settings.proto

Package: gloo.solo.io

Source File: github.com/solo-io/gloo/projects/gloo/api/v1/settings.proto

Settings

Represents global settings for all the Gloo components.

"discoveryNamespace": string
"watchNamespaces": []string
"kubernetesConfigSource": .gloo.solo.io.Settings.KubernetesCrds
"directoryConfigSource": .gloo.solo.io.Settings.Directory
"consulKvSource": .gloo.solo.io.Settings.ConsulKv
"kubernetesSecretSource": .gloo.solo.io.Settings.KubernetesSecrets
"vaultSecretSource": .gloo.solo.io.Settings.VaultSecrets
"directorySecretSource": .gloo.solo.io.Settings.Directory
"kubernetesArtifactSource": .gloo.solo.io.Settings.KubernetesConfigmaps
"directoryArtifactSource": .gloo.solo.io.Settings.Directory
"consulKvArtifactSource": .gloo.solo.io.Settings.ConsulKv
"refreshRate": .google.protobuf.Duration
"devMode": bool
"linkerd": bool
"knative": .gloo.solo.io.Settings.KnativeOptions
"discovery": .gloo.solo.io.Settings.DiscoveryOptions
"gloo": .gloo.solo.io.GlooOptions
"gateway": .gloo.solo.io.GatewayOptions
"consul": .gloo.solo.io.Settings.ConsulConfiguration
"kubernetes": .gloo.solo.io.Settings.KubernetesConfiguration
"extensions": .gloo.solo.io.Extensions
"ratelimit": .ratelimit.options.gloo.solo.io.ServiceSettings
"ratelimitServer": .ratelimit.options.gloo.solo.io.Settings
"rbac": .rbac.options.gloo.solo.io.Settings
"extauth": .enterprise.gloo.solo.io.Settings
"metadata": .core.solo.io.Metadata
"status": .core.solo.io.Status
Field Type Description Default
discoveryNamespace string This is the namespace to which Gloo controllers will write their own resources, e.g. discovered Upstreams or default Gateways. If empty, this will default to “gloo-system”.
watchNamespaces []string Use this setting to restrict the namespaces that Gloo controllers take into consideration when watching for resources. In a usual production scenario, RBAC policies will limit the namespaces that Gloo has access to. If watch_namespaces contains namespaces outside of this whitelist, Gloo will fail to start. If not set, this defaults to all available namespaces. Please note that the discovery_namespace will always be included in this list.
kubernetesConfigSource .gloo.solo.io.Settings.KubernetesCrds Only one of kubernetesConfigSource or consulKvSource can be set.
directoryConfigSource .gloo.solo.io.Settings.Directory Only one of directoryConfigSource or consulKvSource can be set.
consulKvSource .gloo.solo.io.Settings.ConsulKv Only one of consulKvSource or directoryConfigSource can be set.
kubernetesSecretSource .gloo.solo.io.Settings.KubernetesSecrets Only one of kubernetesSecretSource or directorySecretSource can be set.
vaultSecretSource .gloo.solo.io.Settings.VaultSecrets Only one of vaultSecretSource or directorySecretSource can be set.
directorySecretSource .gloo.solo.io.Settings.Directory Only one of directorySecretSource or vaultSecretSource can be set.
kubernetesArtifactSource .gloo.solo.io.Settings.KubernetesConfigmaps Only one of kubernetesArtifactSource or consulKvArtifactSource can be set.
directoryArtifactSource .gloo.solo.io.Settings.Directory Only one of directoryArtifactSource or consulKvArtifactSource can be set.
consulKvArtifactSource .gloo.solo.io.Settings.ConsulKv Only one of consulKvArtifactSource or directoryArtifactSource can be set.
refreshRate .google.protobuf.Duration How frequently to resync watches, etc.
devMode bool Enable serving debug data on port 9090.
linkerd bool Enable automatic linkerd upstream header addition for easier routing to linkerd services.
knative .gloo.solo.io.Settings.KnativeOptions Configuration options for the Clusteringress Controller (for Knative).
discovery .gloo.solo.io.Settings.DiscoveryOptions Options for configuring Gloo’s Discovery service.
gloo .gloo.solo.io.GlooOptions Options for configuring gloo, the core Gloo controller, which serves dynamic configuration to Envoy.
gateway .gloo.solo.io.GatewayOptions Options for configuring gateway, the Gateway Gloo controller, which enables the VirtualService/Gateway API in Gloo.
consul .gloo.solo.io.Settings.ConsulConfiguration Options to configure Gloo’s integration with HashiCorp Consul.
kubernetes .gloo.solo.io.Settings.KubernetesConfiguration Options to configure Gloo’s integration with Kubernetes.
extensions .gloo.solo.io.Extensions Extensions will be passed along from Listeners, Gateways, VirtualServices, Routes, and Route tables to the underlying Proxy, making them useful for controllers, validation tools, etc. which interact with kubernetes yaml. Some sample use cases: (1) controllers, deployment pipelines, helm charts, etc. which wish to use extensions as a kind of opaque metadata; (2) in the future, Gloo may support gRPC-based plugins which communicate with the Gloo translator out-of-process. Opaque Extensions enable development of out-of-process plugins without requiring recompiling & redeploying Gloo’s API.
ratelimit .ratelimit.options.gloo.solo.io.ServiceSettings Enterprise-only: Partial config for GlooE’s rate-limiting service, based on Envoy’s rate-limit service; supports Envoy’s rate-limit service API. (reference here: https://github.com/lyft/ratelimit#configuration) Configure rate-limit descriptors here, which define the limits for requests based on their descriptors. Configure rate-limits (composed of actions, which define how request characteristics get translated into descriptors) on the VirtualHost or its routes.
ratelimitServer .ratelimit.options.gloo.solo.io.Settings Enterprise-only: Settings for the rate limiting server itself.
rbac .rbac.options.gloo.solo.io.Settings Enterprise-only: Settings for RBAC across all Gloo resources (VirtualServices, Routes, etc.).
extauth .enterprise.gloo.solo.io.Settings Enterprise-only: External auth related settings.
metadata .core.solo.io.Metadata Metadata contains the object metadata for this resource.
status .core.solo.io.Status Status indicates the validation status of this resource. Status is read-only by clients, and set by gloo during validation.

KubernetesCrds

Use Kubernetes CRDs as storage.

Field Type Description Default

KubernetesSecrets

Use Kubernetes as storage for secret data.

Field Type Description Default

VaultSecrets

Use HashiCorp Vault as storage for secret data.

"token": string
"address": string
"caCert": string
"caPath": string
"clientCert": string
"clientKey": string
"tlsServerName": string
"insecure": .google.protobuf.BoolValue
"rootKey": string
Field Type Description Default
token string The token used to authenticate to Vault.
address string address is the address of the Vault server. This should be a complete URL such as http://solo.io.
caCert string caCert is the path to a PEM-encoded CA cert file to use to verify the Vault server SSL certificate.
caPath string caPath is the path to a directory of PEM-encoded CA cert files to verify the Vault server SSL certificate.
clientCert string clientCert is the path to the certificate for Vault communication.
clientKey string clientKey is the path to the private key for Vault communication.
tlsServerName string tlsServerName, if set, is used to set the SNI host when connecting via TLS.
insecure .google.protobuf.BoolValue insecure enables or disables SSL verification; when set to true, the Vault server certificate is not verified.
rootKey string All keys stored in Vault will begin with this prefix. This can be used to run multiple instances of Gloo against the same Consul cluster. Defaults to gloo.

ConsulKv

Use HashiCorp Consul Key-Value as storage for config data. Configuration options for connecting to Consul can be configured in the Settings’ root consul field.

"rootKey": string
Field Type Description Default
rootKey string All keys stored in Consul will begin with this prefix. This can be used to run multiple instances of Gloo against the same Consul cluster. Defaults to gloo.

KubernetesConfigmaps

Use Kubernetes ConfigMaps as storage.

Field Type Description Default

Directory

As an alternative to Kubernetes CRDs, Gloo is able to store resources in a local file system. This option determines the root of the directory tree used to this end.

"directory": string
Field Type Description Default
directory string

KnativeOptions

"clusterIngressProxyAddress": string
"knativeExternalProxyAddress": string
"knativeInternalProxyAddress": string
Field Type Description Default
clusterIngressProxyAddress string Address of the clusteringress proxy. If empty, it will default to clusteringress-proxy.$POD_NAMESPACE.svc.cluster.local. Use if running Knative Version 0.7.X or less.
knativeExternalProxyAddress string Address of the externally-facing knative proxy. If empty, it will default to knative-external-proxy.$POD_NAMESPACE.svc.cluster.local. Use if running Knative Version 0.8.X or higher.
knativeInternalProxyAddress string Address of the internally-facing knative proxy. If empty, it will default to knative-internal-proxy.$POD_NAMESPACE.svc.cluster.local. Use if running Knative Version 0.8.X or higher.

DiscoveryOptions

"fdsMode": .gloo.solo.io.Settings.DiscoveryOptions.FdsMode
Field Type Description Default
fdsMode .gloo.solo.io.Settings.DiscoveryOptions.FdsMode

FdsMode

Possible modes for running the function discovery service (FDS). FDS polls services in-cluster for Swagger and gRPC endpoints. This behavior can be controlled with the use of annotations. FdsMode specifies what policy FDS will use when determining which services to poll.

Name Description
BLACKLIST In BLACKLIST mode (default), FDS will poll all services in cluster except those services labeled with discovery.solo.io/function_discovery=disabled. This label can also be used on namespaces to apply to all services within a namespace which are not explicitly whitelisted. Note that kube-system and kube-public namespaces must be explicitly whitelisted even in blacklist mode.
WHITELIST In WHITELIST mode, FDS will poll only services in cluster labeled with discovery.solo.io/function_discovery=enabled. This label can also be used on namespaces to apply to all services which are not explicitly blacklisted within a namespace.
DISABLED In DISABLED mode, FDS will not run.

ConsulConfiguration

Provides overrides for the default configuration parameters used to connect to Consul.

Note: It is also possible to configure the Consul client Gloo uses via the environment variables described here. These need to be set on the Gloo container.

"address": string
"datacenter": string
"username": string
"password": string
"token": string
"caFile": string
"caPath": string
"certFile": string
"keyFile": string
"insecureSkipVerify": .google.protobuf.BoolValue
"waitTime": .google.protobuf.Duration
"serviceDiscovery": .gloo.solo.io.Settings.ConsulConfiguration.ServiceDiscoveryOptions
Field Type Description Default
address string The address of the Consul server. Defaults to the value of the standard CONSUL_HTTP_ADDR env if set, otherwise to 127.0.0.1:8500.
datacenter string Datacenter to use. If not provided, the default agent datacenter is used.
username string Username to use for HTTP Basic Authentication.
password string Password to use for HTTP Basic Authentication.
token string Token is used to provide a per-request ACL token which overrides the agent’s default token.
caFile string caFile is the optional path to the CA certificate used for Consul communication, defaults to the system bundle if not specified.
caPath string caPath is the optional path to a directory of CA certificates to use for Consul communication, defaults to the system bundle if not specified.
certFile string CertFile is the optional path to the certificate for Consul communication. If this is set then you need to also set KeyFile.
keyFile string KeyFile is the optional path to the private key for Consul communication. If this is set then you need to also set CertFile.
insecureSkipVerify .google.protobuf.BoolValue InsecureSkipVerify if set to true will disable TLS host verification.
waitTime .google.protobuf.Duration WaitTime limits how long watches for Consul resources will block. If not provided, the agent default values will be used.
serviceDiscovery .gloo.solo.io.Settings.ConsulConfiguration.ServiceDiscoveryOptions Enables Service Discovery via Consul. Set this field to an empty struct {} to enable it with defaults.

ServiceDiscoveryOptions

Service discovery options for Consul.

"dataCenters": []string
Field Type Description Default
dataCenters []string Use this parameter to restrict the data centers that will be considered when discovering and routing to services. If not provided, Gloo will use all available data centers.

KubernetesConfiguration

Provides overrides for the default configuration parameters used to interact with Kubernetes.

"rateLimits": .gloo.solo.io.Settings.KubernetesConfiguration.RateLimits
Field Type Description Default
rateLimits .gloo.solo.io.Settings.KubernetesConfiguration.RateLimits Rate limits for the kubernetes clients.

RateLimits

"qPS": float
"burst": int
Field Type Description Default
qPS float The maximum queries-per-second Gloo can make to the Kubernetes API Server.
burst int Maximum burst for throttle. On top of a steady state of QPS requests per second, this is the additional number of requests allowed, to permit short bursts.

GlooOptions

Settings specific to the gloo (Envoy xDS server) controller

"xdsBindAddr": string
"validationBindAddr": string
"circuitBreakers": .gloo.solo.io.CircuitBreakerConfig
"endpointsWarmingTimeout": .google.protobuf.Duration
"awsOptions": .gloo.solo.io.GlooOptions.AWSOptions
"invalidConfigPolicy": .gloo.solo.io.GlooOptions.InvalidConfigPolicy
"disableKubernetesDestinations": bool
Field Type Description Default
xdsBindAddr string Where the gloo xDS server should bind (should not need configuration by user). Defaults to 0.0.0.0:9977.
validationBindAddr string Where the gloo validation server should bind. Defaults to 0.0.0.0:9988.
circuitBreakers .gloo.solo.io.CircuitBreakerConfig Default circuit breaker configuration to use for upstream requests, when not provided by specific upstream.
endpointsWarmingTimeout .google.protobuf.Duration Timeout to get the initial snapshot of resources. If not set, Gloo will not wait for the initial snapshot. If set, and gloo could not fetch its initial snapshot before the timeout is reached, gloo will panic.
awsOptions .gloo.solo.io.GlooOptions.AWSOptions
invalidConfigPolicy .gloo.solo.io.GlooOptions.InvalidConfigPolicy Set these options to fine-tune the way Gloo handles invalid user configuration.
disableKubernetesDestinations bool Gloo allows you to directly reference a Kubernetes service as a routing destination. To enable this feature, Gloo scans the cluster for Kubernetes services and creates a special type of in-memory Upstream to represent them. If the cluster contains a lot of services and you do not restrict the namespaces Gloo is watching, this can result in significant overhead. If you do not plan on using this feature, you can use this flag to turn it off.

AWSOptions

"enableCredentialsDiscovey": bool
Field Type Description Default
enableCredentialsDiscovey bool Enable credential discovery via IAM; when this is set, there’s no need to provide a secret on the upstream when running in an AWS environment. Note: This should ONLY be enabled when running in an AWS environment, as the AWS code blocks the envoy main thread. This should be negligible when running inside AWS.

InvalidConfigPolicy

Policy for how Gloo should handle invalid config.

"replaceInvalidRoutes": bool
"invalidRouteResponseCode": int
"invalidRouteResponseBody": string
Field Type Description Default
replaceInvalidRoutes bool If set to true, Gloo removes any routes from the provided configuration which point to a missing destination. Routes that are removed in this way will instead return a configurable direct response to clients. When routes are replaced, Gloo will configure Envoy with a special listener which serves direct responses. Note: enabling this option allows Gloo to accept partially valid proxy configurations.
invalidRouteResponseCode int Replaced routes reply to clients with this response code. Default is 404.
invalidRouteResponseBody string Replaced routes reply to clients with this response body. Default is ‘Gloo Gateway has invalid configuration. Administrators should run glooctl check to find and fix config errors.’.

GatewayOptions

Settings specific to the Gateway controller

"validationServerAddr": string
"disableAutoGenGateways": bool
"validation": .gloo.solo.io.GatewayOptions.ValidationOptions
"readGatewaysFromAllNamespaces": bool
Field Type Description Default
validationServerAddr string Address of the gloo config validation server. Defaults to gloo:9988.
disableAutoGenGateways bool Disable auto generation of default gateways from gateway pod.
validation .gloo.solo.io.GatewayOptions.ValidationOptions If provided, the Gateway will perform Dynamic Admission Control of Gateways, Virtual Services, and Route Tables when running in Kubernetes.
readGatewaysFromAllNamespaces bool When true, the Gateway controller will consume Gateway CRDs from all watch namespaces, rather than just the Gateway CRDs in its own namespace.

ValidationOptions

Options for configuring admission control / validation.

"proxyValidationServerAddr": string
"validationWebhookTlsCert": string
"validationWebhookTlsKey": string
"ignoreGlooValidationFailure": bool
"alwaysAccept": .google.protobuf.BoolValue
Field Type Description Default
proxyValidationServerAddr string Address of the gloo proxy validation grpc server. Defaults to gloo:9988. This field is required in order to enable fine-grained admission control.
validationWebhookTlsCert string Path to TLS Certificate for Kubernetes Validating webhook. Defaults to /etc/gateway/validation-certs/tls.crt.
validationWebhookTlsKey string Path to TLS Private Key for Kubernetes Validating webhook. Defaults to /etc/gateway/validation-certs/tls.key.
ignoreGlooValidationFailure bool When Gateway cannot communicate with Gloo (e.g. Gloo is offline), resources will be rejected by default. Enable ignoreGlooValidationFailure to prevent the Validation server from rejecting resources due to network errors.
alwaysAccept .google.protobuf.BoolValue Always accept resources even if validation produced an error. Validation will still log the error and increment the validation.gateway.solo.io/resources_rejected stat. Currently defaults to true; must be set to false to prevent writing invalid resources to storage.
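
Several fields in this reference relax a security control either when set or by default (devMode, watchNamespaces, the Vault and Consul TLS switches, and the validation options). The following added example, which is not part of the Gloo project or of the original page, audits a Settings message for those values using the defaults documented above. It assumes the message is available as a JSON-style dict (for a Kubernetes CRD, assumed to be the object's spec); the function name and the sample values are constructed for illustration.

```python
import json

def audit_settings(spec):
    """Return (field path, reason) pairs for risky values in a Settings dict."""
    findings = []
    if spec.get("devMode"):
        findings.append(("devMode", "debug data is served on port 9090"))
    if not spec.get("watchNamespaces"):
        findings.append(("watchNamespaces", "unset: all available namespaces are watched"))

    vault = spec.get("vaultSecretSource") or {}
    if vault.get("insecure"):
        findings.append(("vaultSecretSource.insecure", "Vault certificate is not verified"))
    if (vault.get("address") or "").lower().startswith("http://"):
        findings.append(("vaultSecretSource.address", "Vault token is sent in cleartext"))

    if (spec.get("consul") or {}).get("insecureSkipVerify"):
        findings.append(("consul.insecureSkipVerify", "TLS host verification is disabled"))

    validation = (spec.get("gateway") or {}).get("validation")
    if validation is None:
        # Per the GatewayOptions table, admission control runs only if this is provided.
        findings.append(("gateway.validation", "not provided: no admission control"))
    else:
        # alwaysAccept is a BoolValue; the table says it currently defaults to true,
        # so anything other than an explicit false still accepts invalid resources.
        if validation.get("alwaysAccept") is not False:
            findings.append(("gateway.validation.alwaysAccept",
                             "invalid resources are still written to storage"))
        if validation.get("ignoreGlooValidationFailure"):
            findings.append(("gateway.validation.ignoreGlooValidationFailure",
                             "resources are accepted when Gloo is unreachable"))
    return findings

# Constructed sample inputs (hostnames and paths are placeholders, not from the page).
WEAK = json.loads("""{
  "discoveryNamespace": "gloo-system",
  "devMode": true,
  "vaultSecretSource": {"address": "http://vault.example.internal:8200", "insecure": true},
  "consul": {"address": "127.0.0.1:8500", "insecureSkipVerify": false},
  "gateway": {"validation": {"proxyValidationServerAddr": "gloo:9988",
                             "ignoreGlooValidationFailure": true}}
}""")
HARDENED = json.loads("""{
  "discoveryNamespace": "gloo-system",
  "watchNamespaces": ["gloo-system", "apps"],
  "vaultSecretSource": {"address": "https://vault.example.internal:8200",
                        "caCert": "/etc/vault/ca.pem", "insecure": false},
  "gateway": {"validation": {"alwaysAccept": false, "ignoreGlooValidationFailure": false}}
}""")

if __name__ == "__main__":
    for path, reason in audit_settings(WEAK):
        print(f"{path}: {reason}")
```
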