settings.proto

Package: gloo.solo.io

Source File: github.com/solo-io/gloo/projects/gloo/api/v1/settings.proto

Settings

Represents global settings for all the Gloo components.

"discoveryNamespace": string
"watchNamespaces": []string
"kubernetesConfigSource": .gloo.solo.io.Settings.KubernetesCrds
"directoryConfigSource": .gloo.solo.io.Settings.Directory
"consulKvSource": .gloo.solo.io.Settings.ConsulKv
"kubernetesSecretSource": .gloo.solo.io.Settings.KubernetesSecrets
"vaultSecretSource": .gloo.solo.io.Settings.VaultSecrets
"directorySecretSource": .gloo.solo.io.Settings.Directory
"secretOptions": .gloo.solo.io.Settings.SecretOptions
"kubernetesArtifactSource": .gloo.solo.io.Settings.KubernetesConfigmaps
"directoryArtifactSource": .gloo.solo.io.Settings.Directory
"consulKvArtifactSource": .gloo.solo.io.Settings.ConsulKv
"refreshRate": .google.protobuf.Duration
"devMode": bool
"linkerd": bool
"knative": .gloo.solo.io.Settings.KnativeOptions
"discovery": .gloo.solo.io.Settings.DiscoveryOptions
"gloo": .gloo.solo.io.GlooOptions
"gateway": .gloo.solo.io.GatewayOptions
"consul": .gloo.solo.io.Settings.ConsulConfiguration
"consulDiscovery": .gloo.solo.io.Settings.ConsulUpstreamDiscoveryConfiguration
"kubernetes": .gloo.solo.io.Settings.KubernetesConfiguration
"extensions": .gloo.solo.io.Extensions
"ratelimit": .ratelimit.options.gloo.solo.io.ServiceSettings
"ratelimitServer": .ratelimit.options.gloo.solo.io.Settings
"rbac": .rbac.options.gloo.solo.io.Settings
"extauth": .enterprise.gloo.solo.io.Settings
"namedExtauth": map<string, .enterprise.gloo.solo.io.Settings>
"cachingServer": .caching.options.gloo.solo.io.Settings
"metadata": .core.solo.io.Metadata
"namespacedStatuses": .core.solo.io.NamespacedStatuses
"observabilityOptions": .gloo.solo.io.Settings.ObservabilityOptions
"upstreamOptions": .gloo.solo.io.UpstreamOptions
"consoleOptions": .gloo.solo.io.ConsoleOptions
"graphqlOptions": .gloo.solo.io.GraphqlOptions
"extProc": .extproc.options.gloo.solo.io.Settings
"watchNamespaceSelectors": []gloo.solo.io.LabelSelector

Field Type Description
discoveryNamespace string This is the namespace to which Gloo controllers will write their own resources, e.g. discovered Upstreams or default Gateways. If empty, this will default to “gloo-system”.
watchNamespaces []string Use this setting to restrict the namespaces that Gloo controllers take into consideration when watching for resources. In a usual production scenario, RBAC policies will limit the namespaces that Gloo has access to. If watch_namespaces contains namespaces outside of this whitelist, Gloo will fail to start. If not set, this defaults to all available namespaces. Note that the discovery_namespace is always included in this list. If watch_namespaces is specified, it takes precedence over watch_namespace_selectors.
kubernetesConfigSource .gloo.solo.io.Settings.KubernetesCrds Only one of kubernetesConfigSource, directoryConfigSource, or consulKvSource can be set.
directoryConfigSource .gloo.solo.io.Settings.Directory Only one of directoryConfigSource, kubernetesConfigSource, or consulKvSource can be set.
consulKvSource .gloo.solo.io.Settings.ConsulKv Only one of consulKvSource, kubernetesConfigSource, or directoryConfigSource can be set.
kubernetesSecretSource .gloo.solo.io.Settings.KubernetesSecrets Only one of kubernetesSecretSource, vaultSecretSource, or directorySecretSource can be set.
vaultSecretSource .gloo.solo.io.Settings.VaultSecrets Only one of vaultSecretSource, kubernetesSecretSource, or directorySecretSource can be set.
directorySecretSource .gloo.solo.io.Settings.Directory Only one of directorySecretSource, kubernetesSecretSource, or vaultSecretSource can be set.
secretOptions .gloo.solo.io.Settings.SecretOptions Settings for secrets storage. This API is beta and should be tested thoroughly before production use.
kubernetesArtifactSource .gloo.solo.io.Settings.KubernetesConfigmaps Only one of kubernetesArtifactSource, directoryArtifactSource, or consulKvArtifactSource can be set.
directoryArtifactSource .gloo.solo.io.Settings.Directory Only one of directoryArtifactSource, kubernetesArtifactSource, or consulKvArtifactSource can be set.
consulKvArtifactSource .gloo.solo.io.Settings.ConsulKv Only one of consulKvArtifactSource, kubernetesArtifactSource, or directoryArtifactSource can be set.
refreshRate .google.protobuf.Duration How frequently to resync watches, etc.
devMode bool DEPRECATED: In the past, DevMode was used to expose endpoints that behave as an Admin API (https://github.com/solo-io/gloo/issues/6494). An Admin API is now supported on port 9091; see https://docs.solo.io/gloo-edge/latest/operations/debugging_gloo/#debugging-the-control-plane for details.
linkerd bool Enable automatic linkerd upstream header addition for easier routing to linkerd services.
knative .gloo.solo.io.Settings.KnativeOptions Configuration options for the Clusteringress Controller (for Knative). Deprecated: Will not be available in Gloo Gateway 1.11.
discovery .gloo.solo.io.Settings.DiscoveryOptions Options for configuring Gloo’s Discovery service.
gloo .gloo.solo.io.GlooOptions Options for configuring gloo, the core Gloo controller, which serves dynamic configuration to Envoy.
gateway .gloo.solo.io.GatewayOptions Options for configuring gateway, the Gateway Gloo controller, which enables the VirtualService/Gateway API in Gloo.
consul .gloo.solo.io.Settings.ConsulConfiguration Options to configure Gloo’s integration with HashiCorp Consul.
consulDiscovery .gloo.solo.io.Settings.ConsulUpstreamDiscoveryConfiguration
kubernetes .gloo.solo.io.Settings.KubernetesConfiguration Options to configure Gloo’s integration with Kubernetes.
extensions .gloo.solo.io.Extensions Extensions will be passed along from Listeners, Gateways, VirtualServices, Routes, and Route tables to the underlying Proxy, making them useful for controllers, validation tools, etc. which interact with kubernetes yaml. Some sample use cases: * controllers, deployment pipelines, helm charts, etc. which wish to use extensions as a kind of opaque metadata. * In the future, Gloo may support gRPC-based plugins which communicate with the Gloo translator out-of-process. Opaque Extensions enables development of out-of-process plugins without requiring recompiling & redeploying Gloo’s API.
ratelimit .ratelimit.options.gloo.solo.io.ServiceSettings Enterprise-only: Partial config for GlooE’s rate-limiting service, based on Envoy’s rate-limit service; supports Envoy’s rate-limit service API. (reference here: https://github.com/lyft/ratelimit#configuration) Configure rate-limit descriptors here, which define the limits for requests based on their descriptors. Configure rate-limits (composed of actions, which define how request characteristics get translated into descriptors) on the VirtualHost or its routes.
ratelimitServer .ratelimit.options.gloo.solo.io.Settings Enterprise-only: Settings for the rate limiting server itself.
rbac .rbac.options.gloo.solo.io.Settings Enterprise-only: Settings for RBAC across all Gloo resources (VirtualServices, Routes, etc.).
extauth .enterprise.gloo.solo.io.Settings Enterprise-only: External auth related settings.
namedExtauth map<string, .enterprise.gloo.solo.io.Settings> Enterprise-only: External auth related settings for additional auth servers. This should only be used in the case where separate servers are needed to authorize separate routes. With multiple auth servers configured in Settings, multiple filters will be configured on the filter chain, but only one will be executed on a route. The name of the auth server (i.e. the key in the map) is used to apply the configuration on the route. If an auth server name is not supplied on a route, the default auth server will be applied.
cachingServer .caching.options.gloo.solo.io.Settings Enterprise-only: Settings for the caching server itself. This may eventually be settable at a per-listener level. At this time it is used for plugin translation via the init.Params.
metadata .core.solo.io.Metadata Metadata contains the object metadata for this resource.
namespacedStatuses .core.solo.io.NamespacedStatuses NamespacedStatuses indicates the validation status of this resource. NamespacedStatuses is read-only by clients, and set by gloo during validation.
observabilityOptions .gloo.solo.io.Settings.ObservabilityOptions Provides settings related to the observability deployment (enterprise only).
upstreamOptions .gloo.solo.io.UpstreamOptions Default configuration to use for upstreams when not provided by a specific upstream. When these properties are defined on an upstream, this configuration will be ignored.
consoleOptions .gloo.solo.io.ConsoleOptions Enterprise-only: Settings for the Gloo Gateway Enterprise Console (UI).
graphqlOptions .gloo.solo.io.GraphqlOptions Enterprise-only: GraphQL settings.
extProc .extproc.options.gloo.solo.io.Settings Enterprise-only: External Processing filter settings. These settings are used as defaults globally, and can be overridden by HttpListenerOptions, VirtualHostOptions, or RouteOptions.
watchNamespaceSelectors []gloo.solo.io.LabelSelector A list of Kubernetes label selectors that restrict the namespaces Gloo controllers take into consideration when watching for resources. Elements in the list are disjunctive (OR semantics), i.e. a namespace is included if it matches any selector. The following example selects any namespace that matches either of the following:
1. The namespace has both of these labels: env: prod and region: us-east1.
2. The namespace has label app equal to cassandra or spark.

    watchNamespaceSelectors:
    - matchLabels:
        env: prod
        region: us-east1
    - matchExpressions:
      - key: app
        operator: In
        values:
        - cassandra
        - spark

However, if the match conditions are part of the same list item, the namespace must match all conditions:

    watchNamespaceSelectors:
    - matchLabels:
        env: prod
        region: us-east1
      matchExpressions:
      - key: app
        operator: In
        values:
        - cassandra
        - spark

Refer to the Kubernetes selector docs for additional detail on selector semantics.

SecretOptions

"sources": []gloo.solo.io.Settings.SecretOptions.Source

Field Type Description
sources []gloo.solo.io.Settings.SecretOptions.Source Required. List of configured secret sources. These clients will be sorted and initialized in a stable order kubernetes > directory > vault.

Source

"kubernetes": .gloo.solo.io.Settings.KubernetesSecrets
"vault": .gloo.solo.io.Settings.VaultSecrets
"directory": .gloo.solo.io.Settings.Directory

Field Type Description
kubernetes .gloo.solo.io.Settings.KubernetesSecrets Only one of kubernetes, vault, or directory can be set.
vault .gloo.solo.io.Settings.VaultSecrets Only one of vault, kubernetes, or directory can be set.
directory .gloo.solo.io.Settings.Directory Only one of directory, kubernetes, or vault can be set.

KubernetesCrds

Use Kubernetes CRDs as storage.


Field Type Description

KubernetesSecrets

Use Kubernetes as storage for secret data.


Field Type Description

VaultSecrets

Use HashiCorp Vault as storage for secret data.

"token": string
"address": string
"caCert": string
"caPath": string
"clientCert": string
"clientKey": string
"tlsServerName": string
"insecure": .google.protobuf.BoolValue
"rootKey": string
"pathPrefix": string
"tlsConfig": .gloo.solo.io.Settings.VaultTlsConfig
"accessToken": string
"aws": .gloo.solo.io.Settings.VaultAwsAuth

Field Type Description
token string DEPRECATED: use field accessToken. The token used to authenticate to Vault.
address string address is the address of the Vault server. This should be a complete URL such as http://solo.io and include the port if necessary (Vault's default port is 8200).
caCert string DEPRECATED: use field tls_config to configure the TLS connection to Vault. caCert is the path to a PEM-encoded CA cert file used to verify the Vault server TLS certificate.
caPath string DEPRECATED: use field tls_config to configure the TLS connection to Vault. caPath is the path to a directory of PEM-encoded CA cert files used to verify the Vault server TLS certificate.
clientCert string DEPRECATED: use field tls_config to configure the TLS connection to Vault. clientCert is the path to the certificate for Vault communication.
clientKey string DEPRECATED: use field tls_config to configure the TLS connection to Vault. clientKey is the path to the private key for Vault communication.
tlsServerName string DEPRECATED: use field tls_config to configure the TLS connection to Vault. tlsServerName, if set, is used to set the SNI host when connecting via TLS.
insecure .google.protobuf.BoolValue DEPRECATED: use field tls_config to configure the TLS connection to Vault. When set to true, disables TLS verification.
rootKey string All keys stored in Vault will begin with this prefix. This can be used to run multiple instances of Gloo against the same Vault cluster. Defaults to gloo.
pathPrefix string Optional: The name of a Vault Secrets Engine to which Vault should route traffic. For more info see https://learn.hashicorp.com/tutorials/vault/getting-started-secrets-engines. Defaults to ‘secret’.
tlsConfig .gloo.solo.io.Settings.VaultTlsConfig Configure TLS options for the client connection to Vault. This is only available when running Gloo Gateway outside of a container orchestration tool such as Kubernetes or Nomad.
accessToken string Only one of accessToken or aws can be set.
aws .gloo.solo.io.Settings.VaultAwsAuth Only one of aws or accessToken can be set.

VaultAwsAuth

Configure Vault client to authenticate to server via AWS auth (IAM only). For more info see https://developer.hashicorp.com/vault/docs/auth/aws

"vaultRole": string
"region": string
"iamServerIdHeader": string
"mountPath": string
"accessKeyId": string
"secretAccessKey": string
"sessionToken": string
"leaseIncrement": int

Field Type Description
vaultRole string The Vault role we are trying to authenticate to. This is not necessarily the same as the AWS role to which the Vault role is configured.
region string The AWS region to use for the login attempt.
iamServerIdHeader string The IAM Server ID Header required to be included in the request.
mountPath string The Vault path on which the AWS auth is mounted.
accessKeyId string The Access Key ID as provided by the security credentials on the AWS IAM resource. Optional: In cases such as receiving temporary credentials through assumed roles with AWS Security Token Service (STS) or IAM Roles for Service Accounts (IRSA), this field can be omitted. https://developer.hashicorp.com/vault/docs/auth/aws#iam-authentication-inferences.
secretAccessKey string The Secret Access Key as provided by the security credentials on the AWS IAM resource. Optional: In cases such as receiving temporary credentials through assumed roles with AWS Security Token Service (STS) or IAM Roles for Service Accounts (IRSA), this field can be omitted. https://developer.hashicorp.com/vault/docs/auth/aws#iam-authentication-inferences.
sessionToken string The Session Token as provided by the security credentials on the AWS IAM resource.
leaseIncrement int The time increment, in seconds, used in renewing the lease of the Vault token. See: https://developer.hashicorp.com/vault/docs/concepts/lease#lease-durations-and-renewal. Defaults to 0, which causes the default TTL to be used.

VaultTlsConfig

Settings to configure TLS-enabled Vault as a secret store

"caCert": string
"caPath": string
"clientCert": string
"clientKey": string
"tlsServerName": string
"insecure": .google.protobuf.BoolValue

Field Type Description
caCert string caCert is the path to a PEM-encoded CA cert file to use to verify the Vault server SSL certificate.
caPath string caPath is the path to a directory of PEM-encoded CA cert files to verify the Vault server SSL certificate.
clientCert string clientCert is the path to the certificate for Vault communication.
clientKey string clientKey is the path to the private key for Vault communication.
tlsServerName string tlsServerName, if set, is used to set the SNI host when connecting via TLS.
insecure .google.protobuf.BoolValue When set to true, disables TLS verification.
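The VaultSecrets, VaultAwsAuth and VaultTlsConfig fields above are where the secret store's transport and authentication are decided, so they deserve a side-by-side. The following is an added example and not configuration shipped by the Gloo project: two alternative Settings documents (apply one, not both) that select Vault as the secret source via the vaultSecretSource oneof. The first relies on the deprecated fields and a static token; the second uses the tlsConfig and aws fields described above. The Vault hostname, certificate paths, Vault role, IAM server ID value and mount path are assumptions for illustration; per the page, tlsConfig is read when Gloo runs outside Kubernetes or Nomad.

```yaml
# Added example (not from the Gloo project). Hostnames, paths, role and mount
# names are assumptions for illustration.
#
# Alternative A, weak: cleartext HTTP, a long-lived static token stored in the
# Settings resource itself (readable by anyone who can read Settings), and
# certificate verification disabled through the deprecated `insecure` field.
apiVersion: gloo.solo.io/v1
kind: Settings
metadata:
  name: default
  namespace: gloo-system
spec:
  discoveryNamespace: gloo-system
  kubernetesConfigSource: {}
  kubernetesArtifactSource: {}
  vaultSecretSource:                        # oneof with kubernetesSecretSource / directorySecretSource
    address: http://vault.example.internal:8200
    token: s.REDACTED                       # deprecated: use accessToken or aws instead
    insecure: true                          # deprecated: disables TLS verification entirely
---
# Alternative B, hardened: HTTPS with a pinned CA and a client certificate,
# and Vault's AWS IAM auth method instead of a static token, so no Vault
# credential is written into the cluster. accessToken and aws are a oneof.
apiVersion: gloo.solo.io/v1
kind: Settings
metadata:
  name: default
  namespace: gloo-system
spec:
  discoveryNamespace: gloo-system
  kubernetesConfigSource: {}
  kubernetesArtifactSource: {}
  vaultSecretSource:
    address: https://vault.example.internal:8200
    rootKey: gloo                           # key prefix; lets several Gloo installs share one Vault
    pathPrefix: secret                      # the KV secrets engine mount
    tlsConfig:
      caCert: /etc/gloo/vault/ca.pem        # verify the server against this CA only
      clientCert: /etc/gloo/vault/client.pem
      clientKey: /etc/gloo/vault/client-key.pem
      tlsServerName: vault.example.internal # SNI and hostname check
      insecure: false
    aws:
      vaultRole: gloo-gateway               # the Vault role, not the AWS IAM role
      region: us-east-1
      iamServerIdHeader: vault.example.internal   # server ID value the Vault role requires on the login request
      mountPath: aws                        # where the AWS auth method is mounted in Vault
      # accessKeyId / secretAccessKey / sessionToken omitted on purpose: with an
      # instance role or IRSA the credentials are obtained at runtime, so nothing
      # static is stored here.
      leaseIncrement: 3600                  # renew the Vault token lease in 1h steps (0 = Vault default TTL)
```

If static token auth is unavoidable, put it in accessToken rather than the deprecated token field, and remember that accessToken and aws cannot both be set.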

ConsulKv

Use HashiCorp Consul Key-Value as storage for config data. Configuration options for connecting to Consul can be set in the Settings' root consul field.

"rootKey": string

Field Type Description
rootKey string All keys stored in Consul will begin with this prefix. This can be used to run multiple instances of Gloo against the same Consul cluster. Defaults to gloo.

KubernetesConfigmaps

Use Kubernetes ConfigMaps as storage.


Field Type Description

Directory

As an alternative to Kubernetes CRDs, Gloo is able to store resources in a local file system. This option determines the root of the directory tree used to this end.

"directory": string

Field Type Description
directory string

KnativeOptions

"clusterIngressProxyAddress": string
"knativeExternalProxyAddress": string
"knativeInternalProxyAddress": string

Field Type Description
clusterIngressProxyAddress string Address of the clusteringress proxy. If empty, it will default to clusteringress-proxy.$POD_NAMESPACE.svc.cluster.local. Use if running Knative Version 0.7.X or less.
knativeExternalProxyAddress string Address of the externally-facing knative proxy. If empty, it will default to knative-external-proxy.$POD_NAMESPACE.svc.cluster.local. Use if running Knative Version 0.8.X or higher.
knativeInternalProxyAddress string Address of the internally-facing knative proxy. If empty, it will default to knative-internal-proxy.$POD_NAMESPACE.svc.cluster.local. Use if running Knative Version 0.8.X or higher.

DiscoveryOptions

"fdsMode": .gloo.solo.io.Settings.DiscoveryOptions.FdsMode
"udsOptions": .gloo.solo.io.Settings.DiscoveryOptions.UdsOptions
"fdsOptions": .gloo.solo.io.Settings.DiscoveryOptions.FdsOptions

Field Type Description
fdsMode .gloo.solo.io.Settings.DiscoveryOptions.FdsMode
udsOptions .gloo.solo.io.Settings.DiscoveryOptions.UdsOptions
fdsOptions .gloo.solo.io.Settings.DiscoveryOptions.FdsOptions

UdsOptions

"enabled": .google.protobuf.BoolValue
"watchLabels": map<string, string>

Field Type Description
enabled .google.protobuf.BoolValue Enable upstream discovery service. Defaults to true.
watchLabels map<string, string> Map of labels to watch. Only services which match all of the selectors specified here will be discovered by UDS.

FdsOptions

"graphqlEnabled": .google.protobuf.BoolValue

Field Type Description
graphqlEnabled .google.protobuf.BoolValue Enable function discovery service on GraphQL gRPC and OpenApi upstreams. Defaults to true.

FdsMode

Possible modes for running the function discovery service (FDS). FDS polls services in-cluster for Swagger and gRPC endpoints. This behavior can be controlled with the use of annotations. FdsMode specifies what policy FDS will use when determining which services to poll.

Name Description
BLACKLIST In BLACKLIST mode (default), FDS will poll all services in cluster except those services labeled with discovery.solo.io/function_discovery=disabled. This label can also be used on namespaces to apply to all services within a namespace which are not explicitly whitelisted. Note that kube-system and kube-public namespaces must be explicitly whitelisted even in blacklist mode.
WHITELIST In WHITELIST mode, FDS will poll only services in cluster labeled with discovery.solo.io/function_discovery=enabled. This label can also be used on namespaces to apply to all services which are not explicitly blacklisted within a namespace.
DISABLED In DISABLED mode, FDS will not run.
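Because FDS actively polls in-cluster services for Swagger and gRPC endpoints, the FdsMode, UdsOptions and watchNamespaces settings together decide what the control plane probes and what it turns into Upstreams. The following is an added example, not configuration from the Gloo project, showing an opt-in posture: WHITELIST mode, a UDS watch label, and a namespace opted in with one service explicitly opted back out. The namespace, service and example.com/gloo-discover label names are assumptions; discovery.solo.io/function_discovery and its enabled/disabled values are the labels described above.

```yaml
# Added example (not from the Gloo project). Namespace, service and the
# example.com/gloo-discover label are assumptions for illustration.
apiVersion: gloo.solo.io/v1
kind: Settings
metadata:
  name: default
  namespace: gloo-system
spec:
  discoveryNamespace: gloo-system        # always watched, even if omitted from watchNamespaces
  watchNamespaces:                       # must stay within what Gloo's RBAC grants, or gloo fails to start
  - gloo-system
  - payments
  kubernetesConfigSource: {}
  kubernetesSecretSource: {}
  kubernetesArtifactSource: {}
  discovery:
    fdsMode: WHITELIST                   # FDS polls nothing that has not opted in; kube-system is never touched
    udsOptions:
      enabled: true
      watchLabels:                       # UDS creates Upstreams only for Services carrying all of these labels
        example.com/gloo-discover: "true"
---
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    discovery.solo.io/function_discovery: enabled   # opt every service in this namespace into FDS polling
---
apiVersion: v1
kind: Service
metadata:
  name: ledger                           # discovered by UDS (watch label) and polled by FDS (namespace opt-in)
  namespace: payments
  labels:
    example.com/gloo-discover: "true"
spec:
  selector:
    app: ledger
  ports:
  - port: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: internal-admin                   # discovered by UDS, but excluded from FDS polling despite the namespace opt-in
  namespace: payments
  labels:
    example.com/gloo-discover: "true"
    discovery.solo.io/function_discovery: disabled
spec:
  selector:
    app: internal-admin
  ports:
  - port: 9000
---
apiVersion: v1
kind: Service
metadata:
  name: batch                            # no watch label: ignored by UDS, so never becomes an Upstream
  namespace: payments
spec:
  selector:
    app: batch
  ports:
  - port: 7000
```

The BLACKLIST default is the inverse: every service in a watched namespace is polled unless labeled disabled, and the page notes that kube-system and kube-public still need an explicit enabled label even then.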

ConsulConfiguration

Provides overrides for the default configuration parameters used to connect to Consul.

Note: It is also possible to configure the Consul client Gloo uses via the environment variables described here. These need to be set on the Gloo container.

"address": string
"datacenter": string
"username": string
"password": string
"token": string
"caFile": string
"caPath": string
"certFile": string
"keyFile": string
"insecureSkipVerify": .google.protobuf.BoolValue
"waitTime": .google.protobuf.Duration
"serviceDiscovery": .gloo.solo.io.Settings.ConsulConfiguration.ServiceDiscoveryOptions
"httpAddress": string
"dnsAddress": string
"dnsPollingInterval": .google.protobuf.Duration

Field Type Description
address string Deprecated: prefer http_address. The address of the Consul HTTP server. Used by service discovery and key-value storage (if-enabled). Defaults to the value of the standard CONSUL_HTTP_ADDR env if set, otherwise to 127.0.0.1:8500.
datacenter string Datacenter to use. If not provided, the default agent datacenter is used.
username string Username to use for HTTP Basic Authentication.
password string Password to use for HTTP Basic Authentication.
token string Token is used to provide a per-request ACL token which overrides the agent’s default token.
caFile string caFile is the optional path to the CA certificate used for Consul communication, defaults to the system bundle if not specified.
caPath string caPath is the optional path to a directory of CA certificates to use for Consul communication, defaults to the system bundle if not specified.
certFile string CertFile is the optional path to the certificate for Consul communication. If this is set then you need to also set KeyFile.
keyFile string KeyFile is the optional path to the private key for Consul communication. If this is set then you need to also set CertFile.
insecureSkipVerify .google.protobuf.BoolValue InsecureSkipVerify if set to true will disable TLS host verification.
waitTime .google.protobuf.Duration WaitTime limits how long watches for Consul resources will block. If not provided, the agent default values will be used.
serviceDiscovery .gloo.solo.io.Settings.ConsulConfiguration.ServiceDiscoveryOptions Enable Service Discovery via Consul with this field set to empty struct {} to enable with defaults.
httpAddress string The address of the Consul HTTP server. Used by service discovery and key-value storage (if-enabled). Defaults to the value of the standard CONSUL_HTTP_ADDR env if set, otherwise to 127.0.0.1:8500.
dnsAddress string The address of the DNS server used to resolve hostnames in the Consul service address. Used by service discovery (required when Consul service instances are stored as DNS names). Defaults to 127.0.0.1:8600 (the default Consul DNS server).
dnsPollingInterval .google.protobuf.Duration The polling interval for the DNS server. If there is a Consul service address with a hostname instead of an IP, Gloo will resolve the hostname with the configured frequency to update endpoints with any changes to DNS resolution. Defaults to 5s.

ServiceDiscoveryOptions

service discovery options for Consul

"dataCenters": []string

Field Type Description
dataCenters []string Use this parameter to restrict the data centers that will be considered when discovering and routing to services. If not provided, Gloo will use all available data centers.

ConsulUpstreamDiscoveryConfiguration

Settings related to gloo’s behavior when discovering consul services and creating upstreams to connect to those services and their instances.

"useTlsTagging": bool
"tlsTagName": string
"rootCa": .core.solo.io.ResourceRef
"splitTlsServices": bool
"consistencyMode": .consul.options.gloo.solo.io.ConsulConsistencyModes
"queryOptions": .consul.options.gloo.solo.io.QueryOptions
"serviceTagsAllowlist": []string
"edsBlockingQueries": .google.protobuf.BoolValue

Field Type Description
useTlsTagging bool If true, then gloo will add TLS to upstreams created for any consul service that has the tag specified by tlsTagName. If splitTlsServices is true, then this tag is also used to identify serviceInstances that should be tied to the TLS upstream. Requires rootCa to be set if true.
tlsTagName string The tag that gloo should use to make TLS upstreams from consul services, and to partition consul serviceInstances between TLS/non-TLS upstreams. Defaults to ‘glooUseTls’.
rootCa .core.solo.io.ResourceRef The reference for the root CA resource to be used by discovered consul TLS upstreams.
splitTlsServices bool If true, then create two upstreams when the tlsTagName is found on a consul service, one with tls and one without. This requires a consul service’s serviceInstances be individually tagged; servicesInstances with the tlsTagName tag are directed to the TLS upstream, while those without the tlsTagName tag are sorted into the non-TLS upstream.
consistencyMode .consul.options.gloo.solo.io.ConsulConsistencyModes Sets the consistency mode. The default is DefaultMode. Note: Gloo handles staleness well (as it runs update loops ~ once/second) but makes many requests to get consul endpoints so users may want to opt into stale reads once the implications are understood.
queryOptions .consul.options.gloo.solo.io.QueryOptions QueryOptions are the query options to use for all Consul queries.
serviceTagsAllowlist []string All Services with tags in the allowlisted values will have endpoints and upstreams discovered. Default is all services - if values specified this will limit discovery to only services with specified tags.
edsBlockingQueries .google.protobuf.BoolValue Enables blocking queries for Gloo’s requests to the Consul Catalog API for each service (/catalog/service/:servicename) to get endpoints for EDS. For more on blocking queries, see https://www.consul.io/api-docs/features/blocking Enabling this feature will likely result in fewer network calls to Consul, but may also result in fewer local consul agent cache hits for Gloo’s requests to the Consul Catalog API. (see query_options above to configure caching; caching is enabled by default). Defaults to false.
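ConsulConfiguration covers the control plane's own connection to Consul, while ConsulUpstreamDiscoveryConfiguration covers how discovered services are turned into Upstreams and whether Envoy talks TLS to them. The following is an added example, not configuration from the Gloo project, that sets both: mutual TLS to the Consul HTTP API with the ACL token kept out of the Settings resource, and TLS tagging with a rootCa so that instances carrying the tag get a TLS upstream. The Consul address, certificate paths, datacenter, the rootCa resource name and the gloo-routable tag are assumptions.

```yaml
# Added example (not from the Gloo project). Address, paths, datacenter,
# the rootCa resource name and the gloo-routable tag are assumptions.
apiVersion: gloo.solo.io/v1
kind: Settings
metadata:
  name: default
  namespace: gloo-system
spec:
  discoveryNamespace: gloo-system
  kubernetesConfigSource: {}
  kubernetesSecretSource: {}
  kubernetesArtifactSource: {}
  consul:
    httpAddress: https://consul.example.internal:8501   # https scheme: TLS to the Consul HTTP API (address is deprecated)
    datacenter: dc1
    caFile: /etc/gloo/consul/ca.pem
    certFile: /etc/gloo/consul/client.pem      # certFile and keyFile must be set together
    keyFile: /etc/gloo/consul/client-key.pem
    insecureSkipVerify: false                  # keep host verification on
    # No `token` field: the Consul client also honours its standard environment
    # variables on the gloo container, so the ACL token can be supplied as
    # CONSUL_HTTP_TOKEN from a Kubernetes Secret instead of being readable in Settings.
    waitTime: 30s
    serviceDiscovery:
      dataCenters:
      - dc1                                    # do not discover or route to other datacenters
  consulDiscovery:
    useTlsTagging: true                        # requires rootCa
    tlsTagName: glooUseTls                     # the default tag name, shown explicitly
    rootCa:
      name: consul-upstream-ca                 # resource holding the CA that signed the services' certificates (assumed name)
      namespace: gloo-system
    splitTlsServices: true                     # tagged instances -> TLS upstream, untagged -> plaintext upstream
    serviceTagsAllowlist:
    - gloo-routable                            # only services carrying this tag are discovered at all
    consistencyMode: DefaultMode
    edsBlockingQueries: true                   # fewer catalog calls per service; see query_options for caching
```

With splitTlsServices left false, a single upstream is created per tagged service and every instance is treated as TLS, so a plaintext-only instance behind the same service name would fail the handshake rather than be reached over a downgraded connection.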

KubernetesConfiguration

Provides overrides for the default configuration parameters used to interact with Kubernetes.

"rateLimits": .gloo.solo.io.Settings.KubernetesConfiguration.RateLimits

Field Type Description
rateLimits .gloo.solo.io.Settings.KubernetesConfiguration.RateLimits Rate limits for the kubernetes clients.

RateLimits

"qPS": float
"burst": int

Field Type Description
qPS float The maximum queries-per-second Gloo can make to the Kubernetes API Server. Defaults to 50.
burst int Maximum burst for throttling. On top of the steady-state qPS requests per second, this is the additional number of requests allowed, to accommodate short bursts. Defaults to 100.

ObservabilityOptions

"grafanaIntegration": .gloo.solo.io.Settings.ObservabilityOptions.GrafanaIntegration
"configStatusMetricLabels": map<string, .gloo.solo.io.Settings.ObservabilityOptions.MetricLabels>

Field Type Description
grafanaIntegration .gloo.solo.io.Settings.ObservabilityOptions.GrafanaIntegration Options to configure the observability deployment's integration with Grafana.
configStatusMetricLabels map<string, .gloo.solo.io.Settings.ObservabilityOptions.MetricLabels> Enable metrics that track the configuration status of various resource types. Each (key, value) pair in the map defines a metric for a particular resource type. Configuration status metrics are not recorded by default; metrics are recorded only for the resources specified in this map. Keys specify the resource type (GroupVersionKind) to track for status changes (e.g. “VirtualService.v1.gateway.solo.io”). Values specify the labels to set on the metric.

GrafanaIntegration

Provides settings related to the observability pod’s interactions with grafana

"defaultDashboardFolderId": .google.protobuf.UInt32Value
"dashboardPrefix": string
"extraMetricQueryParameters": string

Field Type Description
defaultDashboardFolderId .google.protobuf.UInt32Value Grafana allows dashboards to be added to specific folders by specifying that folder's ID. If unset, automatic upstream dashboards are generated in the general folder (folderId: 0). If set, the observability deployment will try to create/move all upstream dashboards without their own folderId to the folder specified here, after verifying that a folder with such an ID exists. Be aware that Grafana requires the folder's ID, which should not be confused with the similarly-named and more easily accessible folder UID. If individual upstream dashboards need to be placed in specific Grafana folders, they can be given their own folder IDs by annotating the upstreams. The annotation key must be ‘observability.solo.io/dashboard_folder_id’ and the value must be the folder ID. Folder IDs can be retrieved from Grafana with a pair of terminal commands:
1. Port-forward the Grafana deployment to surface its API: kubectl -n gloo-system port-forward deployment/glooe-grafana 3000
2. Request all folder data (after admin:admin is replaced with the correct credentials): curl http://admin:admin@localhost:3000/api/folders
dashboardPrefix string The prefix of the UIDs and Titles for all dashboards created on grafana. This is restricted to 20 characters.
extraMetricQueryParameters string Extra parameters when querying metrics from Grafana dashboards. This string will be appended to every query for metrics in the definition of all gloo managed dashboards. It can consist of multiple query parameters separated by a comma. For example cluster="some-cluster",gateway_proxy_id="proxy-2".

MetricLabels

"labelToPath": map<string, string>

Field Type Description
labelToPath map<string, string> Each (key, value) pair in the map defines a label to be applied. Keys specify the name of the label (e.g. "namespace"). Values specify the jsonpath (https://kubernetes.io/docs/reference/kubectl/jsonpath/) string corresponding to the field of a resource to use as the label value (e.g. "{.metadata.namespace}"). For example, if labelToPath = {name: '{.metadata.name}', namespace: '{.metadata.namespace}'} for Upstream.v1.gateway.solo.io, the following metric would be produced: validation_gateway_solo_io_upstream_config_status{name="default-petstore-8080",namespace="gloo-system"} 0.
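The prose for configStatusMetricLabels and labelToPath describes a map of GroupVersionKind to a map of label name to jsonpath, which is easier to get right when seen in its nested form. The following is an added example, not configuration from the Gloo project, that records config-status metrics for two resource kinds; the GroupVersionKind keys are the gateway.solo.io v1 kinds named on this page, and the label names are assumptions.

```yaml
# Added example (not from the Gloo project). Label names are assumptions;
# the jsonpath values point at standard Kubernetes metadata fields.
apiVersion: gloo.solo.io/v1
kind: Settings
metadata:
  name: default
  namespace: gloo-system
spec:
  observabilityOptions:
    configStatusMetricLabels:
      # Outer key: the GroupVersionKind to track (Kind.version.group).
      VirtualService.v1.gateway.solo.io:
        labelToPath:
          # Inner keys: label names on the emitted metric; values: jsonpath into the resource.
          name: '{.metadata.name}'
          namespace: '{.metadata.namespace}'
      Gateway.v1.gateway.solo.io:
        labelToPath:
          name: '{.metadata.name}'
          namespace: '{.metadata.namespace}'
```

Nothing is recorded for kinds absent from the map, so each kind whose rejected configuration should be alertable needs its own entry; keep the label set small, since every distinct (name, namespace) pair becomes a separate time series.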

LabelSelector

A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. Copied from Kubernetes to avoid an expensive dependency on Kubernetes libraries. Ref: https://github.com/kubernetes/apimachinery/blob/f7615f37d717297aca51101478406af712553c5b/pkg/apis/meta/v1/generated.proto#L442-L453

"matchLabels": map<string, string>
"matchExpressions": []gloo.solo.io.LabelSelectorRequirement

Field Type Description
matchLabels map<string, string> matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. Optional.
matchExpressions []gloo.solo.io.LabelSelectorRequirement matchExpressions is a list of label selector requirements. The requirements are ANDed. Optional.

LabelSelectorRequirement

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. Copied from Kubernetes to avoid an expensive dependency on Kubernetes libraries. Ref: https://github.com/kubernetes/apimachinery/blob/f7615f37d717297aca51101478406af712553c5b/pkg/apis/meta/v1/generated.proto#L455-L472

"key": string
"operator": string
"values": []string

Field Type Description
key string key is the label key that the selector applies to.
operator string operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. Optional.

UpstreamOptions

Default configuration to use for upstreams when not provided by a specific upstream. When these properties are defined on a specific upstream, this configuration will be ignored.

"sslParameters": .gloo.solo.io.SslParameters
"globalAnnotations": map<string, string>

Field Type Description
sslParameters .gloo.solo.io.SslParameters Default ssl parameter configuration to use for upstreams.
globalAnnotations map<string, string> Annotations to apply to all upstreams.

GlooOptions

Settings specific to the gloo (Envoy xDS server) controller

"xdsBindAddr": string
"validationBindAddr": string
"circuitBreakers": .gloo.solo.io.CircuitBreakerConfig
"endpointsWarmingTimeout": .google.protobuf.Duration
"awsOptions": .gloo.solo.io.GlooOptions.AWSOptions
"invalidConfigPolicy": .gloo.solo.io.GlooOptions.InvalidConfigPolicy
"disableKubernetesDestinations": bool
"disableGrpcWeb": .google.protobuf.BoolValue
"disableProxyGarbageCollection": .google.protobuf.BoolValue
"regexMaxProgramSize": .google.protobuf.UInt32Value
"restXdsBindAddr": string
"enableRestEds": .google.protobuf.BoolValue
"failoverUpstreamDnsPollingInterval": .google.protobuf.Duration
"removeUnusedFilters": .google.protobuf.BoolValue
"proxyDebugBindAddr": string
"logTransformationRequestResponseInfo": .google.protobuf.BoolValue
"transformationEscapeCharacters": .google.protobuf.BoolValue
"istioOptions": .gloo.solo.io.GlooOptions.IstioOptions

Field Type Description
xdsBindAddr string Where the gloo xDS server should bind. Defaults to 0.0.0.0:9977.
validationBindAddr string Where the gloo validation server should bind. Defaults to 0.0.0.0:9988.
circuitBreakers .gloo.solo.io.CircuitBreakerConfig Default circuit breaker configuration to use for upstream requests, when not provided by a specific upstream.
endpointsWarmingTimeout .google.protobuf.Duration Timeout to get the initial snapshot of resources. If set to zero, Gloo will not wait for the initial snapshot; if nonzero and Gloo could not fetch its initial snapshot before the timeout is reached, Gloo will panic. If unset, Gloo defaults to 5 minutes.
awsOptions .gloo.solo.io.GlooOptions.AWSOptions
invalidConfigPolicy .gloo.solo.io.GlooOptions.InvalidConfigPolicy set these options to fine-tune the way Gloo handles invalid user configuration.
disableKubernetesDestinations bool Enable or disable Gloo Gateway to scan Kubernetes services in the cluster and create in-memory Upstream resources to represent them. These resources enable Gloo Gateway to route requests to a Kubernetes service. Note that if you have a large number of services in your cluster and you do not restrict the namespaces that Gloo Gateway watches, the API snapshot increases which can have a negative impact on the Gloo Gateway translation time. In addition, load balancing is done in kube-proxy which can have further performance impacts. Using Gloo Upstreams as a routing destination bypasses kube-proxy as the request is routed to the pod directly. Alternatively, you can use Kubernetes Upstream resources as a routing destination to forward requests to the pod directly. For more information, see the docs.
disableGrpcWeb .google.protobuf.BoolValue Default policy for grpc-web. Set to true if you do not wish grpc-web to be automatically enabled. Set to false if you wish grpc-web enabled unless disabled on the listener level. If not specified, defaults to false.
disableProxyGarbageCollection .google.protobuf.BoolValue Set this option to determine the state of the envoy configuration when a virtual service is deleted, resulting in a proxy with no configured routes. Set to true if you wish to keep envoy serving the routes from the latest valid configuration. Set to false if you wish to reset the envoy configuration to a clean slate with no routes. If not specified, defaults to false.
regexMaxProgramSize .google.protobuf.UInt32Value Set this option to specify the default max program size for regexes. If not specified, defaults to 100.
restXdsBindAddr string Where the gloo REST xDS server should bind. Defaults to 0.0.0.0:9976.
enableRestEds .google.protobuf.BoolValue Whether or not to use REST xDS for all EDS by default. REST xDS, as opposed to gRPC, uses HTTP polling rather than streaming. It is strongly recommended that this field be set to false, due to the superior performance of gRPC xDS.
failoverUpstreamDnsPollingInterval .google.protobuf.Duration The polling interval for the DNS server if upstream failover is configured. If there is a failover upstream address with a hostname instead of an IP, Gloo will resolve the hostname with the configured frequency to update endpoints with any changes to DNS resolution. Defaults to 10s.
removeUnusedFilters .google.protobuf.BoolValue By default Gloo adds a series of filters to envoy to ensure that new routes are picked up, even if the listener did not previously have a filter on the chain. When set to true, unused filters are not added to the chain by default. Defaults to false.
proxyDebugBindAddr string Where the gloo proxy debug server should bind. Defaults to gloo:9966.
logTransformationRequestResponseInfo .google.protobuf.BoolValue When enabled, log the request/response body and headers before and after any transformations are applied. May be useful in the case where many transformations are applied and it is difficult to determine which are causing issues. Defaults to false.
transformationEscapeCharacters .google.protobuf.BoolValue Set escapeCharacters for all TransformationTemplates on all vhosts and routes. This setting can be overridden in individual TransformationTemplates.
istioOptions .gloo.solo.io.GlooOptions.IstioOptions

AWSOptions

"enableCredentialsDiscovey": bool
"serviceAccountCredentials": .envoy.config.filter.http.aws_lambda.v2.AWSLambdaConfig.ServiceAccountCredentials
"propagateOriginalRouting": .google.protobuf.BoolValue
"credentialRefreshDelay": .google.protobuf.Duration
"fallbackToFirstFunction": .google.protobuf.BoolValue

Field Type Description
enableCredentialsDiscovey bool Enable credential discovery via IAM; when this is set, there's no need to provide a secret on the upstream when running in an AWS environment. Note: This should ONLY be enabled when running in an AWS environment, as the AWS code blocks the envoy main thread. This should be negligible when running inside AWS. Only one of enableCredentialsDiscovey or serviceAccountCredentials can be set.
serviceAccountCredentials .envoy.config.filter.http.aws_lambda.v2.AWSLambdaConfig.ServiceAccountCredentials Use a projected service account token and role ARN to create temporary credentials with which to authenticate lambda requests. This functionality is meant to work alongside the EKS service account to IAM binding functionality as outlined here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html. If the following environment values are not present in the gateway-proxy, this option cannot be used: 1. AWS_WEB_IDENTITY_TOKEN_FILE 2. AWS_ROLE_ARN. The role assumed by the credentials will be the one specified by AWS_ROLE_ARN; however, this can also be overwritten in the AWS Upstream spec via the role_arn field. If they are not specified, envoy will NACK the config update, which will show up in the logs when running OS Gloo. When running Gloo Enterprise it will be reflected in the prometheus stat "glooe.solo.io/xds/nack". In order to specify the AWS STS endpoint, both the cluster and uri must be set. This is due to an envoy limitation which cannot infer the host or path from the cluster, and therefore must be explicitly specified via the uri. Only one of serviceAccountCredentials or enableCredentialsDiscovey can be set.
propagateOriginalRouting .google.protobuf.BoolValue Send downstream path and method as x-envoy-original-path and x-envoy-original-method headers on the request to AWS lambda. Defaults to false.
credentialRefreshDelay .google.protobuf.Duration Sets the cadence for refreshing credentials for the Service Account. Does nothing if the Service Account is not set. Does not replace the default file watch for the service account; it only augments it. Defaults to not refreshing on a time period. Suggested is 15 minutes.
fallbackToFirstFunction .google.protobuf.BoolValue Sets the unsafe behavior where a route can specify a lambda upstream but not set the function to target. It will use the first function; if discovery is enabled, the first function is the first function name alphabetically from the last discovery run. This means that the lambda being pointed to could change. Defaults to false.

InvalidConfigPolicy

Policy for how Gloo should handle invalid config.

"replaceInvalidRoutes": bool
"invalidRouteResponseCode": int
"invalidRouteResponseBody": string

Field Type Description
replaceInvalidRoutes bool If set to true, Gloo removes any routes from the provided configuration which point to a missing destination. Routes that are removed in this way will instead return a configurable direct response to clients. When routes are replaced, Gloo will configure Envoy with a special listener which serves direct responses. Note: enabling this option allows Gloo to accept partially valid proxy configurations.
invalidRouteResponseCode int Replaced routes reply to clients with this response code. Default is 404.
invalidRouteResponseBody string Replaced routes reply to clients with this response body. Default is 'Gloo Gateway has invalid configuration. Administrators should run glooctl check to find and fix config errors.'.

IstioOptions

"appendXForwardedHost": .google.protobuf.BoolValue
"enableAutoMtls": .google.protobuf.BoolValue
"enableIntegration": .google.protobuf.BoolValue

Field Type Description
appendXForwardedHost .google.protobuf.BoolValue Set to false to disable adding the X-Forwarded-Host header in the Istio integration. Defaults to true. Warning: This value is deprecated and will be removed in a future release. Also, you cannot use this value with a Kubernetes Gateway API proxy.
enableAutoMtls .google.protobuf.BoolValue Set to true to enable automatic mTLS for all upstreams. Istio integration must be enabled for this to take effect. Defaults to false.
enableIntegration .google.protobuf.BoolValue Istio integration is enabled via global.istioIntegration.enabled on the helm chart. If enabled, an istio-proxy container and sds container are assumed to exist alongside the gateway proxy. These containers are created by enabling the istioIntegration.enabled option in the helm chart. Defaults to false.

VirtualServiceOptions

Default configuration to use for VirtualServices when a specific virtual service does not provide it. When these properties are defined on a specific VirtualService, this configuration is ignored.

"oneWayTls": .google.protobuf.BoolValue

Field Type Description
oneWayTls .google.protobuf.BoolValue Default one_way_tls value to use for all virtual services where one_way_tls config has not been specified. If the SSL config has the ca.crt (root CA) provided, Gloo uses it to perform mTLS by default. Set oneWayTls to true to disable mTLS in favor of server-only TLS (one-way TLS), even if Gloo has the root CA.

GatewayOptions

Settings specific to the Gateway controller

"validationServerAddr": string
"validation": .gloo.solo.io.GatewayOptions.ValidationOptions
"readGatewaysFromAllNamespaces": bool
"alwaysSortRouteTableRoutes": bool
"compressedProxySpec": bool
"virtualServiceOptions": .gloo.solo.io.VirtualServiceOptions
"persistProxySpec": .google.protobuf.BoolValue
"enableGatewayController": .google.protobuf.BoolValue
"isolateVirtualHostsBySslConfig": .google.protobuf.BoolValue
"translateEmptyGateways": .google.protobuf.BoolValue

Field Type Description
validationServerAddr string Address of the gloo config validation server. Defaults to gloo:9988.
validation .gloo.solo.io.GatewayOptions.ValidationOptions If provided, the Gateway will perform Dynamic Admission Control of Gateways, Virtual Services, and Route Tables when running in Kubernetes.
readGatewaysFromAllNamespaces bool When true, the Gateway controller will consume Gateway custom resources from all watch namespaces, rather than just the Gateway CRDs in its own namespace.
alwaysSortRouteTableRoutes bool Deprecated. This setting is ignored. Maintained for backwards compatibility with settings exposed on 1.2.x branch of Gloo.
compressedProxySpec bool If set, compresses the proxy spec. This can help make the Proxy CRD smaller to fit in etcd. This is an advanced option. Use with care.
virtualServiceOptions .gloo.solo.io.VirtualServiceOptions Default configuration to use for VirtualServices when a specific virtual service does not provide it. When these properties are defined on a specific VirtualService, this configuration is ignored.
persistProxySpec .google.protobuf.BoolValue Set this to persist the Proxy CRD to etcd. By default, proxies are kept in memory to improve performance. Proxies can be persisted to etcd to allow external tools and other pods to read the contents of the Proxy CRD.
enableGatewayController .google.protobuf.BoolValue This is set based on the install mode. It indicates to gloo whether or not it should run the gateway translations and validation.
isolateVirtualHostsBySslConfig .google.protobuf.BoolValue If set, group virtual hosts by matching ssl config, and isolate them on separate filter chains. The default behavior is to aggregate all virtual hosts, and expose them on identical filter chains, each with a FilterChainMatch that corresponds to the ssl config. Individual Gateways can override this behavior by configuring the "gateway.solo.io/isolate_vhost" annotation to be a truthy ("true", "false") value.
translateEmptyGateways .google.protobuf.BoolValue If set, gateways will be translated into Envoy listeners even if no VirtualServices exist or match a gateway. When there are no VirtualServices that implies there are no routes to serve, so all requests will return a 404. Defaults to false. The default behavior when no VirtualServices are defined or no Gateways match a VirtualService is that the gateway is not converted into an Envoy listener.

ValidationOptions

options for configuring admission control / validation

"proxyValidationServerAddr": string
"validationWebhookTlsCert": string
"validationWebhookTlsKey": string
"ignoreGlooValidationFailure": bool
"alwaysAccept": .google.protobuf.BoolValue
"allowWarnings": .google.protobuf.BoolValue
"warnRouteShortCircuiting": .google.protobuf.BoolValue
"disableTransformationValidation": .google.protobuf.BoolValue
"validationServerGrpcMaxSizeBytes": .google.protobuf.Int32Value
"serverEnabled": .google.protobuf.BoolValue
"warnMissingTlsSecret": .google.protobuf.BoolValue

Field Type Description
proxyValidationServerAddr string Address of the gloo proxy validation grpc server. Defaults to gloo:9988. This field is required in order to enable fine-grained admission control.
validationWebhookTlsCert string Path to TLS Certificate for Kubernetes Validating webhook. Defaults to /etc/gateway/validation-certs/tls.crt.
validationWebhookTlsKey string Path to TLS Private Key for Kubernetes Validating webhook. Defaults to /etc/gateway/validation-certs/tls.key.
ignoreGlooValidationFailure bool Deprecated: the Gateway and the Gloo pods are now merged together, so there are no longer requests made to a Gloo Validation server. When Gateway cannot communicate with Gloo (e.g. Gloo is offline), resources will be rejected by default. Enable ignoreGlooValidationFailure to prevent the Validation server from rejecting resources due to network errors.
alwaysAccept .google.protobuf.BoolValue Always accept resources even if validation produced an error. Validation will still log the error and increment the validation.gateway.solo.io/resources_rejected stat. Currently defaults to true - must be set to false to prevent writing invalid resources to storage.
allowWarnings .google.protobuf.BoolValue Accept resources if validation produced a warning (defaults to true). By setting to false, this means that validation will start rejecting resources that would result in warnings, rather than just those that would result in errors. Note that this setting has no impact on Kubernetes Gateway API validation, as warnings will always be allowed in that context.
warnRouteShortCircuiting .google.protobuf.BoolValue Deprecated: See server_enabled and consider configuring it to false instead. Write a warning to route resources if validation produced a route ordering warning (defaults to false). By setting to true, Gloo will start assigning warnings to resources that would result in route short-circuiting within a virtual host, for example: prefix routes that make later routes unreachable, regex routes that make later routes unreachable, or duplicate matchers.
disableTransformationValidation .google.protobuf.BoolValue By default gloo will attempt to validate transformations by calling out to a local envoy binary in validate mode. Calling this local envoy binary can become slow when done many times during a single validation. Setting this to true will stop gloo from calling out to envoy to validate the transformations, which may speed up the validation time considerably, but may also cause the transformation config to fail after being sent to envoy. When disabling this, ensure that your transformations are valid prior to applying them.
validationServerGrpcMaxSizeBytes .google.protobuf.Int32Value By default, gRPC validation messages between gateway and gloo pods have a max message size of 100 MB. Setting this value sets the gRPC max message size in bytes for the gloo validation server. This should only be changed if necessary. If not included, the gRPC max message size will be the default of 100 MB.
serverEnabled .google.protobuf.BoolValue By providing the validation field (parent of this object) the user is implicitly opting into validation. This field allows the user to opt out of the validation server, while still configuring pre-existing fields such as warn_route_short_circuiting and disable_transformation_validation. If not included, the validation server will be enabled.
warnMissingTlsSecret .google.protobuf.BoolValue Allows configuring validation to report a missing TLS secret referenced by a SslConfig or UpstreamSslConfig as a warning instead of an error. This will allow for eventually consistent workloads, but will also permit the accidental deletion of secrets being referenced, which would cause disruption in traffic.
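Several fields documented above have defaults that decide whether invalid or risky configuration reaches storage and the proxies: alwaysAccept defaults to true (invalid resources are written), allowWarnings defaults to true (warnings pass), warnMissingTlsSecret and disableTransformationValidation relax checks when enabled, serverEnabled turns the validation server off, InvalidConfigPolicy.replaceInvalidRoutes accepts partially valid proxy configs, and AWSOptions.fallbackToFirstFunction is described as unsafe. The Go program below is an added example (not Gloo's own code, and not a replacement for glooctl check) that reads a Settings resource in its JSON form, resolves each BoolValue against the default stated on this page, and reports the combinations that weaken admission control. The Settings document embedded in it is constructed for the example; only the standard library is used.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the Settings spec read by the audit. JSON names are the ones documented
// on this page. *bool stands in for google.protobuf.BoolValue: nil means "not
// specified", so the documented default applies; plain bool fields have no
// unset state, which is why replaceInvalidRoutes is a bool.
type settings struct {
	Spec struct {
		Gloo struct {
			InvalidConfigPolicy *struct {
				ReplaceInvalidRoutes bool `json:"replaceInvalidRoutes"`
			} `json:"invalidConfigPolicy"`
			AwsOptions *struct {
				FallbackToFirstFunction *bool `json:"fallbackToFirstFunction"`
			} `json:"awsOptions"`
		} `json:"gloo"`
		Gateway struct {
			Validation *struct {
				AlwaysAccept                    *bool `json:"alwaysAccept"`
				AllowWarnings                   *bool `json:"allowWarnings"`
				WarnMissingTlsSecret            *bool `json:"warnMissingTlsSecret"`
				DisableTransformationValidation *bool `json:"disableTransformationValidation"`
				ServerEnabled                   *bool `json:"serverEnabled"`
			} `json:"validation"`
		} `json:"gateway"`
	} `json:"spec"`
}

// orDefault resolves a BoolValue against its documented default.
func orDefault(v *bool, def bool) bool {
	if v == nil {
		return def
	}
	return *v
}

// AuditSettings returns one finding per setting, or combination of settings, that
// lets invalid or unchecked configuration through. An empty slice means none found.
func AuditSettings(raw []byte) ([]string, error) {
	var s settings
	if err := json.Unmarshal(raw, &s); err != nil {
		return nil, fmt.Errorf("parse settings: %w", err)
	}
	findings := []string{}

	if v := s.Spec.Gateway.Validation; v == nil {
		// Providing the validation field is what opts into admission control.
		findings = append(findings, "gateway.validation: not set; admission control of Gateways, VirtualServices and RouteTables is not configured")
	} else {
		if !orDefault(v.ServerEnabled, true) {
			findings = append(findings, "gateway.validation.serverEnabled=false: validation server disabled")
		}
		if orDefault(v.AlwaysAccept, true) {
			findings = append(findings, "gateway.validation.alwaysAccept resolves to true: invalid resources are still written to storage; set it to false")
		}
		if orDefault(v.AllowWarnings, true) && orDefault(v.WarnMissingTlsSecret, false) {
			findings = append(findings, "gateway.validation: warnMissingTlsSecret=true together with allowWarnings=true: deleting a referenced TLS secret is not rejected")
		}
		if orDefault(v.DisableTransformationValidation, false) {
			findings = append(findings, "gateway.validation.disableTransformationValidation=true: transformations are not checked against envoy before being applied")
		}
	}
	if p := s.Spec.Gloo.InvalidConfigPolicy; p != nil && p.ReplaceInvalidRoutes {
		findings = append(findings, "gloo.invalidConfigPolicy.replaceInvalidRoutes=true: partially valid proxy configurations are accepted; replaced routes answer with a direct response")
	}
	if a := s.Spec.Gloo.AwsOptions; a != nil && orDefault(a.FallbackToFirstFunction, false) {
		findings = append(findings, "gloo.awsOptions.fallbackToFirstFunction=true: routes without a function target invoke whichever lambda sorts first, which can change between discovery runs")
	}
	return findings, nil
}

// Constructed sample Settings resource (the shape Kubernetes stores; JSON rather
// than YAML so the example needs only the standard library).
const sampleSettings = `{
  "apiVersion": "gloo.solo.io/v1",
  "kind": "Settings",
  "metadata": {"name": "default", "namespace": "gloo-system"},
  "spec": {
    "gloo": {
      "invalidConfigPolicy": {"replaceInvalidRoutes": true, "invalidRouteResponseCode": 404},
      "awsOptions": {"fallbackToFirstFunction": true}
    },
    "gateway": {
      "validation": {
        "proxyValidationServerAddr": "gloo:9988",
        "allowWarnings": true,
        "warnMissingTlsSecret": true
      }
    }
  }
}`

func main() {
	findings, err := AuditSettings([]byte(sampleSettings))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Println("-", f)
	}
}
```

The sample deliberately leaves alwaysAccept unset: the audit still reports it, because an unset BoolValue resolves to the default of true, and that is the case an eyeball review of the YAML most easily misses. Run against a real cluster, the input would be the output of kubectl get settings -o json.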

ConsoleOptions

Settings used by the Enterprise Console (UI)

"readOnly": .google.protobuf.BoolValue
"apiExplorerEnabled": .google.protobuf.BoolValue

Field Type Description
readOnly .google.protobuf.BoolValue If true, then custom resources can only be viewed in read-only mode in the UI. If false, then resources can be created, updated, and deleted via the UI. Currently, create/update/delete operations are only supported for GraphQL resources. This feature requires a Gloo Gateway Enterprise license with GraphQL enabled. Defaults to true.
apiExplorerEnabled .google.protobuf.BoolValue Whether to enable the GraphQL API Explorer. This feature requires a Gloo Gateway Enterprise license with GraphQL enabled. Defaults to true.

GraphqlOptions

GraphQL settings used by the control plane and UI.

"schemaChangeValidationOptions": .gloo.solo.io.GraphqlOptions.SchemaChangeValidationOptions

Field Type Description
schemaChangeValidationOptions .gloo.solo.io.GraphqlOptions.SchemaChangeValidationOptions Options for how to validate changes to schema definitions.

SchemaChangeValidationOptions

"rejectBreakingChanges": .google.protobuf.BoolValue
"processingRules": []gloo.solo.io.GraphqlOptions.SchemaChangeValidationOptions.ProcessingRule

Field Type Description
rejectBreakingChanges .google.protobuf.BoolValue Schema definition updates can be considered safe, dangerous, or breaking. If this field is set to true, then breaking schema updates will be rejected. Defaults to false.
processingRules []gloo.solo.io.GraphqlOptions.SchemaChangeValidationOptions.ProcessingRule We use GraphQL Inspector to detect breaking changes to GraphQL schemas. This field allows for passing processing rules to GraphQL Inspector to customize how various change types are handled.

ProcessingRule

Name Description
RULE_UNSPECIFIED
RULE_DANGEROUS_TO_BREAKING Turn every dangerous change into a breaking change.
RULE_DEPRECATED_FIELD_REMOVAL_DANGEROUS Treat the removal of a deprecated field as a dangerous change, instead of a breaking change.
RULE_IGNORE_DESCRIPTION_CHANGES Ignore description changes.
RULE_IGNORE_UNREACHABLE Ignore breaking changes on parts of the schema that are not reachable starting from the root types.