Default gateway proxy setup
Learn about the different Gloo Gateway and Kubernetes resources that make up your gateway proxy deployment.
Keep in mind that you can only have one installation of Gloo Gateway with the Kubernetes Gateway API at a time. Installing the product twice causes required Kubernetes resources that are cluster-scoped, such as GatewayClass, to fail. You can still create multiple Gateway resources to configure HTTP and HTTPS listeners on Gloo Gateway.
GatewayClass
The GatewayClass is a Kubernetes Gateway API-native resource that defines the controller that spins up and configures gateway proxies in your environment.
When you install Gloo Gateway, a default GatewayClass resource is automatically created with the following configuration.
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: gloo-gateway
spec:
  controllerName: solo.io/gloo-gateway
The solo.io/gloo-gateway controller implements the Kubernetes Gateway API and provides an abstraction of the gateway’s underlying infrastructure. The controller watches the resources in your cluster. When a Gateway resource is created that references this GatewayClass, the controller spins up an Envoy-based gateway proxy by using the configuration that is defined in the GatewayParameters resource. The controller also translates other resources, such as HTTPRoute, RouteOption, VirtualHostOption, and more, into valid Envoy configuration, and applies the configuration to the gateway proxies it manages.
Gateway proxy template
When you create a Gateway resource, a default gateway proxy template is used to automatically spin up and bootstrap a gateway proxy deployment and service in your cluster. The template includes Envoy configuration that binds the gateway proxy deployment to the Gateway resource that you created. In addition, the settings in the GatewayParameters and Settings resources are used to configure the gateway proxy.
The resulting gateway proxy is managed for you and its configuration is automatically updated based on the settings in the GatewayParameters or Settings resources. To publicly expose the gateway proxy deployment, a service of type LoadBalancer is created for you. Depending on the cloud provider that you use, the LoadBalancer service is assigned a public IP address or hostname that you can use to reach the gateway. To expose an app on the gateway, you must create an HTTPRoute resource and define the matchers and filter rules that you want to apply before forwarding the request to the app in your cluster. You can review the Get started, traffic management, security, and resiliency guides to find examples for how to route and secure traffic to an app.
You can change the default configuration of your gateway proxy by creating custom GatewayParameters resources, or updating the default GatewayParameters and Settings values in your Gloo Gateway Helm chart. If you change the values in the Helm chart, Gloo Gateway automatically applies the changes to the default GatewayParameters and Settings resources.
Do not edit or change the default GatewayParameters and Settings resources directly. Always update the values in the Gloo Gateway Helm chart so that they persist between upgrades.
If you do not want to use the default gateway proxy template to bootstrap your proxies, you can choose to create a self-managed gateway. With self-managed gateways, you are responsible for defining the proxy deployment template that you want to bootstrap your proxies with. For more information, see Self-managed gateways (BYO).
GatewayParameters
GatewayParameters is a Gloo Gateway custom resource that specifies the configuration for the gateway proxies in your cluster.
When you install Gloo Gateway, a default GatewayParameters resource is automatically created for you. You can review its configuration by using the following command:
kubectl get gatewayparameters gloo-gateway -n gloo-system -o yaml
To spin up new gateway proxies, the Gloo Gateway controller uses a gateway proxy template and the configuration in the default GatewayParameters and Settings resources. You can change the default configuration for your gateway proxies by updating the respective values in the Gloo Gateway Helm chart. You can also create additional GatewayParameters resources to spin up different types of gateway proxies.
Do not edit or change the default GatewayParameters resource directly. Always update the values in the Gloo Gateway Helm chart so that they persist between upgrades, or create your own GatewayParameters resource that holds your custom values. Note that you are responsible for maintaining any GatewayParameters resources that you manually created.
For example, you might want to pair your gateway with a Network Load Balancer (NLB) instance in AWS. To properly pair and configure the gateway with an NLB, specific annotations on the gateway proxy are required. These annotations are not included in the default GatewayParameters resource. To add them, you can create a separate GatewayParameters resource where you add these annotations. For more customization options, see Customize the gateway.
Settings
Settings is a Gloo Gateway custom resource that is used to set global values for Gloo Gateway components, such as the gateway proxies or the Gloo Gateway control plane. The Settings resource is automatically created based on the values that you set in the Gloo Gateway Helm chart and enables or disables certain features in Gloo Gateway. For example, the Settings resource determines whether resource validation is enabled in your environment.
Do not edit or change the Settings resource directly. Always update the values in the Gloo Gateway Helm chart so that they persist between upgrades.
The Settings resource is shared between Gloo Gateway proxies that are based on the Kubernetes Gateway API and proxies that use the Gloo Edge API. However, some Settings fields can be set only for proxies that use the Gloo Edge API. If you run both types of proxies side-by-side in your cluster, follow these general steps:
- Ensure that you want to apply the Settings values to all of your proxies.
- Thoroughly test Settings changes for each proxy type to verify the expected behavior.
- Proceed with the update by setting these values in the Helm values file and upgrading your Gloo Gateway installation.
To view the default Settings resource, run the following command:
kubectl get settings default -n gloo-system -o yaml
When you follow the Get started guide, the following Settings resource is created for you. To understand each setting, check out the Settings custom resource documentation.
apiVersion: gloo.solo.io/v1
kind: Settings
metadata:
  annotations:
    meta.helm.sh/release-name: gloo-gateway
    meta.helm.sh/release-namespace: gloo-system
  generation: 1
  labels:
    app: gloo
    app.kubernetes.io/managed-by: Helm
    gloo: settings
  name: default
  namespace: gloo-system
spec:
  consoleOptions:
    apiExplorerEnabled: true
    readOnly: false
  discovery:
    fdsMode: WHITELIST
  discoveryNamespace: gloo-system
  extauth:
    extauthzServerRef:
      name: extauth
      namespace: gloo-system
    transportApiVersion: V3
    userIdHeader: x-user-id
  gateway:
    enableGatewayController: true
    isolateVirtualHostsBySslConfig: false
    readGatewaysFromAllNamespaces: false
    validation:
      allowWarnings: true
      alwaysAccept: true
      disableTransformationValidation: false
      proxyValidationServerAddr: gloo:9988
      serverEnabled: true
      validationServerGrpcMaxSizeBytes: 104857600
      warnRouteShortCircuiting: false
  gloo:
    disableKubernetesDestinations: false
    disableProxyGarbageCollection: false
    enableRestEds: false
    invalidConfigPolicy:
      invalidRouteResponseBody: Gloo Gateway has invalid configuration. Administrators
        should run `glooctl check` to find and fix config errors.
      invalidRouteResponseCode: 404
      replaceInvalidRoutes: false
    istioOptions:
      appendXForwardedHost: true
      enableAutoMtls: false
      enableIntegration: false
    proxyDebugBindAddr: 0.0.0.0:9966
    regexMaxProgramSize: 1024
    restXdsBindAddr: 0.0.0.0:9976
    xdsBindAddr: 0.0.0.0:9977
  graphqlOptions:
    schemaChangeValidationOptions:
      processingRules: []
      rejectBreakingChanges: false
  kubernetesArtifactSource: {}
  kubernetesConfigSource: {}
  kubernetesSecretSource: {}
  ratelimitServer:
    rateLimitBeforeAuth: false
    ratelimitServerRef:
      name: rate-limit
      namespace: gloo-system
  refreshRate: 60s
status:
  statuses: {}
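The Settings resource determines whether resource validation is enabled, so its validation fields are worth reviewing after an install or upgrade. The following Python script is an added example, not part of the Gloo Gateway documentation: it walks the JSON form of the Settings resource and reports the validation and debug bind-address values shown above that permit invalid configuration or listen on all interfaces. The list of checks, the function names, and the sample input are assumptions of this example, not a Gloo Gateway policy.

```python
import json

# Constructed sample: subset of the Settings spec shown on this page, in the
# form returned by `kubectl get settings default -n gloo-system -o json`.
SAMPLE = json.loads("""{"spec": {
  "gateway": {"validation": {"allowWarnings": true, "alwaysAccept": true,
    "disableTransformationValidation": false, "serverEnabled": true}},
  "gloo": {"proxyDebugBindAddr": "0.0.0.0:9966"}}}""")
MISSING = object()  # sentinel for a path that is absent from the resource

# Review policy assumed for this example: (dotted path, flag-if test, note).
CHECKS = [
    ("gateway.validation.serverEnabled", lambda v: v is not True,
     "validation server is not enabled"),
    ("gateway.validation.alwaysAccept", lambda v: v is True,
     "resources that fail validation are still accepted"),
    ("gateway.validation.allowWarnings", lambda v: v is True,
     "resources that produce validation warnings are accepted"),
    ("gateway.validation.disableTransformationValidation", lambda v: v is True,
     "transformation validation is turned off"),
    ("gloo.proxyDebugBindAddr", lambda v: str(v).startswith("0.0.0.0:"),
     "proxy debug server binds to all interfaces"),
]

def lookup(spec, dotted):
    """Walk a dotted path; return MISSING if any segment is absent."""
    node = spec
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return node

def audit(settings):
    """Return (path, value, note) for every flagged or unset field."""
    findings = []
    for path, flagged, note in CHECKS:
        value = lookup(settings.get("spec", {}), path)
        if value is MISSING:
            findings.append((path, None, "unset: confirm the effective default"))
        elif flagged(value):
            findings.append((path, value, note))
    return findings

if __name__ == "__main__":
    for path, value, note in audit(SAMPLE):
        print(f"{path} = {value!r}: {note}")
```

Any change that a finding prompts belongs in the Gloo Gateway Helm values file, not in the Settings resource itself, so that it persists between upgrades.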