virtual_gateway.proto

Package : networking.gloo.solo.io


TLSConfig

TLSConfig contains the options necessary to configure a listener to use TLS.

secretName (string)
    Name of the Kubernetes secret that holds the TLS certificate and private key. Each gateway looks for a secret with this name on its own local cluster and in its own namespace, so the secret has to exist wherever the selected gateway workloads run.

files (networking.gloo.solo.io.TLSConfig.Files)
    Paths to certificate and key files that the proxy reads from its local filesystem.

verifySubjectAltName ([]string, repeated)
    Accept the peer certificate only if one of its Subject Alternative Names is in this list. A CA (caCerts) must be provided when this option is used; without one the peer certificate cannot be validated at all.

parameters (networking.gloo.solo.io.TLSConfig.Parameters)
    General TLS parameters: protocol version bounds and cipher suites.

mode (networking.gloo.solo.io.TLSConfig.TLSMode)
    TLS mode enforced by the proxy.

TLSConfig.Files

serverCert (string)
    Required if mode is SIMPLE or MUTUAL. Path to the file that contains the server-side TLS certificate.

privateKey (string)
    Required if mode is SIMPLE or MUTUAL. Path to the file that contains the server's private key.

caCerts (string)
    Required if mode is MUTUAL. Path to the file that contains the certificate authority (CA) certificates used to validate client certificates.

TLSConfig.Parameters

General TLS parameters. See the Envoy docs for the meaning of these values. TLS 1.0 and 1.1 are deprecated (RFC 8996); set minimumProtocolVersion to TLSv1_2 or TLSv1_3 explicitly rather than relying on TLS_AUTO.

minimumProtocolVersion (networking.gloo.solo.io.TLSConfig.Parameters.ProtocolVersion)
    Lowest TLS protocol version the listener accepts.

maximumProtocolVersion (networking.gloo.solo.io.TLSConfig.Parameters.ProtocolVersion)
    Highest TLS protocol version the listener accepts.

cipherSuites ([]string, repeated)
    Cipher suites the listener offers, in the form Envoy's TlsParameters cipher_suites accepts.

VirtualGatewaySpec

VirtualGateway represents a logical gateway configuration served by Gateway workloads within the same workspace. The specification describes the set of ports on which the virtual gateway listens for incoming or outgoing HTTP/TCP connections, the protocol to use, SNI configuration, and so on.

For example, the following VirtualGateway resource configures the gateway to listen for incoming HTTP requests on port 80 and delegates the route configuration for the '*.bookinfo.com' hostname to the bookinfo workspace. The VirtualGateway is applied to the gateway pods/VMs that carry the app: my-gateway-controller label within the same workspace as the VirtualGateway resource.

```yaml
apiVersion: networking.gloo.solo.io/v2
kind: VirtualGateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
  labels:
    workspace.solo.io/exported: 'true'
spec:
  workloads:
  - selector:
      labels:
        app: my-gateway-controller
  listeners:
  - port:
      number: 80
    allowedRouteTables:
    - host: '*.bookinfo.com'
      selector:
        workspace: bookinfo
```

The next VirtualGateway resource also listens for incoming HTTP requests on port 80. It delegates any *.foo.com request to the HTTPRouteTable resource(s) provided by the foo-ws workspace and, on the same port, delegates any *.bar.com request to the route configurations provided by the bar-ws workspace.

```yaml
apiVersion: networking.gloo.solo.io/v2
kind: VirtualGateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
  labels:
    workspace.solo.io/exported: 'true'
spec:
  workloads:
  - selector:
      labels:
        app: my-gateway-controller
  listeners:
  - port:
      number: 80
    allowedRouteTables:
    - host: '*.foo.com'
      selector:
        workspace: foo-ws
    - host: '*.bar.com'
      selector:
        workspace: bar-ws
```

The following VirtualGateway resource configures the gateway to act as a load balancer for ingress, listening on ports 80 and 9080 (HTTP) and 443 and 9443 (HTTPS). It is applied to the gateway pods/VMs with the app: my-gateway-controller label within the same workspace. The route table(s) for ports 80, 443 and 9443 must be provided by the foo-ws workspace, with hosts matching *.foo.com; the route table(s) for port 9080 must be provided by the bar-ws workspace, with hosts matching *.bar.com. Port 80 only redirects clients to HTTPS. Port 443 reads its certificate and key from files on the proxy's filesystem, while port 9443 reads them from the Kubernetes secret my-secret in the gateway's own namespace.

```yaml
apiVersion: networking.gloo.solo.io/v2
kind: VirtualGateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
  labels:
    workspace.solo.io/exported: 'true'
spec:
  workloads:
  - selector:
      labels:
        app: my-gateway-controller
  listeners:
  - port:
      number: 80
    httpsRedirect: true
    allowedRouteTables:
    - host: '*.foo.com'
      selector:
        workspace: foo-ws
  - port:
      number: 443
    tls:
      mode: SIMPLE
      files:
        privateKey: /etc/certs/privatekey.pem
        serverCert: /etc/certs/servercert.pem
    allowedRouteTables:
    - host: '*.foo.com'
      selector:
        workspace: foo-ws
  - port:
      number: 9443
    tls:
      mode: SIMPLE
      secretName: my-secret
    allowedRouteTables:
    - host: '*.foo.com'
      selector:
        workspace: foo-ws
  - port:
      number: 9080
    allowedRouteTables:
    - host: '*.bar.com'
      selector:
        workspace: bar-ws
```

workloads ([]common.gloo.solo.io.WorkloadSelector, repeated)
    Optional. Selects which gateway workloads in the same workspace implement this virtual gateway. A gateway workload is selected if it matches any of the provided selectors. If workloads is nil, the virtual gateway is applied to all gateway workloads.

listeners ([]networking.gloo.solo.io.VirtualGatewaySpec.Listener, repeated)
    Required. One or more listeners for the virtual gateway. Each listener specifies a port and the virtual host(s) for traffic received on that port.

VirtualGatewaySpec.Listener

port (common.gloo.solo.io.PortSelector)
    Required. The port on the gateway workload's service on which the gateway listens for connections to route.

tls (networking.gloo.solo.io.TLSConfig)
    TLS configuration for this listener.

httpsRedirect (bool)
    If true, the load balancer answers every plain-HTTP connection on this port with a 301 redirect asking the client to use HTTPS.

http (networking.gloo.solo.io.VirtualGatewaySpec.Listener.HTTPServer)
    Serves HTTP requests on the hosts specified for this listener. Traffic is routed according to the HTTPRouteTable resource(s) attached to the virtual gateway.

tcp (networking.gloo.solo.io.VirtualGatewaySpec.Listener.TCPServer)
    Routes TCP connections based on the TLS SNI server name. Requires tls to be configured on the listener.

allowedRouteTables ([]networking.gloo.solo.io.VirtualGatewaySpec.Listener.RouteTableFilter, repeated)
    Optional. Restricts which RouteTables may bind to this listener, by host name (wildcards supported) and object metadata. If not specified, any route table is allowed to bind to this VirtualGateway, so set a filter whenever route tables from other workspaces should not be served on this port.

appProtocol (string)
    Optional. Application protocol used to decide which additional capabilities, such as routing and rich metrics, the gateway adds. If unset it is inferred from the listener type and its TLS settings: an http listener defaults to HTTP without TLS settings and HTTPS with them; a tcp listener defaults to TCP or TLS depending on the presence of TLS settings.
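The following Python lint is an added example, not code from the Gloo Mesh project or this reference. It encodes the listener and TLSConfig rules stated above (serverCert/privateKey required for SIMPLE and MUTUAL, caCerts required for MUTUAL and for verifySubjectAltName, tcp listeners requiring tls, an absent allowedRouteTables filter letting any route table bind) together with the ISTIO_MUTUAL rule from the TLSMode table further down, and one external fact: TLS 1.0 and 1.1 are deprecated by RFC 8996. Treating a missing mode as an error, and TLS_AUTO or an absent filter as a warning, is this lint's own policy; the two manifests, the /etc/certs/ca.pem path and the SPIFFE identity are constructed for the example, and the function names are mine. It runs against manifests already loaded into dicts so that it has no dependency beyond the standard library.

```python
from dataclasses import dataclass

# TLSConfig.Parameters.ProtocolVersion names, in the order the reference lists them.
PROTOCOL_RANK = {"TLS_AUTO": 0, "TLSv1_0": 1, "TLSv1_1": 2, "TLSv1_2": 3, "TLSv1_3": 4}
DEPRECATED_VERSIONS = {"TLSv1_0", "TLSv1_1"}  # deprecated by RFC 8996 (external fact)


@dataclass(frozen=True)
class Finding:
    severity: str  # "error" (do not apply) or "warn" (review before applying)
    path: str      # dotted path into the manifest, e.g. spec.listeners[1].tls
    message: str


def lint_tls(tls: dict, path: str) -> list:
    """Check one listener's tls block against the TLSConfig rules in the reference."""
    out, mode, files = [], tls.get("mode"), tls.get("files") or {}
    params = tls.get("parameters") or {}
    if mode is None:  # lint policy (assumption): never rely on the implicit enum default
        return [Finding("error", f"{path}.mode", "set mode explicitly")]
    if mode == "ISTIO_MUTUAL":  # reference: every other TLSConfig field must be empty
        extra = sorted(k for k, v in tls.items() if k != "mode" and v)
        return [Finding("error", path, f"ISTIO_MUTUAL allows no other tls fields: {extra}")] if extra else []
    if mode in ("SIMPLE", "MUTUAL"):
        if not tls.get("secretName") and not files:
            out.append(Finding("error", path, f"{mode} needs a server certificate: set secretName or files"))
        if mode == "MUTUAL" and not files:  # the secret cannot be inspected offline, so only warn
            out.append(Finding("warn", f"{path}.secretName", "confirm the secret carries the client CA bundle"))
        # serverCert/privateKey for SIMPLE and MUTUAL; caCerts too for MUTUAL (no CA, no client validation)
        required = ("serverCert", "privateKey") + (("caCerts",) if mode == "MUTUAL" else ())
        for key in (k for k in required if files and not files.get(k)):
            out.append(Finding("error", f"{path}.files.{key}", f"required when mode is {mode}"))
    if tls.get("verifySubjectAltName"):
        if mode != "MUTUAL":  # SIMPLE never asks the client for a certificate, so no SAN is ever checked
            out.append(Finding("warn", f"{path}.verifySubjectAltName", "only enforced when mode is MUTUAL"))
        if files and not files.get("caCerts"):
            out.append(Finding("error", f"{path}.verifySubjectAltName", "requires caCerts to be provided"))
    vmin, vmax = params.get("minimumProtocolVersion"), params.get("maximumProtocolVersion")
    for name, value in (("minimumProtocolVersion", vmin), ("maximumProtocolVersion", vmax)):
        if value is not None and value not in PROTOCOL_RANK:
            out.append(Finding("error", f"{path}.parameters.{name}", f"unknown ProtocolVersion {value!r}"))
        elif value in DEPRECATED_VERSIONS:  # deprecated floor: warn; deprecated ceiling: error
            out.append(Finding("warn" if name.startswith("min") else "error",
                               f"{path}.parameters.{name}", f"{value} is deprecated by RFC 8996"))
    if vmin in (None, "TLS_AUTO"):  # lint policy (assumption): pin an explicit floor
        out.append(Finding("warn", f"{path}.parameters.minimumProtocolVersion", "pin TLSv1_2 or TLSv1_3"))
    elif vmax in PROTOCOL_RANK and vmin in PROTOCOL_RANK and 0 < PROTOCOL_RANK[vmax] < PROTOCOL_RANK[vmin]:
        out.append(Finding("error", f"{path}.parameters", f"maximum {vmax} is below minimum {vmin}"))
    return out


def lint_virtual_gateway(manifest: dict) -> list:
    """Return every Finding for a VirtualGateway manifest (an empty list means clean)."""
    spec, out = manifest.get("spec") or {}, []
    if not spec.get("workloads"):  # reference: nil workloads selects every gateway workload
        out.append(Finding("warn", "spec.workloads", "unset: applies to all gateway workloads in the workspace"))
    listeners = spec.get("listeners") or []
    if not listeners:
        out.append(Finding("error", "spec.listeners", "at least one listener is required"))
    for i, listener in enumerate(listeners):
        path = f"spec.listeners[{i}]"
        if "port" not in listener:
            out.append(Finding("error", f"{path}.port", "required"))
        if "tcp" in listener and "tls" not in listener:  # reference: SNI routing needs TLS
            out.append(Finding("error", f"{path}.tcp", "tcp listeners route on SNI and require tls"))
        if "tls" in listener:
            out.extend(lint_tls(listener["tls"], f"{path}.tls"))
        tables = listener.get("allowedRouteTables") or []
        if not tables:  # reference: with no filter, any RouteTable may bind to this listener
            out.append(Finding("warn", f"{path}.allowedRouteTables", "unset: any route table may bind here"))
        for j, table in enumerate(tables):
            if not table.get("host"):
                out.append(Finding("error", f"{path}.allowedRouteTables[{j}].host", "required"))
    return out


def has_errors(findings: list) -> bool:
    return any(f.severity == "error" for f in findings)


# Constructed manifests (not from the page): a weak gateway and its hardened form.
CERT_FILES = {"serverCert": "/etc/certs/servercert.pem", "privateKey": "/etc/certs/privatekey.pem"}
WEAK_GATEWAY = {
    "apiVersion": "networking.gloo.solo.io/v2", "kind": "VirtualGateway",
    "metadata": {"name": "weak", "namespace": "some-config-namespace"},
    "spec": {"listeners": [
        {"port": {"number": 443},
         "tls": {"mode": "MUTUAL", "files": dict(CERT_FILES),  # mTLS with no CA: clients are never validated
                 "verifySubjectAltName": ["spiffe://cluster.local/ns/foo/sa/client"],
                 "parameters": {"minimumProtocolVersion": "TLSv1_0"}}},
        {"port": {"number": 9000}, "tcp": {}},  # SNI-based TCP routing with no tls block
    ]},
}
HARDENED_GATEWAY = {
    "apiVersion": "networking.gloo.solo.io/v2", "kind": "VirtualGateway",
    "metadata": {"name": "hardened", "namespace": "some-config-namespace"},
    "spec": {"workloads": [{"selector": {"labels": {"app": "my-gateway-controller"}}}],
             "listeners": [{"port": {"number": 443},
                            "tls": {"mode": "MUTUAL", "files": {**CERT_FILES, "caCerts": "/etc/certs/ca.pem"},
                                    "verifySubjectAltName": ["spiffe://cluster.local/ns/foo/sa/client"],
                                    "parameters": {"minimumProtocolVersion": "TLSv1_2",
                                                   "maximumProtocolVersion": "TLSv1_3"}},
                            "allowedRouteTables": [{"host": "*.foo.com", "selector": {"workspace": "foo-ws"}}]}]},
}
```

Run lint_virtual_gateway over a manifest before applying it and refuse to apply when has_errors is true: for WEAK_GATEWAY it reports the missing caCerts twice (once for MUTUAL, once for verifySubjectAltName), the tcp listener without tls, the TLS 1.0 floor and the two open listeners, while HARDENED_GATEWAY comes back clean. The lint reads files.caCerts only; when a listener uses secretName it cannot see what the secret contains, so it warns rather than deciding.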

VirtualGatewaySpec.Listener.HTTPServer

HTTP server indicates HTTP routes will be served for RouteTables which select this gateway.

VirtualGatewaySpec.Listener.RouteTableFilter

Filter route tables which can attach to a VGW by host name as well as an object selector.

host (string)
    Required. Host name to select. Use * to match host name patterns across multiple objects.

selector (common.gloo.solo.io.ObjectSelector)
    Optional. If provided, route tables that do not match the selector are filtered out.

VirtualGatewaySpec.Listener.TCPServer

TODO: TCPServer

VirtualGatewayStatus

Reflects the status of the VirtualGateway resource.

global (common.gloo.solo.io.GenericGlobalStatus)
    Global status of the resource.

workspaces ([]networking.gloo.solo.io.VirtualGatewayStatus.WorkspacesEntry, repeated)
    The status of the resource in each workspace in which it exists.

allowedRouteTables ([]common.gloo.solo.io.ObjectReference, repeated)
    List of RouteTables allowed to bind to this VirtualGateway.

workloads ([]common.gloo.solo.io.ObjectReference, repeated)
    Workloads selected by this VirtualGateway.

VirtualGatewayStatus.WorkspacesEntry

key (string)
    Workspace name.

value (common.gloo.solo.io.WorkspaceStatus)
    Status of the resource in that workspace.

TLSConfig.Parameters.ProtocolVersion

TLS_AUTO (0)
    Automatically choose the optimal TLS version.

TLSv1_0 (1)
    TLS 1.0

TLSv1_1 (2)
    TLS 1.1

TLSv1_2 (3)
    TLS 1.2

TLSv1_3 (4)
    TLS 1.3

TLSConfig.TLSMode

PASSTHROUGH (0)
    The SNI string presented by the client is used as the match criterion in a VirtualService TLS route to determine the destination service from the service registry. The TLS session is not terminated at the gateway.

SIMPLE (1)
    Secure connections with standard TLS semantics: the gateway presents its server certificate and terminates TLS; the client is not asked for a certificate.

MUTUAL (2)
    Secure connections from the downstream using mutual TLS: the gateway presents its server certificate and requires the client to present a certificate that validates against caCerts.

AUTO_PASSTHROUGH (3)
    Similar to passthrough mode, except that servers with this TLS mode do not require an associated VirtualService to map the SNI value to a service in the registry. The destination details (service, subset and port) are encoded in the SNI value, and the proxy forwards to the upstream (Envoy) cluster, a group of endpoints, that the SNI value names. This mode is typically used to provide connectivity between services in disparate L3 networks that otherwise have no direct connectivity between their endpoints. It assumes that both the source and the destination use Istio mTLS to secure traffic. To enable this mode, the gateway deployment must be configured with the ISTIO_META_ROUTER_MODE=sni-dnat environment variable.

ISTIO_MUTUAL (4)
    Secure connections from the downstream using mutual TLS, presenting server certificates for authentication. Compared to MUTUAL mode, this mode uses certificates generated automatically by Istio that represent the gateway workload identity. When this mode is used, all other fields in TLSConfig must be empty.