- Infrastructure as code: The common meme "infrastructure as code" is well-intentioned, but the name overstates things: Terraform code for DNS records, for example, is more configuration than actual code. Pulumi manages infrastructure in code instead of configuration files. The benefit is the full power of a programming language; the downsides include installing language runtimes and having code run on the server.
- Yoke: It takes the idea of infrastructure as code further. With Yoke, infrastructure definitions are written in Go or Rust, compiled to WebAssembly, and generate Kubernetes manifests. WebAssembly allows code to run anywhere with a WebAssembly runtime, providing better sandboxing. It's a tradeoff as WebAssembly binaries are not easy to introspect.
- Air Traffic Control: A Kubernetes operator that defines infrastructure as CustomResourceDefinitions. Data in CustomResources is passed to Flights that generate manifests. It fixes the lack of introspection in other tools like Helm and provides editor support. It's useful for deploying apps with common patterns and reducing boilerplate.
- Security: Yoke uses WebAssembly and the Wazero runtime with WASI restrictions. Flights interact with the outside world through standard input, output, error, command line flags, and cluster access (limited to managed resources). Signature validation of WebAssembly binaries may be a future solution for security.
- WebAssembly tangent: The cluster access feature relies on a hack built around WebAssembly's calling convention and the limitations of Go's WebAssembly port. The guest allocates memory and passes the pointer to the host, which uses that memory for reading and writing.
- Conclusion: Yoke is exciting, with the potential to make infrastructure as code more like actual code. Copyright 2012-2025 Xe Iaso.
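
The stdin/stdout contract described under Security, as an added example (not code from the original post or from Yoke): a Go program that reads its input on standard input and writes a Kubernetes Deployment manifest to standard output, touching nothing else. The `AppInput` shape, the `Sample` value and JSON as the output encoding are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"io"
	"os"
)

// AppInput is a hypothetical input shape for this example, not Yoke's own schema.
type AppInput struct {
	Name     string `json:"name"`
	Image    string `json:"image"`
	Replicas int    `json:"replicas"`
}

// Sample is constructed input for trying the program out.
const Sample = `{"name":"web","image":"registry.example/web:1.0","replicas":2}`

// Render uses only the two streams it is handed: no files, no network, no environment.
func Render(in io.Reader, out io.Writer) error {
	dec := json.NewDecoder(in)
	dec.DisallowUnknownFields() // unexpected keys are an error, not silently ignored
	var a AppInput
	if err := dec.Decode(&a); err != nil {
		return err
	}
	if a.Name == "" || a.Image == "" || a.Replicas < 1 {
		return errors.New("name, image and replicas >= 1 are required")
	}
	labels := map[string]string{"app": a.Name}
	pod := map[string]any{"containers": []any{map[string]any{"name": a.Name, "image": a.Image}}}
	manifest := map[string]any{
		"apiVersion": "apps/v1", "kind": "Deployment",
		"metadata": map[string]any{"name": a.Name, "labels": labels},
		"spec": map[string]any{
			"replicas": a.Replicas,
			"selector": map[string]any{"matchLabels": labels},
			"template": map[string]any{"metadata": map[string]any{"labels": labels}, "spec": pod},
		},
	}
	return json.NewEncoder(out).Encode(manifest)
}

func main() {
	if err := Render(os.Stdin, os.Stdout); err != nil {
		os.Stderr.WriteString(err.Error() + "\n") // diagnostics go to standard error
		os.Exit(1)
	}
}
```

Because the program's whole interface is two streams, the same source builds natively for testing and for a WASI target, and a reviewer can audit everything it can affect by reading `Render`.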