GatewayParameters
microgateway.airlock.com/v1alpha1

GatewayParameters defines the configuration settings for deploying a Gateway in a Kubernetes cluster, including options for logging, service type, deployment strategy, and resource management. It can be referenced by either a GatewayClass or a Gateway.

Note: The more specific GatewayParameters takes precedence. If a Gateway references its own GatewayParameters, the parameters from its associated GatewayClass are overridden completely, without merging.
```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: GatewayParameters
metadata:
  name: gateway-parameters-example
spec:
  # Enable debug logging
  logging:
    level: debug
  kubernetes:
    # Expose the Gateway using a service with an internet-facing AWS Network Load Balancer
    service:
      type: LoadBalancer
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: external
        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    deployment:
      replicas: 3
      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxUnavailable: 1
      # Schedule the Airlock Microgateway Engine pods on a specific instance type and across availability zones
      placement:
        nodeSelector:
          node.kubernetes.io/instance-type: m3.medium
        topologySpreadConstraints:
          - maxSkew: 1
            topologyKey: topology.kubernetes.io/zone
            whenUnsatisfiable: ScheduleAnyway
      # Set resource restrictions to apply to the Airlock Microgateway Engine container
      engineContainer:
        resources:
          limits:
            cpu: 500m
            memory: 128Mi
          requests:
            cpu: 10m
            memory: 40Mi
  defaults:
    sessionHandlingRef:
      name: session-handling-example
    downstream:
      # Configure 'remoteIP' extraction.
      remoteIP:
        xff:
          numTrustedHops: 1
```
A GatewayParameters resource with every field at its default value:

```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: GatewayParameters
metadata:
  name: default
spec:
  logging:
    level: info
  kubernetes:
    service:
      type: ClusterIP
    deployment:
      replicas: 2
      placement: {}
      engineContainer: {}
      automountServiceAccountToken: false
  defaults:
    downstream:
      remoteIP:
        connectionIP: {}
```
GatewayParameters

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
metadata | ObjectMeta | Refer to the Kubernetes API documentation for the fields of metadata. | yes | | |
spec | object | GatewayParametersSpec defines additional configuration parameters for the Gateway. | no | | |

GatewayParameters.spec

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
defaults | object | Defaults specifies default configurations and policies for the Gateway. | no | | |
kubernetes | object | Kubernetes defines the configuration for the Kubernetes resources provisioned for the Gateway. | no | | |
logging | object | Logging specifies Envoy system logging settings for the Gateway. | no | | |

GatewayParameters.spec.defaults

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
downstream | object | Downstream defines the downstream configuration for this Gateway. | no | | |
sessionHandlingRef | object | SessionHandlingRef selects the default SessionHandling configuration for the Gateway. | no | | |

GatewayParameters.spec.defaults.downstream

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
remoteIP | object | RemoteIP defines how the remote IP of a client is propagated. | no | connectionIP: {} | connectionIP: {}, customHeader: {}, xff: {} |

GatewayParameters.spec.defaults.downstream.remoteIP

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
connectionIP | object | ConnectionIP configures the Gateway to use the source IP address of the direct downstream connection. | no | | |
customHeader | object | CustomHeader configures the Gateway to use a custom header for remote IP extraction. | no | | |
xff | object | XFF configures the Gateway to use the standard 'X-Forwarded-For' header for IP extraction. | no | | |

GatewayParameters.spec.defaults.downstream.remoteIP.customHeader

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
headerName | string | HeaderName specifies the name of the custom header containing the remote IP. | yes | | |
required | bool | Required specifies whether the custom header is required. If true and the header is not present, the request is rejected with 403. | no | true | true, false |

GatewayParameters.spec.defaults.downstream.remoteIP.xff

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
numTrustedHops | uint32 | NumTrustedHops specifies that the client's originating IP is extracted from the nth rightmost entry in the X-Forwarded-For header. With the default value of 1, the IP is extracted from the rightmost entry. | no | 1 | [1, 4294967295] |
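To make the remoteIP, customHeader and xff tables above concrete, here is an added Python model (not Airlock Microgateway code) of how connectionIP, customHeader.required and xff.numTrustedHops select the address a request is attributed to. The fall-back to the connection IP for an optional missing header and for too few X-Forwarded-For entries is an assumption, since the page does not specify those cases.

```python
# Added illustration of the GatewayParameters remoteIP modes; not Airlock Microgateway code.
from dataclasses import dataclass
from typing import Mapping, Optional


class RequestRejected(Exception):
    """A required remote-IP header is missing; the spec says the request is rejected with 403."""
    status = 403


@dataclass(frozen=True)
class RemoteIPConfig:
    # Mirrors spec.defaults.downstream.remoteIP: at most one of the two optional modes is set.
    custom_header_name: Optional[str] = None
    custom_header_required: bool = True         # customHeader.required, default true
    xff_num_trusted_hops: Optional[int] = None  # xff.numTrustedHops, default 1 when xff is used
    # Neither set -> connectionIP, the page's default mode.


def resolve_remote_ip(cfg: RemoteIPConfig, connection_ip: str, headers: Mapping[str, str]) -> str:
    """Return the client IP the gateway would attribute to a request under the configured mode."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    if cfg.custom_header_name is not None:
        value = hdrs.get(cfg.custom_header_name.lower())
        if value is None:
            if cfg.custom_header_required:
                raise RequestRejected()
            # Assumption (not stated on the page): an optional, absent header falls back to the connection IP.
            return connection_ip
        return value.strip()

    if cfg.xff_num_trusted_hops is not None:
        n = cfg.xff_num_trusted_hops
        if not 1 <= n <= 4294967295:  # allowed range of numTrustedHops
            raise ValueError("numTrustedHops out of range")
        entries = [e.strip() for e in hdrs.get("x-forwarded-for", "").split(",") if e.strip()]
        if len(entries) < n:
            # Assumption (not stated on the page): too few XFF entries -> fall back to the connection IP.
            return connection_ip
        return entries[-n]  # nth rightmost entry: n=1 is the last element

    return connection_ip  # connectionIP: source address of the direct downstream connection


# Constructed request: client 203.0.113.7 -> trusted CDN 198.51.100.9 -> load balancer 10.0.0.5 -> gateway.
# Each hop appends the address it received from, so the gateway sees two XFF entries.
XFF_TWO_HOPS = {"X-Forwarded-For": "203.0.113.7, 198.51.100.9"}
# Constructed request where the client sent a forged XFF value and the single proxy appended the real address.
XFF_FORGED = {"X-Forwarded-For": "1.2.3.4, 203.0.113.7"}
```

numTrustedHops must equal the number of proxies in front of the Gateway that actually append to X-Forwarded-For: a lower value attributes requests to a proxy address (XFF_TWO_HOPS with one hop), a higher value lets the client choose the attributed address (XFF_FORGED with two hops), which also undermines remote-IP based access control and deny rule exceptions.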
GatewayParameters.spec.defaults.sessionHandlingRef

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
name | string | Name of the resource. | yes | | |

GatewayParameters.spec.kubernetes

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
deployment | object | Deployment configures the Kubernetes Deployment provisioned for the Gateway. | no | | |
service | object | Service configures the Kubernetes Service provisioned for the Gateway. | no | | |

GatewayParameters.spec.kubernetes.deployment

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
automountServiceAccountToken | bool | AutomountServiceAccountToken configures whether a service account token is automatically mounted. Set this to true only if a sidecar that requires a service account token (e.g., OpenShift ServiceMesh) is injected into the Gateway Deployment. | no | false | true, false |
engineContainer | object | EngineContainer configures the container running the Airlock Microgateway Engine. | no | | |
imagePullSecrets | LocalObjectReference[] | ImagePullSecrets configures the list of references to secrets in the same namespace that are used in the Gateway deployment for pulling any of the images. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod | no | | |
placement | object | Placement configures scheduling of the Airlock Microgateway Engine pod. | no | | |
replicas | int32 | Replicas sets the number of Gateway Deployment replicas. | no | 2 | [1, 2147483647] |
strategy | DeploymentStrategy | Strategy configures the deployment strategy used to replace existing Airlock Microgateway Engine pods with new ones. If undefined, the default settings (RollingUpdate) are applied. | no | | |

GatewayParameters.spec.kubernetes.deployment.engineContainer

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
resources | ResourceRequirements | Resources specifies the compute resources required for this container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for details. | no | | |

GatewayParameters.spec.kubernetes.deployment.placement

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
affinity | Affinity | Affinity specifies affinity and anti-affinity rules for the Airlock Microgateway Engine pods. | no | | |
nodeSelector | map[string]string | NodeSelector is a selector which must be true for the Airlock Microgateway Engine pods to fit on a node. | no | | |
tolerations | Toleration[] | Tolerations allow scheduling of Airlock Microgateway Engine pods on tainted nodes. | no | | |
topologySpreadConstraints | TopologySpreadConstraint[] | TopologySpreadConstraints describes how the Airlock Microgateway Engine pods ought to spread across topology domains (e.g., nodes, zones). If the label selector of a constraint is undefined, the label selector of the deployment is used instead. | no | | |

GatewayParameters.spec.kubernetes.service

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
allocateLoadBalancerNodePorts | bool | AllocateLoadBalancerNodePorts defines whether NodePorts are automatically allocated for Services of type LoadBalancer. It may be set to false if the cluster load balancer does not rely on NodePorts. | no | true | true, false |
annotations | map[string]string | Annotations specifies additional annotations for the Service, e.g., for configuring cloud LoadBalancers. | no | | |
externalTrafficPolicy | ServiceExternalTrafficPolicy | ExternalTrafficPolicy describes how nodes distribute service traffic they receive on one of the Service's "externally-facing" addresses (NodePorts and LoadBalancer IPs). Local preserves the source IP of the traffic by routing only to endpoints on the same node the traffic was received on (dropping the traffic if there are no local endpoints). Cluster routes traffic to all endpoints; be aware that this may break client IP detection and dependent features (e.g., deny rule exceptions or access control policies with request conditions matching remote IPs). | no | Local | Cluster, Local |
type | ServiceType | Type specifies the type of Kubernetes Service. | no | ClusterIP | ClusterIP, LoadBalancer, NodePort |

GatewayParameters.spec.logging

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
level | enum | Level specifies the logging level for the Envoy system logs of the Airlock Microgateway Engine. | no | info | off, critical, error, warn, info, debug, trace |