traffic_policy.proto

Package : networking.mesh.gloo.solo.io

GatewayRoutes

Represents a specific gateway resource and which routes on that resource have been selected

Field Type Label Description
routes []string repeated The list of routes selected. If no routeLabelMatcher was provided, the value “*” will be used to indicate all routes were selected.

TrafficPolicySpec

Applies L7 routing and post-routing configuration on selected network edges.

Field Type Label Description
sourceSelector []common.mesh.gloo.solo.io.WorkloadSelector repeated Specify the Workloads (sources for east-west traffic) this TrafficPolicy applies to. Omit to apply to all Workloads.
destinationSelector []common.mesh.gloo.solo.io.DestinationSelector repeated Specify the Destinations (destinations) this TrafficPolicy applies to. Omit to apply to all Destinations.
routeSelector []networking.mesh.gloo.solo.io.TrafficPolicySpec.RouteSelector repeated Specify which ingress gateway traffic this TrafficPolicy applies to. Policies from different sources that define different settings (e.g. retries, timeouts) are merged. If a conflicting policy value is defined both in a TrafficPolicy resource (or multiple TrafficPolicy resources) and in-line on a VirtualHost or Route, the in-line value takes precedence. If multiple TrafficPolicies select the same VirtualHost, RouteTable, or Route, the older TrafficPolicy (by CreationTime) takes precedence over any newer TrafficPolicy. Omit to apply to all VirtualHosts and all of their routes.
httpRequestMatchers []common.mesh.gloo.solo.io.DeprecatedHttpMatcher repeated Specify criteria that HTTP requests must satisfy for the TrafficPolicy to apply. Conditions defined within a single matcher are conjunctive, i.e. all conditions must be satisfied for a match to occur. Conditions defined between different matchers are disjunctive, i.e. at least one matcher must be satisfied for the TrafficPolicy to apply. Omit to apply to any HTTP request.
policy networking.mesh.gloo.solo.io.TrafficPolicySpec.Policy Specify L7 routing and post-routing configuration.
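
The precedence rules in the routeSelector description (in-line values first, then the oldest TrafficPolicy by CreationTime) can be modelled to find settings that are defined but never take effect. This is an added example, not Gloo Mesh code; it assumes conflicts are decided per top-level Policy field and breaks CreationTime ties by name, neither of which this page specifies, and the policy names and timestamps are constructed.

```python
from datetime import datetime

def resolve_policy(inline, traffic_policies):
    """Return (effective, shadowed) for one VirtualHost/Route.

    inline: Policy fields set in-line on the VirtualHost or Route.
    traffic_policies: dicts with name, creationTime (RFC 3339), policy.
    Assumption: conflicts are decided per top-level Policy field.
    """
    effective, shadowed = {}, []
    for field, value in inline.items():
        effective[field] = (value, "in-line")  # in-line always wins

    def created(tp):
        stamp = tp["creationTime"].replace("Z", "+00:00")
        # Name as tie-break is an assumption; the page does not define one.
        return (datetime.fromisoformat(stamp), tp["name"])

    for tp in sorted(traffic_policies, key=created):  # oldest first
        for field, value in tp["policy"].items():
            if field not in effective:
                effective[field] = (value, tp["name"])
            elif effective[field][0] != value:
                # A conflicting value that never takes effect.
                shadowed.append((field, tp["name"], effective[field][1]))
    return effective, shadowed

# Constructed sample input (names and timestamps are made up).
SAMPLE_INLINE = {"retries": {"attempts": 1}}
SAMPLE_POLICIES = [
    {"name": "harden-2021-06", "creationTime": "2021-06-01T09:00:00Z",
     "policy": {"requestTimeout": "30s",
                "corsPolicy": {"allowMethods": ["GET"]}}},
    {"name": "baseline-2021-03", "creationTime": "2021-03-01T09:00:00Z",
     "policy": {"requestTimeout": "5s", "retries": {"attempts": 3}}},
]

if __name__ == "__main__":
    effective, shadowed = resolve_policy(SAMPLE_INLINE, SAMPLE_POLICIES)
    for field, (value, origin) in sorted(effective.items()):
        print(f"{field}: {value!r} from {origin}")
    for field, loser, winner in shadowed:
        print(f"shadowed: {field} in {loser} (overridden by {winner})")
```

The shadowed list is the part worth reviewing: a newer policy that tightens a setting is silently overridden when an older policy or an in-line value already defines that field.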

TrafficPolicySpec.Policy

Specify L7 routing and post-routing configuration.

Field Type Label Description
trafficShift networking.mesh.gloo.solo.io.TrafficPolicySpec.Policy.MultiDestination Shift traffic to a different destination. Note that the shifted traffic will only have policies applied that select the original source, rather than the shifted source.
faultInjection networking.mesh.gloo.solo.io.TrafficPolicySpec.Policy.FaultInjection Inject faulty responses.
requestTimeout google.protobuf.Duration Set a timeout on requests.
retries networking.mesh.gloo.solo.io.TrafficPolicySpec.Policy.RetryPolicy Set a retry policy on requests.
corsPolicy networking.mesh.gloo.solo.io.TrafficPolicySpec.Policy.CorsPolicy Set a Cross-Origin Resource Sharing policy (CORS) for requests. Refer to this link for further details about cross origin resource sharing.
mirror networking.mesh.gloo.solo.io.TrafficPolicySpec.Policy.Mirror Mirror traffic to another destination (traffic will be sent to its original destination in addition to the mirrored destinations).
headerManipulation networking.mesh.gloo.solo.io.HeaderManipulation Manipulate request and response headers.
outlierDetection networking.mesh.gloo.solo.io.TrafficPolicySpec.Policy.OutlierDetection Configure outlier detection on the selected destinations. Specifying this field requires an empty source_selector because it must apply to all traffic.
mtls networking.mesh.gloo.solo.io.TrafficPolicySpec.Policy.MTLS Configure mTLS settings. If specified, overrides the global default defined in Settings.
csrf csrf.networking.mesh.gloo.solo.io.CsrfPolicy Configure the Envoy-based CSRF filter.
rateLimit ratelimit.networking.mesh.gloo.solo.io.RouteRateLimit Configure the Envoy-based Ratelimit filter.
extauth extauth.networking.mesh.gloo.solo.io.RouteExtauth Configure the Envoy-based Extauth filter.
rateLimitSettings ratelimit.networking.mesh.gloo.solo.io.RateLimitServerSettings Configure the Ratelimit server settings.
extauthSettings extauth.networking.mesh.gloo.solo.io.ExtauthSettings Configure the ExtAuth server settings.
connectionPoolSettings networking.mesh.gloo.solo.io.TrafficPolicySpec.Policy.ConnectionPoolSettings Configure the ConnectionPool settings.
transformations transformation.networking.mesh.gloo.solo.io.RouteTransformations Configure transformations of HTTP header / body content on request or response data.

TrafficPolicySpec.Policy.ConnectionPoolSettings

Configure connection pool settings on the selected destinations.

Field Type Label Description
tcp networking.mesh.gloo.solo.io.TrafficPolicySpec.Policy.TCPSettings Settings common to both HTTP and TCP upstream connections
http networking.mesh.gloo.solo.io.TrafficPolicySpec.Policy.HTTPSettings HTTP connection pool settings.

TrafficPolicySpec.Policy.CorsPolicy

Specify Cross-Origin Resource Sharing policy (CORS) for requests. Refer to this link for further details about cross origin resource sharing.

Field Type Label Description
allowOrigins []common.mesh.gloo.solo.io.StringMatch repeated String patterns that match allowed origins. An origin is allowed if any of the string matchers match.
allowMethods []string repeated List of HTTP methods allowed to access the resource. The content will be serialized to the Access-Control-Allow-Methods header.
allowHeaders []string repeated List of HTTP headers that can be used when requesting the resource. Serialized to the Access-Control-Allow-Headers header.
exposeHeaders []string repeated A list of HTTP headers that browsers are allowed to access. Serialized to the Access-Control-Expose-Headers header.
maxAge google.protobuf.Duration Specify how long the results of a preflight request can be cached. Serialized to the Access-Control-Max-Age header.
allowCredentials google.protobuf.BoolValue Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials. Translates to the Access-Control-Allow-Credentials header.

TrafficPolicySpec.Policy.DLPPolicy

DLP filter config.

Field Type Label Description
todo string TODO: implement

TrafficPolicySpec.Policy.ExtAuth

ExtAuth filter config.

Field Type Label Description
todo string TODO: implement

TrafficPolicySpec.Policy.FaultInjection

Specify one or more faults to inject for the selected network edge.

Field Type Label Description
fixedDelay google.protobuf.Duration Add a delay of a fixed duration before sending the request. Format: 1h/1m/1s/1ms. MUST be >=1ms.
abort networking.mesh.gloo.solo.io.TrafficPolicySpec.Policy.FaultInjection.Abort Abort the request and return the specified error code back to traffic source.
percentage double Percentage of requests to be faulted. Values range between 0 and 100. If omitted all requests will be faulted.

TrafficPolicySpec.Policy.FaultInjection.Abort

Abort the request and return the specified error code back to traffic source.

Field Type Label Description
httpStatus int32 Required. HTTP status code to use to abort the request.

TrafficPolicySpec.Policy.HTTPSettings

Settings applicable to HTTP1.1/HTTP2/GRPC connections.

Field Type Label Description
http1MaxPendingRequests int32 Maximum number of pending HTTP requests to a destination. Default 2^32-1.
http2MaxRequests int32 Maximum number of requests to a backend. Default 2^32-1.
maxRequestsPerConnection int32 Maximum number of requests per connection to a backend. Setting this parameter to 1 disables keep alive. Default 0, meaning “unlimited”, up to 2^29.
maxRetries int32 Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. Defaults to 2^32-1.
idleTimeout google.protobuf.Duration The idle timeout for upstream connection pool connections. The idle timeout is defined as the period in which there are no active requests. If not set, the default is 1 hour. When the idle timeout is reached, the connection will be closed. If the connection is an HTTP/2 connection a drain sequence will occur prior to closing the connection. Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections.
h2UpgradePolicy networking.mesh.gloo.solo.io.TrafficPolicySpec.Policy.HTTPSettings.H2UpgradePolicy
useClientProtocol bool If set to true, the client protocol is preserved when initiating the connection to the backend. Note that when this is set to true, h2UpgradePolicy is ineffective, i.e. the client connections will not be upgraded to HTTP/2.

TrafficPolicySpec.Policy.MTLS

Configure mTLS settings on destinations. If specified this overrides the global default defined in Settings.

Field Type Label Description
istio networking.mesh.gloo.solo.io.TrafficPolicySpec.Policy.MTLS.Istio Istio TLS settings.

TrafficPolicySpec.Policy.MTLS.Istio

Istio TLS settings.

Field Type Label Description
tlsMode networking.mesh.gloo.solo.io.TrafficPolicySpec.Policy.MTLS.Istio.TLSmode TLS connection mode. Note: If this setting is set to STRICT, but settings.spec.peerAuth.peerAuthTlsMode is UNSET (or vice versa), the connection fails because mutual TLS cannot be enforced in one place but unenforced in another place. Make sure these settings match.

TrafficPolicySpec.Policy.Mirror

Mirror traffic to another destination (traffic will be sent to its original destination in addition to the mirrored destinations).

Field Type Label Description
kubeService core.skv2.solo.io.ClusterObjectRef Reference (name, namespace, Gloo Mesh cluster) to a Kubernetes service.
percentage double Percentage of traffic to mirror. If omitted all traffic will be mirrored. Values must be between 0 and 100.
port uint32 Port on the destination to receive traffic. Required if the destination exposes multiple ports.

TrafficPolicySpec.Policy.MultiDestination

Specify a traffic shift destination.

Field Type Label Description
destinations []networking.mesh.gloo.solo.io.WeightedDestination repeated Specify weighted traffic shift destinations.

TrafficPolicySpec.Policy.OutlierDetection

Configure outlier detection on the selected destinations. Specifying this field requires an empty source_selector because it must apply to all traffic.

Field Type Label Description
consecutiveErrors uint32 The number of errors before a host is ejected from the connection pool. A default will be used if not set.
interval google.protobuf.Duration The time interval between ejection sweep analysis. Format: 1h/1m/1s/1ms. Must be >= 1ms. A default will be used if not set.
baseEjectionTime google.protobuf.Duration The minimum ejection duration. Format: 1h/1m/1s/1ms. Must be >= 1ms. A default will be used if not set.
maxEjectionPercent uint32 The maximum percentage of hosts that can be ejected from the load balancing pool. At least one host will be ejected regardless of the value. Must be between 0 and 100. A default will be used if not set.

TrafficPolicySpec.Policy.RetryPolicy

Specify retries for failed requests.

Field Type Label Description
attempts int32 Number of retries for a given request.
perTryTimeout google.protobuf.Duration Timeout per retry attempt for a given request. Format: 1h/1m/1s/1ms. Must be >= 1ms.

TrafficPolicySpec.Policy.TCPSettings

Settings common to both HTTP and TCP upstream connections.

Field Type Label Description
maxConnections int32 Maximum number of HTTP1/TCP connections to a destination host. Default 2^32-1.
connectTimeout google.protobuf.Duration TCP connection timeout. Format: 1h/1m/1s/1ms. Must be >= 1ms. Default is 10s.
tcpKeepalive common.mesh.gloo.solo.io.TCPKeepalive If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
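
The value constraints stated in the FaultInjection, Mirror, OutlierDetection, RetryPolicy and TCPSettings tables above can be checked before a TrafficPolicy is applied. This is an added example, not part of Gloo Mesh; it assumes the spec has already been parsed into a dict, that durations are written in the documented 1h/1m/1s/1ms form (accepting decimals is an assumption), and the sample spec is constructed.

```python
import re

_UNIT_MS = {"h": 3_600_000, "m": 60_000, "s": 1_000, "ms": 1}
# Duration fields under spec.policy that the tables document as ">= 1ms".
_MIN_1MS = [("faultInjection", "fixedDelay"), ("retries", "perTryTimeout"),
            ("outlierDetection", "interval"), ("outlierDetection", "baseEjectionTime"),
            ("connectionPoolSettings", "tcp", "connectTimeout")]
# Fields documented as "between 0 and 100".
_PERCENT = [("faultInjection", "percentage"), ("mirror", "percentage"),
            ("outlierDetection", "maxEjectionPercent")]

def _get(node, path):
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def duration_ms(text):
    """Parse the documented 1h/1m/1s/1ms format; None if malformed."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(ms|h|m|s)", str(text).strip())
    return float(m.group(1)) * _UNIT_MS[m.group(2)] if m else None

def lint_traffic_policy(spec):
    """Return a list of findings for a parsed TrafficPolicy spec (dict)."""
    findings, policy = [], spec.get("policy") or {}
    if "outlierDetection" in policy and spec.get("sourceSelector"):
        findings.append("outlierDetection requires an empty sourceSelector")
    abort = _get(policy, ("faultInjection", "abort"))
    if abort is not None and "httpStatus" not in abort:
        findings.append("faultInjection.abort.httpStatus is required")
    for path in _MIN_1MS:
        value = _get(policy, path)
        if value is not None and (duration_ms(value) or 0) < 1:
            findings.append(".".join(path) + " must be a duration >= 1ms")
    for path in _PERCENT:
        value = _get(policy, path)
        if value is not None and not (
                isinstance(value, (int, float)) and 0 <= value <= 100):
            findings.append(".".join(path) + " must be between 0 and 100")
    return findings

# Constructed sample; the selector body is a placeholder, not a real matcher.
SAMPLE_SPEC = {"sourceSelector": [{"placeholder": "non-empty"}], "policy": {
    "outlierDetection": {"interval": "0.5ms", "maxEjectionPercent": 150},
    "faultInjection": {"abort": {}, "fixedDelay": "2s", "percentage": 50}}}

if __name__ == "__main__":
    print("\n".join(lint_traffic_policy(SAMPLE_SPEC)))
```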

TrafficPolicySpec.RouteSelector

Specify selected gateway traffic by specifying which gateway resources (virtualHosts or routeTables) to select. You can optionally further filter by using route labels to only select a subset of routes within those resources. If no virtualHost or routeTable selectors (or references) are explicitly set, all virtualHosts and routeTables will be selected by default. If no route label matcher is specified, all routes on the selected resources are matched.

Field Type Label Description
virtualHostRefs []core.skv2.solo.io.ObjectRef repeated Select VirtualHosts by reference.
virtualHostSelector core.skv2.solo.io.ObjectSelector Select VirtualHosts by label and/or namespace.
routeTableRefs []core.skv2.solo.io.ObjectRef repeated Select RouteTables by reference.
routeTableSelector core.skv2.solo.io.ObjectSelector Select RouteTables by label and/or namespace.
routeLabelMatcher []networking.mesh.gloo.solo.io.TrafficPolicySpec.RouteSelector.RouteLabelMatcherEntry repeated Specify a set of labels for selecting Routes. All labels listed here must be present on a route for that route to be considered matched. If omitted, all routes on the selected VirtualHosts are selected.

TrafficPolicySpec.RouteSelector.RouteLabelMatcherEntry

Field Type Label Description
key string
value string

TrafficPolicyStatus

Field Type Label Description
observedGeneration int64 The most recent generation observed in the TrafficPolicy metadata. If the observedGeneration does not match metadata.generation, Gloo Mesh has not processed the most recent version of this resource.
state common.mesh.gloo.solo.io.ApprovalState The state of the overall resource. It will only show accepted if it has been successfully applied to all selected Destinations.
destinations []networking.mesh.gloo.solo.io.TrafficPolicyStatus.DestinationsEntry repeated The status of the TrafficPolicy for each selected Destination. A TrafficPolicy may be Accepted for some Destinations and rejected for others.
virtualDestinations []networking.mesh.gloo.solo.io.TrafficPolicyStatus.VirtualDestinationsEntry repeated The status of the TrafficPolicy for each selected Virtual Destination. A TrafficPolicy may be Accepted for some Virtual Destinations and rejected for others.
workloads []string repeated The list of selected Workloads for which this policy has been applied.
errors []string repeated Any errors found while processing this generation of the resource.
gatewayRoutes []networking.mesh.gloo.solo.io.TrafficPolicyStatus.GatewayRoutesEntry repeated The Gateway resources to which this traffic policy has been applied. The resource names are in the format name.namespace (resourceType), which act as the keys in this map.

TrafficPolicyStatus.DestinationsEntry

Field Type Label Description
key string
value networking.mesh.gloo.solo.io.ApprovalStatus

TrafficPolicyStatus.GatewayRoutesEntry

Field Type Label Description
key string
value networking.mesh.gloo.solo.io.GatewayRoutes

TrafficPolicyStatus.VirtualDestinationsEntry

Field Type Label Description
key string
value networking.mesh.gloo.solo.io.ApprovalStatus

TrafficPolicySpec.Policy.HTTPSettings.H2UpgradePolicy

Specify if http1.1 connection should be upgraded to http2 for the associated destination.

Name Number Description
DEFAULT 0 Use the global default.
DO_NOT_UPGRADE 1 Do not upgrade the connection to http2. This opt-out option overrides the default.
UPGRADE 2 Upgrade the connection to http2. This opt-in option overrides the default.

TrafficPolicySpec.Policy.MTLS.Istio.TLSmode

TLS connection mode. Enums correspond to those defined here

Name Number Description
DISABLE 0 Do not originate a TLS connection to the upstream endpoint.
SIMPLE 1 Originate a TLS connection to the upstream endpoint.
ISTIO_MUTUAL 2 Secure connections to the upstream using mutual TLS by presenting client certificates for authentication. This mode uses certificates generated automatically by Istio for mTLS authentication. When this mode is used, all other fields in ClientTLSSettings should be empty.