Proto: external_service.proto

Package: networking.gloo.solo.io

ExternalServiceReport

| Field | Description |
| --- | --- |
| workspaces (repeated ExternalServiceReport.WorkspacesEntry) | |
| appliedDestinationPolicies (repeated ExternalServiceReport.AppliedDestinationPoliciesEntry) | A map of policy GVK to policy references for all the policies that are applied on this resource. |
| selectedExternalEndpoints (repeated common.gloo.solo.io.ObjectReference) | The list of endpoints selected by this ExternalService. |
| ownerWorkspace (string) | The name of the workspace that owns the ExternalService. |
| selectedVirtualGateways (repeated common.gloo.solo.io.ObjectReference) | The list of VirtualGateways selected by this ExternalService. |

ExternalServiceReport.AppliedDestinationPoliciesEntry

| Field | Description |
| --- | --- |
| key (string) | |
| value (common.gloo.solo.io.AppliedDestinationPortPolicies) | |

ExternalServiceReport.WorkspacesEntry

| Field | Description |
| --- | --- |
| key (string) | |
| value (common.gloo.solo.io.Report) | |

ExternalServiceSpec

ExternalService defines a destination for routing that exists outside the mesh. This could, for example, be a web API or a set of virtual machines that are not running in Kubernetes. When an ExternalService is defined for a given workspace, it can be used as a Destination in Routes, as well as called directly via its specified hostname. Resolution of the IP addresses for external services can be done via DNS or provided statically using the ExternalEndpoint object.

| Field | Description |
| --- | --- |
| hosts (repeated string) | (mutually exclusive with addresses): The list of hostnames that will resolve to this service. Both FQDN and wildcard prefix domains are supported. TLS origination to ExternalServices is supported with use of the ClientsideTls property. Warning: If you do not route all egress traffic through an egress gateway, and you use a wildcard prefix domain for the host without selecting any ExternalEndpoints, the REGISTRY_ONLY outbound traffic policy can be bypassed and traffic can be sent to any external service by using a TCP passthrough listener on the sidecar proxy. |
| addresses (repeated string) | (mutually exclusive with hosts): The list of IPv4 or IPv6 addresses that will be associated with this service. Can be CIDR prefixes. These addresses must be unique among all ExternalServices within a workspace. |
| ports (repeated ExternalServiceSpec.Port) | The associated ports of the external service. |
| selector (repeated ExternalServiceSpec.SelectorEntry) | Selecting ExternalEndpoints provides the addresses to which traffic for the ExternalService’s hosts is routed. An empty selector will not select any endpoints. If no endpoints are selected, requests will be routed to the provided hosts using DNS resolution. |
| subjectAltNames (repeated string) | A list of alternate names to verify the subject identity in the certificate. If specified, the proxy will verify that the server certificate’s subject alt name matches one of the specified values. Only applicable when using TLS to communicate with the ExternalService. |

ExternalServiceSpec.Port

Port establishes a new port that will be exposed on an ExternalService.

| Field | Description |
| --- | --- |
| number (uint32) | The port number. Must be a valid, non-negative integer port number. |
| targetPort (common.gloo.solo.io.PortSelector) | (optional): The port number or name used to match the corresponding port on the ExternalService’s backing ExternalEndpoints. All of the backing ExternalEndpoints for this ExternalService must contain this port, matching by name or number. If no backing ExternalEndpoints are provided, a name selector is invalid, and requests will be routed to the provided hosts on the port number specified. If unspecified, will default to the value of the port number field above. |
| name (string) | A label for the port, e.g. “http”. |
| protocol (string) | The protocol used in communication with this destination. MUST be one of the following: HTTP, HTTPS, GRPC, HTTP2, MONGO, TCP, TLS. |
| clientsideTls (ExternalServiceSpec.Port.TlsConfig) | The TLS config for the given port. If the protocol is HTTPS or TLS, the ExternalService will be configured to use TLS automatically. If used in conjunction with targetPort, this can be used for TLS origination. For example, port: 80, targetPort: 443, with ClientsideTls will cause port 80 traffic from workloads to be forwarded to 443, resulting in HTTPS traffic over the internet with TLS originating at the sidecar proxy. |
| egressGatewayRoutes (ExternalServiceSpec.Port.EgressGatewayRoutes) | A list of egress VirtualGateways via which this ExternalService is reachable. This is required in meshes that are configured to deny all traffic that is not explicitly allowed. Requires the ExternalService to use Hosts rather than Addresses. Currently only supported for ExternalService ports with HTTP, HTTP2, and HTTPS protocols. |

ExternalServiceSpec.Port.EgressGatewayRoutes

| Field | Description |
| --- | --- |
| portMatch (uint32) | The port number to match for traffic originating from the mesh. Defaults to 80. Must be unique for each ExternalService port. Note that if this field matches any ExternalService non-egress port (spec.ports.number), requests to this port may not be routed through the egress gateway. |
| virtualGatewayRefs (repeated common.gloo.solo.io.ObjectReference) | Reference to the virtual gateways to use for egress. Multiple gateways selected in this way will have egress traffic load-balanced across them. |

ExternalServiceSpec.Port.TlsConfig

| Field | Description |
| --- | --- |
| sni (string) | SNI string to present to the server during TLS handshake. If there is a single host in the hosts list, this will be used as the SNI string. |
| mode (ExternalServiceSpec.Port.TlsConfig.TLSMode) | TLS mode passed to the corresponding DestinationRules’ TLS traffic policy. MUST be one of the following: SIMPLE, MUTUAL, ISTIO_MUTUAL, DISABLED. |
| clientCertificate (string) | REQUIRED if mode is MUTUAL. Should be empty if mode is ISTIO_MUTUAL. The file path to the client-side TLS certificate to use, which should be mounted onto the proxy of the specific workload communicating with the external service. |
| privateKey (string) | REQUIRED if mode is MUTUAL. Should be empty if mode is ISTIO_MUTUAL. The file path to the client’s private key, which should be mounted onto the proxy of the specific workload communicating with the external service. |
| caCertificates (string) | Should be empty if mode is ISTIO_MUTUAL. The file path to the file containing CA certificates used to verify server certificates, which should be mounted onto the proxy of the specific workload communicating with the external service. If omitted, the proxy will not verify the server’s certificate. |
| credentialName (string) | The path to the file containing certificate authority certificates to use in verifying a presented server certificate. Should be empty if mode is ISTIO_MUTUAL. |
| insecureSkipVerify (google.protobuf.BoolValue) | insecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. The default value of this field is false. |
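
The constraints and warnings in the ExternalServiceSpec, Port, EgressGatewayRoutes and TlsConfig field descriptions above can be checked mechanically before a resource is applied. The Python linter below is an added example, not part of the Gloo documentation or code base. The function name, the dict layout (the spec as parsed from a manifest), the sample specs and the heuristic for "uses an egress gateway" are assumptions.

```python
# Added example: lints an ExternalServiceSpec dict against the rules on this page.
EGRESS_PROTOCOLS = {"HTTP", "HTTP2", "HTTPS"}

def lint_external_service(spec):
    """Return a list of finding strings for one ExternalServiceSpec dict."""
    out = []
    hosts, addresses = spec.get("hosts") or [], spec.get("addresses") or []
    ports = spec.get("ports") or []
    numbers = {p.get("number") for p in ports}
    if hosts and addresses:
        out.append("hosts and addresses are mutually exclusive")
    # Assumption: "uses an egress gateway" is approximated by any port setting
    # egressGatewayRoutes; a non-empty selector is taken to select endpoints.
    egress = any("egressGatewayRoutes" in p for p in ports)
    if any(h.startswith("*") for h in hosts) and not spec.get("selector") and not egress:
        out.append("wildcard host, no ExternalEndpoints, no egress gateway: "
                   "REGISTRY_ONLY can be bypassed")
    for p in ports:
        where = f"port {p.get('number')}"
        tls = p.get("clientsideTls") or {}
        mode = tls.get("mode")
        if tls.get("insecureSkipVerify"):
            out.append(f"{where}: insecureSkipVerify skips CA signature and SAN checks")
        if mode == "MUTUAL" and not (tls.get("clientCertificate") and tls.get("privateKey")):
            out.append(f"{where}: MUTUAL requires clientCertificate and privateKey")
        if mode == "ISTIO_MUTUAL" and any(
                tls.get(k) for k in ("clientCertificate", "privateKey", "caCertificates")):
            out.append(f"{where}: certificate paths should be empty for ISTIO_MUTUAL")
        # This page describes credentialName as CA material too, so either field counts.
        if mode in ("SIMPLE", "MUTUAL") and not (
                tls.get("caCertificates") or tls.get("credentialName")):
            out.append(f"{where}: no CA certificates, server certificate is not verified")
        routes = p.get("egressGatewayRoutes")
        if routes is not None:
            if not hosts:
                out.append(f"{where}: egressGatewayRoutes requires hosts, not addresses")
            if p.get("protocol") not in EGRESS_PROTOCOLS:
                out.append(f"{where}: egress routes support only HTTP, HTTP2, HTTPS")
            if routes.get("portMatch", 80) in numbers:
                out.append(f"{where}: portMatch equals a spec.ports.number")
    return out

# Constructed sample specs (hostnames, paths and gateway name are placeholders).
RISKY = {"hosts": ["*.example.com"], "ports": [{
    "number": 443, "protocol": "HTTPS",
    "clientsideTls": {"mode": "MUTUAL", "insecureSkipVerify": True}}]}
HARDENED = {"hosts": ["api.example.com"], "ports": [{
    "number": 443, "protocol": "HTTPS",
    "clientsideTls": {"mode": "SIMPLE", "caCertificates": "/etc/certs/ca.pem"},
    "egressGatewayRoutes": {"portMatch": 8443, "virtualGatewayRefs": [{"name": "egress-gw"}]}}]}
```

Calling `lint_external_service(RISKY)` reports the wildcard-host bypass condition and three TLS findings, while `HARDENED` returns an empty list.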

ExternalServiceSpec.SelectorEntry

| Field | Description |
| --- | --- |
| key (string) | |
| value (string) | |

ExternalServiceStatus

The status of the resource after it is applied to your Gloo environment.

| Field | Description |
| --- | --- |
| common (common.gloo.solo.io.Status) | The state and workspace conditions of the applied resource. |
| numAppliedDestinationPolicies (repeated ExternalServiceStatus.NumAppliedDestinationPoliciesEntry) | A map of policy GVK to policy references for all policies that are applied on this resource. |
| numSelectedExternalEndpoints (uint32) | The number of external endpoints selected by this ExternalService. |
| ownedByWorkspace (string) | The name of the workspace that owns this ExternalService. |
| numSelectedVirtualGateways (uint32) | The number of VirtualGateways selected by this ExternalService. |

ExternalServiceStatus.NumAppliedDestinationPoliciesEntry

| Field | Description |
| --- | --- |
| key (string) | |
| value (uint32) | |

ExternalServiceSpec.Port.TlsConfig.TLSMode

| Name | Number | Description |
| --- | --- | --- |
| SIMPLE | 0 | |
| DISABLE | 1 | |
| MUTUAL | 2 | |
| ISTIO_MUTUAL | 3 | |