Proto: virtual_gateway.proto

Package: networking.gloo.solo.io

ListenerRouteTable

ListenerRouteTable represents an association between a RouteTable and a particular VirtualGateway listener.

FieldDescription
listenerIdx(uint32)

The index of the listener in the list of listeners on the virtual gateway
routeTableRef(common.gloo.solo.io.ObjectReference)

A reference to a route table

TLSConfig

TLSConfig contains the options necessary to configure a listener to use TLS

FieldDescription
secretName(string)

SecretName is the name of the kubernetes secret which contains the ssl secret. Each Gateway will look for a secret with this name on its own local cluster in its own namespace.
files(TLSConfig.Files)

Files reference paths to certificates which can be read by the proxy off of its local filesystem
verifySubjectAltName(repeated string)

Verify that the Subject Alternative Name in the peer certificate is one of the specified values. note that a ca_certs must be provided if this option is used.
parameters(TLSConfig.Parameters)

mode(TLSConfig.TLSMode)

TLS modes enforced by the proxy

TLSConfig.Files

FieldDescription
serverCert(string)

Required if tlsMode is SIMPLE or MUTUAL. The path to the file that contains the server side TLS certificate.
privateKey(string)

Required if tlsMode is SIMPLE or MUTUAL. The path to the file that contains the server’s private key.
caCerts(string)

Required if tlsMode is MUTUAL. The path to the file that contains the certificate authority(CA) certificates for validating client cert.

TLSConfig.Parameters

General TLS parameters. See the envoy docs for more information on the meaning of these values.

FieldDescription
minimumProtocolVersion(TLSConfig.Parameters.ProtocolVersion)

maximumProtocolVersion(TLSConfig.Parameters.ProtocolVersion)

cipherSuites(repeated string)

VirtualGatewayReport

FieldDescription
workspaces(repeated VirtualGatewayReport.WorkspacesEntry)

allowedRouteTables(repeated common.gloo.solo.io.ObjectReference)

A list of route tables allowed to bind to this virtual gateway.
selectedWorkloads(repeated common.gloo.solo.io.ObjectReference)

A list of workloads selected by this virtual gateway.
exposedExternalServices(repeated common.gloo.solo.io.ObjectReference)

list of external services exposed by this virtual gateway.
listenerRouteTables(repeated ListenerRouteTable)

A list of listener/RouteTable combinations showing which route tables are attached to which listeners.

VirtualGatewayReport.WorkspacesEntry

FieldDescription
key(string)

value(common.gloo.solo.io.Report)

VirtualGatewaySpec

VirtualGateway represents a logical gateway configuration served by Gateway workloads within the same workspace. The specification describes a set of ports that the virtual gateway listens for incoming or outgoing HTTP/TCP connections, the type of protocol to use, SNI configuration etc.

For example, the following VirtualGateway resource configures the gateway to listen for incoming HTTP requests on port 80, and delegate the route configuration of the ‘*.bookinfo.com’ hostname to be provided by the bookinfo workspace. The VirtualGateway is applied to a specific set of gateway pods/VMs with the app:my-gateway-controller label within the same workspace as the VirtualGateway resource.

  apiVersion: networking.gloo.solo.io/v2
kind: VirtualGateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
  labels:
    workspace.solo.io/exported: 'true'
spec:
  workloads:
    - selector:
        labels:
          app: my-gateway-controller
  listeners:
    - port:
        number: 80
      allowedRouteTables:
        - host: '*.bookinfo.com'
          selector:
            workspace: bookinfo
  

For example, the following VirtualGateway resource configures the gateway to listen for incoming HTTP requests on port 80, delegate any *.foo.com request to the HTTPRouteTable resource(s) provided by the foo-ws workspace. Further, on the same port 80, it also delegates any *.bar.com request to the route configurations provided by the bar-ws workspace.

  apiVersion: networking.gloo.solo.io/v2
kind: VirtualGateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
  labels:
    workspace.solo.io/exported: 'true'
spec:
  workloads:
    - selector:
        labels:
          app: my-gateway-controller
  listeners:
    - port:
        number: 80
      allowedRouteTables:
        - host: '*.foo.com'
          selector:
            workspace: foo-ws
        - host: '*.bar.com'
          selector:
            workspace: bar-ws
  

For example, the following VirtualGateway resource configures the gateway to act as a load balancer listening on port 80 and 9080 (http), 443 (https), and 9443(https) for ingress. The VirtualGateway resource is applied to a specific set of gateway pods/VMs with the app: my-gateway-controller label within the same workspace. The route table(s) associated with each port 80, 9443 and 443 must be provided by the foo-ws workspace, with hosts that match *.foo.com. The route table(s) for port 9080 must be provided by the bar-ws workspace with hosts that match *.bar.com.

  apiVersion: networking.gloo.solo.io/v2
kind: VirtualGateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
  labels:
    workspace.solo.io/exported: 'true'
spec:
  workloads:
    - selector:
        labels:
          app: my-gateway-controller
  listeners:
    - port:
        number: 80
      httpsRedirect: true
      allowedRouteTables:
        - host: '*.foo.com'
          selector:
            workspace: foo-ws
    - port:
        number: 443
      tls:
        mode: SIMPLE
        files:
          privateKey: /etc/certs/privatekey.pem
          serverCert: /etc/certs/servercert.pem
      allowedRouteTables:
        - host: '*.foo.com'
          selector:
            workspace: foo-ws
    - port:
        number: 9443
      tls:
        mode: SIMPLE
        secretName: my-secret
      allowedRouteTables:
        - host: '*.foo.com'
          selector:
            workspace: foo-ws
    - port:
        number: 9080
      allowedRouteTables:
        - host: '*.bar.com'
          selector:
            workspace: foo-ws
  

For example, the following VirtualGateway resource configures the gateway to listen for incoming HTTP requests on port 80, delegate any *.foo.com request to the HTTPRouteTable resource(s) provided by the foo-ws workspace. This routeTable is restricted to using CloudProvider functionality which routes to cloud functions backend-function-* in region us-east-2 and which assume the dev-team-B-* IAM role.

  apiVersion: networking.gloo.solo.io/v2
kind: VirtualGateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
  labels:
    workspace.solo.io/exported: 'true'
spec:
  workloads:
    - selector:
        labels:
          app: my-gateway-controller
  listeners:
    - port:
        number: 80
      allowedRouteTables:
        - host: '*.foo.com'
          selector:
            workspace: foo-ws
  
FieldDescription
workloads(repeated common.gloo.solo.io.WorkloadSelector)

Optional: Select which gateway workloads implement this virtual gateway in the same workspace. A gateway workload will be selected if it matches any of the provided selectors. For ‘selector.name’, specify the gateway service’s name. For ‘selector.labels’, specify the gateway service’s ‘spec.selector’ label. If workloads is nil, it will be applied to all gateway workloads.
listeners(repeated VirtualGatewaySpec.Listener)

Required: One or more listeners for the virtual gateway. Each listener specifies a port and virtual host(s) for traffic received on those ports.

VirtualGatewaySpec.Listener

FieldDescription
port(common.gloo.solo.io.PortSelector)

Required: The port on the gateway workload’s service on which the gateway will listen for connections to route.
tls(TLSConfig)

TLS configure for a virtual host or listener to use TLS
httpsRedirect(bool)

If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS.
http(VirtualGatewaySpec.Listener.HTTPServer)

Serves http requests on the hosts specified for a given listener. The listener will route traffic based on the HTTPRouteTable resource(s) that is attached to the virtual gateway.
tcp(VirtualGatewaySpec.Listener.TCPServer)

The TCP listener configuration. If you want to use TCP routes that route via SNI server name, a TLS configuration is required.
allowedRouteTables(repeated VirtualGatewaySpec.Listener.RouteTableFilter)

Optional: Filter RouteTables which can bind to this listener by the host names and object metadata. Wildcard matching for host name is supported here. If omitted, any route table will be allowed to bind to this VirtualGateway.
exposedExternalServices(repeated VirtualGatewaySpec.Listener.ExternalServiceFilter)

Optional: List of ExternalServices exposed by this VirtualGateway. If empty, any ExternalService will be exposed by this VirtualGateway. Specifically used for configuring egress traffic.
appProtocol(string)

Optional: Apply an application protocol to use when deciding what additional capabilities to add to the gateway, such as routing and rich metrics. If no protocol is selected, it will be inferred from the listener type and its TLS settings. With an http listener, the app_protocol will default to HTTP if there are no TLS settings and HTTPS if there are. With a tcp listener, the app_protocol will default to TCP or TLS depending on the presence of TLS settings.

VirtualGatewaySpec.Listener.ExternalServiceFilter

Filter ExternalServices which can attach to a VGW by host name.

FieldDescription
host(string)

Required: host name to select. Can use * to match host name patterns in multiple objects.
selector(common.gloo.solo.io.ObjectSelector)

Optional: filter out ExternalServices which do not match the selector, if provided.

VirtualGatewaySpec.Listener.HTTPServer

HTTP server indicates HTTP routes will be served for RouteTables which select this gateway.

VirtualGatewaySpec.Listener.RouteTableFilter

Filter route tables which can attach to a VGW by host name as well as an object selector.

FieldDescription
host(string)

Required: host name to select. Can use * to match host name patterns in multiple objects.
selector(common.gloo.solo.io.ObjectSelector)

Optional: filter out route tables which do not match the selector, if provided.
allowedRoutes(repeated common.gloo.solo.io.RouteFilter)

Optional: Restrict the routes that can be applied to this VirtualGateway to a set of route filter criteria. If empty, all the routes that belong to the matching route tables are allowed to bind to this VirtualGateway.

VirtualGatewaySpec.Listener.TCPServer

VirtualGatewayStatus

FieldDescription
common(common.gloo.solo.io.Status)

The state and workspace conditions of the applied resource.
routeTablesCount(uint32)

The number of route tables allowed to bind to this virtual gateway.
selectedWorkloadsCount(uint32)

The number of workloads selected by this virtual gateway.
externalServicesCount(uint32)

The number of external services exposed by this virtual gateway.

TLSConfig.Parameters.ProtocolVersion

NameNumberDescription
TLS_AUTO0Automatically choose the optimal TLS version.
TLSv1_01TLS 1.0
TLSv1_12TLS 1.1
TLSv1_23TLS 1.2
TLSv1_34TLS 1.3

TLSConfig.TLSMode

NameNumberDescription
PASSTHROUGH0The SNI string presented by the client will be used as the match criterion in a VirtualService TLS route to determine the destination service from the service registry.
SIMPLE1Secure connections with standard TLS semantics.
MUTUAL2Secure connections to the downstream using mutual TLS by presenting server certificates for authentication.
AUTO_PASSTHROUGH3Similar to the passthrough mode, except servers with this TLS mode do not require an associated VirtualService to map from the SNI value to service in the registry. The destination details such as the service/subset/port are encoded in the SNI value. The proxy will forward to the upstream (Envoy) cluster (a group of endpoints) specified by the SNI value. This server is typically used to provide connectivity between services in disparate L3 networks that otherwise do not have direct connectivity between their respective endpoints. Use of this mode assumes that both the source and the destination are using Istio mTLS to secure traffic. In order for this mode to be enabled, the gateway deployment must be configured with the ISTIO_META_ROUTER_MODE=sni-dnat environment variable.
ISTIO_MUTUAL4Secure connections from the downstream using mutual TLS by presenting server certificates for authentication. Compared to Mutual mode, this mode uses certificates, representing gateway workload identity, generated automatically by Istio for mTLS authentication. When this mode is used, all other fields in TLSConfig should be empty.