Gateway

A list of server specifications.

One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. By default workloads are searched across all namespaces based on label selectors. This implies that a gateway resource in the namespace “foo” can select pods in the namespace “bar” based on labels. This behavior can be controlled via the PILOT_SCOPE_GATEWAY_TO_NAMESPACE environment variable in istiod. If this variable is set to true, the scope of label search is restricted to the configuration namespace in which the the resource is present. In other words, the Gateway resource must reside in the same namespace as the gateway workload instance. If selector is nil, the Gateway will be applied to all workloads.

The Port on which the proxy should listen for incoming connections.

The ip or the Unix domain socket to which the listener should be bound to. Format: x.x.x.x or unix:///path/to/uds or unix://@foobar (Linux abstract namespace). When using Unix domain sockets, the port number should be 0. This can be used to restrict the reachability of this server to be gateway internal only. This is typically used when a gateway needs to communicate to another mesh service e.g. publishing metrics. In such case, the server created with the specified bind will not be available to external gateway clients.

One or more hosts exposed by this gateway. While typically applicable to HTTP services, it can also be used for TCP services using TLS with SNI. A host is specified as a dnsName with an optional namespace/ prefix. The dnsName should be specified using FQDN format, optionally including a wildcard character in the left-most component (e.g., prod/*.example.com). Set the dnsName to * to select all VirtualService hosts from the specified namespace (e.g.,prod/*).

The namespace can be set to * or ., representing any or the current namespace, respectively. For example, */foo.example.com selects the service from any available namespace while ./foo.example.com only selects the service from the namespace of the sidecar. The default, if no namespace/ is specified, is */, that is, select services from any namespace. Any associated DestinationRule in the selected namespace will also be used.

A VirtualService must be bound to the gateway and must have one or more hosts that match the hosts specified in a server. The match could be an exact match or a suffix match with the server’s hosts. For example, if the server’s hosts specifies *.example.com, a VirtualService with hosts dev.example.com or prod.example.com will match. However, a VirtualService with host example.com or newexample.com will not match.

NOTE: Only virtual services exported to the gateway’s namespace (e.g., exportTo value of *) can be referenced. Private configurations (e.g., exportTo set to .) will not be available. Refer to the exportTo setting in VirtualService, DestinationRule, and ServiceEntry configurations for details.

Set of TLS related options that govern the server’s behavior. Use these options to control if all http requests should be redirected to https, and the TLS modes to use.

An optional name of the server, when set must be unique across all servers. This will be used for variety of purposes like prefixing stats generated with this name etc.

A valid non-negative integer port number.

The protocol exposed on the port. MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. TLS can be either used to terminate non-HTTP based connections on a specific port or to route traffic based on SNI header to the destination without terminating the TLS connection.

Label assigned to the port.

If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS.

Optional: Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.

REQUIRED if mode is SIMPLE or MUTUAL. The path to the file holding the server-side TLS certificate to use.

REQUIRED if mode is SIMPLE or MUTUAL. The path to the file holding the server’s private key.

REQUIRED if mode is MUTUAL or OPTIONAL_MUTUAL. The path to a file containing certificate authority certificates to use in verifying a presented client side certificate.

For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. Applicable only on Kubernetes. An Opaque secret should contain the following keys and values: key: <privateKey> and cert: <serverCert>. For mutual TLS, cacert: <CACertificate> and crl: <CertificateRevocationList> can be provided in the same secret or a separate secret named <secret>-cacert. A TLS secret for server certificates with an additional tls.ocsp-staple key for specifying OCSP staple information, ca.crt key for CA certificates and ca.crl for certificate revocation list is also supported. Only one of server certificates and CA certificate or credentialName can be specified.

A list of alternate names to verify the subject identity in the certificate presented by the client.

An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. Note: When both verify_certificate_hash and verify_certificate_spki are specified, a hash matching either value will result in the certificate being accepted.

An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. Both simple and colon separated formats are acceptable. Note: When both verify_certificate_hash and verify_certificate_spki are specified, a hash matching either value will result in the certificate being accepted.

Optional: Minimum TLS protocol version. By default, it is TLSV1_2. TLS protocol versions below TLSV1_2 require setting compatible ciphers with the cipherSuites setting as they no longer include compatible ciphers.

Note: Using TLS protocol versions below TLSV1_2 has serious security risks.

Optional: Maximum TLS protocol version.

Optional: If specified, only support the specified cipher list. Otherwise default to the default cipher list supported by Envoy as specified here. The supported list of ciphers are:

• ECDHE-ECDSA-AES128-GCM-SHA256
• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-ECDSA-AES256-GCM-SHA384
• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-ECDSA-CHACHA20-POLY1305
• ECDHE-RSA-CHACHA20-POLY1305
• ECDHE-ECDSA-AES128-SHA
• ECDHE-RSA-AES128-SHA
• ECDHE-ECDSA-AES256-SHA
• ECDHE-RSA-AES256-SHA
• AES128-GCM-SHA256
• AES256-GCM-SHA384
• AES128-SHA
• AES256-SHA
• DES-CBC3-SHA