This is the namespace to which Gloo controllers will write their own resources, e.g. discovered Upstreams or default Gateways. If empty, this will default to “gloo-system”.
watchNamespaces
[]string
Use this setting to restrict the namespaces that Gloo controllers take into consideration when watching for resources.In a usual production scenario, RBAC policies will limit the namespaces that Gloo has access to. If watch_namespaces contains namespaces outside of this whitelist, Gloo will fail to start. If not set, this defaults to all available namespaces. Please note that, the discovery_namespace will always be included in this list.
Extensions will be passed along from Listeners, Gateways, VirtualServices, Routes, and Route tables to the underlying Proxy, making them useful for controllers, validation tools, etc. which interact with kubernetes yaml. Some sample use cases: * controllers, deployment pipelines, helm charts, etc. which wish to use extensions as a kind of opaque metadata. * In the future, Gloo may support gRPC-based plugins which communicate with the Gloo translator out-of-process. Opaque Extensions enables development of out-of-process plugins without requiring recompiling & redeploying Gloo’s API.
Enterprise-only: Partial config for GlooE’s rate-limiting service, based on Envoy’s rate-limit service; supports Envoy’s rate-limit service API. (reference here: https://github.com/lyft/ratelimit#configuration) Configure rate-limit descriptors here, which define the limits for requests based on their descriptors. Configure rate-limits (composed of actions, which define how request characteristics get translated into descriptors) on the VirtualHost or its routes.
Enterprise-only: External auth related settings for additional auth servers This should only be used in the case where separate servers are needed to authorize separate routes. With multiple auth servers configured in Settings, multiple filters will be configured on the filter chain, but only 1 will be executed on a route. The name of the auth server (ie the key in the map) will be used to apply the configuration on the route. If an auth server name is not supplied on a route, the default auth server will be applied.
Enterprise-only: Settings for the caching server itself This may eventually be able to be set at a per listener level. At this time is used for plugin translation via the init.Params.
Default configuration to use for upstreams, when not provided by specific upstream When these properties are defined on an upstream, this configuration will be ignored.
Enterprise-only: External Processing filter settings. These settings are used as defaults globally, and can be overridden by HttpListenerOptions, VirtualHostOptions, or RouteOptions.
DEPRECATED: use field accessToken the Token used to authenticate to Vault.
address
string
address is the address of the Vault server. This should be a complete URL such as http://solo.io and include port if necessary (vault’s default port is 8200).
caCert
string
DEPRECATED: use field tls_config to configure TLS connection to Vault caCert is the path to a PEM-encoded CA cert file to use to verify the Vault server SSL certificate.
caPath
string
DEPRECATED: use field tls_config to configure TLS connection to Vault caPath is the path to a directory of PEM-encoded CA cert files to verify the Vault server SSL certificate.
clientCert
string
DEPRECATED: use field tls_config to configure TLS connection to Vault clientCert is the path to the certificate for Vault communication.
clientKey
string
DEPRECATED: use field tls_config to configure TLS connection to Vault clientKey is the path to the private key for Vault communication.
tlsServerName
string
DEPRECATED: use field tls_config to configure TLS connection to Vault tlsServerName, if set, is used to set the SNI host when connecting via TLS.
DEPRECATED: use field tls_config to configure TLS connection to Vault When set to true, disables TLS verification.
rootKey
string
all keys stored in Vault will begin with this Vault this can be used to run multiple instances of Gloo against the same Vault cluster defaults to gloo.
Configure TLS options for client connection to Vault. This is only available when running Gloo Edge outside of an container orchestration tool such as Kubernetes or Nomad.
"vaultRole": string"region": string"iamServerIdHeader": string"mountPath": string"accessKeyId": string"secretAccessKey": string"sessionToken": string"leaseIncrement": int
Field
Type
Description
vaultRole
string
The Vault role we are trying to authenticate to. This is not necessarily the same as the AWS role to which the Vault role is configured.
region
string
The AWS region to use for the login attempt.
iamServerIdHeader
string
The IAM Server ID Header required to be included in the request.
mountPath
string
The Vault path on which the AWS auth is mounted.
accessKeyId
string
The Access Key ID as provided by the security credentials on the AWS IAM resource. Optional: In cases such as receiving temporary credentials through assumed roles with AWS Security Token Service (STS) or IAM Roles for Service Accounts (IRSA), this field can be omitted. https://developer.hashicorp.com/vault/docs/auth/aws#iam-authentication-inferences.
secretAccessKey
string
The Secret Access Key as provided by the security credentials on the AWS IAM resource. Optional: In cases such as receiving temporary credentials through assumed roles with AWS Security Token Service (STS) or IAM Roles for Service Accounts (IRSA), this field can be omitted. https://developer.hashicorp.com/vault/docs/auth/aws#iam-authentication-inferences.
sessionToken
string
The Session Token as provided by the security credentials on the AWS IAM resource.
Use HashiCorp Consul Key-Value as storage for config data.
Configuration options for connecting to Consul can be configured in the Settings' root
consul field
"rootKey": string
Field
Type
Description
rootKey
string
all keys stored in Consul will begin with this prefix this can be used to run multiple instances of Gloo against the same Consul cluster defaults to gloo.
KubernetesConfigmaps
Use Kubernetes ConfigMaps as storage.
Field
Type
Description
Directory
As an alternative to Kubernetes CRDs, Gloo is able to store resources in a local file system.
This option determines the root of the directory tree used to this end.
Address of the clusteringress proxy. If empty, it will default to clusteringress-proxy.$POD_NAMESPACE.svc.cluster.local. Use if running Knative Version 0.7.X or less.
knativeExternalProxyAddress
string
Address of the externally-facing knative proxy. If empty, it will default to knative-external-proxy.$POD_NAMESPACE.svc.cluster.local. Use if running Knative Version 0.8.X or higher.
knativeInternalProxyAddress
string
Address of the internally-facing knative proxy. If empty, it will default to knative-internal-proxy.$POD_NAMESPACE.svc.cluster.local. Use if running Knative Version 0.8.X or higher.
Enable function discovery service on GraphQL gRPC and OpenApi upstreams. Defaults to true.
FdsMode
Possible modes for running the function discovery service (FDS). FDS polls services in-cluster for Swagger
and gRPC endpoints. This behavior can be controlled with the use of annotations.
FdsMode specifies what policy FDS will use when determining which services to poll.
Name
Description
BLACKLIST
In BLACKLIST mode (default), FDS will poll all services in cluster except those services labeled with discovery.solo.io/function_discovery=disabled. This label can also be used on namespaces to apply to all services within a namespace which are not explicitly whitelisted. Note that kube-system and kube-public namespaces must be explicitly whitelisted even in blacklist mode.
WHITELIST
In WHITELIST mode, FDS will poll only services in cluster labeled with discovery.solo.io/function_discovery=enabled. This label can also be used on namespaces to apply to all services which are not explicitly blacklisted within a namespace.
DISABLED
In DISABLED mode, FDS will not run.
ConsulConfiguration
Provides overrides for the default configuration parameters used to connect to Consul.
Note: It is also possible to configure the Consul client Gloo uses via the environment variables
described here. These
need to be set on the Gloo container.
Deprecated: prefer http_address. The address of the Consul HTTP server. Used by service discovery and key-value storage (if-enabled). Defaults to the value of the standard CONSUL_HTTP_ADDR env if set, otherwise to 127.0.0.1:8500.
datacenter
string
Datacenter to use. If not provided, the default agent datacenter is used.
username
string
Username to use for HTTP Basic Authentication.
password
string
Password to use for HTTP Basic Authentication.
token
string
Token is used to provide a per-request ACL token which overrides the agent’s default token.
caFile
string
caFile is the optional path to the CA certificate used for Consul communication, defaults to the system bundle if not specified.
caPath
string
caPath is the optional path to a directory of CA certificates to use for Consul communication, defaults to the system bundle if not specified.
certFile
string
CertFile is the optional path to the certificate for Consul communication. If this is set then you need to also set KeyFile.
keyFile
string
KeyFile is the optional path to the private key for Consul communication. If this is set then you need to also set CertFile.
Enable Service Discovery via Consul with this field set to empty struct {} to enable with defaults.
httpAddress
string
The address of the Consul HTTP server. Used by service discovery and key-value storage (if-enabled). Defaults to the value of the standard CONSUL_HTTP_ADDR env if set, otherwise to 127.0.0.1:8500.
dnsAddress
string
The address of the DNS server used to resolve hostnames in the Consul service address. Used by service discovery (required when Consul service instances are stored as DNS names). Defaults to 127.0.0.1:8600. (the default Consul DNS server).
The polling interval for the DNS server. If there is a Consul service address with a hostname instead of an IP, Gloo will resolve the hostname with the configured frequency to update endpoints with any changes to DNS resolution. Defaults to 5s.
ServiceDiscoveryOptions
service discovery options for Consul
"dataCenters": []string
Field
Type
Description
dataCenters
[]string
Use this parameter to restrict the data centers that will be considered when discovering and routing to services. If not provided, Gloo will use all available data centers.
ConsulUpstreamDiscoveryConfiguration
Settings related to gloo’s behavior when discovering consul services and creating
upstreams to connect to those services and their instances.
If true, then gloo will add TLS to upstreams created for any consul service that has the tag specified by tlsTagName. If splitTlsServices is true, then this tag is also used to identify serviceInstances that should be tied to the TLS upstream. Requires rootCa to be set if true.
tlsTagName
string
The tag that gloo should use to make TLS upstreams from consul services, and to partition consul serviceInstances between TLS/non-TLS upstreams. Defaults to ‘glooUseTls’.
The reference for the root CA resource to be used by discovered consul TLS upstreams.
splitTlsServices
bool
If true, then create two upstreams when the tlsTagName is found on a consul service, one with tls and one without. This requires a consul service’s serviceInstances be individually tagged; servicesInstances with the tlsTagName tag are directed to the TLS upstream, while those without the tlsTagName tag are sorted into the non-TLS upstream.
Sets the consistency mode. The default is DefaultMode. Note: Gloo handles staleness well (as it runs update loops ~ once/second) but makes many requests to get consul endpoints so users may want to opt into stale reads once the implications are understood.
QueryOptions are the query options to use for all Consul queries.
serviceTagsAllowlist
[]string
All Services with tags in the allowlisted values will have endpoints and upstreams discovered. Default is all services - if values specified this will limit discovery to only services with specified tags.
Enables blocking queries for Gloo’s requests to the Consul Catalog API for each service (/catalog/service/:servicename) to get endpoints for EDS. For more on blocking queries, see https://www.consul.io/api-docs/features/blocking Enabling this feature will likely result in fewer network calls to Consul, but may also result in fewer local consul agent cache hits for Gloo’s requests to the Consul Catalog API. (see query_options above to configure caching; caching is enabled by default). Defaults to false.
KubernetesConfiguration
Provides overrides for the default configuration parameters used to interact with Kubernetes.
The maximum queries-per-second Gloo can make to the Kubernetes API Server. Defaults to 50.
burst
int
Maximum burst for throttle. When a steady state of QPS requests per second, this is an additional number of allowed, to allow for short bursts. Defaults to 100.
Enable metrics that track the configuration status of various resource types. Each (key, value) pair in the map defines a metric for a particular resource type. Configuration status metrics are not recorded by default; metrics are recorded only for the resources specified in this map. Keys specify the resource type (GroupVersionKind) to track for status changes (e.g. “VirtualService.v1.gateway.solo.io”). Values specify the labels to set on the metric.
GrafanaIntegration
Provides settings related to the observability pod’s interactions with grafana
(UInt32Value) Grafana allows dashboards to be added to specific folders by specifying that folder’s ID If unset, automatic upstream dashboards are generated in the general folder (folderId: 0). If set, the observability deployment will try to create/move all upstreams without their own folderId to the folder specified here, after verifying that a folder with such an ID exists. Be aware that grafana requires a folders ID, which should not be confused with the similarly-named and more easily accessible folder UID value. If individual upstream dashboards need to be placed specific granafa folders, they can be given their own folder IDs by annotating the upstreams. The annotation key must be ‘observability.solo.io/dashboard_folder_id’ and the value must be the folder ID. Folder IDs can be retrieved from grafana with a pair of terminal commands: 1. Port forward the grafana deployment to surface its API: kubectl -n gloo-system port-forward deployment/glooe-grafana 3000 2. Request all folder data (after admin:admin is replaced with the correct credentials): curl http://admin:admin@localhost:3000/api/folders.
dashboardPrefix
string
The prefix of the UIDs and Titles for all dashboards created on grafana. This is restricted to 20 characters.
extraMetricQueryParameters
string
Extra parameters when querying metrics from Grafana dashboards. This string will be appended to every query for metrics in the definition of all gloo managed dashboards. It can consist of multiple query parameters separated by a comma. For example cluster="some-cluster",gateway_proxy_id="proxy-2".
MetricLabels
"labelToPath": map<string, string>
Field
Type
Description
labelToPath
map<string, string>
Each (key, value) pair in the map defines a label to be applied. Keys specify the name of the label (e.g. “namespace”). Values specify the jsonpath (https://kubernetes.io/docs/reference/kubectl/jsonpath/) string corresponding to the field of a resource to use as the label value (e.g. “{.metadata.namespace}"). For example, if labelToPath = {name: ‘{.metadata.name}’, namespace: ‘{.metadata.namespace}'} for Upstream.v1.gateway.solo.io, the following metric would be produced: validation_gateway_solo_io_upstream_config_status{name=“default-petstore-8080”,namespace=“gloo-system”} 0.
UpstreamOptions
Default configuration to use for upstreams, when not provided by a specific upstream
When these properties are defined on a specific upstream, this configuration will be ignored
Timeout to get initial snapshot of resources. If set to zero, Gloo will not wait for initial snapshot - if nonzero and gloo could not fetch it’s initial snapshot before the timeout reached, gloo will panic. If unset, Gloo defaults to 5 minutes.
set these options to fine-tune the way Gloo handles invalid user configuration.
disableKubernetesDestinations
bool
Enable or disable Gloo Edge to scan Kubernetes services in the cluster and create in-memory Upstream resources to represent them. These resources enable Gloo Edge to route requests to a Kubernetes service. Note that if you have a large number of services in your cluster and you do not restrict the namespaces that Gloo Edge watches, the API snapshot increases which can have a negative impact on the Gloo Edge translation time. In addition, load balancing is done in kube-proxy which can have further performance impacts. Using Gloo Upstreams as a routing destination bypasses kube-proxy as the request is routed to the pod directly. Alternatively, you can use Kubernetes Upstream resources as a routing destination to forward requests to the pod directly. For more information, see the docs.
Default policy for grpc-web. set to true if you do not wish grpc-web to be automatically enabled. set to false if you wish grpc-web enabled unless disabled on the listener level. If not specified, defaults to false.
Set this option to determine the state of the envoy configuration when a virtual service is deleted, resulting in a proxy with no configured routes. set to true if you wish to keep envoy serving the routes from the latest valid configuration. set to false if you wish to reset the envoy configuration to a clean slate with no routes. If not specified, defaults to false.
The polling interval for the DNS server if upstream failover is configured. If there is a failover upstream address with a hostname instead of an IP, Gloo will resolve the hostname with the configured frequency to update endpoints with any changes to DNS resolution. Defaults to 10s.
By default gloo adds a series of filters to envoy to ensure that new routes are picked up Even if the listener previously did not have a filter on the chain previously. When set to true unused filters are not added to the chain by default. Defaults to false.
proxyDebugBindAddr
string
Where the gloo proxy debug server should bind. Defaults to gloo:9966.
When enabled, log the request/response body and headers before and after any transformations are applied. May be useful in the case where many transformations are applied and it is difficult to determine which are causing issues. Defaults to false.
Enable credential discovery via IAM; when this is set, there’s no need provide a secret on the upstream when running on AWS environment. Note: This should ONLY be enabled when running in an AWS environment, as the AWS code blocks the envoy main thread. This should be negligible when running inside AWS. Only one of enableCredentialsDiscovey or serviceAccountCredentials can be set.
Use projected service account token, and role arn to create temporary credentials with which to authenticate lambda requests. This functionality is meant to work along side EKS service account to IAM binding functionality as outlined here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html If the following environment values are not present in the gateway-proxy, this option cannot be used. 1. AWS_WEB_IDENTITY_TOKEN_FILE 2. AWS_ROLE_ARN The role which will be assumed by the credentials will be the one specified by AWS_ROLE_ARN, however, this can also be overwritten in the AWS Upstream spec via the role_arn field If they are not specified envoy will NACK the config update, which will show up in the logs when running OS Gloo. When running Gloo enterprise it will be reflected in the prometheus stat: “glooe.solo.io/xds/nack” In order to specify the aws sts endpoint, both the cluster and uri must be set. This is due to an envoy limitation which cannot infer the host or path from the cluster, and therefore must be explicitly specified via the uri. Only one of serviceAccountCredentials or enableCredentialsDiscovey can be set.
Sets cadence for refreshing credentials for Service Account. Does nothing if Service account is not set. Does not affect the default filewatch for service account only augments it. Defaults to not refreshing on time period. Suggested is 15 minutes.
Sets the unsafe behavior where a route can specify a lambda upstream but not set the function to target. It will use the first function which if discovery is enabled the first function is the first function name alphabetically from the last discovery run. This means that the lambda being pointed to could change. Defaults to false.
InvalidConfigPolicy
Policy for how Gloo should handle invalid config
[#next-free-field: 15]
if set to true, Gloo removes any routes from the provided configuration which point to a missing destination. Routes that are removed in this way will instead return a configurable direct response to clients. When routes are replaced, Gloo will configure Envoy with a special listener which serves direct responses. Note: enabling this option allows Gloo to accept partially valid proxy configurations.
invalidRouteResponseCode
int
replaced routes reply to clients with this response code. default is 404.
invalidRouteResponseBody
string
replaced routes reply to clients with this response body. default is ‘Gloo Gateway has invalid configuration. Administrators should run glooctl check to find and fix config errors.’.
Set to false to disable adding X-Forwarded-Host header in Istio integration Defaults to true.
VirtualServiceOptions
Default configuration to use for VirtualServices, when not provided by a specific virtual service
When these properties are defined on a specific VirtualService, this configuration will be ignored
Default one_way_tls value to use for all virtual services where one_way_tls config has not been specified. If the SSL config has the ca.crt (root CA) provided, Gloo uses it to perform mTLS by default. Set oneWayTls to true to disable mTLS in favor of server-only TLS (one-way TLS), even if Gloo has the root CA.
If provided, the Gateway will perform Dynamic Admission Control of Gateways, Virtual Services, and Route Tables when running in Kubernetes.
readGatewaysFromAllNamespaces
bool
When true, the Gateway controller will consume Gateway custom resources from all watch namespaces, rather than just the Gateway CRDs in its own namespace.
alwaysSortRouteTableRoutes
bool
Deprecated. This setting is ignored. Maintained for backwards compatibility with settings exposed on 1.2.x branch of Gloo.
compressedProxySpec
bool
If set, compresses proxy space. This can help make the Proxy CRD smaller to fit in etcd. This is an advanced option. Use with care.
Default configuration to use for VirtualServices, when not provided by a specific virtual service When these properties are defined on a specific VirtualService, this configuration will be ignored.
Set this to persist the Proxy CRD to etcd By default, proxies are kept in memory to improve performance. Proxies can be persisted to etcd to allow external tools and other pods to read the contents the Proxy CRD.
If set, group virtual hosts by matching ssl config, and isolate them on separate filter chains The default behavior is to aggregate all virtual hosts, and expose them on identical filter chains, each with a FilterChainMatch that corresponds to the ssl config. Individual Gateways can override this behavior by configuring the “gateway.solo.io/isolate_vhost” annotation to be a truthy (“true”, “false”) value.
If set, gateways will be translated into Envoy listeners even if no VirtualServices exist or match a gateway. When there are no VirtualServices that implies there are no routes to serve, so all requests will return a 404. Defaults to false. The default behavior when no VirtualServices are defined or no Gateways match a VirtualService is that the gateway is not converted into an Envoy listener.
ValidationOptions
options for configuring admission control / validation
Address of the gloo proxy validation grpc server. Defaults to gloo:9988. This field is required in order to enable fine-grained admission control.
validationWebhookTlsCert
string
Path to TLS Certificate for Kubernetes Validating webhook. Defaults to /etc/gateway/validation-certs/tls.crt.
validationWebhookTlsKey
string
Path to TLS Private Key for Kubernetes Validating webhook. Defaults to /etc/gateway/validation-certs/tls.key.
ignoreGlooValidationFailure
bool
Deprecated: the Gateway and the Gloo pods are now merged together, there are no longer requests made to a Gloo Validation server. When Gateway cannot communicate with Gloo (e.g. Gloo is offline) resources will be rejected by default. Enable the ignoreGlooValidationFailure to prevent the Validation server from rejecting resources due to network errors.
Always accept resources even if validation produced an error. Validation will still log the error and increment the validation.gateway.solo.io/resources_rejected stat. Currently defaults to true - must be set to false to prevent writing invalid resources to storage.
Accept resources if validation produced a warning (defaults to true). By setting to false, this means that validation will start rejecting resources that would result in warnings, rather than just those that would result in errors.
Deprecated: See server_enabled and consider configuring it to false instead. Write a warning to route resources if validation produced a route ordering warning (defaults to false). By setting to true, this means that Gloo will start assigning warnings to resources that would result in route short-circuiting within a virtual host, for example: - prefix routes that make later routes unreachable - regex routes that make later routes unreachable - duplicate matchers.
Deprecated: See server_enabled and consider configuring it to false instead. By default gloo will attempt to validate transformations by calling out to a local envoy binary in validate mode. Calling this local envoy binary can become slow when done many times during a single validation. Setting this to true will stop gloo from calling out to envoy to validate the transformations, which may speed up the validation time considerably, but may also cause the transformation config to fail after being sent to envoy. When disabling this, ensure that your transformations are valid prior to applying them.
By default, gRPC validation messages between gateway and gloo pods have a max message size of 100 MB. Setting this value sets the gRPC max message size in bytes for the gloo validation server. This should only be changed if necessary. If not included, the gRPC max message size will be the default of 100 MB.
By providing the validation field (parent of this object) the user is implicitly opting into validation. This field allows the user to opt out of the validation server, while still configuring pre-existing fields such as warn_route_short_circuiting and disable_transformation_validation. If not included, the validation server will be enabled.
If true, then custom resources can only be viewed in read-only mode in the UI. If false, then resources can be created, updated, and deleted via the UI. Currently, create/update/delete operations are only supported for GraphQL resources. This feature requires a Gloo Edge Enterprise license with GraphQL enabled. Defaults to true.
Schema definition updates can be considered safe, dangerous, or breaking. If this field is set to true, then breaking schema updates will be rejected. Defaults to false.
We use GraphQL Inspector to detect breaking changes to GraphQL schemas. This field allows for passing processing rules to GraphQL Inspector to customize how various change types are handled.
ProcessingRule
Name
Description
RULE_UNSPECIFIED
RULE_DANGEROUS_TO_BREAKING
Turn every dangerous change into a breaking change.
RULE_DEPRECATED_FIELD_REMOVAL_DANGEROUS
Treat the removal of a deprecated field as a dangerous change, instead of a breaking change.
RULE_IGNORE_DESCRIPTION_CHANGES
Ignore description changes.
RULE_IGNORE_UNREACHABLE
Ignore breaking changes on parts of the schema that are not reachable starting from the root types.
