About Gloo Gateway

Gloo Gateway is a feature-rich, fast, and flexible Kubernetes-native ingress controller and next-generation API gateway that is built on top of Envoy proxy. An API Gateway is a reverse proxy that serves as a security barrier between your clients and the microservices that make up your app. In order to access a microservice, all clients must send a request to the API Gateway. The API Gateway then verifies and routes the request to the microservice.

To let you set up and leverage advanced routing, traffic management, security, resiliency, and integration capabilities, you can choose to run a Gloo Gateway proxy with one of the following APIs: the Kubernetes Gateway API with custom Gloo Gateway extensions or the Gloo Edge API. The Gloo Gateway control plane can process custom resource requests from both APIs and translate these resources into valid Envoy configuration that the Envoy proxies can pick up and apply.

Because of that, Gloo Gateway gives you the flexibility to run both Kubernetes Gateway API and Gloo Edge API Envoy proxies in your environment at the same time so that you can customize your API gateway to the needs of your app and organization. Keep in mind that you can only have one installation of Gloo Gateway with the Kubernetes Gateway API at a time. This limitation is because some required Kubernetes resources such as GatewayClass are cluster-scoped and fail if you try to install the product twice. You can still create multiple Gateway resources to configure HTTP and HTTPS listeners on Gloo Gateway.

Figure: Gloo Gateway architecture

K8s Gateway API

Gloo Gateway is fully conformant with the Kubernetes Gateway API. The capabilities that you can leverage in your API Gateway depend on the Gloo Gateway edition that you install:

  • Open source (OSS):
    Set up an Envoy proxy that is based on the Kubernetes Gateway API and use Kubernetes Gateway API-native features to configure basic routing capabilities.

  • Enterprise Edition:
    Extend the Kubernetes Gateway API with Gloo Gateway APIs, such as RouteOption, VirtualHostOption, Upstreams, RateLimitConfig, or AuthConfig. These resources help to centrally configure routing, security, and resiliency rules for a host or a specific route. You can then use the ExtensionRef filter in the Kubernetes Gateway API to refer to these configurations and apply them. For example, you can apply features, such as the following, to a host or a route. Many more features are available in the Enterprise Edition.

    In addition, several features that were previously introduced in the Gloo Edge API were improved. Examples include the developer portal that now comes with more flexible APIs and built-in Backstage support, and an improved Istio integration that allows for easier injection of Istio sidecars.
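
Because routing, security, and resiliency rules are attached through ExtensionRef filters, it is useful to check which HTTPRoute rules carry no such reference. The following is an added example, not code from the Gloo Gateway project; the API group `gateway.solo.io`, the route names, and the sample data are assumptions constructed for illustration.

```python
# Added example: list HTTPRoute rules that have no ExtensionRef filter
# pointing at a Gloo Gateway extension resource such as RouteOption.
GLOO_GROUP = "gateway.solo.io"  # assumption: API group of the Gloo extension kinds

def _ext(group, kind, name):
    """Build an ExtensionRef filter in the Kubernetes Gateway API shape."""
    return {"type": "ExtensionRef",
            "extensionRef": {"group": group, "kind": kind, "name": name}}

# Constructed sample in the shape of `kubectl get httproute -A -o json`.
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "checkout"},
     "spec": {"rules": [
         {"filters": [_ext(GLOO_GROUP, "RouteOption", "checkout-policy")]}]}},
    {"metadata": {"namespace": "shop", "name": "catalog"},
     "spec": {"rules": [
         # Has a filter, but not an ExtensionRef.
         {"filters": [{"type": "RequestHeaderModifier",
                       "requestHeaderModifier": {"set": [
                           {"name": "x-env", "value": "prod"}]}}]},
         # ExtensionRef with the right kind but a different API group.
         {"filters": [_ext("example.internal", "RouteOption", "lookalike")]},
     ]}},
]}

def gloo_extension_refs(rule):
    """Return (kind, name) for each ExtensionRef filter in the Gloo group."""
    refs = []
    for flt in rule.get("filters") or []:
        ref = flt.get("extensionRef") or {}
        if flt.get("type") == "ExtensionRef" and ref.get("group") == GLOO_GROUP:
            refs.append((ref.get("kind"), ref.get("name")))
    return refs

def rules_without_extension(route_list, required_kind="RouteOption"):
    """Return (namespace, route, rule_index) for rules lacking required_kind."""
    findings = []
    for route in route_list.get("items", []):
        meta = route["metadata"]
        for idx, rule in enumerate(route.get("spec", {}).get("rules") or []):
            kinds = {kind for kind, _ in gloo_extension_refs(rule)}
            if required_kind not in kinds:
                findings.append((meta.get("namespace", "default"), meta["name"], idx))
    return findings

if __name__ == "__main__":
    for ns, name, idx in rules_without_extension(SAMPLE):
        print(f"{ns}/{name} rule[{idx}]: no ExtensionRef to a {GLOO_GROUP} RouteOption")
```

The check covers only the ExtensionRef mechanism described above, so a flagged rule is a prompt for review rather than proof that no configuration applies to it.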

Gloo Edge API

Resource translation

The following image shows how the Gloo Gateway components interact with the Kubernetes Gateway API to configure the Gloo Gateway Envoy proxy.

Figure: Gloo Gateway resource translation process

  1. The config watcher component in the gloo pod watches the cluster for new Kubernetes Gateway API resources, such as gateways and HTTP routes.
  2. When the config watcher detects new or updated Kubernetes Gateway API resources, it sends the Kubernetes configuration to the Gloo Gateway translation engine.
  3. The translation engine translates Kubernetes Gateway API resources into Envoy configuration. All Envoy configuration is consolidated into an xDS snapshot.
  4. The reporter receives a status report for every Kubernetes Gateway API resource that is processed by the translator.
  5. The reporter writes the resource status back to the Kubernetes Gateway API.
  6. The xDS snapshot is provided to the Gloo xDS server.
  7. Proxies in the cluster pull the latest Envoy configuration from the Gloo xDS server.