VirtualGateway

Proto: virtual_gateway.proto

Package: networking.gloo.solo.io

Types:

TLSConfig

TLSConfig contains the options necessary to configure a listener to use TLS

Field Description
secretName (string)

SecretName is the name of the kubernetes secret which contains the ssl secret. Each Gateway will look for a secret with this name on its own local cluster in its own namespace.
files (TLSConfig.Files)

Files reference paths to certificates which can be read by the proxy off of its local filesystem
verifySubjectAltName (repeated string)

Verify that the Subject Alternative Name in the peer certificate is one of the specified values. Note that ca_certs must be provided if this option is used.
parameters (TLSConfig.Parameters)

mode (TLSConfig.TLSMode)

TLS modes enforced by the proxy

TLSConfig.Files

Field Description
serverCert (string)

Required if tlsMode is SIMPLE or MUTUAL. The path to the file that contains the server side TLS certificate.
privateKey (string)

Required if tlsMode is SIMPLE or MUTUAL. The path to the file that contains the server's private key.
caCerts (string)

Required if tlsMode is MUTUAL. The path to the file that contains the certificate authority (CA) certificates used to validate the client certificate.

TLSConfig.Parameters

General TLS parameters. See the Envoy docs for more information on the meaning of these values.

Field Description
minimumProtocolVersion (TLSConfig.Parameters.ProtocolVersion)

maximumProtocolVersion (TLSConfig.Parameters.ProtocolVersion)

cipherSuites (repeated string)
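The constraints spelled out in the field descriptions above (which of serverCert, privateKey, caCerts and secretName a given mode needs, that verifySubjectAltName needs ca_certs, that ISTIO_MUTUAL leaves every other field empty, and that the protocol version range must be ordered) are easy to get wrong by hand. The following is an added example, not Gloo code, of a static check that applies those rules to the Python equivalent of a listener's tls block before it is applied. The checks marked POLICY (rejecting TLSv1_0 and TLSv1_1, and rejecting a config that sets both files and secretName) are this reviewer's hardening choices, not requirements stated by the API; the assumption that an unset mode means PASSTHROUGH follows from it being enum value 0. The two sample configs are constructed for the example.

```python
"""Static check of a VirtualGateway TLSConfig (added example, not Gloo code).

The TLSConfig is given as the Python equivalent of the YAML under
spec.listeners[].tls. Rules follow the field descriptions in the reference;
the ones marked POLICY are this reviewer's hardening choices, not API rules.
"""

# Enum values as listed under TLSConfig.Parameters.ProtocolVersion.
PROTOCOL_ORDER = {"TLS_AUTO": 0, "TLSv1_0": 1, "TLSv1_1": 2, "TLSv1_2": 3, "TLSv1_3": 4}
TLS_MODES = {"PASSTHROUGH", "SIMPLE", "MUTUAL", "AUTO_PASSTHROUGH", "ISTIO_MUTUAL"}
LEGACY_VERSIONS = {"TLSv1_0", "TLSv1_1"}


def lint_tls_config(tls: dict) -> list:
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    # Assumption: an unset mode takes the proto default, enum 0 = PASSTHROUGH.
    mode = tls.get("mode", "PASSTHROUGH")
    files = tls.get("files") or {}
    secret = tls.get("secretName")
    params = tls.get("parameters") or {}

    if mode not in TLS_MODES:
        return ["mode: unknown value %r" % mode]

    # ISTIO_MUTUAL: Istio issues the workload certificate; all other fields must be empty.
    if mode == "ISTIO_MUTUAL":
        extra = sorted(k for k, v in tls.items() if k != "mode" and v)
        if extra:
            findings.append("ISTIO_MUTUAL: other fields must be empty, found %s" % ", ".join(extra))
        return findings

    if mode in ("SIMPLE", "MUTUAL"):
        has_files = bool(files.get("serverCert") and files.get("privateKey"))
        if not has_files and not secret:
            findings.append("%s: serverCert and privateKey (files) or secretName is required" % mode)
        if has_files and secret:
            findings.append("POLICY: both files and secretName set; use one source of certificates")
        if mode == "MUTUAL" and files and not files.get("caCerts"):
            findings.append("MUTUAL: files.caCerts is required to validate client certificates")

    # verifySubjectAltName only makes sense once the peer chain can be validated.
    if tls.get("verifySubjectAltName") and not files.get("caCerts") and not secret:
        findings.append("verifySubjectAltName: ca_certs must be provided")

    min_v = params.get("minimumProtocolVersion", "TLS_AUTO")
    max_v = params.get("maximumProtocolVersion", "TLS_AUTO")
    for label, v in (("minimumProtocolVersion", min_v), ("maximumProtocolVersion", max_v)):
        if v not in PROTOCOL_ORDER:
            findings.append("%s: unknown value %r" % (label, v))
            return findings
        if v in LEGACY_VERSIONS:
            findings.append("POLICY: %s=%s allows a deprecated TLS version; use TLSv1_2 or newer" % (label, v))
    if "TLS_AUTO" not in (min_v, max_v) and PROTOCOL_ORDER[max_v] < PROTOCOL_ORDER[min_v]:
        findings.append("parameters: maximumProtocolVersion is lower than minimumProtocolVersion")
    return findings


# Constructed inputs: a MUTUAL listener with gaps, and its corrected form.
WEAK_TLS = {
    "mode": "MUTUAL",
    "files": {"serverCert": "/etc/certs/servercert.pem", "privateKey": "/etc/certs/privatekey.pem"},
    "verifySubjectAltName": ["client.example.internal"],
    "parameters": {"minimumProtocolVersion": "TLSv1_0"},
}
HARDENED_TLS = {
    "mode": "MUTUAL",
    "files": {
        "serverCert": "/etc/certs/servercert.pem",
        "privateKey": "/etc/certs/privatekey.pem",
        "caCerts": "/etc/certs/ca.pem",
    },
    "verifySubjectAltName": ["client.example.internal"],
    "parameters": {"minimumProtocolVersion": "TLSv1_2", "maximumProtocolVersion": "TLSv1_3"},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_TLS), ("hardened", HARDENED_TLS)):
        print(name, lint_tls_config(cfg) or "OK")
```

Run as a script it reports three findings for WEAK_TLS (missing caCerts for MUTUAL, verifySubjectAltName without ca_certs, and the TLSv1_0 floor) and OK for HARDENED_TLS. When secretName is used instead of files, the check cannot see whether the secret carries a CA bundle, so it only flags the cases it can decide statically.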

VirtualGatewaySpec

VirtualGateway represents a logical gateway configuration served by Gateway workloads within the same workspace. The specification describes the set of ports on which the virtual gateway listens for incoming or outgoing HTTP/TCP connections, the protocol to use, SNI configuration, etc.

For example, the following VirtualGateway resource configures the gateway to listen for incoming HTTP requests on port 80, and delegates the route configuration for the ‘*.bookinfo.com’ hostname to the bookinfo workspace. The VirtualGateway is applied to the specific set of gateway pods/VMs carrying the app: my-gateway-controller label within the same workspace as the VirtualGateway resource.

apiVersion: networking.gloo.solo.io/v2
kind: VirtualGateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
  labels:
    workspace.solo.io/exported: 'true'
spec:
  workloads:
    - selector:
        labels:
          app: my-gateway-controller
  listeners:
    - port:
        number: 80
      allowedRouteTables:
        - host: '*.bookinfo.com'
          selector:
            workspace: bookinfo

For example, the following VirtualGateway resource configures the gateway to listen for incoming HTTP requests on port 80 and delegate any *.foo.com request to the HTTPRouteTable resource(s) provided by the foo-ws workspace. Further, on the same port 80, it also delegates any *.bar.com request to the route configurations provided by the bar-ws workspace.

apiVersion: networking.gloo.solo.io/v2
kind: VirtualGateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
  labels:
    workspace.solo.io/exported: 'true'
spec:
  workloads:
    - selector:
        labels:
          app: my-gateway-controller
  listeners:
    - port:
        number: 80
      allowedRouteTables:
        - host: '*.foo.com'
          selector:
            workspace: foo-ws
        - host: '*.bar.com'
          selector:
            workspace: bar-ws

For example, the following VirtualGateway resource configures the gateway to act as a load balancer listening on ports 80 and 9080 (http), 443 (https), and 9443 (https) for ingress. The VirtualGateway resource is applied to the specific set of gateway pods/VMs carrying the app: my-gateway-controller label within the same workspace. The route table(s) associated with each of ports 80, 9080 and 443 must be provided by the foo-ws workspace, with hosts that match *.foo.com. The route table(s) for port 9080 must be provided by the bar-ws workspace with hosts that match *.bar.com.

apiVersion: networking.gloo.solo.io/v2
kind: VirtualGateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
  labels:
    workspace.solo.io/exported: 'true'
spec:
  workloads:
    - selector:
        labels:
          app: my-gateway-controller
  listeners:
    - port:
        number: 80
      httpsRedirect: true
      allowedRouteTables:
        - host: '*.foo.com'
          selector:
            workspace: foo-ws
    - port:
        number: 443
      tls:
        mode: SIMPLE
        files:
          privateKey: /etc/certs/privatekey.pem
          serverCert: /etc/certs/servercert.pem
      allowedRouteTables:
        - host: '*.foo.com'
          selector:
            workspace: foo-ws
    - port:
        number: 9443
      tls:
        mode: SIMPLE
        secretName: my-secret
      allowedRouteTables:
        - host: '*.foo.com'
          selector:
            workspace: foo-ws
    - port:
        number: 9080
      allowedRouteTables:
        - host: '*.bar.com'
          selector:
            workspace: bar-ws

For example, the following VirtualGateway resource configures the gateway to listen for incoming HTTP requests on port 80 and delegate any *.foo.com request to the HTTPRouteTable resource(s) provided by the foo-ws workspace. This route table is restricted to CloudProvider functionality that routes to the cloud functions backend-function-* in region us-east-2 and assumes the dev-team-B-* IAM role.

apiVersion: networking.gloo.solo.io/v2
kind: VirtualGateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
  labels:
    workspace.solo.io/exported: 'true'
spec:
  workloads:
    - selector:
        labels:
          app: my-gateway-controller
  listeners:
    - port:
        number: 80
      allowedRouteTables:
        - host: '*.foo.com'
          selector:
            workspace: foo-ws

Field Description
workloads (repeated common.gloo.solo.io.WorkloadSelector)

Optional: Select which gateway workloads implement this virtual gateway in the same workspace. A gateway workload will be selected if it matches any of the provided selectors. For ‘selector.name’, specify the gateway service's name. For ‘selector.labels’, specify the gateway service's ‘spec.selector’ label. If workloads is nil, it will be applied to all gateway workloads.
listeners (repeated VirtualGatewaySpec.Listener)

Required: One or more listeners for the virtual gateway. Each listener specifies a port and virtual host(s) for traffic received on those ports.

VirtualGatewaySpec.Listener

Field Description
port (common.gloo.solo.io.PortSelector)

Required: The port on the gateway workload's service on which the gateway will listen for connections to route.
tls (TLSConfig)

TLS configuration for a virtual host or listener that should serve TLS.
httpsRedirect (bool)

If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS.
http (VirtualGatewaySpec.Listener.HTTPServer)

Serves HTTP requests on the hosts specified for a given listener. The listener routes traffic based on the HTTPRouteTable resource(s) that are attached to the virtual gateway.
tcp (VirtualGatewaySpec.Listener.TCPServer)

Serves TCP connections, routed by the SNI server name. Requires TLS to be enabled on the listener.
allowedRouteTables (repeated VirtualGatewaySpec.Listener.RouteTableFilter)

Optional: Filter RouteTables which can bind to this listener by the host names and object metadata. Wildcard matching for host name is supported here. If not specified, any route table will be allowed to bind to this VirtualGateway.
appProtocol (string)

Optional: Apply an application protocol to use when deciding what additional capabilities to add to the gateway, such as routing and rich metrics. If no protocol is selected, it will be inferred from the listener type and its TLS settings. With an http listener, the app_protocol will default to HTTP if there are no TLS settings and HTTPS if there are. With a tcp listener, the app_protocol will default to TCP or TLS depending on the presence of TLS settings.

VirtualGatewaySpec.Listener.HTTPServer

HTTP server indicates HTTP routes will be served for RouteTables which select this gateway.

VirtualGatewaySpec.Listener.RouteTableFilter

Filter route tables which can attach to a VGW by host name as well as an object selector.

Field Description
host (string)

Required: host name to select. Can use * to match host name patterns in multiple objects.
selector (common.gloo.solo.io.ObjectSelector)

Optional: filter out route tables which do not match the selector, if provided.
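The status field allowedRouteTables (below) lists the route tables that passed these filters. As an added example, not Gloo code, the following reproduces that evaluation for one listener: each RouteTableFilter contributes a host pattern and an optional selector, and a route table binds only if it satisfies both halves of at least one filter. It assumes that ‘*’ in host is a glob over the whole host name (so ‘*.foo.com’ matches ‘api.foo.com’ but not ‘foo.com’), that a route table binds when at least one of its hosts matches, and uses only the workspace and labels parts of ObjectSelector; the route tables are constructed inputs, while the listener is the port-80 listener from the second example above. The point it makes is that the selector, not the host pattern alone, is what stops a route table in another workspace from claiming ‘*.foo.com’ traffic.

```python
"""Which RouteTables may bind to a listener under allowedRouteTables
(added example, not Gloo code).

Assumptions: '*' in RouteTableFilter.host is a glob over the whole host
name, a RouteTable binds when at least one of its hosts matches a filter
whose selector it also satisfies, and the selector fields honoured here
are workspace and labels."""
from fnmatch import fnmatchcase


def host_matches(pattern: str, host: str) -> bool:
    # Host names are case-insensitive; '*' is the only wildcard the reference mentions.
    return fnmatchcase(host.lower(), pattern.lower())


def selector_matches(selector: dict, route_table: dict) -> bool:
    """ObjectSelector subset: workspace must be equal, every label must be present."""
    if not selector:
        return True
    if "workspace" in selector and route_table.get("workspace") != selector["workspace"]:
        return False
    labels = route_table.get("labels") or {}
    return all(labels.get(k) == v for k, v in selector.get("labels", {}).items())


def allowed_route_tables(listener: dict, route_tables: list) -> list:
    """Names of the route tables the listener accepts, in input order.

    Mirrors VirtualGatewayStatus.allowedRouteTables. With no filters the
    reference says any route table may bind."""
    filters = listener.get("allowedRouteTables") or []
    if not filters:
        return [rt["name"] for rt in route_tables]
    accepted = []
    for rt in route_tables:
        for f in filters:
            if selector_matches(f.get("selector"), rt) and any(
                host_matches(f["host"], h) for h in rt["hosts"]
            ):
                accepted.append(rt["name"])
                break
    return accepted


# Listener taken from the second example on this page.
LISTENER = {
    "port": {"number": 80},
    "allowedRouteTables": [
        {"host": "*.foo.com", "selector": {"workspace": "foo-ws"}},
        {"host": "*.bar.com", "selector": {"workspace": "bar-ws"}},
    ],
}

# Constructed RouteTables: name, owning workspace, hosts they claim.
ROUTE_TABLES = [
    {"name": "rt-foo", "workspace": "foo-ws", "hosts": ["api.foo.com"]},
    {"name": "rt-bar", "workspace": "bar-ws", "hosts": ["www.bar.com"]},
    # Right host, wrong workspace: the selector keeps other-ws from claiming *.foo.com.
    {"name": "rt-other", "workspace": "other-ws", "hosts": ["www.foo.com"]},
    # Right workspace, host outside the allowed pattern.
    {"name": "rt-bar-ext", "workspace": "bar-ws", "hosts": ["shop.example.com"]},
]

if __name__ == "__main__":
    print(allowed_route_tables(LISTENER, ROUTE_TABLES))
```

Run as a script it prints ['rt-foo', 'rt-bar']; rt-other is rejected by the workspace selector even though its host matches, and rt-bar-ext is rejected by the host pattern. Dropping allowedRouteTables from the listener makes all four bind, which is why a listener that is shared between workspaces should always carry a filter.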

VirtualGatewaySpec.Listener.TCPServer

VirtualGatewayStatus

Reflects the status of the gateway template.

Field Description
global (common.gloo.solo.io.GenericGlobalStatus)

workspaces (repeated VirtualGatewayStatus.WorkspacesEntry)

The status of the resource in each workspace that it exists in
allowedRouteTables (repeated common.gloo.solo.io.ObjectReference)

List of RouteTables allowed to bind to this VirtualGateway.
workloads (repeated common.gloo.solo.io.ObjectReference)

Workloads selected by this VirtualGateway.

VirtualGatewayStatus.WorkspacesEntry

Field Description
key (string)

value (common.gloo.solo.io.WorkspaceStatus)

TLSConfig.Parameters.ProtocolVersion

Name Number Description
TLS_AUTO 0 Automatically choose the optimal TLS version.
TLSv1_0 1 TLS 1.0
TLSv1_1 2 TLS 1.1
TLSv1_2 3 TLS 1.2
TLSv1_3 4 TLS 1.3

TLSConfig.TLSMode

Name Number Description
PASSTHROUGH 0 The SNI string presented by the client will be used as the match criterion in a VirtualService TLS route to determine the destination service from the service registry.
SIMPLE 1 Secure connections with standard TLS semantics.
MUTUAL 2 Secure connections to the downstream using mutual TLS by presenting server certificates for authentication.
AUTO_PASSTHROUGH 3 Similar to the passthrough mode, except servers with this TLS mode do not require an associated VirtualService to map from the SNI value to service in the registry. The destination details such as the service/subset/port are encoded in the SNI value. The proxy will forward to the upstream (Envoy) cluster (a group of endpoints) specified by the SNI value. This server is typically used to provide connectivity between services in disparate L3 networks that otherwise do not have direct connectivity between their respective endpoints. Use of this mode assumes that both the source and the destination are using Istio mTLS to secure traffic. In order for this mode to be enabled, the gateway deployment must be configured with the ISTIO_META_ROUTER_MODE=sni-dnat environment variable.
ISTIO_MUTUAL 4 Secure connections from the downstream using mutual TLS by presenting server certificates for authentication. Compared to Mutual mode, this mode uses certificates, representing gateway workload identity, generated automatically by Istio for mTLS authentication. When this mode is used, all other fields in TLSConfig should be empty.