A Gateway describes a single Listener (bind address:port)
and the routing configuration to upstreams that are reachable via a specific port on the Gateway Proxy itself.
If set to false, only use virtual services without ssl configured. If set to true, only use virtual services with ssl configured. This field is ignored if GatewayType is HybridGateway.
bindAddress
string
The bind address the gateway should serve traffic on.
bindPort
int
Bind ports must not conflict across gateways for a single proxy.
Enable ProxyProtocol support for this listener. Deprecated: prefer setting the listener option. If configured, the listener option (filter config) overrides any setting here.
Only one of hybridGateway, httpGateway, or tcpGateway can be set.
proxyNames
[]string
Names of the Proxy resources to generate from this gateway. If other gateways exist which point to the same proxy, Gloo will join them together. Proxies have a one-to-many relationship with Envoy bootstrap configuration. In order to connect to Gloo, the Envoy bootstrap configuration sets a role in the node metadata. Envoy instances announce their role to Gloo, which maps to the {{ .Namespace }}~{{ .Name }} of the Proxy resource. The template for this value can be seen in the Gloo Helm chart. Note: this field also accepts fields written in camel-case. They will be converted to kebab-case in the Proxy name. This allows use of the Gateway Name Helm value for this field. Defaults to ["gateway-proxy"].
MatchedGateways can be used to define both HttpGateways and TcpGateways directly on the Gateway resource. If MatchedGateways is provided, then DelegatedHttpGateways and DelegatedTcpGateways are ignored.
DelegatedHttpGateways can be used to configure multiple HttpGateways using the MatchableHttpGateway CR and select them on this Gateway using a resourceRef or label selection. If MatchedGateways is provided, then DelegatedHttpGateways is ignored.
DelegatedTcpGateways can be used to configure multiple TcpGateways using the MatchableTcpGateway CR and select them on this Gateway using a resourceRef or label selection. If MatchedGateways is provided, then DelegatedTcpGateways is ignored.
Delegate to the MatchableHttpGateways that match the given selector. Only one of selector or ref can be set.
preventChildOverrides
bool
Used as a meta modifier to the http_connection_manager_settings and ssl_config fields in a DelegatedHttpGateway. When set, provided ancestor config cannot be overridden by matched HttpGateways. Useful in a multi-team context, where a controlling team managing a primary Gateway file may want to lock down specific functionality from other teams. For example: (DelegatedHttpGateway, MatchableHttpGateway) = {"a": "a1", "b": "b1"}, {"b": "b2", "c": "c2"}. When true: get_config(MatchableHttpGateway) --> {"a": "a1", "b": "b1", "c": "c2"}. When false: get_config(MatchableHttpGateway) --> {"a": "a1", "b": "b2", "c": "c2"}.
Ancestry-level HTTP Gateway configuration. Options specified here will be passed down to each MatchableHttpGateway that is matched via selector or ref. Ultimately, said options will be consumed by instances of MatchableHttpGateway.http_gateway.
Ancestry-level TLS/SSL traffic configuration. Options specified here will be passed down to each MatchableHttpGateway that is matched via selector or ref. From there, they are passed to all VirtualServices associated with said MatchableHttpGateways.
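The preventChildOverrides merge rule described above, as an added example (not Gloo's own code). It assumes the options can be modelled as flat string maps, as in the page's {"a": ..., "b": ...} illustration; resolveConfig is a hypothetical helper that also reports the keys where the child disagrees with the ancestor, which is what a controlling team would audit.

```go
package main

import (
	"fmt"
	"sort"
)

// resolveConfig models the merge rule for preventChildOverrides using flat
// string maps (an assumption; the real options are nested structs).
// It returns the effective config and the sorted keys where the child sets a
// value different from the ancestor's.
func resolveConfig(parent, child map[string]string, preventChildOverrides bool) (map[string]string, []string) {
	effective := make(map[string]string, len(parent)+len(child))
	for k, v := range parent {
		effective[k] = v
	}
	var conflicts []string
	for k, v := range child {
		pv, inParent := parent[k]
		if !inParent {
			effective[k] = v // child-only keys always pass through
			continue
		}
		if pv != v {
			conflicts = append(conflicts, k)
		}
		if !preventChildOverrides {
			effective[k] = v // child wins only when overrides are allowed
		}
	}
	sort.Strings(conflicts)
	return effective, conflicts
}

func main() {
	// Constructed sample values taken from the page's own illustration.
	parent := map[string]string{"a": "a1", "b": "b1"}
	child := map[string]string{"b": "b2", "c": "c2"}
	for _, lock := range []bool{true, false} {
		eff, conflicts := resolveConfig(parent, child, lock)
		fmt.Printf("preventChildOverrides=%v effective=%v conflicting=%v\n", lock, eff, conflicts)
	}
}
```

With preventChildOverrides set, a non-empty conflict list marks child settings that are silently ignored; without it, the same list marks ancestor settings the child has replaced.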
Matchers are used to define unique matching criteria for each MatchedGateway. Each MatchedGateway within a HybridGateway must have a unique Matcher. If multiple matchers in a HybridGateway are identical, the HybridGateway will not be accepted. Empty Matchers are effectively catch-alls, and there can be no more than one empty Matcher per HybridGateway.
Gloo uses SNI domains as matching criteria for Gateway selection. The other ssl_config properties will be applied to the outputFilterChain's transport socket. SslConfig from VirtualServices will be ignored in a MatchedGateway.
Enterprise-only: Passthrough cipher suites is an allow-list of OpenSSL cipher suite names for which TLS passthrough will be enabled. If a client does not support any ciphers that are natively supported by Envoy, but does support one of the ciphers in the passthrough list, then traffic will be routed via TCP Proxy to a destination specified by the TcpGateway, where TLS can then be terminated. This field is only applicable to TcpGateways.