secret.proto
Package: gloo.solo.io
Types:
Secret
Certain features, such as the AWS Lambda option, require secrets: credentials for authentication, TLS certificates and keys, and other data that should not be stored in plaintext configuration.
Gloo runs an independent (goroutine) controller to monitor secrets. Secrets are stored in their own secret storage layer. Gloo can monitor secrets stored in the following secret storage services:
Kubernetes Secrets
Hashicorp Vault
Plaintext files (recommended only for testing)
Secrets must adhere to the structure specified by the option that requires them.
Gloo's secret backend is configured in Gloo's bootstrap options.
"aws": .gloo.solo.io.AwsSecret
"azure": .gloo.solo.io.AzureSecret
"tls": .gloo.solo.io.TlsSecret
"oauth": .enterprise.gloo.solo.io.OauthSecret
"apiKey": .enterprise.gloo.solo.io.ApiKey
"header": .gloo.solo.io.HeaderSecret
"credentials": .gloo.solo.io.AccountCredentialsSecret
"extensions": .gloo.solo.io.Extensions
"metadata": .core.solo.io.Metadata
The fields aws, azure, tls, oauth, apiKey, header, credentials and extensions form a oneof: exactly one of them can be set in a given Secret.

Field | Type | Description
--- | --- | ---
aws | .gloo.solo.io.AwsSecret | AWS credentials.
azure | .gloo.solo.io.AzureSecret | Azure credentials.
tls | .gloo.solo.io.TlsSecret | TLS secret specification.
oauth | .enterprise.gloo.solo.io.OauthSecret | Enterprise-only: OAuth secret configuration.
apiKey | .enterprise.gloo.solo.io.ApiKey | Enterprise-only: ApiKey secret configuration.
header | .gloo.solo.io.HeaderSecret | Secrets for use in header payloads (e.g. in the Envoy healthcheck API).
credentials | .gloo.solo.io.AccountCredentialsSecret | Secrets to authenticate as a service user.
extensions | .gloo.solo.io.Extensions | Extensions are passed along from Listeners, Gateways, VirtualServices, Routes and Route Tables to the underlying Proxy, making them useful for controllers, validation tools and similar components that interact with Kubernetes YAML. Sample use cases: controllers, deployment pipelines, Helm charts and other tooling that want a kind of opaque metadata; and, in the future, gRPC-based plugins that communicate with the Gloo translator out-of-process, since opaque extensions allow such plugins to be developed without recompiling and redeploying Gloo's API.
metadata | .core.solo.io.Metadata | Metadata contains the object metadata for this resource. Not part of the oneof.
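The oneof constraint and the per-variant field requirements described above are easy to get wrong in hand-written YAML (a Secret that sets both aws and tls, or a tls secret whose privateKey is not PEM). The following Python is an added example, not Gloo's own validation code: it takes an already-parsed Secret (the dict a YAML loader returns) and reports every structural problem it finds. The PEM checks look only at BEGIN markers, and the enterprise-only oauth and apiKey variants, whose layout this page does not describe, are accepted as any mapping; both are simplifications made for this example.

```python
"""Structural checks on a gloo.solo.io Secret (added example, not Gloo's code).
The input is an already-parsed manifest dict, as returned by a YAML loader."""

ONEOF_FIELDS = ("aws", "azure", "tls", "oauth", "apiKey", "header",
                "credentials", "extensions")
ENTERPRISE_ONLY = ("oauth", "apiKey")  # layout not described on this page


def _nonempty_str(value):
    return isinstance(value, str) and value.strip() != ""


def _has_pem_block(text, label_suffix):
    """True if some line is a PEM BEGIN marker whose label ends with label_suffix,
    so 'PRIVATE KEY' accepts 'PRIVATE KEY', 'RSA PRIVATE KEY' and 'EC PRIVATE KEY'.
    Assumption: marker presence is all this example checks; it does not parse DER."""
    return any(line.startswith("-----BEGIN ") and line.rstrip().endswith(label_suffix + "-----")
               for line in text.splitlines())


def validate_gloo_secret(secret):
    """Return a list of problems; an empty list means the Secret is well-formed."""
    problems = []
    md = secret.get("metadata")
    if not isinstance(md, dict) or not (_nonempty_str(md.get("name"))
                                        and _nonempty_str(md.get("namespace"))):
        problems.append("metadata.name and metadata.namespace are required")

    set_fields = [f for f in ONEOF_FIELDS if f in secret]
    if len(set_fields) != 1:
        problems.append(f"exactly one of {ONEOF_FIELDS} may be set, found {set_fields}")
        return problems
    kind = set_fields[0]
    body = secret[kind]
    if not isinstance(body, dict):
        problems.append(f"{kind} must be a mapping")
        return problems

    if kind == "aws":
        # sessionToken is treated as optional here (only temporary credentials have one)
        problems += [f"aws.{f} is required" for f in ("accessKey", "secretKey")
                     if not _nonempty_str(body.get(f))]
    elif kind == "azure":
        if not (isinstance(body.get("apiKeys"), dict) and body["apiKeys"]):
            problems.append("azure.apiKeys must be a non-empty map")
    elif kind == "tls":
        for field, suffix in (("certChain", "CERTIFICATE"), ("privateKey", "PRIVATE KEY")):
            if not _nonempty_str(body.get(field)):
                problems.append(f"tls.{field} is required")
            elif not _has_pem_block(body[field], suffix):
                problems.append(f"tls.{field} does not contain a PEM {suffix} block")
        # rootCa is only needed to validate peer certificates; when present it must be PEM
        if _nonempty_str(body.get("rootCa")) and not _has_pem_block(body["rootCa"], "CERTIFICATE"):
            problems.append("tls.rootCa does not contain a PEM CERTIFICATE block")
    elif kind == "header":
        headers = body.get("headers")
        if not (isinstance(headers, dict) and headers
                and all(isinstance(v, str) for v in headers.values())):
            problems.append("header.headers must be a non-empty map of header name to value")
    elif kind == "credentials":
        problems += [f"credentials.{f} is required" for f in ("username", "password")
                     if not _nonempty_str(body.get(f))]
    elif kind in ENTERPRISE_ONLY:
        pass  # Enterprise-only variants: accepted as any mapping in this example
    # "extensions" is opaque by design and is not inspected
    return problems


if __name__ == "__main__":
    # Constructed manifests for illustration; the PEM bodies are placeholders.
    good_tls = {"metadata": {"name": "upstream-tls", "namespace": "gloo-system"},
                "tls": {"certChain": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
                        "privateKey": "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n"}}
    both_set = {"metadata": {"name": "bad", "namespace": "default"},
                "aws": {"accessKey": "AKIA...", "secretKey": "x"}, "tls": {}}
    for name, s in (("good_tls", good_tls), ("both_set", both_set)):
        print(name, validate_gloo_secret(s) or "ok")
```

Run it against a manifest before applying it; a non-empty list is the reason Gloo would not be able to use the secret as the referencing option expects.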
AwsSecret
There are two ways of providing AWS secrets:
Method 1: glooctl create secret aws

```shell
glooctl create secret aws --name aws-secret-from-glooctl \
  --namespace default \
  --access-key $ACC \
  --secret-key $SEC
```

will produce a Kubernetes resource similar to this (note the aws field and the resource_kind annotation):

```yaml
apiVersion: v1
data:
  aws: base64EncodedStringForMachineConsumption
kind: Secret
metadata:
  annotations:
    resource_kind: '*v1.Secret'
  creationTimestamp: "2019-08-23T15:10:20Z"
  name: aws-secret-from-glooctl
  namespace: default
  resourceVersion: "592637"
  selfLink: /api/v1/namespaces/default/secrets/secret-e2e
  uid: 1f8c147f-c5b8-11e9-bbf3-42010a8001bc
type: Opaque
```
Method 2: kubectl apply -f resource-file.yaml
If you use a git-ops flow, or otherwise create secrets from YAML files, you may prefer to provide AWS credentials using the format below, with aws_access_key_id and aws_secret_access_key fields.
This removes the need for the resource_kind annotation, which is not supported by some tools such as godaddy/kubernetes-external-secrets. In a git-ops flow, avoid committing the plaintext credentials themselves; let a tool such as that one materialize the Secret in the cluster at deploy time.

```yaml
# a sample aws secret resource-file.yaml
apiVersion: v1
# stringData takes plaintext values; under data: each value must be base64-encoded instead
stringData:
  aws_access_key_id: some-id
  aws_secret_access_key: some-secret
kind: Secret
metadata:
  name: aws-secret-abcd
  namespace: default
```
"accessKey": string
"secretKey": string
"sessionToken": string

Field | Type | Description
--- | --- | ---
accessKey | string | Provided by glooctl create secret aws (the --access-key value).
secretKey | string | Provided by glooctl create secret aws (the --secret-key value).
sessionToken | string | Provided by glooctl create secret aws.
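Method 2 stores the key pair directly as Kubernetes Secret keys, and the detail that trips people up is that values under data: must be base64-encoded raw bytes; the API server rejects a bare some-id. The following Python is an added example, not Gloo's code: it renders a Method-2 manifest the way the API server stores it, parses one back into the accessKey, secretKey and sessionToken fields of the AwsSecret table above (accepting both data: and stringData:), and produces a log-safe view that never emits the secret key. The key name aws_session_token for an optional session token is an assumption made for illustration; this page states only aws_access_key_id and aws_secret_access_key.

```python
"""Render and parse the Method-2 Kubernetes Secret layout for AWS credentials
(added example, not Gloo's code). Manifests are plain dicts, as a YAML loader
returns them."""
import base64
import binascii

# Kubernetes Secret keys used by the Method 2 layout shown above.
ACCESS_KEY_ID = "aws_access_key_id"
SECRET_ACCESS_KEY = "aws_secret_access_key"
# Assumption: the key name for an optional session token is not stated on this
# page; "aws_session_token" is used here for illustration only.
SESSION_TOKEN = "aws_session_token"


def render_aws_secret(name, namespace, access_key, secret_key, session_token=None):
    """Build a Method-2 manifest the way the API server stores it: values under
    `data:` are base64 of the raw bytes (a bare `some-id` would be rejected)."""
    def enc(s):
        return base64.b64encode(s.encode("utf-8")).decode("ascii")
    data = {ACCESS_KEY_ID: enc(access_key), SECRET_ACCESS_KEY: enc(secret_key)}
    if session_token:
        data[SESSION_TOKEN] = enc(session_token)
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name, "namespace": namespace}, "data": data}


def _decode_values(manifest):
    """Merge `data` (base64) and `stringData` (plaintext, as a git-ops manifest
    may carry it before the API server converts it) into one plaintext map."""
    values = {}
    for key, raw in (manifest.get("data") or {}).items():
        try:
            # validate=True rejects characters outside the base64 alphabet
            values[key] = base64.b64decode(raw, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError(f"data.{key} is not valid base64: {exc}") from exc
    values.update(manifest.get("stringData") or {})
    return values


def parse_aws_secret(manifest):
    """Return the AwsSecret fields (accessKey, secretKey, sessionToken) from a
    Method-2 Kubernetes Secret, or raise ValueError if it is malformed."""
    if manifest.get("apiVersion") != "v1" or manifest.get("kind") != "Secret":
        raise ValueError("expected a v1 Secret")
    values = _decode_values(manifest)
    missing = [k for k in (ACCESS_KEY_ID, SECRET_ACCESS_KEY) if not values.get(k)]
    if missing:
        raise ValueError(f"missing required keys: {missing}")
    return {"accessKey": values[ACCESS_KEY_ID],
            "secretKey": values[SECRET_ACCESS_KEY],
            "sessionToken": values.get(SESSION_TOKEN)}


def redact(aws_secret):
    """A log-safe view: keep enough of the access key id to identify the
    credential, never emit the secret key or session token."""
    ak = aws_secret["accessKey"]
    return {"accessKey": ak[:4] + "..." + ak[-4:] if len(ak) > 8 else "***",
            "secretKey": "***",
            "sessionToken": "***" if aws_secret.get("sessionToken") else None}


if __name__ == "__main__":
    # Constructed credentials for illustration; not real keys.
    manifest = render_aws_secret("aws-secret-abcd", "default",
                                 "AKIAEXAMPLEKEY000001", "constructed-secret-key")
    print(manifest["data"])
    print(redact(parse_aws_secret(manifest)))
```

The strict base64 decode is what turns the page's literal some-id into an immediate, explicit error rather than a secret that silently fails to authenticate at the Lambda call.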
AzureSecret
"apiKeys": map<string, string>

Field | Type | Description
--- | --- | ---
apiKeys | map<string, string> | Provided by glooctl create secret azure.
TlsSecret
"certChain": string
"privateKey": string
"rootCa": string

Field | Type | Description
--- | --- | ---
certChain | string | PEM-encoded certificate chain. Provided by glooctl create secret tls.
privateKey | string | PEM-encoded private key for the chain; treat as sensitive. Provided by glooctl create secret tls.
rootCa | string | PEM-encoded root CA used to validate peer certificates. Provided by glooctl create secret tls.
HeaderSecret
"headers": map<string, string>

Field | Type | Description
--- | --- | ---
headers | map<string, string> | A collection of header name to header value mappings, each representing an additional header that could be added to a request. Provided by glooctl create secret header.
AccountCredentialsSecret
"username": string
"password": string

Field | Type | Description
--- | --- | ---
username | string | Username of the service user.
password | string | Password of the service user.