Consul
Gateway Resource Configuration
This topic provides full details about the Gateway
resource.
Introduction
A Gateway
is an instance of network infrastructure that determines how service traffic should be handled. A Gateway
contains one or more listeners
that bind to a set of IP addresses. An HTTPRoute
or TCPRoute
can then attach to a gateway listener to direct traffic from the gateway to a service.
Gateway instances derive their configurations from the GatewayClass
resource, which acts as a template for individual Gateway
deployments. Refer to GatewayClass for additional information.
Specify the following parameters to declare a Gateway
:
Parameter | Description | Required |
---|---|---|
kind | Specifies the type of configuration object. The value should always be Gateway . | Required |
description | Human-readable string that describes the purpose of the Gateway . | Optional |
version | Specifies the Kubernetes API version. The value should always be gateway.networking.k8s.io/v1alpha2 | Required |
scope | Specifies the effective scope of the Gateway. The value should always be namespaced . | Required |
fields | Specifies the configurations for the Gateway. The fields are listed in the configuration model. Details for each field are described in the specification. | Required |
Configuration model
The following outline shows how to format the configurations in the Gateway
object. Click on a property name to view details about the configuration.
gatewayClassName
: string | requiredlisteners
: array of objects | requiredallowedRoutes
: object | requirednamespaces
: object | requiredfrom
: string | requiredselector
: object | required iffrom
is configured toselector
matchExpressions
: array of objects | required ifmatchLabels
is not configuredmatchLabels
: map of strings | required ifmatchExpressions
is not configured
hostname
: string | requiredname
: string | requiredport
: integer | requiredprotocol
: string | requiredtls
: object | required ifprotocol
is set toHTTPS
certificateRefs
: array or objects | required iftls
is declaredmode
: string | required ifcertificateRefs
is declaredoptions
: map of strings | optional
Specification
This topic provides details about the configuration parameters.
gatewayClassName
Specifies the name of the GatewayClass
resource used for the Gateway
instance. Unless you are using a custom GatewayClass, this value should be set to consul-api-gateway
.
- Type: string
- Required: required
listeners
Specifies the listeners
associated with the Gateway
. At least one listener
must be specified. Each listener
within a Gateway
must have a unique combination of hostname
, port
, and protocol
.
- Type: array of objects
- Required: required
listeners.allowedRoutes
Specifies a namespace
object that defines the types of routes that may be attached to a listener.
- Type: object
- Required: required
listeners.allowedRoutes.namespaces
Determines which routes are allowed to attach to the listener
. Only routes in the same namespace as the Gateway
may be attached by default.
- Type: string
- Required: optional
- Default: Same namespace as the parent Gateway
listeners.allowedRoutes.namespaces.from
Determines which namespaces are allowed to attach a route to the Gateway
. You can specify one of the following strings:
All
: Routes in all namespaces may be attached to theGateway
.Same
(default): Only routes in the same namespace as theGateway
may be attached.Selector
: Only routes in namespaces that match theselector
may be attached.
This parameter is required.
listeners.allowedRoutes.namespaces.selector
Specifies a method for selecting routes that are allowed to attach to the listener. The Gateway
checks for namespaces in the network that match either a regular expression or a label. Routes from the matching namespace are allowed to attach to the listener.
You can configure one of the following objects:
This field is required when from
is configured to Selector
.
listeners.allowedRoutes.namespaces.selector.matchExpressions
Specifies an array of requirements for matching namespaces. If a match is found, then routes from the matching namespace(s) are allowed to attach to the Gateway
. The following table describes members of the matchExpressions
array:
Requirement | Description | Type | Required |
---|---|---|---|
key | Specifies the label that the key applies to. | string | required when matchExpressions is declared |
operator | Specifies the key's relation to a set of values. You can use the following keywords:
| string | required when matchExpressions is declared |
values | Specifies an array of string values. If operator is configured to In or NotIn , then the values array must contain values. If operator is configured to Exists or DoesNotExist , then the values array must be empty. | array of strings | required when matchExpressions is declared |
In the following example, routes in namespaces that contain foo
and bar
are allowed to attach routes to the Gateway
.
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: In
values:
- foo
- bar
Refer to Labels and Selectors in the Kubernetes documentation for additional information about matchExpressions
.
listeners.allowedRoutes.namespaces.selector.matchLabels
Specifies an array of labels and label values. If a match is found, then routes with the matching label(s) are allowed to attach to the Gateway
. This selector can contain any arbitrary key/value pair.
In the following example, routes in namespaces that have a bar
label are allowed to attach to the Gateway
.
namespaceSelector:
matchLabels:
foo: bar
Refer to Labels and Selectors in the Kubernetes documentation for additional information about labels.
listeners.hostname
Specifies the listener
's hostname.
- Type: string
- Required: required
listeners.name
Specifies the listener
's name.
- Type: string
- Required: required
listeners.port
Specifies the port number that the listener
attaches to.
- Type: integer
- Required: required
listeners.protocol
Specifies the protocol the listener
communicates on.
- Type: string
- Required: required
Allowed values are TCP
, HTTP
, or HTTPS
listeners.tls
Specifies the tls
configurations for the Gateway
. The tls
object is required if protocol
is set to HTTPS
. The object contains the following fields:
Parameter | Description | Type | Required |
---|---|---|---|
certificateRefs | Specifies Kubernetes name and namespace objects that contains TLS certificates and private keys. The certificates establish a TLS handshake for requests that match the hostname of the associated listener . Each reference must be a Kubernetes Secret. If you are using a Secret in a namespace other than the Gateway 's, each reference must also have a corresponding ReferenceGrant . | Object or array | Required if tls is set |
mode | Specifies the TLS Mode. Should always be set to Terminate for HTTPRoutes | string | Required if certificateRefs is set |
options | Specifies additional Consul API Gateway options. | Map of strings | optional |
The following keys for options
are available
api-gateway.consul.hashicorp.com/tls_min_version
api-gateway.consul.hashicorp.com/tls_max_version
api-gateway.consul.hashicorp.com/tls_cipher_suites
In the following example, tls
settings are configured to use a secret named consul-server-cert
in the same namespace as the Gateway
and the minimum tls version is set to TLSv1_2
.
tls:
certificateRefs:
- name: consul-server-cert
group: ""
kind: Secret
mode: Terminate
options:
api-gateway.consul.hashicorp.com/tls_min_version: "TLSv1_2"
Example cross-namespace certificateRef
The following example creates a Gateway
named example-gateway
in namespace gateway-namespace
(lines 2-4). The gateway has a certificateRef
in namespace secret-namespace
(lines 16-18). The reference is allowed because the ReferenceGrant
configuration, named reference-grant
in namespace secret-namespace
(lines 24-27), allows Gateways
in gateway-namespace
to reference Secrets
in secret-namespace
(lines 31-35).
gateway_with_referencegrant.yaml
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
name: example-gateway
namespace: gateway-namespace
spec:
gatewayClassName: consul-api-gateway
listeners:
- protocol: HTTPS
port: 443
name: https
allowedRoutes:
namespaces:
from: Same
tls:
certificateRefs:
- name: cert
namespace: secret-namespace
group: ""
kind: Secret
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: ReferenceGrant
metadata:
name: reference-grant
namespace: secret-namespace
spec:
from:
- group: gateway.networking.k8s.io
kind: Gateway
namespace: gateway-namespace
to:
- group: ""
kind: Secret
name: cert