On this page
RouteTable
RouteTable API reference.
Proto: route_table.proto
Package: networking.gloo.solo.io
Types:
DelegateAction
DelegateActions are used to delegate routing decisions to other resources, for example RouteTables.
| Field | Description |
|---|---|
routeTables | (repeated common.gloo.solo.io.ObjectSelector)Delegate to the RouteTables that match the given selectors. Selected route tables are ordered by creation time stamp in ascending order to guarantee consistent ordering. Route tables will be selected from the pool of route tables defined within the current workspace, as well as any imported into the workspace. |
allowedRoutes | (repeated common.gloo.solo.io.RouteFilter)Optional: Restrict delegation to the RouteTables that match the set of route filter criteria specified. If omitted, any route will be allowed to be referenced by this RouteTable. |
sortMethod | (DelegateAction.SortMethod)How routes should be sorted |
DirectResponseAction
DirectResponseAction is copied directly from https://github.com/envoyproxy/envoy/blob/master/api/envoy/api/v2/route/route.proto
| Field | Description |
|---|---|
status | (uint32)Required: Specifies an HTTP response status between 100-599 inclusive to be returned. |
body | (string)Specifies the content of the response body. If omitted, no body is included in the generated response. Note: Headers can be specified using the Header Modification feature in the enclosing Route, ConnectionHandler, or Gateway options. |
ForwardToAction
When a client request matches a route, Gloo forwards the request to the destination that you specify in this forwardTo action.
| Field | Description |
|---|---|
destinations | (repeated common.gloo.solo.io.DestinationReference)Define the upstream destination to route the request to. Some destinations require additional configuration for the route. For example, to forward requests to a CloudProvider for an AWS Lambda, you must also set a function. HTTP routes support all destinations types. TCP routes support only Kubernetes services and Gloo VirtualDestinations. |
pathRewrite | (string)Replace the path specified in the matcher with this value before forwarding the request to the upstream destination. When a prefix matcher is used, only the prefix portion of the path is rewritten. When an exact matcher is used, the whole path is replaced. Rewriting the path when a regex matcher is used is currently unsupported. Note that path rewrites are available for HTTP routes only and are not supported for TCP routes. |
regexRewrite | (envoy.type.matcher.v3.RegexMatchAndSubstitute)During forwarding, portions of the path that match the pattern are rewritten, even allowing the substitution of capture groups from the pattern into the new path as specified by the rewrite substitution string. This substitution is useful to allow application paths to be rewritten in a way that is aware of segments with variable content like identifiers. Note that regex rewrites are available for RE2 syntax and HTTP routes only. |
hostRewrite | (string)Replace the Authority/Host header with this value before forwarding the request to the upstream destination. Note that host rewrites are available for HTTP routes only and are not supported for TCP routes. |
autoHostRewrite | (bool)Automatically replace the Authority/Host header with the hostname of the upstream destination. Note that host rewrites are available for HTTP routes only and are not supported for TCP routes. |
GraphQLAction
| Field | Description |
|---|---|
schema | (core.skv2.solo.io.ClusterObjectRef)Reference to a GraphQLSchema resource that contains the configuration for this subschema. |
stitchedSchema | (core.skv2.solo.io.ClusterObjectRef)Reference to a GraphQLStitchedSchema resource that contains the configuration for this subschema. |
options | (GraphQLAction.Options)Options that apply to this GraphQL Schema. |
GraphQLAction.Options
| Field | Description |
|---|---|
logSensitiveInfo | (google.protobuf.BoolValue)Include information about request/response in the envoy debug logs. This is helpful for debugging GraphQL. Defaults to false. |
HTTPRoute
Use HTTP routes to control Layer 7 application level traffic to your services. To configure HTTP routes, you pair together
HTTP request matchers with certain actions. Matchers are criteria such as a route name, port, header, or method to match
with an incoming request. Actions describe what to do with a matching request, such as forwardTo a destination or delegate
to another route table. When an HTTP request matches your HTTP route, Gloo performs the action for that route. You can add
metadata such as names and labels to your HTTP routes so that you can apply policies, track metrics, and better manage the routes.
| Field | Description |
|---|---|
name | (string)unique name of the route (within the route table). used to identify the route for metrics |
labels | (repeated HTTPRoute.LabelsEntry)Labels for the route, which you can use to apply policies that support routeSelectors. For enhanced security, include the special label “gateway.gloo.solo.io/require_auth=true” on the route. To activate this security feature, enable the “gatewayDefaultDenyAllHTTPRequests” feature flag for your Gloo installation. When both the label and feature flag are in place, Gloo requires an authentication policy, such as ExtAuthPolicy or JWTPolicy, to be applied to the route. If the authentication policy is removed or has an error, Gloo rejects all requests to the route. |
matchers | (repeated common.gloo.solo.io.HTTPRequestMatcher)The set of request matchers which this route will match on. If none are specified, this route will match any HTTP traffic. On a delegated RouteTable, this route will only match traffic that includes both the parent and child’s matchers. If these sets conflict, the delegating route on the parent will be replaced with a DirectResponseAction indicating the misconfiguration. |
forwardTo | (ForwardToAction)forward traffic to one or more destination services. |
delegate | (DelegateAction)delegate the handling of traffic to one or more HTTP Route Tables. This can be used to delegate a subset of the route table’s traffic to another route table, which may live in an imported workspace, or to separate routing concerns between objects. |
redirect | (RedirectAction)return a redirect response to the downstream client. |
directResponse | (DirectResponseAction)respond directly to the client from the proxy. |
graphql | (GraphQLAction)handle the HTTP request as a GraphQL request, including query validation, and execution of the GraphQL request. The incoming GraphQL request must either be a GET or POST request, see “Serving over HTTP”. |
HTTPRoute.LabelsEntry
| Field | Description |
|---|---|
key | (string) |
value | (string) |
RedirectAction
Notice: RedirectAction is copied directly from https://github.com/envoyproxy/envoy/blob/master/api/envoy/api/v2/route/route.proto
| Field | Description |
|---|---|
hostRedirect | (string)The host portion of the URL will be swapped with this value. |
pathRedirect | (string)The entire path portion of the URL will be overwritten with this value. |
responseCode | (RedirectAction.RedirectResponseCode)The HTTP status code to use in the redirect response. The default response code is MOVED_PERMANENTLY (301). |
RouteTableReport
| Field | Description |
|---|---|
workspaces | (repeated RouteTableReport.WorkspacesEntry) |
appliedRoutePolicies | (repeated RouteTableReport.AppliedRoutePoliciesEntry)A map of policy GVK to policy references for all policies that are applied on this resource. |
parentRouteTables | (repeated common.gloo.solo.io.ObjectReference)A list of the parents route tables for this route table, if it is a delegated route table. |
ownerWorkspace | (string)The name of the workspace that owns the route table. |
allowedVirtualGateways | (repeated common.gloo.solo.io.ObjectReference)A list of allowed virtual gateways that this route table can select. |
delegatedToRouteTables | (repeated RouteTableReport.DelegatedRouteTableReference)A list of routes delegated to by delegated routes in this RouteTable. Only tracks direct delegates of this RouteTable; delegates of delegate routes are not included. |
RouteTableReport.AppliedRoutePoliciesEntry
| Field | Description |
|---|---|
key | (string) |
value | (common.gloo.solo.io.AppliedRoutePolicies) |
RouteTableReport.DelegatedRouteTableReference
| Field | Description |
|---|---|
routeIndex | (int32)The index of the route in the parent RouteTable that delegates to the listed RouteTable. |
routeTable | (common.gloo.solo.io.ObjectReference)The reference to the RouteTable being delegated to by the parent RouteTable. |
RouteTableReport.WorkspacesEntry
| Field | Description |
|---|---|
key | (string) |
value | (common.gloo.solo.io.Report) |
RouteTableSpec
RouteTables define one or more hosts and a set of traffic route rules that describe how to handle traffic for these hosts.
Route tables support two types of routes: HTTP and TCP.
For more information, see see the Routing overview concept docs.
You can delegate HTTP routes to other route tables based on one or more matching hosts and specific route paths. If your “parent” route table delegates some traffic rules to another “child” route table, the child route table must be in the same workspace or imported to the parent route table’s workspace.
You can match traffic that originates from an ingress gateway (north-south), Istio mesh gateway (east-west),
or directly from the sidecars of workloads in your service mesh (east-west),
depending on the configuration of the virtualGateways field.
The following example defines route configuration for the ‘uk.bookinfo.com’ and ’eu.bookinfo.com’ hosts.
Traffic arrives at the my-gateway virtual gateway in the my-gateway-ws workspace.
The route table sets up several different matchers to direct HTTP traffic.
- When the cookie in the header matches to
user=dev-123, HTTP traffic is forwarded to the port7777of thev1ofreviews.qaservice. - When the path matches exactly to
/reviews/, 80% traffic is forwarded to port 9080 of thereviews.prodservice and 20% traffic is forwarded to port 9080 of thereviews.qaservice. - All other HTTP traffic is sent to the default destination, which is port 9080 of
reviews.prodservice in thebookinfoworkspace.
apiVersion: networking.gloo.solo.io/v2
kind: RouteTable
metadata:
name: bookinfo-root-routes
namespace: bookinfo
spec:
hosts:
- 'uk.bookinfo.com'
- 'eu.bookinfo.com'
virtualGateways:
- name: my-gateway
namespace: my-gateway-ws
defaultDestination:
ref:
name: reviews
namespace: prod
port:
number: 9080
http:
- name: reviews-qa
matchers:
- headers:
- name: cookie
value: 'user=dev-123'
forwardTo:
destinations:
- ref:
name: reviews
namespace: qa
subset:
version: v1
port:
number: 7777
- name: reviews
matchers:
- name: review-prefix
uri:
exact: /reviews/
forwardTo:
destinations:
- weight: 80
- ref:
name: reviews
namespace: qa
port:
number: 9080
weight: 20
The following example defines route configuration for the ‘uk.bookinfo.com’ and ’eu.bookinfo.com’ hosts.
Traffic arrives at the my-gateway virtual gateway in the my-gateway-ws workspace. The route table sends traffic to an external cloud function.
- When the HTTP route path matches the prefix
/lambda, traffic is forwarded to the backingaws-providerCloudProvider. - The associated
aws-providerCloudResources resource describes an AWS Lambda service namedlogicalName: aws-dest. - The
"SYNC"option indicates that the AWS Lambda function is invoked synchronously, which is also the default behavior.
apiVersion: networking.gloo.solo.io/v2
kind: RouteTable
metadata:
name: bookinfo-root-routes
namespace: bookinfo
spec:
hosts:
- 'uk.bookinfo.com'
- 'eu.bookinfo.com'
virtualGateways:
- name: my-gateway
namespace: my-gateway-ws
defaultDestination:
ref:
name: reviews
namespace: prod
port:
number: 9080
http:
- name: lambda
matchers:
- uri:
prefix: /lambda
labels:
route: lambda
forwardTo:
destinations:
- awsLambda:
cloudProvider:
name: aws-provider
namespace: bookinfo
cluster: cluster-1
function: aws-dest
options:
invocationStyle: SYNC
The following example defines route configuration for the ‘uk.bookinfo.com’ and ’eu.bookinfo.com’ hosts.
Traffic arrives at the my-gateway virtual gateway in the my-gateway-ws workspace. The route table sends traffic to an external cloud function.
- When the HTTP route path matches the prefix
/lambda, traffic is forwarded to the delegated route table for handling requests to AWS Lambdas. - The
allowedRoutesrestrict the usage of CloudProvider functionality, which routes to cloud functionsbackend-function-*in regionus-east-2and which assumes thedev-team-B-*IAM role in AWS to invoke the function.
apiVersion: networking.gloo.solo.io/v2
kind: RouteTable
metadata:
name: bookinfo-root-routes
namespace: bookinfo
spec:
hosts:
- 'uk.bookinfo.com'
- 'eu.bookinfo.com'
virtualGateways:
- name: my-gateway
namespace: my-gateway-ws
defaultDestination:
ref:
name: reviews
namespace: prod
port:
number: 9080
http:
- name: lambda
matchers:
- uri:
prefix: /lambda
labels:
route: lambda
delegate:
allowedRoutes:
- cloudProvider:
aws:
lambda_function:
- backend-function-.*
iam_roles:
- dev-team-B-.*
regions:
- us-east-2
routeTables:
- labels:
table: lambda
| Field | Description |
|---|---|
hosts | (repeated string)Optional: One or more hosts for which this route table will route traffic. Supports wildcards. To avoid potential misconfigurations, it is recommended to always use fully qualified domain names over short names. Note: It must be empty for a delegated RouteTable. |
virtualGateways | (repeated common.gloo.solo.io.ObjectReference)Optional: A list of references to the virtual gateways which should serve this route table. Only valid for route tables which define at least one host. Note: This field must be empty for a delegated RouteTable. When not specified, the route table applies to either all the sidecars in the workspace or only sidecars for selected workloads (via the workloadSelectors field) in the workspace where the route table is deployed or imported.The following applies to sidecars of all the workloads for the workspace where the route table is deployed or imported: set virtualGateways to null and workloadSelectors to [].The following applies to the my-gateway virtual gateway in the gateway workspace and no sidecars: set virtualGateways.name to my-gateway, virtualGateways.namespace to gateway, and workloadSelectors to [].The following applies to the my-gateway virtual gateway in the gateway workspace and sidecars of all the workloads for the workspace where the route table is deployed or imported: set virtualGateways.name to my-gateway, virtualGateways.namespace to gateway, and workloadSelectors to {}.The following applies to sidecars of all the app: foo workloads for the workspace where the route table is deployed or imported: set virtualGateways to null and workloadSelectors.selector.labels to app: foo.The following applies to the my-gateway virtual gateway in the gateway workspace and sidecars of all the app: foo workloads for the workspace where the route table is deployed or imported: set virtualGateways.name to my-gateway, virtualGateways.namespace to gateway, and workloadSelectors.selector.labels to app: foo. |
workloadSelectors | (repeated common.gloo.solo.io.WorkloadSelector)Optional: Selectors for source workloads (with sidecars) which route traffic for this route table. Only valid for route tables which define at least one host. If no workloadSelectors or virtualGateways are specified, all workloads in the workspace will automatically be selected. If VirtualGateways are specified, set workloadSelectors: - {} to select all workloads in the workspace.For delegated routes: Delegated child route tables inherit the workload selectors of the parent route table, such as ‘value:foo’. The delegated child route table can also have its own workload selectors, such as ’env:prod’. These workload selectors are logically AND’d together. As a result, the child route table routes traffic only to workloads with both ‘value:foo’ and ’env:prod’ labels. Note that the child route table cannot override the parent’s workload selectors, such as by setting ‘value:bar’. In that case, the child route gets an error until the conflict is resolved. Note: Selection of external workloads (VMs) is currently not supported. Note: You can select workloads by using labels only. Selecting workloads by using other references, such as the name, namespace, or cluster is not supported. |
applyToDestinations | (repeated common.gloo.solo.io.DestinationSelector)Optional: Selectors for destinations that shall route traffic by this route table via producer-side side policy (e.g on waypoints) Applying an ambient-backed destinations means that any traffic that reaches the destination, regardless of its origin (mesh, outside mesh), will be subject to the RouteTable’s policy. To select all ambient destinations in the workspace, set applyToDestinations: - {}.Note: applyToDestinations is an alpha API currently implemented only for ambient-enabled meshes. Note: For delegated route tables this field should be empty, as the values from the parent will always be used for destination selection. Note: Selection of external workloads (VMs), external services, and Destinations with sidecars is currently not supported. |
defaultDestination | (common.gloo.solo.io.DestinationReference)Optional: Routes that do not specify a destination will forward traffic to this destination. |
http | (repeated HTTPRoute)The set of HTTP routes for this route table to serve. If no routes match the client request, the client gets back a 404. For more information on supported HTTP features, see the Routing overview concept docs. |
tcp | (repeated TCPRoute)The set of TCP routes for this route table to serve. TCP routes are available only for internal traffic within the cluster, not for ingress gateway traffic. For more information on supported TCP features see the Routing overview concept docs. |
tls | (repeated TLSRoute)The set of TLS routes for this route table to serve. For more information on supported TLS features see the Routing overview concept docs. |
weight | (int32)Weight is used when sorting route tables in delegate action or routes when sorted by specificity. Higher integer values are considered higher priority. The default value is 0. |
portalMetadata | (common.gloo.solo.io.PortalMetadata)Optional: If this route table bundles APIs that you want to expose in a developer portal, you can set portal metadata. Portal metadata is a set of key-value pairs that describe your APIs. Later, your developer portal displays this information in the end-user facing API documentation. |
failureMode | (RouteTableSpec.FailureMode)The desired behavior when one or more routes in a route table are misconfigured. Note: If route delegation is used, the setting is supported on the parent route table only and controls the behavior for all of the child route tables. If set on a child route table, the setting is ignored. |
RouteTableStatus
| Field | Description |
|---|---|
common | (common.gloo.solo.io.Status)The state and workspace conditions of the applied resource. |
numAppliedRoutePolicies | (repeated RouteTableStatus.NumAppliedRoutePoliciesEntry)A map of policy GVK to the number of policies that are applied on this resource, sorted by GVK. |
numParentRouteTables | (uint32)The number of parent route tables for this route table, if it is a delegated route table. |
ownedByWorkspace | (string)The name of the workspace that this route table belongs to. |
numAllowedVirtualGateways | (uint32)The number virtual gateways that this route table can select. |
RouteTableStatus.NumAppliedRoutePoliciesEntry
| Field | Description |
|---|---|
key | (string) |
value | (uint32) |
TCPRoute
Use TCP routes to control lower-level, connection-based traffic to services such as a local database.
TCP routes are available only for internal traffic within the cluster, not for ingress gateway traffic.
To configure TCP routes, you pair together TCP request matchers with certain actions.
Matchers are criteria such as a port to match with an incoming request.
Actions describe what to do with a matching request, such as forwardTo a destination.
When a TCP request matches your TCP route, Gloo performs the action for that route.
| Field | Description |
|---|---|
matchers | (repeated common.gloo.solo.io.TCPRequestMatcher)The set of request matchers for this route to match on. |
forwardTo | (ForwardToAction)Forward traffic to one or more destination services. Note that some forwardTo actions, such as path or host rewrite, are not supported for TCP routes. |
TLSRoute
Use TLS routes to route unterminated TLS traffic (TLS/HTTPS) through an ingress gateway or within the cluster, such as for pass-through SNI-routing. You must specify an SNI host in the matcher, and optionally a port on the host.
| Field | Description |
|---|---|
matchers | (repeated common.gloo.solo.io.TLSRequestMatcher)The set of request matchers for this route to match on. |
forwardTo | (TLSRoute.TLSForwardToAction)Forward traffic to one or more destination services. |
TLSRoute.TLSForwardToAction
When a client request matches a route, Gloo forwards the request to the destination that you specify in this forwardTo action.
| Field | Description |
|---|---|
destinations | (repeated common.gloo.solo.io.DestinationReference)Define the upstream destination to route the request to. |
DelegateAction.SortMethod
| Name | Number | Description |
|---|---|---|
TABLE_WEIGHT | 0 | Routes are kept in the order that they appear relative to their tables, but tables are sorted by weight. Tables that have the same weight will stay in the same order that they are listed in, which is the list order when given as a reference and by creation timestamp when selected. |
ROUTE_SPECIFICITY | 1 | After processing all routes, including additional route tables delegated to, the resulting routes are sorted by specificity to reduce the chance that a more specific route will be short-circuited by a general route. Matchers with exact path matchers are considered more specific than regex path patchers, which are more specific than prefix path matchers. For prefix and exact, matchers of the same type are sorted by length of the path in descending order. For regex matchers they are all treated equal when sorted. For sort ties, table weights are used across tables & within tables user specified order is preserved. Only the most specific matcher on each route is used. For example, consider the following two sub-tables that are sorted by specificity and the resulting route list. Sub-table A, with a table weight of 1 in case of sort ties:
2 in case of sort ties:
|
RedirectAction.RedirectResponseCode
| Name | Number | Description |
|---|---|---|
MOVED_PERMANENTLY | 0 | Moved Permanently HTTP Status Code - 301. |
FOUND | 1 | Found HTTP Status Code - 302. |
SEE_OTHER | 2 | See Other HTTP Status Code - 303. |
TEMPORARY_REDIRECT | 3 | Temporary Redirect HTTP Status Code - 307. |
PERMANENT_REDIRECT | 4 | Permanent Redirect HTTP Status Code - 308. |
RouteTableSpec.FailureMode
| Name | Number | Description |
|---|---|---|
ROUTE_REPLACEMENT | 0 | The default behavior for handling misconfigured routes in a route table. If you attempt to apply incorrect configuration to a route, the configuration is not applied in the cluster. Instead, the misconfigured route is replaced with a 500 HTTP direct response until the error is resolved. Other, correctly configured routes in the route table continue to route as configured and accept updates to their configuration. |
FREEZE_CONFIG | 1 | If you attempt to apply incorrect configuration to a route, the configuration is not accepted and the route table continues to serve the route configuration from the last accepted configuration. Other, correctly configured routes in the route table also continue to serve the last accepted configuration. Updates to correctly configured routes are ignored until the error is resolved. Note that the same behavior applies when using route delegation; any misconfigured route on the parent route table or any child route table freezes the configuration for all routes in the route table tree until the error is resolved. Keep in mind that if you change the failure mode from ROUTE_REPLACEMENT to FREEZE_CONFIG while a route is in a misconfigured state, any replaced routes will maintain their 500 HTTP direct response as that is their behavior in the last accepted configuration. |