Solo Enterprise for kgateway APIs

Review the Solo Enterprise for kgateway API reference docs.

Packages

enterprisekgateway.solo.io/v1alpha1

enterprisekgateway.solo.io/v1alpha1

Resource Types

EnterpriseKgatewayParameters
EnterpriseKgatewayTrafficPolicy

AWSLambdaTransformFormat

Underlying type: string

AWSLambdaTransformFormat defines the format used to transform requests/responses to/from AWS Lambda functions.

Validation:

Enum: [APIGateway]

Appears in:

AWSLambdaTransformation

Field	Description
`APIGateway`	AWSLambdaFormatAPIGateway transforms the request/response to/from AWS Lambda functions as if it were handled by the AWS API Gateway.

AWSLambdaTransformation

AWSLambdaTransformation defines the AWS Lambda transformation configuration for requests and responses.

Appears in:

EntTransformation

Field	Description	Default	Validation
`requestFormat` AWSLambdaTransformFormat	RequestFormat defines the format to transform requests to AWS Lambda functions.		Enum: [APIGateway] Optional: {}
`responseFormat` AWSLambdaTransformFormat	ResponseFormat defines the format to transform responses from AWS Lambda functions.		Enum: [APIGateway] Optional: {}

BodyTransformation

BodyTransformation defines how to transform the body.

Validation:

AtMostOneOf: [body mergeJsonKeys]

Appears in:

TransformationTemplate

Field	Description	Validation
`type` BodyTransformationType	Type specifies the type of body transformation to apply.	Enum: [Body Passthrough MergeExtractorsToBody MergeJsonKeys] Required: {}
`body` InjaTemplate	Body is the request/response body to be transformed. Only use when Type is Body.	Optional: {}
`mergeJsonKeys` object (keys:string, values:OverridableTemplate)	MergeJsonKeys is a transformation template used to merge json keys. Only use when Type is MergeJsonKeys. A set of key-value pairs to merge into the JSON body. Each value will be rendered separately, and then placed into the JSON body at the specified key. There are a number of important caveats to using this feature: * This can only be used when the body is parsed as JSON. * This option does NOT work with advanced templates currently Map of key name -> template to render into the JSON body. Specified keys which don’t exist in the JSON body will be set, keys which do exist will be override. For example, given the following JSON body: { “key1”: “value1” } and the following MergeJsonKeys: { “key1”: “{{ header(“header1”) }}”, “key2”: “{{ header(“header2”) }}" } The resulting JSON body will be: { “key1”: “header1_value”, “key2”: “header2_value” }	Optional: {}

BodyTransformationType

Underlying type: string

BodyTransformationType defines the type of body transformation to apply.

Validation:

Enum: [Body Passthrough MergeExtractorsToBody MergeJsonKeys]

Appears in:

BodyTransformation

Field	Description
`Body`	BodyTransformationTypeBody indicates a template-based body transformation
`Passthrough`	BodyTransformationTypePassthrough indicates a passthrough body transformation
`MergeExtractorsToBody`	BodyTransformationTypeMergeExtractorsToBody indicates merging extractors to body
`MergeJsonKeys`	BodyTransformationTypeMergeJsonKeys indicates merging JSON keys

CA

Appears in:

Agentgateway

Field	Description	Default	Validation
`address` string	Address is the discovery address of the certificate authority. Default is https://istiod.istio-system.svc:15012		Optional: {}
`trustDomain` string	TrustDomain is the trust domain of the certificate authority.		Optional: {}

ClaimToHeader

Allows copying verified claims to headers sent upstream

Appears in:

JWTProvider

Field	Description	Validation
`claim` string	Claim name. for example, “sub”	Required: {}
`header` string	The header the claim will be copied to. for example, “x-sub”.	Required: {}
`append` boolean	If the header exists, append to it (true), or overwrite it (false). If omitted, will default to false.	Optional: {}

ContainerConfiguration

Appears in:

DeploymentConfiguration

Field	Description	Default	Validation
`image` Image	The image. See https://kubernetes.io/docs/concepts/containers/images for details.		Optional: {}
`securityContext` SecurityContext	The security context for this container. Note OmitSecurityContext and FloatingUserId, two related settings. See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#securitycontext-v1-core for details.		Optional: {}

DeploymentConfiguration

DeploymentConfiguration configures the Kubernetes Deployment.

Appears in:

Extensions

Field	Description	Validation
`enabled` boolean	Enabled indicates whether the extension is enabled. If not enabled, then no resources for this extension will be deployed. If the extension was previously enabled and then disabled, the deployed resources will be garbage collected, regardless of whether any other configuration still depends on it.	Optional: {}
`resources` ResourceRequirements		Optional: {}
`pod` Pod		Optional: {}
`container` ContainerConfiguration		Optional: {}
`replicas` integer	The number of desired pods. If omitted, behavior will be managed by the K8s control plane, and will default to 1. If you are using an HPA, make sure to not explicitly define this. K8s reference: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#replicas	Minimum: 0 Optional: {}
`strategy` DeploymentStrategy	The deployment strategy to use to replace existing pods with new ones. The Kubernetes default is a RollingUpdate with 25% maxUnavailable, 25% maxSurge. E.g., to recreate pods, minimizing resources for the rollout but causing downtime: strategy: type: Recreate E.g., to roll out as a RollingUpdate but with non-default parameters: strategy: type: RollingUpdate rollingUpdate: maxSurge: 100%	Optional: {}

DynamicMetadataValue

DynamicMetadataValue defines an Envoy Dynamic Metadata entry.

Appears in:

TransformationTemplate

Field	Description	Validation
`metadataNamespace` string	MetadataNamespace specifies the metadata namespace. Defaults to the filter namespace.	MaxLength: 4096 MinLength: 1 Optional: {}
`key` string	Key specifies the metadata key.	MaxLength: 4096 MinLength: 1 Required: {}
`value` InjaTemplate	Value specifies the template that determines the metadata value.	Required: {}
`jsonToProto` boolean	JsonToProto determines whether to parse the rendered value as a proto Struct message.	Optional: {}

EntExtAuth

Validation:

ExactlyOneOf: [authConfigRef disable]

Appears in:

EnterpriseKgatewayTrafficPolicySpec

Field	Description	Validation
`authConfigRef` AuthConfigRef	AuthConfigRef references the AuthConfig we want the external-auth server will use to make auth decisions.	Optional: {}
`extensionRef` NamespacedObjectReference	ExtensionRef references a GatewayExtension that provides the external authorization service. If not set, defaults to the provisioned ext-auth-service for the GatewayClass of the parent Gateway this policy is being used in. Reference grants are not required for cross-namespace extension references.	Optional: {}
`disable` PolicyDisable	Disable all external authorization filters. Can be used to disable external authorization policies applied at a higher level in the config hierarchy.	Optional: {}

EntJWT

EntJWT defines a set of providers used for JWT authentication (and an optional validation policy for these providers) or the ability to disable JWT authentication and verification.

Appears in:

StagedJWT

Field	Description	Validation
`providers` object (keys:string, values:JWTProvider)	Providers maps a provider name to a JWT provider, configuring a way to authenticate JWTs. If specified, multiple providers will be `OR`-ed together and will allow validation to any of the providers. Note: agentgateway only supports a single provider. If more than one provider is specified, the first provider found with a local JWKS will be used, but order is not guaranteed to be respected due to the map type.	MaxProperties: 32 Optional: {}
`validationPolicy` JwtValidationPolicy	Configure how JWT validation works, with the flexibility to handle requests with missing or invalid JWTs. By default, after applying a JWT policy, only requests that have been authenticated with a valid JWT are allowed.	Enum: [RequireValid AllowMissing AllowMissingOrFailed] Optional: {}
`disable` PolicyDisable	Disable JWT authentication for this policy scope. Note: this is not currently supported for agentgateway.	Optional: {}

EntRBAC

EntRBAC defines RBAC configuration.

Validation:

ExactlyOneOf: [disable policies]

Appears in:

EnterpriseKgatewayTrafficPolicySpec

Field	Description	Default	Validation
`disable` PolicyDisable	Disable is used to explicitly disable RBAC checks for the scope of this policy. This is useful to allow access to static resources/login page without RBAC checks.		Optional: {}
`policies` object (keys:string, values:RBACPolicy)	Policies maps a policy name to an RBAC policy to apply.		Optional: {}

EntRateLimit

Appears in:

EnterpriseKgatewayTrafficPolicySpec

Field	Description	Default	Validation
`global` GlobalRateLimit	Global rate limit configuration		Required: {}

EntTransformation

EntTransformation defines the Enterprise transformation configuration.

Appears in:

EnterpriseKgatewayTrafficPolicySpec

Field	Description	Default	Validation
`stages` StagedTransformations	Stages defines the transformations run at different stages of the filter chain.		Optional: {}
`awsLambda` AWSLambdaTransformation	AWSLambda defines the AWS Lambda transformation configuration.		Optional: {}

EnterpriseKgatewayKubernetesProxyConfig

Appears in:

EnterpriseKgatewayParametersSpec

Field	Description	Validation
`deployment` ProxyDeployment	Use a Kubernetes deployment as the proxy workload type. Currently, this is the only supported workload type.	Optional: {}
`envoyContainer` EnvoyContainer	Configuration for the container running Envoy. If agentgateway is enabled, the EnvoyContainer values will be ignored.	Optional: {}
`sdsContainer` SdsContainer	Configuration for the container running the Secret Discovery Service (SDS).	Optional: {}
`podTemplate` Pod	Configuration for the pods that will be created.	Optional: {}
`service` Service	Configuration for the Kubernetes Service that exposes the Envoy proxy over the network.	Optional: {}
`serviceAccount` ServiceAccount	Configuration for the Kubernetes ServiceAccount used by the Envoy pod.	Optional: {}
`istio` IstioIntegration	Configuration for the Istio integration.	Optional: {}
`stats` StatsConfig	Configuration for the stats server.	Optional: {}
`omitDefaultSecurityContext` boolean	OmitDefaultSecurityContext is used to control whether or not `securityContext` fields should be rendered for the various generated Deployments/Containers that are dynamically provisioned by the deployer. When set to true, no `securityContexts` will be provided and will left to the user/platform to be provided. This should be enabled on platforms such as Red Hat OpenShift where the `securityContext` will be dynamically added to enforce the appropriate level of security.	Optional: {}
`sharedExtensions` Extensions	SharedExtensions defines extensions that are shared across all Gateways of the same GatewayClass	Optional: {}

EnterpriseKgatewayParameters

EnterpriseKgatewayParameters contains configuration that is used to dynamically provision Solo Enterprise for kgateway’s data plane (Envoy proxy instance), and enterprise ExtAuth and RateLimiter extensions

Inherits fields from:

TypeMeta

Field	Description	Validation
`apiVersion` string	`enterprisekgateway.solo.io/v1alpha1`
`kind` string	`EnterpriseKgatewayParameters`
`kind` string	Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds	Optional: {}
`apiVersion` string	APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources	Optional: {}
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.	Optional: {}
`spec` EnterpriseKgatewayParametersSpec	Spec defines the desired state of the gateway parameters	Required: {}
`status` EnterpriseKgatewayParametersStatus	Status is the status of the gateway parameters	Optional: {}

EnterpriseKgatewayParametersSpec

EnterpriseKgatewayParametersSpec defines the desired state of EnterpriseKgatewayParameters

Appears in:

EnterpriseKgatewayParameters

Field	Description	Default	Validation
`kube` EnterpriseKgatewayKubernetesProxyConfig	Kubernetes configuration for the proxy.		Optional: {}

EnterpriseKgatewayParametersStatus

Appears in:

EnterpriseKgatewayParameters

EnterpriseKgatewayTrafficPolicy

EnterpriseKgatewayTrafficPolicy is a traffic policy that can be applied to a route

Inherits fields from:

TypeMeta

Field	Description	Validation
`apiVersion` string	`enterprisekgateway.solo.io/v1alpha1`
`kind` string	`EnterpriseKgatewayTrafficPolicy`
`kind` string	Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds	Optional: {}
`apiVersion` string	APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources	Optional: {}
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.	Optional: {}
`spec` EnterpriseKgatewayTrafficPolicySpec	Spec defines the desired state of the traffic policy	AtMostOneOf: [transformation entTransformation] Required: {}
`status` PolicyStatus	Status is the status of the traffic policy	Optional: {}

EnterpriseKgatewayTrafficPolicySpec

EnterpriseKgatewayTrafficPolicySpec defines the desired state of EnterpriseKgatewayTrafficPolicy

Validation:

AtMostOneOf: [transformation entTransformation]

Appears in:

EnterpriseKgatewayTrafficPolicy

Inherits fields from:

TrafficPolicySpec

Field	Description	Validation
`targetRefs` LocalPolicyTargetReferenceWithSectionName array	TargetRefs specifies the target resources by reference to attach the policy to.	MaxItems: 16 MinItems: 1 Optional: {}
`targetSelectors` LocalPolicyTargetSelectorWithSectionName array	TargetSelectors specifies the target selectors to select resources to attach the policy to.	Optional: {}
`transformation` TransformationPolicy	Transformation is used to mutate and transform requests and responses before forwarding them to the destination.	Optional: {}
`extProc` ExtProcPolicy	ExtProc specifies the external processing configuration for the policy.	ExactlyOneOf: [extensionRef disable] Optional: {}
`extAuth` ExtAuthPolicy	ExtAuth specifies the external authentication configuration for the policy. This controls what external server to send requests to for authentication.	ExactlyOneOf: [extensionRef disable] Optional: {}
`rateLimit` RateLimit	RateLimit specifies the rate limiting configuration for the policy. This controls the rate at which requests are allowed to be processed.	Optional: {}
`cors` CorsPolicy	Cors specifies the CORS configuration for the policy.	Optional: {}
`csrf` CSRFPolicy	Csrf specifies the Cross-Site Request Forgery (CSRF) policy for this traffic policy.	AtMostOneOf: [percentageEnabled percentageShadowed] Optional: {}
`headerModifiers` HeaderModifiers	HeaderModifiers defines the policy to modify request and response headers.	Optional: {}
`autoHostRewrite` boolean	AutoHostRewrite rewrites the Host header to the DNS name of the selected upstream. NOTE: This field is only honored for HTTPRoute targets. NOTE: If `autoHostRewrite` is set on a route that also has a URLRewrite filter configured to override the `hostname`, the `hostname` value will be used and `autoHostRewrite` will be ignored.	Optional: {}
`buffer` Buffer	Buffer can be used to set the maximum request size that will be buffered. Requests exceeding this size will return a 413 response.	ExactlyOneOf: [maxRequestSize disable] Optional: {}
`timeouts` Timeouts	Timeouts defines the timeouts for requests It is applicable to HTTPRoutes and ignored for other targeted kinds.	Optional: {}
`retry` Retry	Retry defines the policy for retrying requests. It is applicable to HTTPRoutes, Gateway listeners and XListenerSets, and ignored for other targeted kinds.	Optional: {}
`rbac` Authorization	RBAC specifies the role-based access control configuration for the policy. This defines the rules for authorization based on roles and permissions. RBAC policies applied at different attachment points in the configuration hierarchy are not cumulative, and only the most specific policy is enforced. This means an RBAC policy attached to a route will override any RBAC policies applied to the gateway or listener.	Optional: {}
`jwtAuth` JWTAuth	JWT specifies the JWT authentication configuration for the policy. This defines the JWT providers and their configurations.	ExactlyOneOf: [extensionRef disable] Optional: {}
`urlRewrite` URLRewrite	UrlRewrite specifies URL rewrite rules for matching requests. NOTE: This field is only honored for HTTPRoute targets.	AtLeastOneOf: [pathRegex] Optional: {}
`compression` Compression	Compression configures response compression (per-route) and request/response decompression (listener-level insertion triggered by route enable). The response compression configuration is only honored for HTTPRoute targets.	AtLeastOneOf: [responseCompression requestDecompression] Optional: {}
`basicAuth` BasicAuthPolicy	BasicAuth specifies the HTTP basic authentication configuration for the policy. This controls authentication using username/password credentials in the Authorization header.	ExactlyOneOf: [users secretRef disable] Optional: {}
`apiKeyAuth` APIKeyAuth	APIKeyAuth authenticates users based on a configured API Key.	ExactlyOneOf: [secretRef secretSelector disable] Optional: {}
`oauth2` OAuth2Policy	OAuth2 specifies the configuration to use for OAuth2/OIDC. Note: the OAuth2 filter does not protect against Cross-Site-Request-Forgery attacks on domains with cached authentication (in the form of cookies). It is recommended to pair this with the CSRF policy to prevent malicious social engineering.	Optional: {}
`entRateLimit` EntRateLimit	EntRateLimit defines the Enterprise rate limit configuration for the traffic policy	Optional: {}
`entExtAuth` EntExtAuth	EntExtAuth defines the Enterprise external authorization configuration for the traffic policy	ExactlyOneOf: [authConfigRef disable] Optional: {}
`entTransformation` EntTransformation	EntTransformation defines the Enterprise transformation configuration for the traffic policy	Optional: {}
`entJWT` StagedJWT	EntJWT allows for configuration of JWT authentication	Optional: {}
`entRBAC` EntRBAC	EntRBAC provides config for RBAC rules based on JWT claims resulting from authentication with `entJWT` configs	ExactlyOneOf: [disable policies] Optional: {}

EscapeCharactersBehavior

Underlying type: string

EscapeCharactersBehavior defines how to handle characters that need to be escaped in JSON.

Validation:

Enum: [Escape DontEscape]

Appears in:

StagedTransformations
TransformationTemplate

Field	Description
`Escape`	EscapeCharactersEscape always escapes characters that need to be escaped in JSON
`DontEscape`	EscapeCharactersDontEscape never escapes characters

Extensions

Appears in:

EnterpriseKgatewayKubernetesProxyConfig

Field	Description	Default	Validation
`extauth` DeploymentConfiguration			Optional: {}
`ratelimiter` DeploymentConfiguration			Optional: {}
`extCache` DeploymentConfiguration			Optional: {}

Extraction

Extraction is used to define extractions to extract information from the request/response. The extracted information can then be referenced in template fields.

Validation:

AtMostOneOf: [body header]

Appears in:

TransformationTemplate

Field	Description	Default	Validation
`body` boolean	ExtractionBody specifies extracting information from the request/response body.		Optional: {}
`header` string	ExtractionHeader specifies extracting information from headers.		MaxLength: 4096 MinLength: 1 Optional: {}
`regex` string	Regex specifies the regular expression used for matching against the source content. - In Extract mode, the entire source must match the regex. `subgroup` selects the n-th capturing group, which determines the part of the match that you want to extract. If the regex does not match the source, the result of the extraction will be an empty value. - In SingleReplace mode, the regex also needs to match the entire source. `subgroup` selects the n-th capturing group that is replaced with the content of `replacementText`. If the regex does not match the source, the result of the replacement will be the source itself. - In ReplaceAll mode, the regex is applied repeatedly to find all occurrences within the source that match. Each matching occurrence is replaced with the value in `replacementText`. In this mode, the configuration is rejected if `subgroup` is set. If the regex does not match the source, the result of the replacement will be the source itself.		MaxLength: 4096 MinLength: 1 Required: {}
`subgroup` integer	Subgroup is used to determine the group that you want to select if your regex contains capturing groups. Defaults to 0. If set in `Extract` and `SingleReplace` modes, the subgroup represents the capturing group that you want to extract or replace in the source. The configuration is rejected if you set subgroup to a non-zero value when using the `REPLACE_ALL` mode.		Minimum: 0 Optional: {}
`replacementText` string	ReplacementText is used to format the substitution for matched sequences in an input string. This value is only legal in `SingleReplace` and `REPLACE_ALL` modes. - In `SingleReplace` mode, the `subgroup` selects the n-th capturing group, which represents the value that you want to replace with the string provided in `replacementText`. - In `REPLACE_ALL` mode, each sequence that matches the specified regex in the input is replaced with the value in`replacementText`. The `replacementText` can include special syntax, such as $1, $2, etc., to refer to capturing groups within the regular expression. The value that is specified in `replacementText` is treated as a string, and is passed to `std::regex_replace` as the replacement string. For more information, see https://en.cppreference.com/cpp/regex/regex_replace.		Optional: {}
`mode` TransformationExtractMode	Mode defines the mode of operation for the extraction. Defaults to Extract.	Extract	Enum: [Extract SingleReplace ReplaceAll] Optional: {}

GlobalRateLimit

Appears in:

EntRateLimit

Field	Description	Default	Validation
`extensionRef` NamespacedObjectReference	ExtensionRef references a GatewayExtension that provides the global rate limit service. If not set, defaults to the rate limit service named ‘rate-limit’ in the same namespace as the Solo Enterprise for kgateway control plane. In this case no reference grant is required.		Optional: {}
`rateLimitConfigRefs` RateLimitConfigRef array	RateLimitConfigRefs is a list of references to the RateLimitConfig resources containing the rate limit configurations.		MaxItems: 16 MinItems: 1 Required: {}

HeaderBodyTransform

HeaderBodyTransform defines a header and body transformation.

Appears in:

Transformation

Field	Description	Default	Validation
`addRequestMetadata` boolean	AddRequestMetadata determines whether to add request metadata to the body. When transforming a request, setting this to true will additionally add “queryString”, “queryStringParameters”, “multiValueQueryStringParameters”, “httpMethod”, “path”, and “multiValueHeaders” to the body.		Optional: {}

HeaderToAppend

HeaderToAppend defines a header-template pair for appending headers.

Appears in:

TransformationTemplate

Field	Description	Default	Validation
`key` string	Key specifies the header name.		MaxLength: 4096 MinLength: 1 Required: {}
`value` InjaTemplate	Value specifies the template to apply to the header value.		Required: {}

InjaTemplate

Underlying type: string

InjaTemplate defines an Inja template that will be rendered by Gloo. In addition to the core template functions, the Gloo transformation filter defines the following custom functions:

header(header_name): returns the value of the header with the given name.
extraction(extractor_name): returns the value of the extractor with the given name.
env(env_var_name): returns the value of the environment variable with the given name.
body(): returns the request/response body.
context(): returns the base JSON context (allowing for example to range on a JSON body that is an array).
request_header(header_name): returns the value of the request header with the given name. Use this option when you want to include request header values in response transformations.
base64_encode(string): encodes the input string to base64.
base64_decode(string): decodes the input string from base64.
substring(string, start_pos, substring_len): returns a substring of the input string, starting at start_pos and extending for substring_len characters. If no substring_len is provided or substring_len is <= 0, the substring extends to the end of the input string.

Appears in:

BodyTransformation
DynamicMetadataValue
HeaderToAppend
OverridableTemplate
SpanTransformer
TransformationTemplate

JWKS

JWKS (JSON Web Key Set) configures how to fetch the public key used for JWT verification.

Validation:

ExactlyOneOf: [local remote]

Appears in:

JWTProvider

Field	Description	Default	Validation
`local` LocalJWKS	Local is used when JWKS is local to the proxy, such as an inline string definition.		Optional: {}
`remote` RemoteJWKS	Remote is used when the JWKS should be fetched from a remote host Note: agentgateway does not support remote JWKS configuration.		Optional: {}

JWTProvider

JWTProvider defines configuration for how a JWT should be authenticated and verified.

Appears in:

EntJWT

Field	Description	Validation
`jwks` JWKS	The source for the keys to validate JWTs.	ExactlyOneOf: [local remote] Required: {}
`audiences` string array	An incoming JWT must have an ‘aud’ claim and it must be in this list.	Optional: {}
`issuer` string	Issuer of the JWT. the ‘iss’ claim of the JWT must match this.	Optional: {}
`tokenSource` TokenSource	Where to find the JWT of the current provider. Note: agentgateway does not support token source configuration.	Optional: {}
`keepToken` boolean	Should the token forwarded upstream. If false, the header containing the token will be removed. If omitted, the default behavior is to remove the token and not forward	Optional: {}
`claimsToHeaders` ClaimToHeader array	What claims should be copied to upstream headers. Note: agentgateway does not support claimsToHeaders configuration.	Optional: {}
`clockSkewSeconds` integer	Used to verify time constraints, such as `exp` and `npf`. If omitted, defaults to 60s Note: agentgateway does not support clockSkewSeconds configuration.	Minimum: 0 Optional: {}
`attachFailedStatusToMetadata` string	When this field is set, the specified value is used as the key in DynamicMetadata to store the JWT failure status code and message under that key. This field is particularly useful when logging the failure status. Note: agentgateway does not support attachFailedStatusToMetadata configuration. For example, if the value of `attach_failed_status_to_metadata` is ‘custom_auth_failure_status’ then the failure status can be accessed in the access log as ‘%DYNAMIC_METADATA(envoy.filters.http.jwt_authn:custom_auth_failure_status)’ Note: status code and message can be individually accessed as ‘%DYNAMIC_METADATA(envoy.filters.http.jwt_authn:custom_auth_failure_status.code)’ and ‘%DYNAMIC_METADATA(envoy.filters.http.jwt_authn:custom_auth_failure_status.message)’ respectively.	Optional: {}

JwksAsyncFetch

Fetch Jwks asynchronously in the main thread when the filter config is parsed. The listener is activated only after the Jwks is fetched. When the Jwks is expired in the cache, it is fetched again in the main thread. The fetched Jwks from the main thread can be used by all worker threads.

Appears in:

RemoteJWKS

Field	Description	Default	Validation
`fastListener` boolean	If false, the listener is activated after the initial fetch is completed. The initial fetch result can be either successful or failed. If true, it is activated without waiting for the initial fetch to complete. Default is false.		Optional: {}

JwtValidationPolicy

Underlying type: string

Validation:

Enum: [RequireValid AllowMissing AllowMissingOrFailed]

Appears in:

EntJWT

Field	Description
`RequireValid`	Default value. Allow only requests that authenticate with a valid JWT to succeed.
`AllowMissing`	Allow requests to succeed even if JWT authentication is missing, but fail when an invalid JWT token is presented. You might use this setting when later steps depend on input from the JWT. For example, you might add claims from the JWT to request headers with the claimsToHeaders field. As such, you may want to make sure that any provided JWT is valid. If not, the request fails, which informs the requester that their JWT is not valid. Requests without a JWT, however, still succeed and skip JWT validation.
`AllowMissingOrFailed`	Allow requests to succeed even when a JWT is missing or JWT verification fails. For example, you might apply multiple policies to your routes so that requests can authenticate with either a JWT or another method such as external auth. Use this value to allow a failed JWT auth request to pass through to the other authentication method.

LocalJWKS

LocalJWKS contains configuration for JWKS that are locally available to the proxy

Appears in:

JWKS

Field	Description	Default	Validation
`key` string	Inline key. this can be json web key, key-set or PEM format.		Required: {}

OverridableTemplate

Appears in:

BodyTransformation

Field	Description	Default	Validation
`tmpl` InjaTemplate	Template to render		Required: {}
`overrideEmpty` boolean	If set to true, the template will be set even if the rendered value is empty.		Optional: {}

QueryParameterMatcher

QueryParameterMatcher configures the query parameter matching to apply.

Appears in:

TransformationRequestMatcher

Field	Description	Validation
`name` string	Specifies the name of a key that must be present in the requested path’s query string.	Required: {}
`value` string	Specifies the value of the key. If the value is absent, a request that contains the key in its query string will match, whether the key appears with a value (e.g., “?debug=true”) or not (e.g., “?debug”)	Optional: {}
`regex` boolean	Specifies whether the query parameter value is a regular expression. Defaults to false. The entire query parameter value (i.e., the part to the right of the equals sign in “key=value”) must match the regex. E.g., the regex “\d+$” will match “123” but not “a123” or “123a”.	Optional: {}

RBACJWTPrincipal

A JWT principal. To use this, JWT authentication MUST be configured as well.

Appears in:

RBACPrincipal

Field	Description	Validation
`claims` object (keys:string, values:string)	Set of claims that make up this principal. Commonly, the ‘iss’ and ‘sub’ or ’email’ claims are used. If you specify the path for a nested claim, such as ‘parent.child.foo’, you must also specify a non-empty string value for the `nested_claim_delimiter` field in the Policy.	Required: {}
`provider` string	Verify that the JWT came from a specific provider. This usually can be left empty and a provider will be chosen automatically.	MinLength: 1 Optional: {}
`matcher` RBACJWTPrincipalClaimMatcher	The matcher to use when evaluating this principal. If omitted, exact string comparison (ExactString) is used.	Enum: [ExactString Boolean ListContains] Optional: {}

RBACJWTPrincipalClaimMatcher

Underlying type: string

Appears in:

RBACJWTPrincipal

Field	Description
`ExactString`	The JWT claim value is a string that exactly matches the value.
`Boolean`	The JWT claim value is a boolean that matches the value.
`ListContains`	The JWT claim value is a list that contains a string that exactly matches the value.

RBACPermissions

What permissions should be granted. An empty field means allow-all. If more than one field is added, all of them need to match.

Appears in:

RBACPolicy

Field	Description	Default	Validation
`pathPrefix` string	Paths that have this prefix will be allowed.		MinLength: 1 Optional: {}
`methods` string array	What http methods (GET, POST, …) are allowed.		Optional: {}

RBACPolicy

Appears in:

EntRBAC

Field	Description	Validation
`principals` RBACPrincipal array	Principals in this policy.	MinItems: 1 Required: {}
`permissions` RBACPermissions	Permissions granted to the principals.	Optional: {}
`nestedClaimDelimiter` string	The delimiter to use when specifying nested claim names within principals. Default is an empty string, which disables nested claim functionality. This is commonly set to `.`, allowing for nested claim names of the form `parent.child.grandchild`	Optional: {}

RBACPrincipal

An RBAC principal - the identity entity (usually a user or a service account).

Appears in:

RBACPolicy

Field	Description	Default	Validation
`jwtPrincipal` RBACJWTPrincipal	JWTPrincipal references a principal from JWT authentication.		Required: {}

RegexMatcher

RegexMatcher based on https://github.com/envoyproxy/envoy/blob/4453ce1f809ec502fb2cbe0363cf5c6a971f3836/api/envoy/type/matcher/regex.proto#L19

Appears in:

StringMatch
TransformationRequestMatcher

Field	Description	Default	Validation
`regex` string	The regex match string. The string must be supported by the configured engine.		Required: {}

RemoteJWKS

Appears in:

JWKS

Field	Description	Validation
`url` string	The url used when accessing the upstream for Json Web Key Set. This is used to correctly set the host and path in the JWKS HTTP request. E.g. https://example.com/.well-known/jwks.json	Pattern: `^(http\|https):\/\/[a-zA-Z0-9]([a-zA-Z0-9-][a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-][a-zA-Z0-9])?)(:\d+)?\/.$` Required: {}
`backendRef` BackendRef	The Backend representing the Json Web Key Set server	Required: {}
`cacheDuration` Duration	Duration after which the cached JWKS should be expired. If not specified, default cache duration is 5 minutes.	Optional: {}
`asyncFetch` JwksAsyncFetch	Fetch Jwks asynchronously in the main thread before the listener is activated. Fetched Jwks can be used by all worker threads. If this feature is not enabled: - The Jwks is fetched on-demand when the requests come. During the fetching, first few requests are paused until the Jwks is fetched. - Each worker thread fetches its own Jwks since Jwks cache is per worker thread. If this feature is enabled: - Fetched Jwks is done in the main thread before the listener is activated. Its fetched Jwks can be used by all worker threads. Each worker thread doesn’t need to fetch its own. - Jwks is ready when the requests come, not need to wait for the Jwks fetching.	Optional: {}

RequestBodyParse

Underlying type: string

RequestBodyParse determines how the body will be parsed.

Appears in:

TransformationTemplate

Field	Description
`ParseAsJson`	ParseAsJson configures the transformation to attempt to parse the request/response body as JSON
`DontParse`	DontParse configures the transformation request/response body will be treated as plain text

RequestMatcher

RequestMatcher configures transformations to apply on the request.

Appears in:

RequestResponseTransformations

Field	Description	Validation
`matcher` TransformationRequestMatcher	Matcher defines the request matching parameter. Only when the match is satisfied, the “requires” field will apply. Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if any one of the matches is satisfied. For example, take the following matches configuration: `<br />matches:<br />- path:<br /> value: "/foo"<br /> headers:<br /> - name: "version"<br /> value "v1"<br />- path:<br /> value: "/v2/foo"<br />` For a request to match against this rule, a request must satisfy EITHER of the two conditions: - path prefixed with `/foo` AND contains the header `version: v1` - path prefix of `/v2/foo` For example: following match will match all requests. matches: - path: value: “/”	AtMostOneOf: [prefix path regex connect] Optional: {}
`clearRouteCache` boolean	ClearRouteCache should we clear the route cache if a transformation was matched.	Optional: {}
`transformation` Transformation	Transformation to apply on the request.	ExactlyOneOf: [template headerBody] Required: {}

RequestResponseTransformations

RequestResponseTransformations configures transformations to apply on the request and response.

Appears in:

StagedTransformations

Field	Description	Default	Validation
`requests` RequestMatcher array	Requests configures transformations to apply on the request. The first request that matches will apply.		MaxItems: 32 Optional: {}
`responses` ResponseMatcher array	Responses configures transformations to apply on the response. The first response transformation that matches will apply.		MaxItems: 32 Optional: {}

ResponseMatcher

ResponseMatch configures transformations to apply on the response.

Appears in:

RequestResponseTransformations

Field	Description	Validation
`matchers` TransformationHeaderMatcher array	Specifies a set of headers that the route should match on. The router will check the response headers against all the specified headers in the route config. A match will happen if all the headers in the route are present in the request with the same values (or based on presence if the value field is not in the config).	MaxItems: 32 Optional: {}
`responseCodeDetails` string	Only match responses with non-empty response code details (this usually implies a local reply).	Optional: {}
`transformation` Transformation	Transformation to apply on the response.	ExactlyOneOf: [template headerBody] Required: {}

SpanTransformer

SpanTransformer defines a span transformer for modifying trace spans.

Appears in:

TransformationTemplate

Field	Description	Default	Validation
`name` InjaTemplate	Name specifies a template that sets the span name.		Required: {}

StagedJWT

StagedJWT allows for configuring JWT authentication at various stages of request processing

Appears in:

EnterpriseKgatewayTrafficPolicySpec

Field	Description	Default	Validation
`afterExtAuth` EntJWT	JWT configuration to be enforced after external auth has been processed (if it is present). Note: this is not currently supported for agentgateway.		Optional: {}
`beforeExtAuth` EntJWT	JWT configuration to be enforced before external auth has been processed.		Optional: {}

StagedTransformations

StagedTransformations configures transformations to apply for different stages of the filter chain.

Appears in:

EntTransformation

Field	Description	Validation
`early` RequestResponseTransformations	Early transformations happen before most other options (Like Auth and Rate Limit).	Optional: {}
`regular` RequestResponseTransformations	Regular transformations happen after Auth and Rate limit decisions have been made.	Optional: {}
`postRouting` RequestResponseTransformations	PostRouting happen during the router filter chain. This is important for a number of reasons 1. Retries re-trigger this filter, which might impact performance. 2. It is the only point where endpoint metadata is available. 3. `clearRouteCache` does NOT work in this stage as the routing decision is already made.	Optional: {}
`logRequestResponseInfo` boolean	When enabled, log request/response body and headers before and after all transformations defined here are applied.<br />This overrides the logRequestResponseInfo field in the Transformation message.	Optional: {}
`escapeCharacters` EscapeCharactersBehavior	EscapeCharacters configures the Inja behavior when rendering strings which contain characters that would need to be escaped to be valid JSON. Note that this sets the behavior for all staged transformations configured here. This setting can be overridden per-transformation using the field `escapeCharacters` on the TransformationTemplate.	Enum: [Escape DontEscape] Optional: {}

TlsContextMatchOptions

TlsContextMatchOptions configures the TLS context match options.

Appears in:

TransformationRequestMatcher

Field	Description	Default	Validation
`presented` boolean	If specified, the route will match against whether a certificate is presented. If not specified, certificate presentation status (true or false) will not be considered when route matching.		Optional: {}
`validated` boolean	If specified, the route will match against whether a certificate is validated. If not specified, certificate validation status (true or false) will not be considered when route matching.		Optional: {}

TokenSource

Describes the location of a JWT token

Appears in:

JWTProvider

Field	Description	Default	Validation
`headers` TokenSourceHeaderSource array	Try to retrieve token from these headers		Optional: {}
`queryParams` string array	Try to retrieve token from these query params		Optional: {}

TokenSourceHeaderSource

Describes how to retrieve a JWT from a header

Appears in:

TokenSource

Field	Description	Default	Validation
`header` string	The name of the header. for example, “authorization”		Required: {}
`prefix` string	Prefix before the token. for example, “Bearer "		Optional: {}

Transformation

Transformation defines a transformation that can be applied to requests or responses.

Validation:

ExactlyOneOf: [template headerBody]

Appears in:

RequestMatcher
ResponseMatcher

Field	Description	Default	Validation
`template` TransformationTemplate	Template specifies a template-based transformation.		Optional: {}
`headerBody` HeaderBodyTransform	HeaderBody specifies a header and body transformation.		Optional: {}

TransformationExtractMode

Underlying type: string

TransformationExtractMode represents the mode of operation for the extraction, which configures how the tranformation will extract the content of a specified capturing group.

Validation:

Enum: [Extract SingleReplace ReplaceAll]

Appears in:

Extraction

Field	Description
`Extract`	ModeExtract configures the transformation to extract the content of a specified capturing group. In this mode, `subgroup` selects the n-th capturing group, which represents the value that you want to extract.
`SingleReplace`	ModeSingleReplace configures the transformation to replace the content of a specified capturing group. In this mode, `subgroup` selects the n-th capturing group, which represents the value that you want to replace with the string provided in `replacementText`. Note: `replacementText` must be set for this mode.
`ReplaceAll`	ModeReplaceAll configures the transformation to replace all regex matches with the value provided in `replacementText`. Note: `replacementText` must be set for this mode. Note: The configuration fails if `subgroup` is set to a non-zero value. Note: restrictions on the regex are different for this mode. See the regex field for more details.

TransformationHeaderMatcher

TransformationHeaderMatcher configures the header matching to apply.

Appears in:

ResponseMatcher
TransformationRequestMatcher

Field	Description	Validation
`name` string	Specifies the name of the header in the request.	Required: {}
`value` string	Specifies the value of the header. If the value is absent a request that has the name header will match, regardless of the header’s value.	Optional: {}
`regex` boolean	Specifies whether the header value should be treated as regex or not.	Optional: {}
`invertMatch` boolean	If set to true, the result of the match will be inverted. Defaults to false. Examples: * name=foo, invertMatch=true: matches if no header named `foo` is present * name=foo, value=bar, invertMatch=true: matches if no header named `foo` with value `bar` is present * name=foo, value=`\d\{3\}`, regex=true, invertMatch=true: matches if no header named `foo` with a value consisting of three integers is present	Optional: {}

TransformationRequestMatcher

TransformationRequestMatcher configures the matcher to match against the request.

Validation:

AtMostOneOf: [prefix path regex connect]

Appears in:

RequestMatcher

Field	Description	Default	Validation
`prefix` string	Prefix configures the prefix rule meaning that the prefix must match the beginning of the :path header. Max length is following https://gateway-api.sigs.k8s.io/reference/spec/#httppathmatch		MaxLength: 1024 MinLength: 1 Optional: {}
`path` string	Path configures the exact path rule meaning that the path must exactly match the :path header once the query string is removed. Max length is following https://gateway-api.sigs.k8s.io/reference/spec/#httppathmatch		MaxLength: 1024 MinLength: 1 Optional: {}
`regex` RegexMatcher	Regex configures the route regular expression rule meaning that the regex must match the :path header once the query string is removed. The entire path (without the query string) must match the regex. The rule will not match if only a subsequence of the :path header matches the regex.		Optional: {}
`connect` boolean	Connect configures the matcher to only match CONNECT requests. Note that this will not match HTTP/2 upgrade-style CONNECT requests (WebSocket and the like) as they are normalized in Envoy as HTTP/1.1 style upgrades. This is the only way to match CONNECT requests for HTTP/1.1. For HTTP/2, where CONNECT requests may have a path, the path matchers will work if there is a path present.		Optional: {}
`caseSensitive` boolean	CaseSensitive indicates that prefix/path matching should be case-insensitive. The default is true.	true	Optional: {}
`headers` TransformationHeaderMatcher array	Specifies a set of headers that the route should match on. The router will check the request’s headers against all the specified headers in the route config. A match will happen if all the headers in the route are present in the request with the same values (or based on presence if the value field is not in the config).		MaxItems: 32 Optional: {}
`queryParameters` QueryParameterMatcher array	Specifies a set of URL query parameters on which the route should match. The router will check the query string from the path header against all the specified query parameters. If the number of specified query parameters is nonzero, they all must match the path header’s query string for a match to occur.		MaxItems: 32 Optional: {}
`grpc` boolean	If specified, only gRPC requests will be matched. The router will check that the content-type header has a application/grpc or one of the various application/grpc+ values.		Optional: {}
`tlsContext` TlsContextMatchOptions	If specified, the client tls context will be matched against the defined match options.		Optional: {}
`methods` string array	HTTP Method/Verb(s) to match on. If none specified, the matcher will ignore the HTTP Method		MaxItems: 32 Optional: {}

TransformationTemplate

TransformationTemplate defines a transformation template.

Appears in:

Transformation

Field	Description	Default	Validation
`advancedTemplates` boolean	AdvancedTemplates determines whether to use JSON pointer notation instead of dot notation. If set to true, use JSON pointer notation (e.g. “time/start”) instead of dot notation (e.g. “time.start”) to access JSON elements. Defaults to false. Please note that, if set to ’true’, you will need to use the `extraction` function to access extractors in the template (e.g. “{{ extraction(“my_extractor”) }}”). If the default value of ‘false’ is used, extractors will simply be available by their name (e.g. “{{ my_extractor }}”).		Optional: {}
`extractors` object (keys:string, values:Extraction)	Extractors use this attribute to extract information from the request. It consists of a map of strings to extractors. The extractor will define which information will be extracted, while the string key will provide the extractor with a name. You can reference extractors by their name in templates, e.g. “{{ my-extractor }}” will render to the value of the “my-extractor” extractor.		MaxProperties: 32 Optional: {}
`headers` object (keys:string, values:InjaTemplate)	Headers configures the transform request/response headers. It consists of a map of strings to templates. The string key determines the name of the resulting header, the rendered template will determine the value. Any existing headers with the same header name will be replaced by the transformed header. If a header name is included in `headers` and `headersToAppend`, it will first be replaced the template in `headers`, then additional header values will be appended by the templates defined in `headersToAppend`. For example, the following header transformation configuration: `yaml<br /> headers:<br /> x-header-one: \{"text": "first \{\{inja\}\} template"\}<br /> x-header-one: \{"text": "second \{\{inja\}\} template"\}<br /> headersToAppend:<br /> - key: x-header-one<br /> value: \{"text": "first appended \{\{inja\}\} template"\}<br /> - key: x-header-one<br /> value: \{"text": "second appended \{\{inja\}\} template"\}<br />` will result in the following headers on the HTTP message: `<br />x-header-one: first inja template<br />x-header-one: first appended inja template<br />x-header-one: second appended inja template<br />`		MaxProperties: 32 Optional: {}
`headersToAppend` HeaderToAppend array	HeadersToAppend configures the transform request/response headers. It consists of an array of string/template objects. Use this attribute to define multiple templates for a single header. Header template(s) defined here will be appended to any existing headers with the same header name, not replace existing ones. See `headers` documentation to see an example of usage.		MaxItems: 32 Optional: {}
`headersToRemove` string array	HeadersToRemove is configured to remove headers from requests. If a header is present multiple times, all instances of the header will be removed.		MaxItems: 32 Optional: {}
`bodyTransformation` BodyTransformation	BodyTransformation specifies how to transform the body.		AtMostOneOf: [body mergeJsonKeys] Optional: {}
`parseBodyBehavior` RequestBodyParse	ParseBodyBehavior determines how the body will be parsed. Defaults to ParseAsJson.	ParseAsJson	Enum: [ParseAsJson DontParse] Optional: {}
`ignoreErrorOnParse` boolean	IgnoreErrorOnParse determines whether Envoy should throw an exception if body parsing fails.		Optional: {}
`dynamicMetadataValues` DynamicMetadataValue array	DynamicMetadataValues defines Envoy Dynamic Metadata entries.		MaxItems: 32 Optional: {}
`escapeCharacters` EscapeCharactersBehavior	EscapeCharacters configures the Inja behavior when rendering strings which contain characters that would need to be escaped to be valid JSON. Note that this sets the behavior for the entire transformation. Use raw_strings function for fine-grained control within a template.		Enum: [Escape DontEscape] Optional: {}
`spanTransformer` SpanTransformer	SpanTransformer defines a span transformer for modifying trace spans.		Optional: {}

Shared Types

The following types are defined in the shared package and used across multiple APIs.

APIKeyAuth

Validation:

ExactlyOneOf=secretRef;secretSelector;disable

Field	Type	Description
`keySources`	[]APIKeySource	keySources specifies the list of key sources to extract the API key from. Key sources are processed in array order and the first one that successfully extracts a key is used. Within each key source, if multiple types (header, query, cookie) are specified, precedence is: header > query parameter > cookie. If empty, defaults to a single key source with header “api-key”. Example: keySources: - header: “X-API-KEY” - query: “api_key” - header: “Authorization” query: “token” cookie: “auth_token” In this example, the system will: 1. First try header “X-API-KEY” 2. If not found, try query parameter “api_key” 3. If not found, try header “Authorization” (then query “token”, then cookie “auth_token” within that key source)
`forwardCredential`	*bool	forwardCredential controls whether the API key is included in the request sent to the upstream. If false (default), the API key is removed from the request before sending to upstream. If true, the API key is included in the request sent to upstream. This applies to all configured key sources (header, query parameter, or cookie).
`clientIdHeader`	*string	clientIdHeader specifies the header name to forward the authenticated client identifier. If not specified, the client identifier will not be forwarded in any header. Example: “x-client-id”
`secretRef`	*gwv1.SecretObjectReference	secretRef references a Kubernetes secret storing a set of API Keys. If there are many keys, ‘secretSelector’ can be used instead. Each entry in the Secret represents one API Key. The key is an arbitrary identifier. The value is a string, representing the API Key. Example: apiVersion: v1 kind: Secret metadata: name: api-key stringData: client1: “k-123” client2: “k-456”
`secretSelector`	*LabelSelector	secretSelector selects multiple secrets containing API Keys. If the same key is defined in multiple secrets, the behavior is undefined. Each entry in the Secret represents one API Key. The key is an arbitrary identifier. The value is a string, representing the API Key. Example: apiVersion: v1 kind: Secret metadata: name: api-key stringData: client1: “k-123” client2: “k-456”
`disable`	*shared.PolicyDisable	Disable the API key authentication filter. Can be used to disable API key authentication policies applied at a higher level in the config hierarchy.

APIKeySource

APIKeySource defines where to extract the API key from within a single key source. Within a single key source, if multiple types are specified, precedence is: header > query parameter > cookie. The header is checked first, and only falls back to query parameter if the header is not present, then to cookie if both header and query are not present.

Validation:

AtLeastOneOf=header;query;cookie

Field	Type	Description
`header`	*string	header specifies the name of the header that contains the API key.
`query`	*string	query specifies the name of the query parameter that contains the API key.
`cookie`	*string	cookie specifies the name of the cookie that contains the API key.

Agentgateway

Agentgateway is obsolete and retained only for backwards compatibility. Use the agentgateway.dev AgentgatewayParameters API to configure agentgateway deployments.

Field	Type	Description
`enabled`	*bool	Obsolete: This field is no longer used. The agentgateway dataplane is automatically enabled when the Gateway references a GatewayClass with controllerName: agentgateway.dev/agentgateway. Use the AgentgatewayParameters API to configure agentgateway deployments. Any values specified here are ignored.
`logLevel`	*string	Log level for the agentgateway. Defaults to info. Levels include “trace”, “debug”, “info”, “error”, “warn”. See: https://docs.rs/tracing/latest/tracing/struct.Level.html
`image`	*Image	The agentgateway container image. See https://kubernetes.io/docs/concepts/containers/images for details. Default values, which may be overridden individually: registry: cr.agentgateway.dev repository: agentgateway tag: pullPolicy: IfNotPresent
`securityContext`	*corev1.SecurityContext	The security context for this container. See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#securitycontext-v1-core for details.
`resources`	*corev1.ResourceRequirements	The compute resources required by this container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for details.
`env`	[]corev1.EnvVar	The container environment variables.
`extraVolumeMounts`	[]corev1.VolumeMount	Additional volume mounts to add to the container. See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#volumemount-v1-core for details.

Agentgateway (Enterprise)

Inherits fields from:

upstream.Agentgateway

Field	Type	Description
`ca`	*CA	CA is the certificate authority configuration.
`istioClusterId`	*string	IstioClusterId is the ID of the cluster that this Istiod instance resides (default `Kubernetes`).

AuthConfigRef

AuthConfigRef selects the AuthConfig resource with the external auth policy that you want to use. For more details, see the AuthConfig reference in the Gloo Edge docs.

Field	Type	Description
`name`	gwv1.ObjectName	Name is the name of the AuthConfig resource. Required.
`namespace`	*gwv1.Namespace	Namespace is the namespace of the AuthConfig resource. If not set, defaults to the namespace of the EnterpriseKgatewayTrafficPolicy.

Authorization

Authorization defines the configuration for role-based access control.

Field	Type	Description
`policy`	AuthorizationPolicy	Policy specifies the Authorization rule to evaluate. A policy matches when any of the conditions evaluates to true. Required.
`action`	AuthorizationPolicyAction	Action defines whether the rule allows or denies the request if matched. If unspecified, the default is “Allow”.

AuthorizationPolicy

AuthorizationPolicy defines a single Authorization rule.

Field	Type	Description
`matchExpressions`	[]CELExpression	MatchExpressions defines a set of conditions that must be satisfied for the rule to match. These expression should be in the form of a Common Expression Language (CEL) expression. Required.

AuthorizationPolicyAction

Underlying type: string

AuthorizationPolicyAction defines the action to take when the RBACPolicies matches.

BasicAuthPolicy

BasicAuthPolicy configures HTTP basic authentication using the Authorization header. Basic authentication validates requests against username/password pairs provided either inline or via a Kubernetes secret. The credentials must be in htpasswd SHA-1 format.

Validation:

ExactlyOneOf=users;secretRef;disable

Field	Type	Description
`users`	[]string	Users provides an inline list of username/password pairs in htpasswd format. Each entry should be formatted as “username:hashed_password”. The only supported hash format is SHA-1 Example entries: - “user1:{SHA}d95o2uzYI7q7tY7bHI4U1xBug7s=”
`secretRef`	*SecretReference	SecretRef references a Kubernetes secret containing htpasswd data. The secret must contain username/password pairs in htpasswd format.
`disable`	*shared.PolicyDisable	Disable basic auth. Can be used to disable basic auth policies applied at a higher level in the config hierarchy.

BodyTransformation

BodyTransformation controls how the body should be parsed and transformed.

Field	Type	Description
`parseAs`	BodyParseBehavior	ParseAs defines what auto formatting should be applied to the body. This can make interacting with keys within a json body much easier if AsJson is selected.
`value`	*InjaTemplate	Value is the template to apply to generate the output value for the body. Only Inja templates are supported.

BodyTransformation (Enterprise)

BodyTransformation defines how to transform the body.

Validation:

XValidation:rule=“self.type == ‘Body’ ? has(self.body) : true”,message=“body must be set when type is Body”
XValidation:rule=“self.type == ‘MergeJsonKeys’ ? has(self.mergeJsonKeys) : true”,message=“mergeJsonKeys must be set when type is MergeJsonKeys”
AtMostOneOf=body;mergeJsonKeys

Field	Type	Description
`type`	BodyTransformationType	Type specifies the type of body transformation to apply. Required.
`body`	*InjaTemplate	Body is the request/response body to be transformed. Only use when Type is Body.
`mergeJsonKeys`	map[string]OverridableTemplate	MergeJsonKeys is a transformation template used to merge json keys. Only use when Type is MergeJsonKeys. A set of key-value pairs to merge into the JSON body. Each value will be rendered separately, and then placed into the JSON body at the specified key. There are a number of important caveats to using this feature: * This can only be used when the body is parsed as JSON. * This option does NOT work with advanced templates currently Map of key name -> template to render into the JSON body. Specified keys which don’t exist in the JSON body will be set, keys which do exist will be override. For example, given the following JSON body: { “key1”: “value1” } and the following MergeJsonKeys: { “key1”: “{{ header(“header1”) }}”, “key2”: “{{ header(“header2”) }}” } The resulting JSON body will be: { “key1”: “header1_value”, “key2”: “header2_value” }

BodyTransformationType

Underlying type: string

BodyTransformationType defines the type of body transformation to apply.

Validation:

Enum=Body;Passthrough;MergeExtractorsToBody;MergeJsonKeys

Buffer

Validation:

ExactlyOneOf=maxRequestSize;disable

Field	Type	Description
`maxRequestSize`	*resource.Quantity	MaxRequestSize sets the maximum size in bytes of a message body to buffer. Requests exceeding this size will receive HTTP 413. Example format: “1Mi”, “512Ki”, “1Gi”
`disable`	*shared.PolicyDisable	Disable the buffer filter. Can be used to disable buffer policies applied at a higher level in the config hierarchy.

CELExpression

Underlying type: string

CELExpression represents a Common Expression Language (CEL) expression.

Validation:

MinLength=1
MaxLength=16384

CSRFPolicy

CSRFPolicy can be used to set percent of requests for which the CSRF filter is enabled, enable shadow-only mode where policies will be evaluated and tracked, but not enforced and add additional source origins that will be allowed in addition to the destination origin.

Validation:

AtMostOneOf=percentageEnabled;percentageShadowed

Field	Type	Description
`percentageEnabled`	*int32	Specifies the percentage of requests for which the CSRF filter is enabled.
`percentageShadowed`	*int32	Specifies that CSRF policies will be evaluated and tracked, but not enforced.
`additionalOrigins`	[]shared.StringMatcher	Specifies additional source origins that will be allowed in addition to the destination origin.

Compression

Compression configures HTTP gzip compression and decompression behavior.

Validation:

AtLeastOneOf=responseCompression;requestDecompression

Field	Type	Description
`responseCompression`	*ResponseCompression	ResponseCompression controls response compression to the downstream. If set, responses with the appropriate `Accept-Encoding` header with certain textual content types will be compressed using gzip. The content-types that will be compressed are: - `application/javascript` - `application/json` - `application/xhtml+xml` - `image/svg+xml` - `text/css` - `text/html` - `text/plain` - `text/xml`
`requestDecompression`	*RequestDecompression	RequestDecompression controls request decompression. If set, gzip requests will be decompressed.

CorsPolicy

Inherits fields from:

HTTPCORSFilter

Field	Type	Description
`disable`	*shared.PolicyDisable	Disable the CORS filter. Can be used to disable CORS policies applied at a higher level in the config hierarchy.

EnvoyBootstrap

EnvoyBootstrap configures the Envoy proxy instance that is provisioned from a Kubernetes Gateway.

Field	Type	Description
`logLevel`	*string	Envoy log level. Options include “trace”, “debug”, “info”, “warn”, “error”, “critical” and “off”. Defaults to “info”. See https://www.envoyproxy.io/docs/envoy/latest/start/quick-start/run-envoy#debugging-envoy for more information.
`componentLogLevels`	map[string]string	Envoy log levels for specific components. The keys are component names and the values are one of “trace”, “debug”, “info”, “warn”, “error”, “critical”, or “off”, e.g. `yaml componentLogLevels: upstream: debug connection: trace` These will be converted to the `--component-log-level` Envoy argument value. See https://www.envoyproxy.io/docs/envoy/latest/start/quick-start/run-envoy#debugging-envoy for more information. Note: the keys and values cannot be empty, but they are not otherwise validated.

EnvoyContainer

EnvoyContainer configures the container running Envoy.

Field	Type	Description
`bootstrap`	*EnvoyBootstrap	Initial envoy configuration.
`image`	*Image	The envoy container image. See https://kubernetes.io/docs/concepts/containers/images for details. Default values, which may be overridden individually: registry: quay.io/solo-io repository: envoy-wrapper tag: pullPolicy: IfNotPresent
`securityContext`	*corev1.SecurityContext	The security context for this container. See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#securitycontext-v1-core for details.
`resources`	*corev1.ResourceRequirements	The compute resources required by this container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for details.
`env`	[]corev1.EnvVar	The container environment variables.
`extraVolumeMounts`	[]corev1.VolumeMount	Additional volume mounts to add to the container. See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#volumemount-v1-core for details.

ExtAuthBufferSettings

ExtAuthBufferSettings configures how the request body should be buffered.

Field	Type	Description
`maxRequestBytes`	int32	MaxRequestBytes sets the maximum size of a message body to buffer. Requests exceeding this size will receive HTTP 413 and not be sent to the auth service. Required.
`allowPartialMessage`	bool	AllowPartialMessage determines if partial messages should be allowed. When true, requests will be sent to the auth service even if they exceed maxRequestBytes. The default behavior is false.
`packAsBytes`	bool	PackAsBytes determines if the body should be sent as raw bytes. When true, the body is sent as raw bytes in the raw_body field. When false, the body is sent as UTF-8 string in the body field. The default behavior is false.

ExtAuthPolicy

ExtAuthPolicy configures external authentication/authorization for a route. This policy will determine the ext auth server to use and how to talk to it. Note that most of these fields are passed along as is to Envoy. For more details on particular fields please see the Envoy ExtAuth documentation. https://raw.githubusercontent.com/envoyproxy/envoy/f910f4abea24904aff04ec33a00147184ea7cffa/api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

Validation:

ExactlyOneOf=extensionRef;disable

Field	Type	Description
`extensionRef`	*shared.NamespacedObjectReference	ExtensionRef references the GatewayExtension that should be used for auth.
`withRequestBody`	*ExtAuthBufferSettings	WithRequestBody allows the request body to be buffered and sent to the auth service. Warning buffering has implications for streaming and therefore performance.
`contextExtensions`	map[string]string	Additional context for the auth service.
`disable`	*shared.PolicyDisable	Disable all external auth filters. Can be used to disable external auth policies applied at a higher level in the config hierarchy.

ExtProcPolicy

ExtProcPolicy defines the configuration for the Envoy External Processing filter.

Validation:

ExactlyOneOf=extensionRef;disable

Field	Type	Description
`extensionRef`	*shared.NamespacedObjectReference	ExtensionRef references the GatewayExtension that should be used for external processing.
`processingMode`	*ProcessingMode	ProcessingMode defines how the filter should interact with the request/response streams
`disable`	*shared.PolicyDisable	Disable all external processing filters. Can be used to disable external processing policies applied at a higher level in the config hierarchy.

GracefulShutdownSpec

Field	Type	Description
`enabled`	*bool	Enable grace period before shutdown to finish current requests while Envoy health checks fail to e.g. notify external load balancers. NOTE: This will not have any effect if you have not defined health checks via the health check filter
`sleepTimeSeconds`	*int64	Time (in seconds) for the preStop hook to wait before allowing Envoy to terminate

HeaderModifiers

HeaderModifiers can be used to define the policy to modify request and response headers.

Validation:

AtLeastOneOf=request;response

Field	Type	Description
`request`	*gwv1.HTTPHeaderFilter	Request modifies request headers.
`response`	*gwv1.HTTPHeaderFilter	Response modifies response headers.

HeaderName

Underlying type: string

EnvoyHeaderName is the name of a header or pseudo header Based on gateway api v1.Headername but allows a singular : at the start

Validation:

MinLength=1
MaxLength=256
Pattern=^:?[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$

HeaderTransformation

EnvoyHeaderName is the name of a header or pseudo header Based on gateway api v1.Headername but allows a singular : at the start

Validation:

MinLength=1
MaxLength=256
Pattern=^:?[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$

Field	Type	Description
`name`	HeaderName	Required.
`value`	InjaTemplate

Image

A container image. See https://kubernetes.io/docs/concepts/containers/images for details.

Field	Type	Description
`registry`	*string	The image registry.
`repository`	*string	The image repository (name).
`tag`	*string	The image tag.
`digest`	*string	The hash digest of the image, e.g. `sha256:12345...`
`pullPolicy`	*corev1.PullPolicy	The image pull policy for the container. See https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy for details.

InjaTemplate

Underlying type: string

InjaTemplate (Enterprise)

Underlying type: string

InjaTemplate defines an Inja template that will be rendered by Gloo. In addition to the core template functions, the Gloo transformation filter defines the following custom functions: - header(header_name): returns the value of the header with the given name. - extraction(extractor_name): returns the value of the extractor with the given name. - env(env_var_name): returns the value of the environment variable with the given name. - body(): returns the request/response body. - context(): returns the base JSON context (allowing for example to range on a JSON body that is an array). - request_header(header_name): returns the value of the request header with the given name. Use this option when you want to include request header values in response transformations. - base64_encode(string): encodes the input string to base64. - base64_decode(string): decodes the input string from base64. - substring(string, start_pos, substring_len): returns a substring of the input string, starting at start_pos and extending for substring_len characters. If no substring_len is provided or substring_len is <= 0, the substring extends to the end of the input string.

IstioContainer

IstioContainer configures the container running the istio-proxy.

Field	Type	Description
`image`	*Image	The container image. See https://kubernetes.io/docs/concepts/containers/images for details.
`securityContext`	*corev1.SecurityContext	The security context for this container. See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#securitycontext-v1-core for details.
`resources`	*corev1.ResourceRequirements	The compute resources required by this container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for details.
`logLevel`	*string	Log level for istio-proxy. Options include “info”, “debug”, “warning”, and “error”. Default level is info Default is “warning”.
`istioDiscoveryAddress`	*string	The address of the istio discovery service. Defaults to “istiod.istio-system.svc:15012”.
`istioMetaMeshId`	*string	The mesh id of the istio mesh. Defaults to “cluster.local”.
`istioMetaClusterId`	*string	The cluster id of the istio cluster. Defaults to “Kubernetes”.

IstioIntegration

IstioIntegration configures the Istio integration settings used by kgateway’s data plane

Field	Type	Description
`istioProxyContainer`	*IstioContainer	Configuration for the container running istio-proxy. Note that if Istio integration is not enabled, the istio container will not be injected into the gateway proxy deployment.
`customSidecars`	[]corev1.Container	do not use slice of pointers: https://github.com/kubernetes/code-generator/issues/166 Override the default Istio sidecar in gateway-proxy with a custom container.

JWTAuth

JWTAuth defines the providers used to configure JWT authentication

Validation:

ExactlyOneOf=extensionRef;disable

Field	Type	Description
`extensionRef`	*shared.NamespacedObjectReference	ExtensionRef references a GatewayExtension that provides the jwt providers
`disable`	*shared.PolicyDisable	Disable all JWT filters. Can be used to disable JWT policies applied at a higher level in the config hierarchy.

LabelSelector

LabelSelector selects resources using label selectors.

Field	Type	Description
`matchLabels`	map[string]string	Label selector to select the target resource. Required.

LocalPolicyTargetReference

Select the object to attach the policy by Group, Kind, and Name. The object must be in the same namespace as the policy. You can target only one object at a time.

Field	Type	Description
`group`	gwv1.Group	The API group of the target resource. For Kubernetes Gateway API resources, the group is `gateway.networking.k8s.io`. Required.
`kind`	gwv1.Kind	The API kind of the target resource, such as Gateway or HTTPRoute. Required.
`name`	gwv1.ObjectName	The name of the target resource. Required.

LocalPolicyTargetReferenceWithSectionName

Select the object to attach the policy by Group, Kind, Name and SectionName. The object must be in the same namespace as the policy. You can target only one object at a time.

Inherits fields from:

LocalPolicyTargetReference

Field	Type	Description
`sectionName`	*gwv1.SectionName	The section name of the target resource.

LocalPolicyTargetSelector

LocalPolicyTargetSelector selects the object to attach the policy by Group, Kind, and MatchLabels. The object must be in the same namespace as the policy and match the specified labels. Do not use targetSelectors when reconciliation times are critical, especially if you have a large number of policies that target the same resource. Instead, use targetRefs to attach the policy.

Field	Type	Description
`group`	gwv1.Group	The API group of the target resource. For Kubernetes Gateway API resources, the group is `gateway.networking.k8s.io`. Required.
`kind`	gwv1.Kind	The API kind of the target resource, such as Gateway or HTTPRoute. Required.
`matchLabels`	map[string]string	Label selector to select the target resource. Required.

LocalPolicyTargetSelectorWithSectionName

LocalPolicyTargetSelectorWithSectionName the object to attach the policy by Group, Kind, MatchLabels, and optionally SectionName. The object must be in the same namespace as the policy and match the specified labels. Do not use targetSelectors when reconciliation times are critical, especially if you have a large number of policies that target the same resource. Instead, use targetRefs to attach the policy.

Inherits fields from:

LocalPolicyTargetSelector

Field	Type	Description
`sectionName`	*gwv1.SectionName	The section name of the target resource.

LocalRateLimitPolicy

LocalRateLimitPolicy represents a policy for local rate limiting. It defines the configuration for rate limiting using a token bucket mechanism.

Field	Type	Description
`tokenBucket`	*TokenBucket	TokenBucket represents the configuration for a token bucket local rate-limiting mechanism. It defines the parameters for controlling the rate at which requests are allowed.

NamespacedObjectReference

Select the object by Name and Namespace. You can target only one object at a time.

Field	Type	Description
`name`	gwv1.ObjectName	The name of the target resource. Required.
`namespace`	*gwv1.Namespace	The namespace of the target resource. If not set, defaults to the namespace of the parent object.

OAuth2Policy

OAuth2Policy specifies the OAuth2 policy to apply to requests.

Field	Type	Description
`extensionRef`	shared.NamespacedObjectReference	ExtensionRef specifies the GatewayExtension that should be used for OAuth2. Required.

PathRegexRewrite

PathRegexRewrite specifies how to rewrite the URL path.

Field	Type	Description
`pattern`	string	Pattern is the regex pattern that matches the URL path. The pattern must be a valid RE2 regular expression. If the HTTPRoute uses a RegularExpression path match, this field can use capture groups from that match. Required.
`substitution`	string	Substitution is the replacement string for the matched pattern. It can include backreferences to captured groups from the pattern (e.g., \1, \2) or named groups (e.g., \g). Required.

Pod

Configuration for a Kubernetes Pod template.

Field	Type	Description
`extraLabels`	map[string]string	Additional labels to add to the Pod object metadata. If the same label is present on `Gateway.spec.infrastructure.labels`, the `Gateway` takes precedence.
`extraAnnotations`	map[string]string	Additional annotations to add to the Pod object metadata. If the same annotation is present on `Gateway.spec.infrastructure.annotations`, the `Gateway` takes precedence.
`securityContext`	*corev1.PodSecurityContext	The pod security context. See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#podsecuritycontext-v1-core for details.
`imagePullSecrets`	[]corev1.LocalObjectReference	An optional list of references to secrets in the same namespace to use for pulling any of the images used by this Pod spec. See https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod for details.
`nodeSelector`	map[string]string	A selector which must be true for the pod to fit on a node. See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ for details.
`affinity`	*corev1.Affinity	If specified, the pod’s scheduling constraints. See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#affinity-v1-core for details.
`tolerations`	[]corev1.Toleration	do not use slice of pointers: https://github.com/kubernetes/code-generator/issues/166 If specified, the pod’s tolerations. See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#toleration-v1-core for details.
`gracefulShutdown`	*GracefulShutdownSpec	If specified, the pod’s graceful shutdown spec.
`terminationGracePeriodSeconds`	*int64	If specified, the pod’s termination grace period in seconds. See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#pod-v1-core for details
`startupProbe`	*corev1.Probe	If specified, the pod’s startup probe. A probe of container startup readiness. Container will be only be added to service endpoints if the probe succeeds. See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#probe-v1-core for details.
`readinessProbe`	*corev1.Probe	If specified, the pod’s readiness probe. Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#probe-v1-core for details.
`livenessProbe`	*corev1.Probe	If specified, the pod’s liveness probe. Periodic probe of container service readiness. Container will be restarted if the probe fails. See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#probe-v1-core for details.
`topologySpreadConstraints`	[]corev1.TopologySpreadConstraint	If specified, the pod’s topology spread constraints. See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#topologyspreadconstraint-v1-core for details.
`extraVolumes`	[]corev1.Volume	Additional volumes to add to the pod. See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#volume-v1-core for details.
`priorityClassName`	*string	If specified, the pod’s PriorityClass. See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#podspec-v1-core for details

PolicyAncestorStatus

Field	Type	Description
`ancestorRef`	gwv1.ParentReference	AncestorRef corresponds with a ParentRef in the spec that this PolicyAncestorStatus struct describes the status of. Required.
`controllerName`	string	ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. Example: “example.net/gateway-controller”. The format of this field is DOMAIN “/” PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. Required.
`conditions`	[]metav1.Condition	Conditions describes the status of the Policy with respect to the given Ancestor.

PolicyDisable

PolicyDisable is used to disable a policy.

PolicyStatus

Field	Type	Description
`conditions`	[]metav1.Condition
`ancestors`	[]PolicyAncestorStatus	Required.

Port

Field	Type	Description
`port`	int32	The port number to match on the Gateway Required.
`nodePort`	*int32	The NodePort to be used for the service. If not specified, a random port will be assigned by the Kubernetes API server.

ProcessingMode

ProcessingMode defines how the filter should interact with the request/response streams

Field	Type	Description
`requestHeaderMode`	string	RequestHeaderMode determines how to handle the request headers
`responseHeaderMode`	string	ResponseHeaderMode determines how to handle the response headers
`requestBodyMode`	string	RequestBodyMode determines how to handle the request body
`responseBodyMode`	string	ResponseBodyMode determines how to handle the response body
`requestTrailerMode`	string	RequestTrailerMode determines how to handle the request trailers
`responseTrailerMode`	string	ResponseTrailerMode determines how to handle the response trailers

ProxyDeployment

ProxyDeployment configures the Proxy deployment in Kubernetes.

Field	Type	Description
`replicas`	*int32	The number of desired pods. If omitted, behavior will be managed by the K8s control plane, and will default to 1. If you are using an HPA, make sure to not explicitly define this. K8s reference: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#replicas
`strategy`	*appsv1.DeploymentStrategy	The deployment strategy to use to replace existing pods with new ones. The Kubernetes default is a RollingUpdate with 25% maxUnavailable, 25% maxSurge. E.g., to recreate pods, minimizing resources for the rollout but causing downtime: strategy: type: Recreate E.g., to roll out as a RollingUpdate but with non-default parameters: strategy: type: RollingUpdate rollingUpdate: maxSurge: 100%

RateLimit

RateLimit defines a rate limiting policy.

Field	Type	Description
`local`	*LocalRateLimitPolicy	Local defines a local rate limiting policy.
`global`	*RateLimitPolicy	Global defines a global rate limiting policy using an external service.

RateLimitConfigRef

RateLimitConfigRef selects the RateLimitConfig resource with the rate limit policy that you want to use. For more details, see the RateLimitConfig reference in the Gloo Edge docs.

Field	Type	Description
`name`	gwv1.ObjectName	Name is the name of the RateLimitConfig resource. Required.
`namespace`	*gwv1.Namespace	Namespace is the namespace of the RateLimitConfig resource. If not set, defaults to the namespace of the EnterpriseKgatewayTrafficPolicy.

RateLimitDescriptor

RateLimitDescriptor defines a descriptor for rate limiting. A descriptor is a group of entries that form a single rate limit rule.

Field	Type	Description
`entries`	[]RateLimitDescriptorEntry	Entries are the individual components that make up this descriptor. When translated to Envoy, these entries combine to form a single descriptor. Required.

RateLimitDescriptorEntry

RateLimitDescriptorEntry defines a single entry in a rate limit descriptor. Only one entry type may be specified.

Validation:

XValidation:message=“exactly one entry type must be specified”,rule="(has(self.type) && (self.type == ‘Generic’ && has(self.generic) && !has(self.header)) || (self.type == ‘Header’ && has(self.header) && !has(self.generic)) || (self.type == ‘RemoteAddress’ && !has(self.generic) && !has(self.header)) || (self.type == ‘Path’ && !has(self.generic) && !has(self.header)))”

Field	Type	Description
`type`	RateLimitDescriptorEntryType	Type specifies what kind of rate limit descriptor entry this is. Required.
`generic`	*RateLimitDescriptorEntryGeneric	Generic contains the configuration for a generic key-value descriptor entry. This field must be specified when Type is Generic.
`header`	*string	Header specifies a request header to extract the descriptor value from. This field must be specified when Type is Header.

RateLimitDescriptorEntryGeneric

RateLimitDescriptorEntryGeneric defines a generic key-value descriptor entry.

Field	Type	Description
`key`	string	Key is the name of this descriptor entry. Required.
`value`	string	Value is the static value for this descriptor entry. Required.

RateLimitDescriptorEntryType

Underlying type: string

RateLimitDescriptorEntryType defines the type of a rate limit descriptor entry.

Validation:

Enum=Generic;Header;RemoteAddress;Path

RateLimitPolicy

RateLimitPolicy defines a global rate limiting policy using an external service.

Field	Type	Description
`descriptors`	[]RateLimitDescriptor	Descriptors define the dimensions for rate limiting. These values are passed to the rate limit service which applies configured limits based on them. Each descriptor represents a single rate limit rule with one or more entries. Required.
`extensionRef`	shared.NamespacedObjectReference	ExtensionRef references a GatewayExtension that provides the global rate limit service. Required.

RateLimitUnit

Underlying type: string

RegexMatcher

RegexMatcher based on https://github.com/envoyproxy/envoy/blob/4453ce1f809ec502fb2cbe0363cf5c6a971f3836/api/envoy/type/matcher/regex.proto#L19

Field	Type	Description
`regex`	string	The regex match string. The string must be supported by the configured engine. Required.

RequestDecompression

RequestDecompression enables request gzip decompression.

Field	Type	Description
`disable`	*shared.PolicyDisable	Disables decompression.

ResponseCompression

ResponseCompression configures response compression.

Field	Type	Description
`disable`	*shared.PolicyDisable	Disables compression.

Retry

Retry defines the retry policy

Validation:

XValidation:rule=“has(self.retryOn) || has(self.statusCodes)",message=“retryOn or statusCodes must be set.”

Field	Type	Description
`retryOn`	[]RetryOnCondition	RetryOn specifies the conditions under which a retry should be attempted.
`attempts`	int32	Attempts specifies the number of retry attempts for a request. Defaults to 1 attempt if not set. A value of 0 effectively disables retries.
`perTryTimeout`	*metav1.Duration	PerTryTimeout specifies the timeout per retry attempt (incliding the initial attempt). If a global timeout is configured on a route, this timeout must be less than the global route timeout. It is specified as a sequence of decimal numbers, each with optional fraction and a unit suffix, such as “1s” or “500ms”.
`statusCodes`	[]gwv1.HTTPRouteRetryStatusCode	StatusCodes specifies the HTTP status codes in the range 400-599 that should be retried in addition to the conditions specified in RetryOn.
`backoffBaseInterval`	*metav1.Duration	BackoffBaseInterval specifies the base interval used with a fully jittered exponential back-off between retries. Defaults to 25ms if not set. Given a backoff base interval B and retry number N, the back-off for the retry is in the range [0, (2^N-1)*B]. The backoff interval is capped at a max of 10 times the base interval. E.g., given a value of 25ms, the first retry will be delayed randomly by 0-24ms, the 2nd by 0-74ms, the 3rd by 0-174ms, and so on, and capped to a max of 10 times the base interval (250ms).

RetryOnCondition

Underlying type: string

RetryOnCondition specifies the condition under which retry takes place.

Validation:

Enum={“5xx”,gateway-error,reset,reset-before-request,connect-failure,envoy-ratelimited,retriable-4xx,refused-stream,retriable-status-codes,http3-post-connect-failure,cancelled,deadline-exceeded,internal,resource-exhausted,unavailable}

SdsBootstrap

SdsBootstrap configures the SDS instance that is provisioned from a Kubernetes Gateway.

Field	Type	Description
`logLevel`	*string	Log level for SDS. Options include “info”, “debug”, “warn”, “error”, “panic” and “fatal”. Default level is “info”.

SdsContainer

SdsContainer configures the container running SDS sidecar.

Field	Type	Description
`image`	*Image	The SDS container image. See https://kubernetes.io/docs/concepts/containers/images for details.
`securityContext`	*corev1.SecurityContext	The security context for this container. See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#securitycontext-v1-core for details.
`resources`	*corev1.ResourceRequirements	The compute resources required by this container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for details.
`bootstrap`	*SdsBootstrap	Initial SDS container configuration.

SecretReference

SecretReference identifies a Kubernetes secret containing authentication data.

Field	Type	Description
`name`	gwv1.ObjectName	Name of the secret containing htpasswd data. Required.
`namespace`	*gwv1.Namespace	Namespace of the secret. If not specified, defaults to the namespace of the TrafficPolicy. Note that a secret in a different namespace requires a ReferenceGrant to be accessible.
`key`	*string	Key in the secret that contains the htpasswd data. Defaults to “.htpasswd” if not specified.

Service

Configuration for a Kubernetes Service.

Field	Type	Description
`type`	*corev1.ServiceType	The Kubernetes Service type.
`clusterIP`	*string	The manually specified IP address of the service, if a randomly assigned IP is not desired. See https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address and https://kubernetes.io/docs/concepts/services-networking/service/#headless-services on the implications of setting `clusterIP`.
`extraLabels`	map[string]string	Additional labels to add to the Service object metadata. If the same label is present on `Gateway.spec.infrastructure.labels`, the `Gateway` takes precedence.
`extraAnnotations`	map[string]string	Additional annotations to add to the Service object metadata. If the same annotation is present on `Gateway.spec.infrastructure.annotations`, the `Gateway` takes precedence.
`ports`	[]Port	Additional configuration for the service ports. The actual port numbers are specified in the Gateway resource.
`externalTrafficPolicy`	*string	ExternalTrafficPolicy defines the external traffic policy for the service. Valid values are Cluster and Local. Default value is Cluster.

ServiceAccount

Field	Type	Description
`extraLabels`	map[string]string	Additional labels to add to the ServiceAccount object metadata.
`extraAnnotations`	map[string]string	Additional annotations to add to the ServiceAccount object metadata. If the same annotation is present on `Gateway.spec.infrastructure.annotations`, the `Gateway` takes precedence.

StatsConfig

Configuration for the stats server.

Field	Type	Description
`enabled`	*bool	Whether to expose metrics annotations and ports for scraping metrics.
`routePrefixRewrite`	*string	The Envoy stats endpoint to which the metrics are written
`enableStatsRoute`	*bool	Enables an additional route to the stats cluster defaulting to /stats
`statsRoutePrefixRewrite`	*string	The Envoy stats endpoint with general metrics for the additional stats route
`matcher`	*StatsMatcher	Matcher configures inclusion or exclusion lists for Envoy stats. Only one of inclusionList or exclusionList may be set. If unset, Envoy’s default stats emission behavior applies.

StatsMatcher

StatsMatcher specifies either an inclusion or exclusion list for Envoy stats. See Envoy’s envoy.config.metrics.v3.StatsMatcher for details.

Validation:

MaxProperties=1
MinProperties=1

Field	Type	Description
`inclusionList`	[]shared.StringMatcher	inclusionList specifies which stats to include, using string matchers.
`exclusionList`	[]shared.StringMatcher	exclusionList specifies which stats to exclude, using string matchers.

StringMatch

StringMatch configures the string matching to apply.

Validation:

ExactlyOneOf=exact;prefix;suffix;regex

Field	Type	Description
`exact`	*string	The input string must match exactly the string specified here. Examples: * abc only matches the value abc.
`prefix`	*string	The input string must have the prefix specified here. Note: empty prefix is not allowed, please use regex instead. Examples: * abc matches the value abc.xyz
`suffix`	*string	The input string must have the suffix specified here. Note: empty prefix is not allowed, please use regex instead. Examples: * abc matches the value xyz.abc
`regex`	*RegexMatcher	The input string must match the regular expression specified here.
`ignoreCase`	*bool	If true, indicates the exact/prefix/suffix matching should be case-insensitive. This has no effect for the regex match. For example, the matcher data will match both input string Data and data if set to true.

Timeouts

Field	Type	Description
`request`	*metav1.Duration	Request specifies a timeout for an individual request from the gateway to a backend. This spans between the point at which the entire downstream request (i.e. end-of-stream) has been processed and when the backend response has been completely processed. A value of 0 effectively disables the timeout. It is specified as a sequence of decimal numbers, each with optional fraction and a unit suffix, such as “1s” or “500ms”.
`streamIdle`	*metav1.Duration	StreamIdle specifies a timeout for a requests’ idle streams. A value of 0 effectively disables the timeout.

TokenBucket

TokenBucket defines the configuration for a token bucket rate-limiting mechanism. It controls the rate at which tokens are generated and consumed for a specific operation.

Field	Type	Description
`maxTokens`	int32	MaxTokens specifies the maximum number of tokens that the bucket can hold. This value must be greater than or equal to 1. It determines the burst capacity of the rate limiter. Required.
`tokensPerFill`	*int32	TokensPerFill specifies the number of tokens added to the bucket during each fill interval. If not specified, it defaults to 1. This controls the steady-state rate of token generation.
`fillInterval`	metav1.Duration	FillInterval defines the time duration between consecutive token fills. This value must be a valid duration string (e.g., “1s”, “500ms”). It determines the frequency of token replenishment. Required.

Transform

Transform defines the operations to be performed by the transformation. These operations may include changing the actual request/response but may also cause side effects. Side effects may include setting info that can be used in future steps (e.g. dynamic metadata) and can cause envoy to buffer.

Field	Type	Description
`set`	[]HeaderTransformation	Set is a list of headers and the value they should be set to.
`add`	[]HeaderTransformation	Add is a list of headers to add to the request and what that value should be set to. If there is already a header with these values then append the value as an extra entry. Add is not supported on arm64 build, see https://github.com/kgateway-dev/kgateway/blob/v2.2.x/docs/guides/transformation.md for details
`remove`	[]string	Remove is a list of header names to remove from the request/response.
`body`	*BodyTransformation	Body controls both how to parse the body and if needed how to set. If empty, body will not be buffered.

TransformationPolicy

TransformationPolicy config is used to modify envoy behavior at a route level. These modifications can be performed on the request and response paths.

Field	Type	Description
`request`	*Transform	Request is used to modify the request path.
`response`	*Transform	Response is used to modify the response path.

URLRewrite

URLRewrite specifies URL rewrite rules using regular expressions. This allows more flexible and advanced path rewriting based on regex patterns.

Validation:

AtLeastOneOf=pathRegex

Field	Type	Description
`pathRegex`	*PathRegexRewrite	Path specifies the path rewrite configuration.

Kubernetes Gateway API