47, 0xc5, 0xb8, 0x0d, 0x10, 0xc5, 0x43, 0x0f, 0x46, 0x82, 0xbb, 0xea, 0x7a,
+	0xe6, 0x1b, 0xeb, 0xff, 0x93, 0x66, 0x21, 0xb5, 0x79, 0x28, 0x86, 0xd4, 0x2a, 0x2a, 0xf2, 0x9e,
+	0xe0, 0x2e, 0x5e, 0x82, 0x9c, 0x4a, 0x92, 0xbb, 0x6c, 0xcf, 0x58, 0x49, 0xfa, 0x15, 0xa1, 0x9d,
+	0x02, 0xe4, 0x07, 0x2a, 0xa9, 0xb5, 0xa0, 0x74, 0xc3, 0x5f, 0xfc, 0x18, 0x16, 0x0e, 0xbb, 0x76,
+	0xaf, 0xb5, 0xdb, 0xd9, 0xeb, 0xb4, 0xde, 0x0f, 0x7a, 0xed, 0xa6, 0xdd, 0xd2, 0x66, 0x70, 0x11,
+	0x72, 0xcd, 0xc3, 0x7e, 0xbb, 0xab, 0xa1, 0x69, 0x78, 0xa2, 0xcd, 0xc6, 0xa1, 0xdd, 0x6f, 0xf6,
+	0x6d, 0x2d, 0x53, 0xdb, 0x01, 0xb8, 0x71, 0x92, 0x8b, 0x80, 0x6f, 0xa9, 0x1c, 0xec, 0x77, 0x76,
+	0x3f, 0x69, 0x33, 0x58, 0x83, 0xb9, 0xce, 0xa8, 0xcb, 0x65, 0x4f, 0xd0, 0x80, 0x7a, 0x52, 0x43,
+	0x18, 0x20, 0xdf, 0x64, 0x17, 0x64, 0x12, 0x68, 0xb3, 0xb5, 0x35, 0x98, 0xbf, 0xbd, 0x4c, 0xdc,
+	0xed, 0x74, 0xf7, 0x3b, 0xdd, 0x78, 0x84, 0x02, 0x64, 0xdb, 0x07, 0x76, 0x5f, 0x43, 0x3b, 0xc6,
+	0x8f, 0xcb, 0x32, 0xfa, 0x79, 0x59, 0x46, 0xbf, 0x2e, 0xcb, 0xe8, 0xa4, 0x92, 0x58, 0xe3, 0x70,
+	0x93, 0xf8, 0x8e, 0xf9, 0x97, 0xaf, 0xe8, 0x34, 0xaf, 0x4e, 0x62, 0xe3, 0x77, 0x00, 0x00, 0x00,
+	0xff, 0xff, 0x0e, 0x37, 0x9b, 0xc9, 0xa8, 0x04, 0x00, 0x00,
 }
 
 func (m *WasmPlugin) Marshal() (dAtA []byte, err error) {
@@ -485,6 +707,18 @@ func (m *WasmPlugin) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	if m.VmConfig != nil {
+		{
+			size, err := m.VmConfig.MarshalToSizedBuffer(dAtA[:i])
+			if err != nil {
+				return 0, err
+			}
+			i -= size
+			i = encodeVarintWasm(dAtA, i, uint64(size))
+		}
+		i--
+		dAtA[i] = 0x5a
+	}
 	if m.Priority != nil {
 		{
 			size, err := m.Priority.MarshalToSizedBuffer(dAtA[:i])
@@ -569,6 +803,109 @@ func (m *WasmPlugin) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	return len(dAtA) - i, nil
 }
 
+func (m *VmConfig) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *VmConfig) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *VmConfig) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.XXX_unrecognized != nil {
+		i -= len(m.XXX_unrecognized)
+		copy(dAtA[i:], m.XXX_unrecognized)
+	}
+	if len(m.Env) > 0 {
+		for iNdEx := len(m.Env) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.Env[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintWasm(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0xa
+		}
+	}
+	return len(dAtA) - i, nil
+}
+
+func (m *EnvVar) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *EnvVar) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *EnvVar) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.XXX_unrecognized != nil {
+		i -= len(m.XXX_unrecognized)
+		copy(dAtA[i:], m.XXX_unrecognized)
+	}
+	if m.ValueFrom != 0 {
+		i = encodeVarintWasm(dAtA, i, uint64(m.ValueFrom))
+		i--
+		dAtA[i] = 0x18
+	}
+	if m.XValue != nil {
+		{
+			size := m.XValue.Size()
+			i -= size
+			if _, err := m.XValue.MarshalTo(dAtA[i:]); err != nil {
+				return 0, err
+			}
+		}
+	}
+	if len(m.Name) > 0 {
+		i -= len(m.Name)
+		copy(dAtA[i:], m.Name)
+		i = encodeVarintWasm(dAtA, i, uint64(len(m.Name)))
+		i--
+		dAtA[i] = 0xa
+	}
+	return len(dAtA) - i, nil
+}
+
+func (m *EnvVar_Value) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *EnvVar_Value) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	i -= len(m.Value)
+	copy(dAtA[i:], m.Value)
+	i = encodeVarintWasm(dAtA, i, uint64(len(m.Value)))
+	i--
+	dAtA[i] = 0x12
+	return len(dAtA) - i, nil
+}
 func encodeVarintWasm(dAtA []byte, offset int, v uint64) int {
 	offset -= sovWasm(v)
 	base := offset
@@ -624,12 +961,67 @@ func (m *WasmPlugin) Size() (n int) {
 		l = m.Priority.Size()
 		n += 1 + l + sovWasm(uint64(l))
 	}
+	if m.VmConfig != nil {
+		l = m.VmConfig.Size()
+		n += 1 + l + sovWasm(uint64(l))
+	}
+	if m.XXX_unrecognized != nil {
+		n += len(m.XXX_unrecognized)
+	}
+	return n
+}
+
+func (m *VmConfig) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	if len(m.Env) > 0 {
+		for _, e := range m.Env {
+			l = e.Size()
+			n += 1 + l + sovWasm(uint64(l))
+		}
+	}
+	if m.XXX_unrecognized != nil {
+		n += len(m.XXX_unrecognized)
+	}
+	return n
+}
+
+func (m *EnvVar) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.Name)
+	if l > 0 {
+		n += 1 + l + sovWasm(uint64(l))
+	}
+	if m.XValue != nil {
+		n += m.XValue.Size()
+	}
+	if m.ValueFrom != 0 {
+		n += 1 + sovWasm(uint64(m.ValueFrom))
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
 	return n
 }
 
+func (m *EnvVar_Value) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.Value)
+	n += 1 + l + sovWasm(uint64(l))
+	return n
+}
+
 func sovWasm(x uint64) (n int) {
 	return (math_bits.Len64(x|1) + 6) / 7
 }
@@ -971,6 +1363,261 @@ func (m *WasmPlugin) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 11:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VmConfig", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowWasm
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthWasm
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthWasm
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.VmConfig == nil {
+				m.VmConfig = &VmConfig{}
+			}
+			if err := m.VmConfig.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipWasm(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthWasm
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *VmConfig) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowWasm
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: VmConfig: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: VmConfig: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Env", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowWasm
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthWasm
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthWasm
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Env = append(m.Env, &EnvVar{})
+			if err := m.Env[len(m.Env)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipWasm(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthWasm
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *EnvVar) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowWasm
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: EnvVar: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: EnvVar: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowWasm
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthWasm
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthWasm
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Value", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowWasm
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthWasm
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthWasm
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.XValue = &EnvVar_Value{string(dAtA[iNdEx:postIndex])}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ValueFrom", wireType)
+			}
+			m.ValueFrom = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowWasm
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ValueFrom |= EnvValueSource(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
 		default:
 			iNdEx = preIndex
 			skippy, err := skipWasm(dAtA[iNdEx:])
diff --git a/extensions/v1alpha1/wasm.pb.html b/extensions/v1alpha1/wasm.pb.html
index b06220b9868..53aeec39ccb 100644
--- a/extensions/v1alpha1/wasm.pb.html
+++ b/extensions/v1alpha1/wasm.pb.html
@@ -6,7 +6,7 @@
 generator: protoc-gen-docs
 schema: istio.extensions.v1alpha1.WasmPlugin
 aliases: [/docs/reference/config/extensions/v1alpha1/wasm-plugin]
-number_of_entries: 3
+number_of_entries: 6
 ---
 <p>WasmPlugins provides a mechanism to extend the functionality provided by
 the Istio proxy through WebAssembly filters.</p>
@@ -59,6 +59,32 @@
     openid_realm: ingress
 </code></pre>
 
+<p>This is the same as the last example, but using VmConfig to configure environment variables in the VM.</p>
+
+<pre><code class="language-yaml">apiVersion: extensions.istio.io/v1alpha1
+kind: WasmPlugin
+metadata:
+  name: openid-connect
+  namespace: istio-ingress
+spec:
+  selector:
+    labels:
+      istio: ingressgateway
+  url: oci://private-registry:5000/openid-connect/openid:latest
+  imagePullPolicy: IfNotPresent
+  imagePullSecret: private-registry-pull-secret
+  phase: AUTHN
+  pluginConfig:
+    openid_server: authn
+    openid_realm: ingress
+  vmConfig:
+    env:
+    - name: POD_NAME
+      valueFrom: HOST
+    - name: TRUST_DOMAIN
+      value: &quot;cluster.local&quot;
+</code></pre>
+
 <p>And a more complex example that deploys three WasmPlugins and orders them
 using <code>phase</code> and <code>priority</code>. The (hypothetical) setup is that the
 <code>openid-connect</code> filter performs an OpenID Connect flow to authenticate the
@@ -281,6 +307,101 @@ <h2 id="WasmPlugin">WasmPlugin</h2>
 value, the ordering will be deterministically derived from name and
 namespace of the <code>WasmPlugins</code>. Defaults to <code>0</code>.</p>
 
+</td>
+<td>
+No
+</td>
+</tr>
+<tr id="WasmPlugin-vm_config">
+<td><code>vmConfig</code></td>
+<td><code><a href="#VmConfig">VmConfig</a></code></td>
+<td>
+<p>Configuration for a Wasm VM.
+more details can be found <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/wasm/v3/wasm.proto#extensions-wasm-v3-vmconfig">here</a>.</p>
+
+</td>
+<td>
+No
+</td>
+</tr>
+</tbody>
+</table>
+</section>
+<h2 id="VmConfig">VmConfig</h2>
+<section>
+<p>Configuration for a Wasm VM.
+more details can be found <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/wasm/v3/wasm.proto#extensions-wasm-v3-vmconfig">here</a>.</p>
+
+<table class="message-fields">
+<thead>
+<tr>
+<th>Field</th>
+<th>Type</th>
+<th>Description</th>
+<th>Required</th>
+</tr>
+</thead>
+<tbody>
+<tr id="VmConfig-env">
+<td><code>env</code></td>
+<td><code><a href="#EnvVar">EnvVar[]</a></code></td>
+<td>
+<p>Specifies environment variables to be injected to this VM.
+Note that if a key does not exist, it will be ignored.</p>
+
+</td>
+<td>
+No
+</td>
+</tr>
+</tbody>
+</table>
+</section>
+<h2 id="EnvVar">EnvVar</h2>
+<section>
+<table class="message-fields">
+<thead>
+<tr>
+<th>Field</th>
+<th>Type</th>
+<th>Description</th>
+<th>Required</th>
+</tr>
+</thead>
+<tbody>
+<tr id="EnvVar-name">
+<td><code>name</code></td>
+<td><code>string</code></td>
+<td>
+<p>Required
+Name of the environment variable. Must be a C_IDENTIFIER.</p>
+
+</td>
+<td>
+No
+</td>
+</tr>
+<tr id="EnvVar-value_from">
+<td><code>valueFrom</code></td>
+<td><code><a href="#EnvValueSource">EnvValueSource</a></code></td>
+<td>
+<p>Required
+Source for the environment variable&rsquo;s value.</p>
+
+</td>
+<td>
+No
+</td>
+</tr>
+<tr id="EnvVar-value" class="oneof oneof-start">
+<td><code>value</code></td>
+<td><code>string (oneof)</code></td>
+<td>
+<p>Variable references $(VAR_NAME) are expanded
+Note that if <code>value_from</code> is <code>HOST</code>, it will be ignored.
+Defaults to &ldquo;&rdquo;.
++optional</p>
+
 </td>
 <td>
 No
@@ -375,3 +496,30 @@ <h2 id="PullPolicy">PullPolicy</h2>
 </tbody>
 </table>
 </section>
+<h2 id="EnvValueSource">EnvValueSource</h2>
+<section>
+<table class="enum-values">
+<thead>
+<tr>
+<th>Name</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="EnvValueSource-INLINE">
+<td><code>INLINE</code></td>
+<td>
+<p>Explicitly given key-value pairs to be injected to this VM</p>
+
+</td>
+</tr>
+<tr id="EnvValueSource-HOST">
+<td><code>HOST</code></td>
+<td>
+<p><em>Istio-proxy&rsquo;s</em> environment variables exposed to this VM.</p>
+
+</td>
+</tr>
+</tbody>
+</table>
+</section>
diff --git a/extensions/v1alpha1/wasm.proto b/extensions/v1alpha1/wasm.proto
index fe1ca7d19a6..faf588443cf 100644
--- a/extensions/v1alpha1/wasm.proto
+++ b/extensions/v1alpha1/wasm.proto
@@ -14,6 +14,7 @@
 
 syntax = "proto3";
 
+import "google/protobuf/any.proto";
 import "google/protobuf/wrappers.proto";
 import "google/protobuf/struct.proto";
 import "type/v1beta1/selector.proto";
@@ -77,6 +78,33 @@ import "type/v1beta1/selector.proto";
 //     openid_realm: ingress
 // ```
 //
+// This is the same as the last example, but using VmConfig to configure environment variables in the VM.
+//
+// ```yaml
+// apiVersion: extensions.istio.io/v1alpha1
+// kind: WasmPlugin
+// metadata:
+//   name: openid-connect
+//   namespace: istio-ingress
+// spec:
+//   selector:
+//     labels:
+//       istio: ingressgateway
+//   url: oci://private-registry:5000/openid-connect/openid:latest
+//   imagePullPolicy: IfNotPresent
+//   imagePullSecret: private-registry-pull-secret
+//   phase: AUTHN
+//   pluginConfig:
+//     openid_server: authn
+//     openid_realm: ingress
+//   vmConfig:
+//     env:
+//     - name: POD_NAME
+//       valueFrom: HOST
+//     - name: TRUST_DOMAIN
+//       value: "cluster.local"
+// ```
+//
 // And a more complex example that deploys three WasmPlugins and orders them
 // using `phase` and `priority`. The (hypothetical) setup is that the
 // `openid-connect` filter performs an OpenID Connect flow to authenticate the
@@ -241,6 +269,10 @@ message WasmPlugin {
   // value, the ordering will be deterministically derived from name and
   // namespace of the `WasmPlugins`. Defaults to `0`.
   google.protobuf.Int64Value priority = 10;
+
+  // Configuration for a Wasm VM.
+  // more details can be found [here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/wasm/v3/wasm.proto#extensions-wasm-v3-vmconfig).
+  VmConfig vm_config = 11;
 }
 
 // The phase in the filter chain where the plugin will be injected.
@@ -280,3 +312,35 @@ enum PullPolicy {
   // this plugin.
   Always = 2;
 }
+
+// Configuration for a Wasm VM.
+// more details can be found [here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/wasm/v3/wasm.proto#extensions-wasm-v3-vmconfig).
+message VmConfig {
+  // Specifies environment variables to be injected to this VM.
+  // Note that if a key does not exist, it will be ignored.
+  repeated EnvVar env = 1;
+}
+
+message EnvVar {
+  // Required
+  // Name of the environment variable. Must be a C_IDENTIFIER.
+  string name = 1;
+
+  // Required
+  // Source for the environment variable's value.
+  EnvValueSource value_from = 3;
+
+  // Variable references $(VAR_NAME) are expanded
+  // Note that if `value_from` is `HOST`, it will be ignored.
+  // Defaults to "". 
+  // +optional
+  optional string value = 2;
+}
+
+enum EnvValueSource {
+  // Explicitly given key-value pairs to be injected to this VM
+  INLINE = 0;
+
+  // *Istio-proxy's* environment variables exposed to this VM.
+  HOST = 1;
+}
diff --git a/extensions/v1alpha1/wasm_deepcopy.gen.go b/extensions/v1alpha1/wasm_deepcopy.gen.go
index ec5bd7371fc..5d36ba98480 100644
--- a/extensions/v1alpha1/wasm_deepcopy.gen.go
+++ b/extensions/v1alpha1/wasm_deepcopy.gen.go
@@ -54,6 +54,33 @@
 //     openid_realm: ingress
 // ```
 //
+// This is the same as the last example, but using VmConfig to configure environment variables in the VM.
+//
+// ```yaml
+// apiVersion: extensions.istio.io/v1alpha1
+// kind: WasmPlugin
+// metadata:
+//   name: openid-connect
+//   namespace: istio-ingress
+// spec:
+//   selector:
+//     labels:
+//       istio: ingressgateway
+//   url: oci://private-registry:5000/openid-connect/openid:latest
+//   imagePullPolicy: IfNotPresent
+//   imagePullSecret: private-registry-pull-secret
+//   phase: AUTHN
+//   pluginConfig:
+//     openid_server: authn
+//     openid_realm: ingress
+//   vmConfig:
+//     env:
+//     - name: POD_NAME
+//       valueFrom: HOST
+//     - name: TRUST_DOMAIN
+//       value: "cluster.local"
+// ```
+//
 // And a more complex example that deploys three WasmPlugins and orders them
 // using `phase` and `priority`. The (hypothetical) setup is that the
 // `openid-connect` filter performs an OpenID Connect flow to authenticate the
@@ -165,3 +192,45 @@ func (in *WasmPlugin) DeepCopy() *WasmPlugin {
 func (in *WasmPlugin) DeepCopyInterface() interface{} {
 	return in.DeepCopy()
 }
+
+// DeepCopyInto supports using VmConfig within kubernetes types, where deepcopy-gen is used.
+func (in *VmConfig) DeepCopyInto(out *VmConfig) {
+	p := proto.Clone(in).(*VmConfig)
+	*out = *p
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VmConfig. Required by controller-gen.
+func (in *VmConfig) DeepCopy() *VmConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(VmConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new VmConfig. Required by controller-gen.
+func (in *VmConfig) DeepCopyInterface() interface{} {
+	return in.DeepCopy()
+}
+
+// DeepCopyInto supports using EnvVar within kubernetes types, where deepcopy-gen is used.
+func (in *EnvVar) DeepCopyInto(out *EnvVar) {
+	p := proto.Clone(in).(*EnvVar)
+	*out = *p
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnvVar. Required by controller-gen.
+func (in *EnvVar) DeepCopy() *EnvVar {
+	if in == nil {
+		return nil
+	}
+	out := new(EnvVar)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new EnvVar. Required by controller-gen.
+func (in *EnvVar) DeepCopyInterface() interface{} {
+	return in.DeepCopy()
+}
diff --git a/extensions/v1alpha1/wasm_json.gen.go b/extensions/v1alpha1/wasm_json.gen.go
index 7a019e63430..aeb4a7c05a8 100644
--- a/extensions/v1alpha1/wasm_json.gen.go
+++ b/extensions/v1alpha1/wasm_json.gen.go
@@ -54,6 +54,33 @@
 //     openid_realm: ingress
 // ```
 //
+// This is the same as the last example, but using VmConfig to configure environment variables in the VM.
+//
+// ```yaml
+// apiVersion: extensions.istio.io/v1alpha1
+// kind: WasmPlugin
+// metadata:
+//   name: openid-connect
+//   namespace: istio-ingress
+// spec:
+//   selector:
+//     labels:
+//       istio: ingressgateway
+//   url: oci://private-registry:5000/openid-connect/openid:latest
+//   imagePullPolicy: IfNotPresent
+//   imagePullSecret: private-registry-pull-secret
+//   phase: AUTHN
+//   pluginConfig:
+//     openid_server: authn
+//     openid_realm: ingress
+//   vmConfig:
+//     env:
+//     - name: POD_NAME
+//       valueFrom: HOST
+//     - name: TRUST_DOMAIN
+//       value: "cluster.local"
+// ```
+//
 // And a more complex example that deploys three WasmPlugins and orders them
 // using `phase` and `priority`. The (hypothetical) setup is that the
 // `openid-connect` filter performs an OpenID Connect flow to authenticate the
@@ -158,6 +185,28 @@ func (this *WasmPlugin) UnmarshalJSON(b []byte) error {
 	return WasmUnmarshaler.Unmarshal(bytes.NewReader(b), this)
 }
 
+// MarshalJSON is a custom marshaler for VmConfig
+func (this *VmConfig) MarshalJSON() ([]byte, error) {
+	str, err := WasmMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for VmConfig
+func (this *VmConfig) UnmarshalJSON(b []byte) error {
+	return WasmUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for EnvVar
+func (this *EnvVar) MarshalJSON() ([]byte, error) {
+	str, err := WasmMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for EnvVar
+func (this *EnvVar) UnmarshalJSON(b []byte) error {
+	return WasmUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
 var (
 	WasmMarshaler   = &github_com_gogo_protobuf_jsonpb.Marshaler{}
 	WasmUnmarshaler = &github_com_gogo_protobuf_jsonpb.Unmarshaler{AllowUnknownFields: true}
diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml
index 06513a445d8..8f43dc933d7 100644
--- a/kubernetes/customresourcedefinitions.gen.yaml
+++ b/kubernetes/customresourcedefinitions.gen.yaml
@@ -85,6 +85,26 @@ spec:
                 type: string
               verificationKey:
                 type: string
+              vmConfig:
+                description: Configuration for a Wasm VM.
+                properties:
+                  env:
+                    description: Specifies environment variables to be injected to
+                      this VM.
+                    items:
+                      properties:
+                        name:
+                          type: string
+                        value:
+                          type: string
+                        valueFrom:
+                          enum:
+                          - INLINE
+                          - HOST
+                          type: string
+                      type: object
+                    type: array
+                type: object
             type: object
           status:
             type: object
diff --git a/python/istio_api/extensions/v1alpha1/wasm_pb2.py b/python/istio_api/extensions/v1alpha1/wasm_pb2.py
index c587dc3efc3..b46a3f635e7 100644
--- a/python/istio_api/extensions/v1alpha1/wasm_pb2.py
+++ b/python/istio_api/extensions/v1alpha1/wasm_pb2.py
@@ -12,6 +12,7 @@
 _sym_db = _symbol_database.Default()
 
 
+from google.protobuf import any_pb2 as google_dot_protobuf_dot_any__pb2
 from google.protobuf import wrappers_pb2 as google_dot_protobuf_dot_wrappers__pb2
 from google.protobuf import struct_pb2 as google_dot_protobuf_dot_struct__pb2
 from type.v1beta1 import selector_pb2 as type_dot_v1beta1_dot_selector__pb2
@@ -23,9 +24,9 @@
   syntax='proto3',
   serialized_options=b'Z istio.io/api/extensions/v1alpha1',
   create_key=_descriptor._internal_create_key,
-  serialized_pb=b'\n\x1e\x65xtensions/v1alpha1/wasm.proto\x12\x19istio.extensions.v1alpha1\x1a\x1egoogle/protobuf/wrappers.proto\x1a\x1cgoogle/protobuf/struct.proto\x1a\x1btype/v1beta1/selector.proto\"\xf8\x03\n\nWasmPlugin\x12@\n\x08selector\x18\x01 \x01(\x0b\x32$.istio.type.v1beta1.WorkloadSelectorR\x08selector\x12\x10\n\x03url\x18\x02 \x01(\tR\x03url\x12\x16\n\x06sha256\x18\x03 \x01(\tR\x06sha256\x12Q\n\x11image_pull_policy\x18\x04 \x01(\x0e\x32%.istio.extensions.v1alpha1.PullPolicyR\x0fimagePullPolicy\x12*\n\x11image_pull_secret\x18\x05 \x01(\tR\x0fimagePullSecret\x12)\n\x10verification_key\x18\x06 \x01(\tR\x0fverificationKey\x12<\n\rplugin_config\x18\x07 \x01(\x0b\x32\x17.google.protobuf.StructR\x0cpluginConfig\x12\x1f\n\x0bplugin_name\x18\x08 \x01(\tR\npluginName\x12<\n\x05phase\x18\t \x01(\x0e\x32&.istio.extensions.v1alpha1.PluginPhaseR\x05phase\x12\x37\n\x08priority\x18\n \x01(\x0b\x32\x1b.google.protobuf.Int64ValueR\x08priority*E\n\x0bPluginPhase\x12\x15\n\x11UNSPECIFIED_PHASE\x10\x00\x12\t\n\x05\x41UTHN\x10\x01\x12\t\n\x05\x41UTHZ\x10\x02\x12\t\n\x05STATS\x10\x03*B\n\nPullPolicy\x12\x16\n\x12UNSPECIFIED_POLICY\x10\x00\x12\x10\n\x0cIfNotPresent\x10\x01\x12\n\n\x06\x41lways\x10\x02\x42\"Z istio.io/api/extensions/v1alpha1b\x06proto3'
+  serialized_pb=b'\n\x1e\x65xtensions/v1alpha1/wasm.proto\x12\x19istio.extensions.v1alpha1\x1a\x19google/protobuf/any.proto\x1a\x1egoogle/protobuf/wrappers.proto\x1a\x1cgoogle/protobuf/struct.proto\x1a\x1btype/v1beta1/selector.proto\"\xba\x04\n\nWasmPlugin\x12@\n\x08selector\x18\x01 \x01(\x0b\x32$.istio.type.v1beta1.WorkloadSelectorR\x08selector\x12\x10\n\x03url\x18\x02 \x01(\tR\x03url\x12\x16\n\x06sha256\x18\x03 \x01(\tR\x06sha256\x12Q\n\x11image_pull_policy\x18\x04 \x01(\x0e\x32%.istio.extensions.v1alpha1.PullPolicyR\x0fimagePullPolicy\x12*\n\x11image_pull_secret\x18\x05 \x01(\tR\x0fimagePullSecret\x12)\n\x10verification_key\x18\x06 \x01(\tR\x0fverificationKey\x12<\n\rplugin_config\x18\x07 \x01(\x0b\x32\x17.google.protobuf.StructR\x0cpluginConfig\x12\x1f\n\x0bplugin_name\x18\x08 \x01(\tR\npluginName\x12<\n\x05phase\x18\t \x01(\x0e\x32&.istio.extensions.v1alpha1.PluginPhaseR\x05phase\x12\x37\n\x08priority\x18\n \x01(\x0b\x32\x1b.google.protobuf.Int64ValueR\x08priority\x12@\n\tvm_config\x18\x0b \x01(\x0b\x32#.istio.extensions.v1alpha1.VmConfigR\x08vmConfig\"?\n\x08VmConfig\x12\x33\n\x03\x65nv\x18\x01 \x03(\x0b\x32!.istio.extensions.v1alpha1.EnvVarR\x03\x65nv\"\x8b\x01\n\x06\x45nvVar\x12\x12\n\x04name\x18\x01 \x01(\tR\x04name\x12H\n\nvalue_from\x18\x03 \x01(\x0e\x32).istio.extensions.v1alpha1.EnvValueSourceR\tvalueFrom\x12\x19\n\x05value\x18\x02 \x01(\tH\x00R\x05value\x88\x01\x01\x42\x08\n\x06_value*E\n\x0bPluginPhase\x12\x15\n\x11UNSPECIFIED_PHASE\x10\x00\x12\t\n\x05\x41UTHN\x10\x01\x12\t\n\x05\x41UTHZ\x10\x02\x12\t\n\x05STATS\x10\x03*B\n\nPullPolicy\x12\x16\n\x12UNSPECIFIED_POLICY\x10\x00\x12\x10\n\x0cIfNotPresent\x10\x01\x12\n\n\x06\x41lways\x10\x02*&\n\x0e\x45nvValueSource\x12\n\n\x06INLINE\x10\x00\x12\x08\n\x04HOST\x10\x01\x42\"Z istio.io/api/extensions/v1alpha1b\x06proto3'
   ,
-  dependencies=[google_dot_protobuf_dot_wrappers__pb2.DESCRIPTOR,google_dot_protobuf_dot_struct__pb2.DESCRIPTOR,type_dot_v1beta1_dot_selector__pb2.DESCRIPTOR,])
+  dependencies=[google_dot_protobuf_dot_any__pb2.DESCRIPTOR,google_dot_protobuf_dot_wrappers__pb2.DESCRIPTOR,google_dot_protobuf_dot_struct__pb2.DESCRIPTOR,type_dot_v1beta1_dot_selector__pb2.DESCRIPTOR,])
 
 _PLUGINPHASE = _descriptor.EnumDescriptor(
   name='PluginPhase',
@@ -57,8 +58,8 @@
   ],
   containing_type=None,
   serialized_options=None,
-  serialized_start=659,
-  serialized_end=728,
+  serialized_start=959,
+  serialized_end=1028,
 )
 _sym_db.RegisterEnumDescriptor(_PLUGINPHASE)
 
@@ -88,12 +89,38 @@
   ],
   containing_type=None,
   serialized_options=None,
-  serialized_start=730,
-  serialized_end=796,
+  serialized_start=1030,
+  serialized_end=1096,
 )
 _sym_db.RegisterEnumDescriptor(_PULLPOLICY)
 
 PullPolicy = enum_type_wrapper.EnumTypeWrapper(_PULLPOLICY)
+_ENVVALUESOURCE = _descriptor.EnumDescriptor(
+  name='EnvValueSource',
+  full_name='istio.extensions.v1alpha1.EnvValueSource',
+  filename=None,
+  file=DESCRIPTOR,
+  create_key=_descriptor._internal_create_key,
+  values=[
+    _descriptor.EnumValueDescriptor(
+      name='INLINE', index=0, number=0,
+      serialized_options=None,
+      type=None,
+      create_key=_descriptor._internal_create_key),
+    _descriptor.EnumValueDescriptor(
+      name='HOST', index=1, number=1,
+      serialized_options=None,
+      type=None,
+      create_key=_descriptor._internal_create_key),
+  ],
+  containing_type=None,
+  serialized_options=None,
+  serialized_start=1098,
+  serialized_end=1136,
+)
+_sym_db.RegisterEnumDescriptor(_ENVVALUESOURCE)
+
+EnvValueSource = enum_type_wrapper.EnumTypeWrapper(_ENVVALUESOURCE)
 UNSPECIFIED_PHASE = 0
 AUTHN = 1
 AUTHZ = 2
@@ -101,6 +128,8 @@
 UNSPECIFIED_POLICY = 0
 IfNotPresent = 1
 Always = 2
+INLINE = 0
+HOST = 1
 
 
 
@@ -182,6 +211,13 @@
       message_type=None, enum_type=None, containing_type=None,
       is_extension=False, extension_scope=None,
       serialized_options=None, json_name='priority', file=DESCRIPTOR,  create_key=_descriptor._internal_create_key),
+    _descriptor.FieldDescriptor(
+      name='vm_config', full_name='istio.extensions.v1alpha1.WasmPlugin.vm_config', index=10,
+      number=11, type=11, cpp_type=10, label=1,
+      has_default_value=False, default_value=None,
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      serialized_options=None, json_name='vmConfig', file=DESCRIPTOR,  create_key=_descriptor._internal_create_key),
   ],
   extensions=[
   ],
@@ -194,8 +230,91 @@
   extension_ranges=[],
   oneofs=[
   ],
-  serialized_start=153,
-  serialized_end=657,
+  serialized_start=180,
+  serialized_end=750,
+)
+
+
+_VMCONFIG = _descriptor.Descriptor(
+  name='VmConfig',
+  full_name='istio.extensions.v1alpha1.VmConfig',
+  filename=None,
+  file=DESCRIPTOR,
+  containing_type=None,
+  create_key=_descriptor._internal_create_key,
+  fields=[
+    _descriptor.FieldDescriptor(
+      name='env', full_name='istio.extensions.v1alpha1.VmConfig.env', index=0,
+      number=1, type=11, cpp_type=10, label=3,
+      has_default_value=False, default_value=[],
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      serialized_options=None, json_name='env', file=DESCRIPTOR,  create_key=_descriptor._internal_create_key),
+  ],
+  extensions=[
+  ],
+  nested_types=[],
+  enum_types=[
+  ],
+  serialized_options=None,
+  is_extendable=False,
+  syntax='proto3',
+  extension_ranges=[],
+  oneofs=[
+  ],
+  serialized_start=752,
+  serialized_end=815,
+)
+
+
+_ENVVAR = _descriptor.Descriptor(
+  name='EnvVar',
+  full_name='istio.extensions.v1alpha1.EnvVar',
+  filename=None,
+  file=DESCRIPTOR,
+  containing_type=None,
+  create_key=_descriptor._internal_create_key,
+  fields=[
+    _descriptor.FieldDescriptor(
+      name='name', full_name='istio.extensions.v1alpha1.EnvVar.name', index=0,
+      number=1, type=9, cpp_type=9, label=1,
+      has_default_value=False, default_value=b"".decode('utf-8'),
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      serialized_options=None, json_name='name', file=DESCRIPTOR,  create_key=_descriptor._internal_create_key),
+    _descriptor.FieldDescriptor(
+      name='value_from', full_name='istio.extensions.v1alpha1.EnvVar.value_from', index=1,
+      number=3, type=14, cpp_type=8, label=1,
+      has_default_value=False, default_value=0,
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      serialized_options=None, json_name='valueFrom', file=DESCRIPTOR,  create_key=_descriptor._internal_create_key),
+    _descriptor.FieldDescriptor(
+      name='value', full_name='istio.extensions.v1alpha1.EnvVar.value', index=2,
+      number=2, type=9, cpp_type=9, label=1,
+      has_default_value=False, default_value=b"".decode('utf-8'),
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      serialized_options=None, json_name='value', file=DESCRIPTOR,  create_key=_descriptor._internal_create_key),
+  ],
+  extensions=[
+  ],
+  nested_types=[],
+  enum_types=[
+  ],
+  serialized_options=None,
+  is_extendable=False,
+  syntax='proto3',
+  extension_ranges=[],
+  oneofs=[
+    _descriptor.OneofDescriptor(
+      name='_value', full_name='istio.extensions.v1alpha1.EnvVar._value',
+      index=0, containing_type=None,
+      create_key=_descriptor._internal_create_key,
+    fields=[]),
+  ],
+  serialized_start=818,
+  serialized_end=957,
 )
 
 _WASMPLUGIN.fields_by_name['selector'].message_type = type_dot_v1beta1_dot_selector__pb2._WORKLOADSELECTOR
@@ -203,9 +322,18 @@
 _WASMPLUGIN.fields_by_name['plugin_config'].message_type = google_dot_protobuf_dot_struct__pb2._STRUCT
 _WASMPLUGIN.fields_by_name['phase'].enum_type = _PLUGINPHASE
 _WASMPLUGIN.fields_by_name['priority'].message_type = google_dot_protobuf_dot_wrappers__pb2._INT64VALUE
+_WASMPLUGIN.fields_by_name['vm_config'].message_type = _VMCONFIG
+_VMCONFIG.fields_by_name['env'].message_type = _ENVVAR
+_ENVVAR.fields_by_name['value_from'].enum_type = _ENVVALUESOURCE
+_ENVVAR.oneofs_by_name['_value'].fields.append(
+  _ENVVAR.fields_by_name['value'])
+_ENVVAR.fields_by_name['value'].containing_oneof = _ENVVAR.oneofs_by_name['_value']
 DESCRIPTOR.message_types_by_name['WasmPlugin'] = _WASMPLUGIN
+DESCRIPTOR.message_types_by_name['VmConfig'] = _VMCONFIG
+DESCRIPTOR.message_types_by_name['EnvVar'] = _ENVVAR
 DESCRIPTOR.enum_types_by_name['PluginPhase'] = _PLUGINPHASE
 DESCRIPTOR.enum_types_by_name['PullPolicy'] = _PULLPOLICY
+DESCRIPTOR.enum_types_by_name['EnvValueSource'] = _ENVVALUESOURCE
 _sym_db.RegisterFileDescriptor(DESCRIPTOR)
 
 WasmPlugin = _reflection.GeneratedProtocolMessageType('WasmPlugin', (_message.Message,), {
@@ -215,6 +343,20 @@
   })
 _sym_db.RegisterMessage(WasmPlugin)
 
+VmConfig = _reflection.GeneratedProtocolMessageType('VmConfig', (_message.Message,), {
+  'DESCRIPTOR' : _VMCONFIG,
+  '__module__' : 'extensions.v1alpha1.wasm_pb2'
+  # @@protoc_insertion_point(class_scope:istio.extensions.v1alpha1.VmConfig)
+  })
+_sym_db.RegisterMessage(VmConfig)
+
+EnvVar = _reflection.GeneratedProtocolMessageType('EnvVar', (_message.Message,), {
+  'DESCRIPTOR' : _ENVVAR,
+  '__module__' : 'extensions.v1alpha1.wasm_pb2'
+  # @@protoc_insertion_point(class_scope:istio.extensions.v1alpha1.EnvVar)
+  })
+_sym_db.RegisterMessage(EnvVar)
+
 
 DESCRIPTOR._options = None
 # @@protoc_insertion_point(module_scope)

From 4b9d82b0c18f6b360fc3e75c0e43296b788ce1f2 Mon Sep 17 00:00:00 2001
From: hejianpeng <hejianpeng2@huawei.com>
Date: Thu, 10 Feb 2022 09:47:03 +0800
Subject: [PATCH 2/2] update comment

---
 extensions/v1alpha1/wasm.gen.json             | 2 +-
 extensions/v1alpha1/wasm.pb.html              | 2 +-
 extensions/v1alpha1/wasm.proto                | 2 +-
 kubernetes/customresourcedefinitions.gen.yaml | 1 +
 4 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/extensions/v1alpha1/wasm.gen.json b/extensions/v1alpha1/wasm.gen.json
index 5adca8879e8..c44869f5ece 100644
--- a/extensions/v1alpha1/wasm.gen.json
+++ b/extensions/v1alpha1/wasm.gen.json
@@ -24,7 +24,7 @@
             "$ref": "#/components/schemas/istio.extensions.v1alpha1.EnvValueSource"
           },
           "value": {
-            "description": "Variable references $(VAR_NAME) are expanded Note that if `value_from` is `HOST`, it will be ignored. Defaults to \"\". +optional",
+            "description": "Value for the environment variable. Note that if `value_from` is `HOST`, it will be ignored. Defaults to \"\". +optional",
             "type": "string"
           }
         }
diff --git a/extensions/v1alpha1/wasm.pb.html b/extensions/v1alpha1/wasm.pb.html
index 53aeec39ccb..504e916278b 100644
--- a/extensions/v1alpha1/wasm.pb.html
+++ b/extensions/v1alpha1/wasm.pb.html
@@ -397,7 +397,7 @@ <h2 id="EnvVar">EnvVar</h2>
 <td><code>value</code></td>
 <td><code>string (oneof)</code></td>
 <td>
-<p>Variable references $(VAR_NAME) are expanded
+<p>Value for the environment variable.
 Note that if <code>value_from</code> is <code>HOST</code>, it will be ignored.
 Defaults to &ldquo;&rdquo;.
 +optional</p>
diff --git a/extensions/v1alpha1/wasm.proto b/extensions/v1alpha1/wasm.proto
index faf588443cf..d4ccb1fdca4 100644
--- a/extensions/v1alpha1/wasm.proto
+++ b/extensions/v1alpha1/wasm.proto
@@ -330,7 +330,7 @@ message EnvVar {
   // Source for the environment variable's value.
   EnvValueSource value_from = 3;
 
-  // Variable references $(VAR_NAME) are expanded
+  // Value for the environment variable.
   // Note that if `value_from` is `HOST`, it will be ignored.
   // Defaults to "". 
   // +optional
diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml
index 8f43dc933d7..b91df13eb55 100644
--- a/kubernetes/customresourcedefinitions.gen.yaml
+++ b/kubernetes/customresourcedefinitions.gen.yaml
@@ -96,6 +96,7 @@ spec:
                         name:
                           type: string
                         value:
+                          description: Value for the environment variable.
                           type: string
                         valueFrom:
                           enum: