SslConfig contains the options necessary to configure a virtual host or listener to use TLS.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| secretName | string | | SecretName is the name of the Kubernetes secret which contains the SSL secret. Each Gateway will look for a secret with this name on its own local cluster in its own namespace. |
| sslFiles | SSLFiles | | Reference paths to certificates which can be read by the proxy off of its local filesystem. |
| verifySubjectAltName | []string | repeated | Verify that the Subject Alternative Name in the peer certificate is one of the specified values. Note that a root CA must be provided if this option is used. |
| tlsMode | | | TLS modes enforced by the proxy. |


| Field | Type | Label | Description |
| --- | --- | --- | --- |
| tlsCert | string | | |
| tlsKey | string | | |
| rootCa | string | | For client cert validation. Optional. |


General TLS parameters. See the Envoy docs for more information on the meaning of these values.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| cipherSuites | []string | repeated | |


VirtualGateway is the top-level object for configuring ingress into a Mesh or VirtualMesh. A single VirtualGateway can apply to multiple deployed ingress pods and sidecars across meshes and clusters contained within a VirtualMesh. VirtualGateways can route traffic to destination services which live in a specific cluster or mesh. This allows VirtualGateways to route traffic from an ingress or sidecar in one mesh to a service in another. In order to perform cross-mesh routing, the gateway mesh and the destination mesh must be contained in a single VirtualMesh, with federation enabled.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| ingressGatewaySelectors | [] | repeated | Select the destinations to deploy the gateway to. |
| connectionHandlers | [] | repeated | Each Gateway must implement one or more ConnectionHandlers. A ConnectionHandler instructs the gateway how to handle clients which have connected to the specified bind address. Typically connectionHandlers will consist of a single HTTP handler which serves HTTP routes defined in a set of VirtualHosts. Multiple connectionHandlers can be specified to provide different behavior on the same Gateway, e.g. one for TCP and one for HTTP traffic. NOTE: Currently having multiple connection handlers is NOT supported. Only exactly ONE connection handler can be specified. |
| options | | | Options applied to all clients who connect to this gateway. |


Each ConnectionHandler specifies a connectionMatch (required if using multiple ConnectionHandlers) and a set of (HTTP or TCP) routes to serve matched connections.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| connectionMatch | | | Additional options for matching a connection to a specific gateway. This is required when more than one connectionHandler is specified for a single gateway. Typically this is used to serve different |
| connectionOptions | | | Top level optional configuration for all routes on the ConnectionHandler. |


| Field | Type | Label | Description |
| --- | --- | --- | --- |
| serverNames | []string | repeated | If non-empty, a list of server names (e.g. SNI for the TLS protocol) to consider when determining a connectionMatch. Those values will be compared against the server names of a new connection, when detected by one of the listener filters. The server name will be matched against all wildcard domains, i.e. will be first matched against, then `*`, then `*.com`. Note that partial wildcards are not supported, and values like `*` are invalid. |
| transportProtocol | string | | Optional. If set, this will be used as the protocol for the gateway; otherwise it will be inferred based on the following logic:<br>- If the connectionHandler is an HTTP handler and no SslConfig is set in the connectionOptions, use "HTTP"<br>- If the connectionHandler is an HTTP handler and any SslConfig is set in the connectionOptions, use "HTTPS"<br>- If the connectionHandler is a TCP handler and no SslConfig is set in the connectionOptions, use "TCP"<br>- If the connectionHandler is a TCP handler and any SslConfig is set in the connectionOptions, use "TLS" |


| Field | Type | Label | Description |
| --- | --- | --- | --- |
| sslConfig | | | Contains the options necessary to configure a virtual host or listener to use TLS. |
| httpsRedirect | bool | | If set to true, the load balancer will send a 301 redirect for all HTTP connections, asking the clients to use HTTPS. |
| strictFilterManagement | bool | | Restricts filters from being added to the corresponding Envoy Listener unless they are explicitly configured in the connection handler options. |
| enableProxyProtocol | bool | | Enable the PROXY protocol for this connection handler. |


| Field | Type | Label | Description |
| --- | --- | --- | --- |
| routeConfig | [] | repeated | |
| routeOptions | | | HTTP listener options (root level RouteTable + VirtualHost + routes level). |


| Field | Type | Label | Description |
| --- | --- | --- | --- |
| csrf | | | Configure global CSRF options for clients connected to this Gateway. |
| rateLimit | | | Configure global rate limit options for clients connected to this Gateway. Rate limits must be configured on specific routes in order to enable rate limiting for a Gateway. |
| extauth | | | Configure the global Extauth options for clients connected to this Gateway. |
| transformations | | | Enable the use of transformations of header / body content on request or response data on routes served by this gateway. |


| Field | Type | Label | Description |
| --- | --- | --- | --- |
| virtualHostSelector | | | RouteSelector is used to specify which VirtualHosts should be attached to this gateway. |
| virtualHost | | | VirtualHost allows in-lining a route table directly in the Gateway resource, for simple configs using fewer CRDs. Note that Kubernetes admission validation of inline virtual hosts is disabled. For production, the use of virtualHostSelector is recommended. |


| Field | Type | Label | Description |
| --- | --- | --- | --- |
| tcpHosts | [] | repeated | TCP hosts that the gateway can route to. |
| options | | | TCP Gateway configuration. |


| Field | Type | Label | Description |
| --- | --- | --- | --- |
| name | string | | The logical name of the TCP host. Names must be unique for each TCP host within a listener. |


Name of the destinations the gateway can route to. Note: the destination spec and subsets are not supported in this context and will be ignored.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| static | | | Reference to a Gloo Mesh Static Destination. |
| virtual | | | Reference to a Gloo Mesh VirtualDestination. |
| kube | | | Reference to a Kubernetes Service. Note that the service must exist in the same mesh or virtual mesh (with federation enabled) as each gateway workload which routes to this destination. |
| forwardSniClusterName | google.protobuf.Empty | | Forwards the request to a cluster name matching the TLS SNI name. Note: this filter will only work properly with TLS connections in which the upstream SNI domain is specified. |
| weight | uint32 | | Relative weight of this destination to others in the same route. If omitted, all destinations in the route will be load balanced evenly. |



| Field | Type | Label | Description |
| --- | --- | --- | --- |
| maxConnectAttempts | google.protobuf.UInt32Value | | Contains various settings for Envoy's tcp proxy filter. See the Envoy docs for more information. |
| idleTimeout | google.protobuf.Duration | | |
| tunnelingConfig | | | If set, this configures tunneling, e.g. configuration options to tunnel multiple TCP payloads over a shared HTTP tunnel. If this message is absent, the payload will be proxied upstream as per usual. |


Configuration for tunneling TCP over other transports or application layers.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| hostname | string | | The hostname to send in the synthesized CONNECT headers to the upstream proxy. |


Gateway-level options (only apply to the gateway/listener). TODO: fill in more options.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| perConnectionBufferLimitBytes | google.protobuf.UInt32Value | | Soft limit on the size of the listener's new connection read and write buffers. If unspecified, defaults to 1MiB. For more info, check out the Envoy docs. |
| bindAddress | string | | The bind address the gateway should serve traffic on. This maps to the Envoy Listener address. Defaults to "::" or "". |


| Field | Type | Label | Description |
| --- | --- | --- | --- |
| observedGeneration | int64 | | The most recent generation observed in the VirtualGateway metadata. If the observedGeneration does not match metadata.generation, Gloo Mesh has not processed the most recent version of this resource. |
| state | | | The state of the overall resource. |
| errors | []string | repeated | Any errors found while processing this generation of the resource. |
| warnings | []string | repeated | Any warnings found while processing this generation of the resource. |
| appliedIngressGateways | [] | repeated | |
| selectedVirtualHosts | [] | repeated | |
| selectedRouteTables | [] | repeated | List of delegated route tables that this route table delegates to. |
| createdIstioGateways | [] | repeated | List of Istio Gateway CRs created by this VirtualGateway in each cluster. |


| Field | Type | Label | Description |
| --- | --- | --- | --- |
| key | string | | |


| Name | Number | Description |
| --- | --- | --- |
| TLS_AUTO | 0 | Envoy will choose the optimal TLS version. |
| TLSv1_0 | 1 | TLS 1.0 |
| TLSv1_1 | 2 | TLS 1.1 |
| TLSv1_2 | 3 | TLS 1.2 |
| TLSv1_3 | 4 | TLS 1.3 |


| Name | Number | Description |
| --- | --- | --- |
| PASSTHROUGH | 0 | The SNI string presented by the client will be used as the match criterion in a VirtualService TLS route to determine the destination service from the service registry. |
| SIMPLE | 1 | Secure connections with standard TLS semantics. |
| MUTUAL | 2 | Secure connections to the downstream using mutual TLS by presenting server certificates for authentication. |
| AUTO_PASSTHROUGH | 3 | Similar to the passthrough mode, except servers with this TLS mode do not require an associated VirtualService to map from the SNI value to a service in the registry. The destination details such as the service/subset/port are encoded in the SNI value. The proxy will forward to the upstream (Envoy) cluster (a group of endpoints) specified by the SNI value. This server is typically used to provide connectivity between services in disparate L3 networks that otherwise do not have direct connectivity between their respective endpoints. Use of this mode assumes that both the source and the destination are using Istio mTLS to secure traffic. In order for this mode to be enabled, the gateway deployment must be configured with the ISTIO_META_ROUTER_MODE=sni-dnat environment variable. |
| ISTIO_MUTUAL | 4 | Secure connections from the downstream using mutual TLS by presenting server certificates for authentication. Compared to MUTUAL mode, this mode uses certificates, representing gateway workload identity, generated automatically by Istio for mTLS authentication. When this mode is used, all other fields in TLSOptions should be empty. |
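Added example, not Gloo Mesh code: a small Python linter that checks a parsed VirtualGateway spec (the dict a YAML loader would produce) against the rules stated in the SslConfig, VirtualGateway, ConnectionMatch and TLS mode tables above. Field names are the ones in those tables; the `http`/`tcp` keys that select the handler type and the sample spec are assumptions.

```python
TLS_MODES = {"PASSTHROUGH", "SIMPLE", "MUTUAL", "AUTO_PASSTHROUGH", "ISTIO_MUTUAL"}

def infer_transport_protocol(handler):
    """transportProtocol inference rules from the ConnectionMatch table."""
    explicit = handler.get("connectionMatch", {}).get("transportProtocol")
    if explicit:
        return explicit  # an explicit value is used as-is
    has_tls = bool(handler.get("connectionOptions", {}).get("sslConfig"))
    if "http" in handler:  # assumed key marking an HTTP handler
        return "HTTPS" if has_tls else "HTTP"
    return "TLS" if has_tls else "TCP"  # otherwise a TCP handler

def valid_server_name(name):
    """Only a whole leading label may be a wildcard; partial wildcards are invalid."""
    return "*" not in name or (name.startswith("*.") and "*" not in name[2:])

def check_ssl_config(ssl):
    """Problems with one sslConfig block, per the SslConfig and TLS mode tables."""
    problems = []
    mode = ssl.get("tlsMode")
    if mode is not None and mode not in TLS_MODES:
        problems.append(f"unknown tlsMode {mode!r}")
    if mode == "ISTIO_MUTUAL" and any(ssl.get(k) for k in ("secretName", "sslFiles", "verifySubjectAltName")):
        problems.append("ISTIO_MUTUAL uses Istio-issued certificates; other TLS fields must be empty")
    # SAN verification needs a root CA to validate the peer chain; a secret's contents cannot
    # be inspected offline, so only the file-based form is checked strictly.
    if ssl.get("verifySubjectAltName") and not ssl.get("secretName") and not ssl.get("sslFiles", {}).get("rootCa"):
        problems.append("verifySubjectAltName requires a root CA (sslFiles.rootCa)")
    return problems

def lint_virtual_gateway(spec):
    """Return the list of problems in a VirtualGateway spec; an empty list means clean."""
    handlers = spec.get("connectionHandlers", [])
    problems = [] if len(handlers) == 1 else [f"exactly one connectionHandler is supported, got {len(handlers)}"]
    for h in handlers:
        for sn in h.get("connectionMatch", {}).get("serverNames", []):
            if not valid_server_name(sn):
                problems.append(f"invalid serverName {sn!r}: partial wildcards are not supported")
        ssl = h.get("connectionOptions", {}).get("sslConfig")
        if ssl:
            problems.extend(check_ssl_config(ssl))
    return problems

# Constructed sample spec: one HTTP handler terminating mutual TLS with certificates read from
# the gateway pod's filesystem and the client SAN pinned (paths and names are made up).
SAMPLE_SPEC = {"connectionHandlers": [{
    "connectionMatch": {"serverNames": ["api.example.com", "*.example.com"]},
    "connectionOptions": {"sslConfig": {
        "tlsMode": "MUTUAL",
        "sslFiles": {"tlsCert": "/etc/tls/tls.crt", "tlsKey": "/etc/tls/tls.key", "rootCa": "/etc/tls/ca.crt"},
        "verifySubjectAltName": ["client.example.com"]}},
    "http": {"routeConfig": []}}]}
```

`lint_virtual_gateway(SAMPLE_SPEC)` returns an empty list; dropping `rootCa` while keeping `verifySubjectAltName`, or adding a second handler, produces the corresponding finding.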