Proto: virtual_gateway.proto

Package: networking.gloo.solo.io

Types:

ListenerRouteTable

ListenerRouteTable represents an association between a RouteTable and a particular VirtualGateway listener.

| Field | Description |
| --- | --- |
| listenerIdx (uint32) | The index of the listener in the list of listeners on the virtual gateway. |
| routeTableRef (common.gloo.solo.io.ObjectReference) | A reference to a route table. |

TLSConfig

TLSConfig contains the options necessary to configure a listener to use TLS

| Field | Description |
| --- | --- |
| secretName (string) | The name of the Kubernetes secret that contains the TLS certificate and private key. Each gateway looks for a secret with this name on its own local cluster, in its own namespace. |
| files (TLSConfig.Files) | Paths to certificate and key files that the proxy reads from its local filesystem. |
| verifySubjectAltName (repeated string) | Verify that the Subject Alternative Name in the peer certificate is one of the listed values. A CA bundle (caCerts) must be provided if this option is used, since the SAN check is only meaningful on a certificate that chains to a trusted CA. |
| parameters (TLSConfig.Parameters) | General TLS parameters (protocol version bounds and cipher suites). |
| mode (TLSConfig.TLSMode) | The TLS mode the proxy enforces on this listener. |

TLSConfig.Files

| Field | Description |
| --- | --- |
| serverCert (string) | Required if mode is SIMPLE or MUTUAL. The path to the file that contains the server-side TLS certificate. |
| privateKey (string) | Required if mode is SIMPLE or MUTUAL. The path to the file that contains the server's private key. |
| caCerts (string) | Required if mode is MUTUAL. The path to the file that contains the certificate authority (CA) certificates used to validate client certificates. |

TLSConfig.Parameters

General TLS parameters. See the envoy docs for more information on the meaning of these values.

| Field | Description |
| --- | --- |
| minimumProtocolVersion (TLSConfig.Parameters.ProtocolVersion) | The lowest TLS protocol version the listener will negotiate. |
| maximumProtocolVersion (TLSConfig.Parameters.ProtocolVersion) | The highest TLS protocol version the listener will negotiate. |
| cipherSuites (repeated string) | The cipher suites the listener offers, in Envoy's cipher-suite notation. |

VirtualGatewayReport

| Field | Description |
| --- | --- |
| workspaces (repeated VirtualGatewayReport.WorkspacesEntry) | Per-workspace reports for this resource (see VirtualGatewayReport.WorkspacesEntry). |
| allowedRouteTables (repeated common.gloo.solo.io.ObjectReference) | A list of route tables allowed to bind to this virtual gateway. |
| selectedWorkloads (repeated common.gloo.solo.io.ObjectReference) | A list of workloads selected by this virtual gateway. |
| exposedExternalServices (repeated common.gloo.solo.io.ObjectReference) | A list of external services exposed by this virtual gateway. |
| listenerRouteTables (repeated ListenerRouteTable) | A list of listener/RouteTable combinations showing which route tables are attached to which listeners. |

VirtualGatewayReport.WorkspacesEntry

| Field | Description |
| --- | --- |
| key (string) | |
| value (common.gloo.solo.io.Report) | |

VirtualGatewaySpec

VirtualGateway represents a logical gateway configuration served by Gateway workloads within the same workspace. The specification describes the set of ports on which the virtual gateway listens for incoming or outgoing HTTP/TCP connections, the protocol to use on each, SNI configuration, and so on.

For example, the following VirtualGateway resource configures the gateway to listen for incoming HTTP requests on port 80 and delegates route configuration for the '*.bookinfo.com' hostname to route tables provided by the bookinfo workspace. The VirtualGateway is applied to the gateway pods/VMs that carry the app: my-gateway-controller label within the same workspace as the VirtualGateway resource.

```yaml
apiVersion: networking.gloo.solo.io/v2
kind: VirtualGateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
  labels:
    workspace.solo.io/exported: 'true'
spec:
  workloads:
    - selector:
        labels:
          app: my-gateway-controller
  listeners:
    - port:
        number: 80
      allowedRouteTables:
        - host: '*.bookinfo.com'
          selector:
            workspace: bookinfo
```

For example, the following VirtualGateway resource configures the gateway to listen for incoming HTTP requests on port 80 and delegates any *.foo.com request to the HTTPRouteTable resource(s) provided by the foo-ws workspace. On the same port 80, it also delegates any *.bar.com request to the route configurations provided by the bar-ws workspace.

```yaml
apiVersion: networking.gloo.solo.io/v2
kind: VirtualGateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
  labels:
    workspace.solo.io/exported: 'true'
spec:
  workloads:
    - selector:
        labels:
          app: my-gateway-controller
  listeners:
    - port:
        number: 80
      allowedRouteTables:
        - host: '*.foo.com'
          selector:
            workspace: foo-ws
        - host: '*.bar.com'
          selector:
            workspace: bar-ws
```

For example, the following VirtualGateway resource configures the gateway to act as a load balancer listening on ports 80 and 9080 (HTTP), 443 (HTTPS), and 9443 (HTTPS) for ingress. The VirtualGateway resource is applied to the gateway pods/VMs that carry the app: my-gateway-controller label within the same workspace. The route table(s) for ports 80, 443 and 9443 must be provided by the foo-ws workspace, with hosts that match *.foo.com; port 80 answers every HTTP request with a 301 redirect to HTTPS. The route table(s) for port 9080 must be provided by the bar-ws workspace, with hosts that match *.bar.com. Port 443 reads its certificate and key from the proxy's filesystem, while port 9443 reads them from the Kubernetes secret my-secret in the gateway's own namespace.

```yaml
apiVersion: networking.gloo.solo.io/v2
kind: VirtualGateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
  labels:
    workspace.solo.io/exported: 'true'
spec:
  workloads:
    - selector:
        labels:
          app: my-gateway-controller
  listeners:
    - port:
        number: 80
      httpsRedirect: true
      allowedRouteTables:
        - host: '*.foo.com'
          selector:
            workspace: foo-ws
    - port:
        number: 443
      tls:
        mode: SIMPLE
        files:
          privateKey: /etc/certs/privatekey.pem
          serverCert: /etc/certs/servercert.pem
      allowedRouteTables:
        - host: '*.foo.com'
          selector:
            workspace: foo-ws
    - port:
        number: 9443
      tls:
        mode: SIMPLE
        secretName: my-secret
      allowedRouteTables:
        - host: '*.foo.com'
          selector:
            workspace: foo-ws
    - port:
        number: 9080
      allowedRouteTables:
        - host: '*.bar.com'
          selector:
            # the *.bar.com route tables come from the bar-ws workspace,
            # as described above
            workspace: bar-ws
```

For example, the following VirtualGateway resource configures the gateway to listen for incoming HTTP requests on port 80 and delegates any *.foo.com request to the HTTPRouteTable resource(s) provided by the foo-ws workspace. The intent is for that route table to be restricted to CloudProvider functionality that routes to cloud functions backend-function-* in region us-east-2 and assumes the dev-team-B-* IAM role; such a restriction is expressed through allowedRoutes on the route table filter (a common.gloo.solo.io.RouteFilter), which the listing below does not include.

```yaml
apiVersion: networking.gloo.solo.io/v2
kind: VirtualGateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
  labels:
    workspace.solo.io/exported: 'true'
spec:
  workloads:
    - selector:
        labels:
          app: my-gateway-controller
  listeners:
    - port:
        number: 80
      allowedRouteTables:
        - host: '*.foo.com'
          selector:
            workspace: foo-ws
```

| Field | Description |
| --- | --- |
| workloads (repeated common.gloo.solo.io.WorkloadSelector) | Optional: Select which gateway workloads in the same workspace implement this virtual gateway. A gateway workload is selected if it matches any of the provided selectors. For 'selector.name', specify the gateway service's name. For 'selector.labels', specify the gateway service's 'spec.selector' labels. If workloads is omitted, the virtual gateway applies to all gateway workloads in the workspace. |
| listeners (repeated VirtualGatewaySpec.Listener) | Required: One or more listeners for the virtual gateway. Each listener specifies a port and the virtual host(s) served for traffic received on that port. |

VirtualGatewaySpec.Listener

| Field | Description |
| --- | --- |
| port (common.gloo.solo.io.PortSelector) | Required: The port on the gateway workload's service on which the gateway listens for connections to route. |
| tls (TLSConfig) | Optional: TLS configuration for this listener. Omit it for a plaintext listener; see the TLSConfig type for the available modes. |
| httpsRedirect (bool) | If set to true, the load balancer sends a 301 redirect for all HTTP connections, asking clients to use HTTPS. |
| http (VirtualGatewaySpec.Listener.HTTPServer) | Serves HTTP requests on the hosts specified for this listener. The listener routes traffic based on the HTTPRouteTable resource(s) attached to the virtual gateway. |
| tcp (VirtualGatewaySpec.Listener.TCPServer) | The TCP listener configuration. TCP routes that select traffic by SNI server name require a TLS configuration on the listener. |
| allowedRouteTables (repeated VirtualGatewaySpec.Listener.RouteTableFilter) | Optional: Filter the RouteTables that can bind to this listener by host name and object metadata. Wildcard matching for host names is supported. If omitted, any route table is allowed to bind to this VirtualGateway, so on a shared gateway restrict binding explicitly by host and by selector (for example the owning workspace), as the examples above do. |
| exposedExternalServices (repeated VirtualGatewaySpec.Listener.ExternalServiceFilter) | Optional: List of ExternalServices exposed by this VirtualGateway. If empty, any ExternalService is exposed by this VirtualGateway. Used specifically for configuring egress traffic. |
| appProtocol (string) | Optional: The application protocol to assume when deciding which additional capabilities (such as routing and rich metrics) to add to the gateway. If no protocol is set, it is inferred from the listener type and its TLS settings: an http listener defaults to HTTP without TLS settings and HTTPS with them; a tcp listener defaults to TCP or TLS depending on the presence of TLS settings. |
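The TLSConfig and Listener tables above state several hard constraints (SIMPLE/MUTUAL need a certificate source, MUTUAL needs caCerts, verifySubjectAltName needs caCerts, ISTIO_MUTUAL tolerates no other TLS fields, an omitted allowedRouteTables admits any route table). The following is an added example, not Gloo's own validation code: a small policy-as-code lint that checks VirtualGateway manifests against those rules, run over a hardened listener and a deliberately weak one. Manifests are plain dicts mirroring the YAML on this page; the CA path /etc/certs/ca.pem, the SAN client.foo.com, the cipher-suite list and the treatment of TLS 1.0/1.1 as findings are the example's own assumptions.

```python
"""Lint VirtualGateway listeners against the TLSConfig rules in the
virtual_gateway.proto reference. Added example, not Gloo's own code."""
from typing import Any, Dict, List

# Assumption (not from the proto): TLS 1.0/1.1 are reported because RFC 8996
# deprecates them; the ProtocolVersion enum itself still accepts them.
DEPRECATED_VERSIONS = {"TLSv1_0", "TLSv1_1"}


def lint_tls(idx: int, tls: Dict[str, Any]) -> List[str]:
    """Return findings for one listener's TLSConfig; an empty list is clean."""
    findings: List[str] = []
    mode = tls.get("mode", "PASSTHROUGH")  # enum value 0 is the proto default
    files = tls.get("files") or {}
    secret = tls.get("secretName")
    tag = f"listener[{idx}]"

    if mode == "ISTIO_MUTUAL":
        # "all other fields in TLSConfig should be empty"
        extra = sorted(k for k in tls if k != "mode")
        if extra:
            findings.append(f"{tag}: ISTIO_MUTUAL must not set {extra}")
        return findings

    has_pair = bool(files.get("serverCert")) and bool(files.get("privateKey"))
    if mode in ("SIMPLE", "MUTUAL"):
        if not (secret or has_pair):
            findings.append(f"{tag}: {mode} needs secretName or files.serverCert + files.privateKey")
        if secret and has_pair:
            findings.append(f"{tag}: both secretName and files set; use one certificate source")
    # Assumption: with secretName the CA bundle lives in that secret, so caCerts
    # is only enforced for filesystem-based configs.
    if mode == "MUTUAL" and files and not files.get("caCerts"):
        findings.append(f"{tag}: MUTUAL needs files.caCerts to validate client certificates")
    if tls.get("verifySubjectAltName") and not (files.get("caCerts") or secret):
        findings.append(f"{tag}: verifySubjectAltName requires caCerts")
    params = tls.get("parameters") or {}
    if params.get("minimumProtocolVersion") in DEPRECATED_VERSIONS:
        findings.append(f"{tag}: minimumProtocolVersion allows deprecated TLS 1.0/1.1")
    return findings


def lint_listener(idx: int, listener: Dict[str, Any]) -> List[str]:
    findings = lint_tls(idx, listener["tls"]) if "tls" in listener else []
    if not listener.get("allowedRouteTables"):
        findings.append(f"listener[{idx}]: allowedRouteTables omitted; any route table may bind")
    if "tcp" in listener and "tls" not in listener:
        findings.append(f"listener[{idx}]: tcp listener without tls cannot route on SNI")
    return findings


def lint_virtual_gateway(vg: Dict[str, Any]) -> List[str]:
    listeners = vg.get("spec", {}).get("listeners") or []
    return [f for i, lst in enumerate(listeners) for f in lint_listener(i, lst)]


FOO_FILTER = [{"host": "*.foo.com", "selector": {"workspace": "foo-ws"}}]

# Constructed manifest: MUTUAL on 443 with CA, SAN pinning and TLS >= 1.2.
HARDENED_VG = {
    "apiVersion": "networking.gloo.solo.io/v2", "kind": "VirtualGateway",
    "metadata": {"name": "my-gateway", "namespace": "some-config-namespace"},
    "spec": {
        "workloads": [{"selector": {"labels": {"app": "my-gateway-controller"}}}],
        "listeners": [
            {"port": {"number": 80}, "httpsRedirect": True, "allowedRouteTables": FOO_FILTER},
            {"port": {"number": 443},
             "tls": {"mode": "MUTUAL",
                     "files": {"serverCert": "/etc/certs/servercert.pem",
                               "privateKey": "/etc/certs/privatekey.pem",
                               "caCerts": "/etc/certs/ca.pem"},  # assumed path
                     "verifySubjectAltName": ["client.foo.com"],  # assumed SAN
                     "parameters": {"minimumProtocolVersion": "TLSv1_2",
                                    "cipherSuites": ["ECDHE-ECDSA-AES256-GCM-SHA384",
                                                     "ECDHE-RSA-AES256-GCM-SHA384"]}},
             "allowedRouteTables": FOO_FILTER}]}}

# Constructed manifest: MUTUAL without a CA, SAN check without a CA, TLS 1.0
# allowed, open route-table binding, and a tcp listener with no TLS.
WEAK_VG = {
    "apiVersion": "networking.gloo.solo.io/v2", "kind": "VirtualGateway",
    "metadata": {"name": "weak-gateway", "namespace": "some-config-namespace"},
    "spec": {"listeners": [
        {"port": {"number": 443},
         "tls": {"mode": "MUTUAL",
                 "files": {"serverCert": "/etc/certs/servercert.pem",
                           "privateKey": "/etc/certs/privatekey.pem"},
                 "verifySubjectAltName": ["client.foo.com"],
                 "parameters": {"minimumProtocolVersion": "TLSv1_0"}}},
        {"port": {"number": 9000}, "tcp": {}}]}}

if __name__ == "__main__":
    for name, vg in (("hardened", HARDENED_VG), ("weak", WEAK_VG)):
        print(name, lint_virtual_gateway(vg) or ["clean"])
```

The weak manifest yields six findings (two of them about the missing caCerts); the hardened one yields none. The lint is deliberately conservative where the page is silent, for example it does not inspect the contents of a referenced secret.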

VirtualGatewaySpec.Listener.ExternalServiceFilter

Filter ExternalServices which can attach to a VGW by host name.

| Field | Description |
| --- | --- |
| host (string) | Required: host name to select. Can use * to match host name patterns across multiple objects. |
| selector (common.gloo.solo.io.ObjectSelector) | Optional: filter out ExternalServices that do not match the selector, if provided. |

VirtualGatewaySpec.Listener.HTTPServer

HTTP server indicates HTTP routes will be served for RouteTables which select this gateway.

VirtualGatewaySpec.Listener.RouteTableFilter

Filter route tables which can attach to a VGW by host name as well as an object selector.

| Field | Description |
| --- | --- |
| host (string) | Required: host name to select. Can use * to match host name patterns across multiple objects. |
| selector (common.gloo.solo.io.ObjectSelector) | Optional: filter out route tables that do not match the selector, if provided. |
| allowedRoutes (repeated common.gloo.solo.io.RouteFilter) | Optional: Restrict the routes that can be applied to this VirtualGateway to a set of route filter criteria. If empty, all routes belonging to the matching route tables are allowed to bind to this VirtualGateway. |
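To make the binding model concrete (host pattern plus object selector per listener, and the ListenerRouteTable entries the report then carries), here is an added example that resolves which route tables bind to which listener index. It is not Gloo's binding logic: the suffix semantics of '*.foo.com', the selector keys compared (name, namespace, workspace, labels), a RouteTable spec.hosts field, and recording the owning workspace on the sample route table's metadata are all assumptions of the example. The constructed inputs include a route table from another workspace that claims a *.foo.com host, to show that the selector, not the host alone, is what keeps it off the filtered listener and that an unfiltered listener admits it.

```python
"""Resolve RouteTable -> VirtualGateway listener bindings and emit entries
shaped like VirtualGatewayReport.listenerRouteTables ({listenerIdx,
routeTableRef}). Added example, not Gloo's own code; assumptions inline."""
from typing import Any, Dict, List


def host_matches(pattern: str, host: str) -> bool:
    """Assumption: a leading '*.' is a suffix wildcard ('*.foo.com' accepts
    'api.foo.com' and 'a.b.foo.com' but not 'foo.com'), a bare '*' accepts
    any host, and anything else is an exact, case-insensitive match."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".foo.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def selector_matches(selector: Dict[str, Any], rt: Dict[str, Any]) -> bool:
    """Assumption: ObjectSelector keys name/namespace/workspace compare against
    the route table's metadata, and every selector label must be present."""
    meta = rt["metadata"]
    for key in ("name", "namespace", "workspace"):
        if key in selector and selector[key] != meta.get(key):
            return False
    labels = meta.get("labels") or {}
    return all(labels.get(k) == v for k, v in (selector.get("labels") or {}).items())


def bind_route_tables(vg: Dict[str, Any],
                      route_tables: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One entry per (listener, route table) pair that the listener's filter admits."""
    report = []
    for idx, listener in enumerate(vg["spec"]["listeners"]):
        filters = listener.get("allowedRouteTables") or []
        for rt in route_tables:
            hosts = rt["spec"].get("hosts") or []  # assumption: RouteTable spec.hosts
            # Page: an omitted allowedRouteTables lets any route table bind.
            admitted = not filters or any(
                host_matches(f["host"], h) and selector_matches(f.get("selector") or {}, rt)
                for f in filters for h in hosts)
            if admitted:
                report.append({"listenerIdx": idx,
                               "routeTableRef": {"name": rt["metadata"]["name"],
                                                 "namespace": rt["metadata"]["namespace"]}})
    return report


def route_table(name: str, workspace: str, hosts: List[str]) -> Dict[str, Any]:
    """Constructed sample; 'workspace' on metadata is a stand-in for workspace
    membership, which this page does not define how to resolve."""
    return {"metadata": {"name": name, "namespace": "default", "workspace": workspace},
            "spec": {"hosts": hosts}}


# Constructed inputs: a filtered port 80 and an unfiltered port 9080.
SAMPLE_VG = {"spec": {"listeners": [
    {"port": {"number": 80}, "allowedRouteTables": [
        {"host": "*.foo.com", "selector": {"workspace": "foo-ws"}},
        {"host": "*.bar.com", "selector": {"workspace": "bar-ws"}}]},
    {"port": {"number": 9080}}]}}

SAMPLE_ROUTE_TABLES = [
    route_table("foo-rt", "foo-ws", ["api.foo.com"]),
    route_table("bar-rt", "bar-ws", ["shop.bar.com"]),
    route_table("rogue-rt", "other-ws", ["evil.foo.com"]),  # wrong workspace
]

if __name__ == "__main__":
    for entry in bind_route_tables(SAMPLE_VG, SAMPLE_ROUTE_TABLES):
        print(entry["listenerIdx"], entry["routeTableRef"]["name"])
```

On the filtered listener only foo-rt and bar-rt bind; on the unfiltered listener all three do, including rogue-rt from other-ws, which is the situation the allowedRouteTables field exists to prevent.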

VirtualGatewaySpec.Listener.TCPServer

VirtualGatewayStatus

| Field | Description |
| --- | --- |
| common (common.gloo.solo.io.Status) | The state and workspace conditions of the applied resource. |
| routeTablesCount (uint32) | The number of route tables allowed to bind to this virtual gateway. |
| selectedWorkloadsCount (uint32) | The number of workloads selected by this virtual gateway. |
| externalServicesCount (uint32) | The number of external services exposed by this virtual gateway. |

TLSConfig.Parameters.ProtocolVersion

| Name | Number | Description |
| --- | --- | --- |
| TLS_AUTO | 0 | Automatically choose the optimal TLS version. |
| TLSv1_0 | 1 | TLS 1.0 |
| TLSv1_1 | 2 | TLS 1.1 |
| TLSv1_2 | 3 | TLS 1.2 |
| TLSv1_3 | 4 | TLS 1.3 |

TLS 1.0 and 1.1 are deprecated (RFC 8996). On internet-facing listeners set minimumProtocolVersion to TLSv1_2 or TLSv1_3 unless a specific client population still requires the older versions.

TLSConfig.TLSMode

| Name | Number | Description |
| --- | --- | --- |
| PASSTHROUGH | 0 | The SNI string presented by the client is used as the match criterion in a VirtualService TLS route to determine the destination service from the service registry. The gateway does not terminate TLS. |
| SIMPLE | 1 | Secure connections with standard TLS semantics: the gateway presents its server certificate and terminates TLS. |
| MUTUAL | 2 | Secure connections from the downstream using mutual TLS: the gateway presents its server certificate and requires a client certificate, which it validates against caCerts. |
| AUTO_PASSTHROUGH | 3 | Similar to the passthrough mode, except servers with this TLS mode do not require an associated VirtualService to map from the SNI value to a service in the registry. The destination details such as the service/subset/port are encoded in the SNI value. The proxy forwards to the upstream (Envoy) cluster (a group of endpoints) specified by the SNI value. This server is typically used to provide connectivity between services in disparate L3 networks that otherwise have no direct connectivity between their respective endpoints. Use of this mode assumes that both the source and the destination are using Istio mTLS to secure traffic. For this mode to be enabled, the gateway deployment must be configured with the ISTIO_META_ROUTER_MODE=sni-dnat environment variable. |
| ISTIO_MUTUAL | 4 | Secure connections from the downstream using mutual TLS by presenting server certificates for authentication. Compared to MUTUAL mode, this mode uses certificates representing the gateway workload identity, generated automatically by Istio, for mTLS authentication. When this mode is used, all other fields in TLSConfig should be empty. |