Gloo Gateway API
Review the Gloo Gateway API reference docs.
Packages
gloo.solo.io/v1alpha1
Resource Types
AWSLambdaTransformFormat
Underlying type: string
AWSLambdaTransformFormat defines the format used to transform requests/responses to/from AWS Lambda functions.
Validation:
- Enum: [APIGateway]
Appears in:
| Value | Description |
|---|---|
| APIGateway | AWSLambdaFormatAPIGateway transforms the request/response to/from AWS Lambda functions as if it were handled by the AWS API Gateway. |
AWSLambdaTransformation
AWSLambdaTransformation defines the AWS Lambda transformation configuration for requests and responses.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| requestFormat AWSLambdaTransformFormat | RequestFormat defines the format to transform requests to AWS Lambda functions. | | Enum: [APIGateway] |
| responseFormat AWSLambdaTransformFormat | ResponseFormat defines the format to transform responses from AWS Lambda functions. | | Enum: [APIGateway] |
AuthConfigRef
AuthConfigRef selects the AuthConfig resource with the external auth policy that you want to use. For more details, see the AuthConfig reference in the Gloo Edge docs.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| name ObjectName | Name is the name of the AuthConfig resource. | | |
| namespace Namespace | Namespace is the namespace of the AuthConfig resource. If not set, defaults to the namespace of the GlooTrafficPolicy. | | |
BodyTransformation
BodyTransformation defines how to transform the body.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| type BodyTransformationType | Type specifies the type of body transformation to apply. | | Enum: [Body Passthrough MergeExtractorsToBody MergeJsonKeys]; Required |
| body InjaTemplate | Body is the request/response body to be transformed. Only use when Type is Body. | | |
| mergeJsonKeys object (keys:string, values:OverridableTemplate) | MergeJsonKeys is a transformation template used to merge JSON keys. Only use when Type is MergeJsonKeys. A set of key-value pairs to merge into the JSON body: each value is rendered separately and then placed into the JSON body at the specified key. Caveats: this can only be used when the body is parsed as JSON, and it does not currently work with advanced templates. The map is key name -> template to render into the JSON body. Keys that do not exist in the JSON body are set; keys that do exist are overridden. For example, given the JSON body { "key1": "value1" } and the MergeJsonKeys { "key1": "{{ header("header1") }}", "key2": "{{ header("header2") }}" }, the resulting JSON body is { "key1": "header1_value", "key2": "header2_value" }. | | |
BodyTransformationType
Underlying type: string
BodyTransformationType defines the type of body transformation to apply.
Validation:
- Enum: [Body Passthrough MergeExtractorsToBody MergeJsonKeys]
Appears in:
| Value | Description |
|---|---|
| Body | BodyTransformationTypeBody indicates a template-based body transformation |
| Passthrough | BodyTransformationTypePassthrough indicates a passthrough body transformation |
| MergeExtractorsToBody | BodyTransformationTypeMergeExtractorsToBody indicates merging extractors to body |
| MergeJsonKeys | BodyTransformationTypeMergeJsonKeys indicates merging JSON keys |
ClaimToHeader
Allows copying verified claims to headers sent upstream
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| claim string | Claim name, for example "sub". | | |
| header string | The header the claim will be copied to, for example "x-sub". | | |
| append boolean | If the header exists, append to it (true) or overwrite it (false). If omitted, defaults to false. | | |
ContainerConfiguration
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| image Image | The image. See https://kubernetes.io/docs/concepts/containers/images for details. | | |
| securityContext SecurityContext | The security context for this container. Note OmitSecurityContext and FloatingUserId, two related settings. See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#securitycontext-v1-core for details. | | |
DeploymentConfiguration
DeploymentConfiguration configures the Kubernetes Deployment.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| enabled boolean | Enabled indicates whether the extension is enabled. If not enabled, then no resources for this extension will be deployed. If the extension was previously enabled and then disabled, the deployed resources will be garbage collected, regardless of whether any other configuration still depends on it. | | |
| resources ResourceRequirements | | | |
| pod Pod | | | |
| container ContainerConfiguration | | | |
| replicas integer | The number of desired pods. If omitted, behavior will be managed by the K8s control plane, and will default to 1. If you are using an HPA, make sure to not explicitly define this. K8s reference: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#replicas | | Minimum: 0 |
| strategy DeploymentStrategy | The deployment strategy to use to replace existing pods with new ones. The Kubernetes default is a RollingUpdate with 25% maxUnavailable, 25% maxSurge. E.g., to recreate pods, minimizing resources for the rollout but causing downtime: strategy: { type: Recreate }. E.g., to roll out as a RollingUpdate but with non-default parameters: strategy: { type: RollingUpdate, rollingUpdate: { maxSurge: 100% } }. | | |
DynamicMetadataValue
DynamicMetadataValue defines an Envoy Dynamic Metadata entry.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| metadataNamespace string | MetadataNamespace specifies the metadata namespace. Defaults to the filter namespace. | | MaxLength: 4096 MinLength: 1 |
| key string | Key specifies the metadata key. | | MaxLength: 4096 MinLength: 1 |
| value InjaTemplate | Value specifies the template that determines the metadata value. | | |
| jsonToProto boolean | JsonToProto determines whether to parse the rendered value as a proto Struct message. | | |
EscapeCharactersBehavior
Underlying type: string
EscapeCharactersBehavior defines how to handle characters that need to be escaped in JSON.
Validation:
- Enum: [Escape DontEscape]
Appears in:
| Value | Description |
|---|---|
| Escape | EscapeCharactersEscape always escapes characters that need to be escaped in JSON |
| DontEscape | EscapeCharactersDontEscape never escapes characters |
Extensions
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| extauth DeploymentConfiguration | | | |
| ratelimiter DeploymentConfiguration | | | |
| glooExtCache DeploymentConfiguration | | | |
Extraction
Extraction is used to define extractions to extract information from the request/response. The extracted information can then be referenced in template fields.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| body boolean | ExtractionBody specifies extracting information from the request/response body. | | |
| header string | ExtractionHeader specifies extracting information from headers. | | MaxLength: 4096 MinLength: 1 |
| regex string | Regex specifies the regular expression used for matching against the source content. In Extract mode, the entire source must match the regex; subgroup selects the n-th capturing group, which determines the part of the match that you want to extract. If the regex does not match the source, the result of the extraction is an empty value. In SingleReplace mode, the regex also needs to match the entire source; subgroup selects the n-th capturing group that is replaced with the content of replacementText. If the regex does not match the source, the result of the replacement is the source itself. In ReplaceAll mode, the regex is applied repeatedly to find all occurrences within the source that match, and each matching occurrence is replaced with the value in replacementText. In this mode, the configuration is rejected if subgroup is set. If the regex does not match the source, the result of the replacement is the source itself. | | MaxLength: 4096 MinLength: 1 |
| subgroup integer | Subgroup determines the group to select if your regex contains capturing groups. Defaults to 0. In Extract and SingleReplace modes, the subgroup is the capturing group that you want to extract or replace in the source. The configuration is rejected if you set subgroup to a non-zero value in ReplaceAll mode. | | Minimum: 0 |
| replacementText string | ReplacementText is used to format the substitution for matched sequences in an input string. This value is only legal in SingleReplace and ReplaceAll modes. In SingleReplace mode, the subgroup selects the n-th capturing group, which represents the value that you want to replace with the string provided in replacementText. In ReplaceAll mode, each sequence that matches the specified regex in the input is replaced with the value in replacementText. The replacementText can include special syntax, such as $1, $2, etc., to refer to capturing groups within the regular expression. The value specified in replacementText is treated as a string and is passed to std::regex_replace as the replacement string. For more information, see https://en.cppreference.com/w/cpp/regex/regex_replace. | | |
| mode TransformationExtractMode | Mode defines the mode of operation for the extraction. Defaults to Extract. | Extract | Enum: [Extract SingleReplace ReplaceAll] |
GlobalRateLimit
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| extensionRef NamespacedObjectReference | ExtensionRef references a GatewayExtension that provides the global rate limit service. If not set, defaults to the rate limit service named 'rate-limit' in the same namespace as the Gloo Gateway control plane. In this case no reference grant is required. | | |
| rateLimitConfigRefs RateLimitConfigRef array | RateLimitConfigRefs is a list of references to the RateLimitConfig resources containing the rate limit configurations. | | MaxItems: 16 MinItems: 1 |
GlooExtAuth
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| authConfigRef AuthConfigRef | AuthConfigRef references the AuthConfig that the external-auth server uses to make auth decisions. | | |
| extensionRef NamespacedObjectReference | ExtensionRef references a GatewayExtension that provides the external authorization service. If not set, defaults to the provisioned ext-auth-service for the GatewayClass of the parent Gateway this policy is being used in. Reference grants are not required for cross-namespace extension references. | | |
| disable PolicyDisable | Disable all external authorization filters. Can be used to disable external authorization policies applied at a higher level in the config hierarchy. | | |
GlooGatewayParameters
GlooGatewayParameters contains configuration that is used to dynamically provision gloo-gateway's data plane (Envoy proxy instance), and the enterprise ExtAuth and RateLimiter extensions.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion string | gloo.solo.io/v1alpha1. APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | | |
| kind string | GlooGatewayParameters. Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | | |
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec GlooGatewayParametersSpec | Spec defines the desired state of the gateway parameters. | | |
| status GlooGatewayParametersStatus | Status is the status of the gateway parameters. | | |
GlooGatewayParametersSpec
GlooGatewayParametersSpec defines the desired state of GlooGatewayParameters
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| kube GlooKubernetesProxyConfig | Kubernetes configuration for the proxy. | | |
GlooGatewayParametersStatus
Appears in:
GlooJWT
GlooJWT defines a set of providers used for JWT authentication (and an optional validation policy for these providers) or the ability to disable JWT authentication and verification.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| providers object (keys:string, values:JWTProvider) | Providers maps a provider name to a JWT provider, configuring a way to authenticate JWTs. If specified, multiple providers are OR-ed together, and validation against any one of the providers is allowed. Note: agentgateway only supports a single provider. If more than one provider is specified, the first provider found with a local JWKS is used, but order is not guaranteed to be respected due to the map type. | | MaxProperties: 32 |
| validationPolicy JwtValidationPolicy | Configures how JWT validation works, with the flexibility to handle requests with missing or invalid JWTs. By default, after applying a JWT policy, only requests that have been authenticated with a valid JWT are allowed. | | Enum: [RequireValid AllowMissing AllowMissingOrFailed] |
| disable PolicyDisable | Disable JWT authentication for this policy scope. Note: this is not currently supported for agentgateway. | | |
GlooKubernetesProxyConfig
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| deployment ProxyDeployment | Use a Kubernetes deployment as the proxy workload type. Currently, this is the only supported workload type. | | |
| envoyContainer EnvoyContainer | Configuration for the container running Envoy. If agentgateway is enabled, the EnvoyContainer values will be ignored. | | |
| sdsContainer SdsContainer | Configuration for the container running the Secret Discovery Service (SDS). | | |
| podTemplate Pod | Configuration for the pods that will be created. | | |
| service Service | Configuration for the Kubernetes Service that exposes the Envoy proxy over the network. | | |
| serviceAccount ServiceAccount | Configuration for the Kubernetes ServiceAccount used by the Envoy pod. | | |
| istio IstioIntegration | Configuration for the Istio integration. | | |
| stats StatsConfig | Configuration for the stats server. | | |
| aiExtension AiExtension | Deprecated: aiExtension is deprecated in v2.1 and will be removed in v2.2. Prefer to use agentgateway instead. Configuration for the AI extension. | | |
| agentgateway Agentgateway | Configure the agentgateway integration. If agentgateway is disabled, the EnvoyContainer values will be used by default to configure the data plane proxy. | | |
| floatingUserId boolean | Deprecated: Prefer to use omitDefaultSecurityContext instead. Will be removed in the next release. Used to unset the runAsUser values in security contexts. | | |
| omitDefaultSecurityContext boolean | OmitDefaultSecurityContext controls whether securityContext fields are rendered for the various generated Deployments/Containers that are dynamically provisioned by the deployer. When set to true, no securityContexts are provided, and they are left to the user/platform to supply. This should be enabled on platforms such as Red Hat OpenShift, where the securityContext is dynamically added to enforce the appropriate level of security. | | |
| sharedExtensions Extensions | SharedExtensions defines extensions that are shared across all Gateways of the same GatewayClass. | | |
GlooRBAC
GlooRBAC defines RBAC configuration.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| disable PolicyDisable | Disable is used to explicitly disable RBAC checks for the scope of this policy. This is useful to allow access to static resources/login page without RBAC checks. | | |
| policies object (keys:string, values:RBACPolicy) | Policies maps a policy name to an RBAC policy to apply. | | |
GlooRateLimit
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| global GlobalRateLimit | Global rate limit configuration. | | |
GlooTrafficPolicy
GlooTrafficPolicy is a traffic policy that can be applied to a route
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion string | gloo.solo.io/v1alpha1. APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | | |
| kind string | GlooTrafficPolicy. Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | | |
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec GlooTrafficPolicySpec | Spec defines the desired state of the traffic policy. | | |
| status PolicyStatus | Status is the status of the traffic policy. | | |
GlooTrafficPolicySpec
GlooTrafficPolicySpec defines the desired state of GlooTrafficPolicy
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| targetRefs LocalPolicyTargetReferenceWithSectionName array | TargetRefs specifies the target resources by reference to attach the policy to. | | MaxItems: 16 MinItems: 1 |
| targetSelectors LocalPolicyTargetSelectorWithSectionName array | TargetSelectors specifies the target selectors to select resources to attach the policy to. | | |
| ai AIPolicy | AI is used to configure AI-based policies for the policy. | | |
| transformation TransformationPolicy | Transformation is used to mutate and transform requests and responses before forwarding them to the destination. | | |
| extProc ExtProcPolicy | ExtProc specifies the external processing configuration for the policy. | | |
| extAuth ExtAuthPolicy | ExtAuth specifies the external authentication configuration for the policy. This controls what external server to send requests to for authentication. | | |
| rateLimit RateLimit | RateLimit specifies the rate limiting configuration for the policy. This controls the rate at which requests are allowed to be processed. | | |
| cors CorsPolicy | Cors specifies the CORS configuration for the policy. | | |
| csrf CSRFPolicy | Csrf specifies the Cross-Site Request Forgery (CSRF) policy for this traffic policy. | | |
| headerModifiers HeaderModifiers | HeaderModifiers defines the policy to modify request and response headers. | | |
| autoHostRewrite boolean | AutoHostRewrite rewrites the Host header to the DNS name of the selected upstream. NOTE: This field is only honoured for HTTPRoute targets. NOTE: If autoHostRewrite is set on a route that also has a URLRewrite filter configured to override the hostname, the hostname value is used and autoHostRewrite is ignored. | | |
| buffer Buffer | Buffer can be used to set the maximum request size that will be buffered. Requests exceeding this size will return a 413 response. | | |
| timeouts Timeouts | Timeouts defines the timeouts for requests. It is applicable to HTTPRoutes and ignored for other targeted kinds. | | |
| retry Retry | Retry defines the policy for retrying requests. It is applicable to HTTPRoutes, Gateway listeners and XListenerSets, and ignored for other targeted kinds. | | |
| rbac RBAC | RBAC specifies the role-based access control configuration for the policy. This defines the rules for authorization based on roles and permissions. With an Envoy-based Gateway, RBAC policies applied at different attachment points in the configuration hierarchy are not cumulative, and only the most specific policy is enforced. In Envoy, this means an RBAC policy attached to a route will override any RBAC policies applied to the gateway or listener. In contrast, an Agentgateway-based Gateway supports cumulative RBAC policies across different attachment points, such that an RBAC policy attached to a route augments policies applied to the gateway or listener without overriding them. | | |
| glooRateLimit GlooRateLimit | GlooRateLimit defines the Enterprise rate limit configuration for the traffic policy. | | |
| glooExtAuth GlooExtAuth | GlooExtAuth defines the Enterprise external authorization configuration for the traffic policy. | | |
| glooTransformation GlooTransformation | GlooTransformation defines the Enterprise transformation configuration for the traffic policy. | | |
| glooJWT StagedJWT | GlooJWT allows for configuration of JWT authentication. | | |
| glooRBAC GlooRBAC | GlooRBAC provides config for RBAC rules based on JWT claims resulting from authentication with glooJWT configs. | | |
GlooTransformation
GlooTransformation defines the Enterprise transformation configuration.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| stages StagedTransformations | Stages defines the transformations run at different stages of the filter chain. | | |
| awsLambda AWSLambdaTransformation | AWSLambda defines the AWS Lambda transformation configuration. | | |
HeaderToAppend
HeaderToAppend defines a header-template pair for appending headers.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| key string | Key specifies the header name. | | MaxLength: 4096 MinLength: 1 |
| value InjaTemplate | Value specifies the template to apply to the header value. | | |
InjaTemplate
Underlying type: string
InjaTemplate defines an Inja template that will be rendered by Gloo. In addition to the core template functions, the Gloo transformation filter defines the following custom functions:
- header(header_name): returns the value of the header with the given name.
- extraction(extractor_name): returns the value of the extractor with the given name.
- env(env_var_name): returns the value of the environment variable with the given name.
- body(): returns the request/response body.
- context(): returns the base JSON context (allowing for example to range on a JSON body that is an array).
- request_header(header_name): returns the value of the request header with the given name. Use this option when you want to include request header values in response transformations.
- base64_encode(string): encodes the input string to base64.
- base64_decode(string): decodes the input string from base64.
- substring(string, start_pos, substring_len): returns a substring of the input string, starting at start_pos and extending for substring_len characters. If no substring_len is provided or substring_len is <= 0, the substring extends to the end of the input string.
Appears in:
- BodyTransformation
- DynamicMetadataValue
- HeaderToAppend
- OverridableTemplate
- SpanTransformer
- TransformationTemplate
JWKS
JWKS (JSON Web Key Set) configures how to fetch the public key used for JWT verification.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| local LocalJWKS | Local is used when the JWKS is local to the proxy, such as an inline string definition. | | |
| remote RemoteJWKS | Remote is used when the JWKS should be fetched from a remote host. Note: agentgateway does not support remote JWKS configuration. | | |
JWTProvider
JWTProvider defines configuration for how a JWT should be authenticated and verified.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| jwks JWKS | The source for the keys to validate JWTs. | | |
| audiences string array | An incoming JWT must have an 'aud' claim, and it must be in this list. | | |
| issuer string | Issuer of the JWT. The 'iss' claim of the JWT must match this. | | |
| tokenSource TokenSource | Where to find the JWT of the current provider. Note: agentgateway does not support token source configuration. | | |
| keepToken boolean | Whether the token should be forwarded upstream. If false, the header containing the token is removed. If omitted, the default behavior is to remove the token and not forward it. | | |
| claimsToHeaders ClaimToHeader array | What claims should be copied to upstream headers. Note: agentgateway does not support claimsToHeaders configuration. | | |
| clockSkewSeconds integer | Used to verify time constraints, such as exp and nbf. If omitted, defaults to 60s. Note: agentgateway does not support clockSkewSeconds configuration. | | Minimum: 0 |
| attachFailedStatusToMetadata string | When this field is set, the specified value is used as the key in DynamicMetadata under which the JWT failure status code and message are stored. This field is particularly useful when logging the failure status. Note: agentgateway does not support attachFailedStatusToMetadata configuration. For example, if the value of attach_failed_status_to_metadata is 'custom_auth_failure_status', then the failure status can be accessed in the access log as '%DYNAMIC_METADATA(envoy.filters.http.jwt_authn:custom_auth_failure_status)'. Note: status code and message can be individually accessed as '%DYNAMIC_METADATA(envoy.filters.http.jwt_authn:custom_auth_failure_status.code)' and '%DYNAMIC_METADATA(envoy.filters.http.jwt_authn:custom_auth_failure_status.message)' respectively. | | |
JwksAsyncFetch
Fetch Jwks asynchronously in the main thread when the filter config is parsed. The listener is activated only after the Jwks is fetched. When the Jwks is expired in the cache, it is fetched again in the main thread. The fetched Jwks from the main thread can be used by all worker threads.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| fastListener boolean | If false, the listener is activated after the initial fetch is completed. The initial fetch result can be either successful or failed. If true, it is activated without waiting for the initial fetch to complete. Default is false. | | |
JwtValidationPolicy
Underlying type: string
Validation:
- Enum: [RequireValid AllowMissing AllowMissingOrFailed]
Appears in:
| Value | Description |
|---|---|
| RequireValid | Default value. Allow only requests that authenticate with a valid JWT to succeed. |
| AllowMissing | Allow requests to succeed even if JWT authentication is missing, but fail when an invalid JWT token is presented. You might use this setting when later steps depend on input from the JWT. For example, you might add claims from the JWT to request headers with the claimsToHeaders field. As such, you may want to make sure that any provided JWT is valid. If not, the request fails, which informs the requester that their JWT is not valid. Requests without a JWT, however, still succeed and skip JWT validation. |
| AllowMissingOrFailed | Allow requests to succeed even when a JWT is missing or JWT verification fails. For example, you might apply multiple policies to your routes so that requests can authenticate with either a JWT or another method such as external auth. Use this value to allow a failed JWT auth request to pass through to the other authentication method. |
OverridableTemplate
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| tmpl InjaTemplate | Template to render. | | |
| overrideEmpty boolean | If set to true, the template will be set even if the rendered value is empty. | | |
QueryParameterMatcher
QueryParameterMatcher configures the query parameter matching to apply.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| name string | Specifies the name of a key that must be present in the requested path's query string. | | |
| value string | Specifies the value of the key. If the value is absent, a request that contains the key in its query string will match, whether the key appears with a value (e.g., "?debug=true") or not (e.g., "?debug"). | | |
| regex boolean | Specifies whether the query parameter value is a regular expression. Defaults to false. The entire query parameter value (i.e., the part to the right of the equals sign in "key=value") must match the regex. E.g., the regex "\d+$" will match "123" but not "a123" or "123a". | | |
RBACJWTPrincipal
A JWT principal. To use this, JWT authentication MUST be configured as well.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| claims object (keys:string, values:string) | Set of claims that make up this principal. Commonly, the 'iss' and 'sub' or 'email' claims are used. If you specify the path for a nested claim, such as 'parent.child.foo', you must also specify a non-empty string value for the nestedClaimDelimiter field in the Policy. | | |
| provider string | Verify that the JWT came from a specific provider. This usually can be left empty, and a provider will be chosen automatically. | | MinLength: 1 |
| matcher RBACJWTPrincipalClaimMatcher | The matcher to use when evaluating this principal. If omitted, exact string comparison (ExactString) is used. | | Enum: [ExactString Boolean ListContains] |
RBACJWTPrincipalClaimMatcher
Underlying type: string
Appears in:
| Value | Description |
|---|---|
| ExactString | The JWT claim value is a string that exactly matches the value. |
| Boolean | The JWT claim value is a boolean that matches the value. |
| ListContains | The JWT claim value is a list that contains a string that exactly matches the value. |
RBACPermissions
What permissions should be granted. An empty field means allow-all. If more than one field is added, all of them need to match.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| pathPrefix string | Paths that have this prefix will be allowed. | | MinLength: 1 |
| methods string array | What HTTP methods (GET, POST, ...) are allowed. | | |
RBACPolicy
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| principals RBACPrincipal array | Principals in this policy. | | MinItems: 1 |
| permissions RBACPermissions | Permissions granted to the principals. | | |
| nestedClaimDelimiter string | The delimiter to use when specifying nested claim names within principals. Default is an empty string, which disables nested claim functionality. This is commonly set to '.', allowing for nested claim names of the form parent.child.grandchild. | | |
RBACPrincipal
An RBAC principal - the identity entity (usually a user or a service account).
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| jwtPrincipal RBACJWTPrincipal | JWTPrincipal references a principal from JWT authentication. | | |
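As an added example (not from the Gloo docs or the project's own samples), here is a GlooTrafficPolicy that wires the GlooJWT, JWTProvider, GlooRBAC, RBACPolicy, RBACJWTPrincipal and RBACPermissions types above into one policy: a single provider enforced after ext auth with RequireValid, upstream-bound claim headers that overwrite client-supplied values, and an RBAC policy that admits only a nested role claim or one exact service identity, for read-only methods under one path prefix. The route, namespace, issuer, audience, claim names and JWKS content are constructed placeholders; the `key` field under `jwks.local` is an assumption, since LocalJWKS is not defined on this page.

```yaml
apiVersion: gloo.solo.io/v1alpha1
kind: GlooTrafficPolicy
metadata:
  name: orders-jwt-rbac            # constructed name
  namespace: apps                  # constructed namespace
spec:
  # Attach to one HTTPRoute in the same namespace.
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: orders                 # constructed route name
  glooJWT:
    # StagedJWT: verify the JWT after external auth (if present) has run.
    afterExtAuth:
      # RequireValid is the documented default; stated explicitly here.
      validationPolicy: RequireValid
      providers:
        corp-idp:                  # constructed provider name
          issuer: https://idp.example.com/        # constructed; 'iss' must equal this
          audiences:                              # 'aud' must contain one of these
            - orders-api
          clockSkewSeconds: 60     # the documented default, made explicit
          keepToken: false         # strip the token header before forwarding upstream
          claimsToHeaders:
            - claim: sub
              header: x-sub
              append: false        # overwrite, so a client cannot pre-set x-sub
          jwks:
            local:
              # ASSUMPTION: LocalJWKS is not defined on this page; an inline
              # JWK Set under 'key' is assumed. Placeholder content, not a real key.
              key: |
                {"keys":[{"kty":"RSA","kid":"PLACEHOLDER","use":"sig","n":"PLACEHOLDER","e":"AQAB"}]}
  glooRBAC:
    policies:
      orders-readers:              # constructed policy name
        # Non-empty delimiter enables the 'parent.child' claim path used below.
        nestedClaimDelimiter: "."
        principals:
          # Principal 1: a list-valued nested claim that contains the role.
          - jwtPrincipal:
              provider: corp-idp
              matcher: ListContains
              claims:
                realm_access.roles: orders-reader # constructed nested claim path
          # Principal 2: one exact service identity; all listed claims must match.
          - jwtPrincipal:
              provider: corp-idp
              matcher: ExactString
              claims:
                iss: https://idp.example.com/
                sub: svc-orders-reporter          # constructed service identity
        permissions:
          # Both fields are set, so both must match: read-only methods under /orders.
          pathPrefix: /orders
          methods: [GET, HEAD]
```

Because validationPolicy is RequireValid, a request without a JWT never reaches the RBAC check; with AllowMissing it would, and the RBAC policy would then reject it for having no matching principal.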
RateLimitConfigRef
RateLimitConfigRef selects the RateLimitConfig resource with the rate limit policy that you want to use. For more details, see the RateLimitConfig reference in the Gloo Edge docs.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| name ObjectName | Name is the name of the RateLimitConfig resource. | | |
| namespace Namespace | Namespace is the namespace of the RateLimitConfig resource. If not set, defaults to the namespace of the GlooTrafficPolicy. | | |
RegexMatcher
RegexMatcher based on https://github.com/envoyproxy/envoy/blob/4453ce1f809ec502fb2cbe0363cf5c6a971f3836/api/envoy/type/matcher/regex.proto#L19
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| regex string | The regex match string. The string must be supported by the configured engine. | | |
RequestBodyParse
Underlying type: string
RequestBodyParse determines how the body will be parsed.
Appears in:
| Value | Description |
|---|---|
| ParseAsJson | ParseAsJson configures the transformation to attempt to parse the request/response body as JSON |
| DontParse | DontParse configures the transformation so that the request/response body is treated as plain text |
RequestMatcher
RequestMatcher configures transformations to apply on the request.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| matcher TransformationRequestMatcher | Matcher defines the request matching parameter. Only when the match is satisfied does the "requires" field apply. Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule is matched if any one of the matches is satisfied. For example, take the following matches configuration: matches: [{ path: { value: "/foo" }, headers: [{ name: "version", value: "v1" }] }, { path: { value: "/v2/foo" } }]. For a request to match against this rule, it must satisfy EITHER of the two conditions: a path prefixed with /foo AND containing the header version: v1, or a path prefix of /v2/foo. As another example, the following match matches all requests: matches: [{ path: { value: "/" } }]. | | |
| clearRouteCache boolean | ClearRouteCache specifies whether to clear the route cache if a transformation was matched. | | |
| transformation Transformation | Transformation to apply on the request. | | |
RequestResponseTransformations
RequestResponseTransformations configures transformations to apply on the request and response.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| requests RequestMatcher array | Requests configures transformations to apply on the request. The first request transformation that matches will apply. | | MaxItems: 32 |
| responses ResponseMatcher array | Responses configures transformations to apply on the response. The first response transformation that matches will apply. | | MaxItems: 32 |
ResponseMatcher
ResponseMatcher configures transformations to apply on the response.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| matchers TransformationHeaderMatcher array | Specifies a set of headers that the route should match on. The router will check the response headers against all the specified headers in the route config. A match will happen if all the headers in the route are present in the request with the same values (or based on presence if the value field is not in the config). | | MaxItems: 32 |
| responseCodeDetails string | Only match responses with non-empty response code details (this usually implies a local reply). | | |
| transformation Transformation | Transformation to apply on the response. | | |
SpanTransformer
SpanTransformer defines a span transformer for modifying trace spans.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| name InjaTemplate | Name specifies a template that sets the span name. | | |
StagedJWT
StagedJWT allows for configuring JWT authentication at various stages of request processing.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| afterExtAuth GlooJWT | JWT configuration to be enforced after external auth has been processed (if it is present). Note: this is not currently supported for agentgateway. | | |
| beforeExtAuth GlooJWT | JWT configuration to be enforced before external auth has been processed. | | |
StagedTransformations
StagedTransformations configures transformations to apply for different stages of the filter chain.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| early RequestResponseTransformations | Early transformations happen before most other options (like Auth and Rate Limit). | | |
| regular RequestResponseTransformations | Regular transformations happen after Auth and Rate Limit decisions have been made. | | |
| postRouting RequestResponseTransformations | PostRouting transformations happen during the router filter chain. This is important for a number of reasons:<br />1. Retries re-trigger this filter, which might impact performance.<br />2. It is the only point where endpoint metadata is available.<br />3. clearRouteCache does NOT work in this stage, as the routing decision is already made. | | |
| logRequestResponseInfo boolean | When enabled, log request/response body and headers before and after all transformations defined here are applied.<br />This overrides the logRequestResponseInfo field in the Transformation message. | | |
| escapeCharacters EscapeCharactersBehavior | EscapeCharacters configures the Inja behavior when rendering strings which contain characters that would need to be escaped to be valid JSON. Note that this sets the behavior for all staged transformations configured here. This setting can be overridden per-transformation using the field escapeCharacters on the TransformationTemplate. | | Enum: [Escape DontEscape] |
TlsContextMatchOptions
TlsContextMatchOptions configures the TLS context match options.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| presented boolean | If specified, the route will match against whether a certificate is presented. If not specified, certificate presentation status (true or false) will not be considered when route matching. | | |
| validated boolean | If specified, the route will match against whether a certificate is validated. If not specified, certificate validation status (true or false) will not be considered when route matching. | | |
TokenSource
Describes the location of a JWT token.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| headers TokenSourceHeaderSource array | Try to retrieve the token from these headers. | | |
| queryParams string array | Try to retrieve the token from these query params. | | |
Transformation
Underlying type: ``struct{Template *TransformationTemplate `json:"template,omitempty"`; HeaderBody *HeaderBodyTransform `json:"headerBody,omitempty"`}``
Transformation defines a transformation that can be applied to requests or responses.
Appears in:
TransformationExtractMode
Underlying type: string
TransformationExtractMode represents the mode of operation for the extraction, which configures how the transformation will extract the content of a specified capturing group.
Validation:
- Enum: [Extract SingleReplace ReplaceAll]
Appears in:
| Field | Description |
|---|---|
| Extract | ModeExtract configures the transformation to extract the content of a specified capturing group. In this mode, subgroup selects the n-th capturing group, which represents the value that you want to extract. |
| SingleReplace | ModeSingleReplace configures the transformation to replace the content of a specified capturing group. In this mode, subgroup selects the n-th capturing group, which represents the value that you want to replace with the string provided in replacementText. Note: replacementText must be set for this mode. |
| ReplaceAll | ModeReplaceAll configures the transformation to replace all regex matches with the value provided in replacementText. Note: replacementText must be set for this mode. Note: The configuration fails if subgroup is set to a non-zero value. Note: restrictions on the regex are different for this mode. See the regex field for more details. |
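To make the three modes concrete, the following is an added stand-alone Python model of an extractor written for this page (not Gloo's or Envoy's code): it applies Extract, SingleReplace and ReplaceAll to a constructed path value and rejects the invalid combinations the descriptions call out. The `Extraction` class and its field names are hypothetical, and the model assumes that Extract and SingleReplace require the regex to match the whole value while ReplaceAll matches anywhere.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

MODES = ("Extract", "SingleReplace", "ReplaceAll")


@dataclass
class Extraction:
    """Hypothetical model of one extractor: regex, mode, subgroup, replacementText."""
    regex: str
    mode: str = "Extract"
    subgroup: int = 0                      # 0 = whole match, n = n-th capturing group
    replacement_text: Optional[str] = None

    def validate(self) -> List[str]:
        """Return the configuration errors the field descriptions call out."""
        errors = []
        if self.mode not in MODES:
            errors.append(f"unknown mode {self.mode!r}")
        if self.mode in ("SingleReplace", "ReplaceAll") and self.replacement_text is None:
            errors.append(f"{self.mode} requires replacementText")
        if self.mode == "ReplaceAll" and self.subgroup != 0:
            errors.append("ReplaceAll requires subgroup to be 0")
        if self.subgroup > re.compile(self.regex).groups:
            errors.append(f"regex has no capturing group {self.subgroup}")
        return errors

    def apply(self, value: str) -> str:
        errors = self.validate()
        if errors:
            raise ValueError("; ".join(errors))
        pattern = re.compile(self.regex)
        if self.mode == "ReplaceAll":
            # Every match anywhere in the value is replaced with replacementText (literal).
            return pattern.sub(lambda _m: self.replacement_text, value)
        # Assumption of this model: Extract and SingleReplace need a whole-value match.
        m = pattern.fullmatch(value)
        if m is None:
            return "" if self.mode == "Extract" else value
        if self.mode == "Extract":
            return m.group(self.subgroup) or ""
        # SingleReplace: only the selected capturing group is rewritten.
        start, end = m.span(self.subgroup)
        return value[:start] + self.replacement_text + value[end:]


if __name__ == "__main__":
    # Constructed sample: a path whose numeric ids we want to pull out or mask before logging.
    path = "/users/42/orders/7"
    print(Extraction(r"/users/(\d+)/orders/(\d+)", "Extract", 1).apply(path))
    print(Extraction(r"/users/(\d+)/orders/(\d+)", "SingleReplace", 1, "<id>").apply(path))
    print(Extraction(r"\d+", "ReplaceAll", 0, "N").apply(path))
    print(Extraction(r"\d+", "ReplaceAll", 1, "N").validate())
```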