Kubernetes Gateway API Custom Resources

Airlock Microgteway brings support for Kubernetes Gateway API and extends the functionality with it's own Custom Resources (see Microgateway Custom Resources). To configure Gateway API functionality, which is typically traffic routing, use the Gateway API Custom Resources described in this chapter.

CR GatewayClass

The CR GatewayClass describes a class of Gateways available to the user for creating Gateway resources.

API reference

Consider the API reference for the defaults and all options.

References

-

Example:

 
Example
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: airlock-microgateway
spec:
  controllerName: microgateway.airlock.com/gatewayclass-controller
  description: GatewayClass for Airlock Microgateway.

The GatewayClass CR example contains the Airlock Microgateway controllerName.
The name must match the Microgateway Controller name configured in the Operator Helm chart (default: microgateway.airlock.com/gatewayclass-controller.

 
Notice

The default GatewayClass with the name airlock-microgateway is created when deploying the Microgateway Operator with Helm.

CR Gateway

The CR Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses.

API reference

Consider the API reference for the defaults and all options.

References

spec.gatewayClassName

Specifies the GatewayClass the Gateway is based on.

spec.infrastructure.parametersRef.name

Specifies the CR GatewayParameters configured for this Gateway.

Example:

 
Example
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway-example
  namespace: example-backend-gw
spec:
  gatewayClassName: airlock-microgateway
  infrastructure:
    parametersRef:
      group: microgateway.airlock.com
      kind: GatewayParameters
      name: gateway-parameters-example
  listeners:
    - name: http
      hostname: "*.example.com"       
      port: 80
      protocol: HTTP
    - name: https
      hostname: "*.example.com"   
      port: 443
      protocol: HTTPS
      tls:
        mode: Terminate
        certificateRefs:
          - name: downstream-server-certificate
        options:  
          microgateway.airlock.com/minimumVersion: TLSv1_2 
          microgateway.airlock.com/maximumVersion: TLSv1_3

If the Airlock Microgateway Controller is configured to support the referenced GatewayClass, the following occurs:

  • A Deployment running the Airlock Microgateway Engine is deployed in the same namespace as the Gateway CR. In the example below, with the Gateway created in the example-backend-gw namespace, the Pod is also deployed there.
  • The Pod running the Airlock Microgateway Engine container is automatically named based on the name of the Gateway CR. In the example below, with the Gateway named gateway-example, the resulting Pod name follows a pattern such as gateway-example-85cdd86c47-mcn9c.
  • A Service will expose the Deployment on the listener ports. The name of the Service will be the same as the name of the Gateway CR.

spec.listeners.protocol

Airlock Microgateway supports the following application protocols:

  • HTTP
  • HTTPS
  • microgateway.airlock.com/http3

microgateway.airlock.com/http3 is our implementation-specific protocol string for HTTP/3 and is considered an incubating feature. It configures the Airlock Microgateway to serve HTTP/3 on the provided port. Note that in the future this implementation-specific protocol could be replaced by a standardised protocol string from the Gateway API.

spec.listeners.tls.options

TLS options define a set of key and value used to extend TLS configuration Gateway resources. These list all Airlock Microgateway–specific TLS options.

Field

Description

Allowed Values

microgateway.airlock.com/minimumVersion

MinimumVersion defines the minimum supported TLS protocol version and must be less than or equal to the maximum version.

TLS_AUTO,TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3

microgateway.airlock.com/maximumVersion

MaximumVersion defines the maximum supported TLS protocol version and must be greater than or equal to the minimum version.

TLS_AUTO,TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3

microgateway.airlock.com/ciphers

Ciphers defines the allowed cipher suites for TLS 1.0–1.2 (this setting has no effect when using TLS 1.3). The value must be a comma-separated list of cipher suites (e.g., “ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256”). If not set, the Envoy default cipher list is used.

microgateway.airlock.com/ecdhCurves

ECDHCurves defines the elliptic curves allowed for ECDH key exchange. The value must be a comma-separated list of curve names ordered by preference (e.g., “X25519,P-256,P-384”). If not set, the list defaults to the curves “X25519MLKEM768”, “X25519” and “P-256” and supports a post-quantum key exchange when using TLS 1.3.

microgateway.airlock.com/signatureAlgorithms

SignatureAlgorithms defines the allowed signature algorithms for TLS handshakes. The value must be a comma-separated list of algorithm names (e.g., “ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256”). If not set, the Envoy default list of signature algorithms is used.

For further details about the Envoy TLS settings, refer to the Envoy TLS protocol settings documentation.

Client certificate validation (downstream mTLS)

Client certificate validation ensures that only trusted clients can access a given web application or API. Properties of the client certificate can be leveraged for fine-grained access control and for propagating the user’s identity.

Prerequisite:
Client certificate validation is implemented using Kubernetes Gateway API 1.4.x-experimental. To use this feature, you must install the Gateway API experimental channel.

 
Notice

In environments such as OpenShift, where only the Gateway API standard channel can be used, this feature is exposed via GatewayParameters.spec.experimental in the CR GatewayParameters.

If mTLS settings are configured in the CR GatewayParametersand the Kubernetes Gateway API CRDs, the settings in GatewayParameters take precedence.

Once mTLS becomes available in the standard channel, the experimental mTLS settings will be removed from the GatewayParameters.

This section focuses on the configuration of client certificate validation. For details on access control and identity propagation, refer to the API reference for all options, and the examples. See CR AccessControlPolicy and CR IdentityPropagation.

 
Example
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway-example
  namespace: example-backend-gw
spec:
  gatewayClassName: airlock-microgateway
  infrastructure:
    parametersRef:
      group: microgateway.airlock.com
      kind: GatewayParameters
      name: gateway-parameters-example
  listeners:
    - name: https
      hostname: "*.example.com"       
      port: 443
      protocol: HTTPS
      tls:
        mode: Terminate
        certificateRefs:
          - name: downstream-server-certificate
    - name: mtls
      hostname: "*.example.com"   
      port: 8443
      protocol: HTTPS
      tls:
        mode: Terminate
        certificateRefs:
          - name: downstream-server-certificate
  tls:
    frontend:
      default: {}
      perPort:
        - port: 8443
          tls:
            validation:
              mode: AllowValidOnly
              caCertificateRefs:
                - group: ""
                  kind: "Secret"
                  name: ca
                - group: ""
                  kind: "ConfigMap"
                  name: ca

The Gateway CR example defines two listeners. One on port 443 for standard HTTPS, and another on port 8443 with client certificate validation (mTLS) enabled. The spec.tls.frontend section contains two keys. default, which configures the behavior applied to all listeners, and perPort, which allows you to apply a port-specific TLS configuration.

This example demonstrates how to combine global and per-port TLS settings, including mTLS, on a single Gateway.

Recommendations

  • Due to security considerations, separate HTTPS with and without client certificate validation on different ports.
  • Because of the previous recommendation, do not use the tls.validation.mode: allowInsecureFallback
 
Functional limitation

mTLS for downstream and upstream are incubating features as described in the article Release notes and incubating features.

CR HTTPRoute

The CR HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed.

API reference

Consider the API reference for the defaults and all options.

References

spec.parentRefs[]

Specifies the Gateway the HTTPRoute is attached to.

Example:

 
Example
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: backend
  namespace: example-backend-gw
spec:
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: gateway-example
  rules:
    - backendRefs:
        - group: ""
          kind: Service
          name: example-backend
          namespace: example-backend-app
          port: 8080

The CR HTTPRoute configures the routing between the Microgateway Engine Pods and back-end application(s). The example demonstrates how to configure cross-Namespace routing when the Microgateway Engine Pod and the example application Pod are in different namespaces.

 
Risk

To secure your back-end application(s), you must configure the incoming traffic to be routed through the Microgateway Engine Pod. We strongly recommend testing your routing configuration by generating test requests and checking the access logs.

CR BackendTLSPolicy

The CR BackendTLSPolicy provides a way to configure how a Gateway connects to a Backend via TLS.

API reference

Consider the API reference for the defaults and all options.

References

spec.targetRefs[]

Specifies the Kubernetes service the BackendTLSPolicy is applied to.

Example:

 
Example
apiVersion: gateway.networking.k8s.io/v1 
kind: BackendTLSPolicy 
metadata:  
  name: example-backend 
  namespace: example-backend-app 
spec:  
  targetRefs:  
    - kind: Service 
      group: core
      name: example-backend 
      sectionName: https 
  validation:  
    hostname: backend 
    wellKnownCACertificates: "System"
  options:  
    microgateway.airlock.com/minimumVersion: TLSv1_2
    microgateway.airlock.com/maximumVersion: TLSv1_3

spec.validation.wellKnownCACertificates

Airlock Microgateway supports the following values for wellKnownCACertificates:

Value

Description

System

Uses the system trust store of the Microgateway Engine container. This includes well-known public Certificate Authorities and is typically used for external services secured with publicly trusted certificates.

microgateway.airlock.com/openShiftServiceCA

Uses the OpenShift Service CA trust bundle for certificate validation. Only applicable when deployed in an OpenShift cluster.

spec.options

TLS options define a set of key and value used to extend TLS configuration BackendTLSPolicy resources. These list all Airlock Microgateway–specific TLS options.

Field

Description

Allowed Values

microgateway.airlock.com/minimumVersion

MinimumVersion defines the minimum supported TLS protocol version and must be less than or equal to the maximum version.

TLS_AUTO,TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3

microgateway.airlock.com/maximumVersion

MaximumVersion defines the maximum supported TLS protocol version and must be greater than or equal to the minimum version.

TLS_AUTO,TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3

microgateway.airlock.com/ciphers

Ciphers defines the allowed cipher suites for TLS 1.0–1.2 (this setting has no effect when using TLS 1.3). The value must be a comma-separated list of cipher suites (e.g., “ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256”). If not set, the Envoy default cipher list is used.

microgateway.airlock.com/ecdhCurves

ECDHCurves defines the elliptic curves allowed for ECDH key exchange. The value must be a comma-separated list of curve names ordered by preference (e.g., “X25519,P-256,P-384”). If not set, the list defaults to the curves “X25519MLKEM768”, “X25519” and “P-256” and supports a post-quantum key exchange when using TLS 1.3.

microgateway.airlock.com/signatureAlgorithms

SignatureAlgorithms defines the allowed signature algorithms for TLS handshakes. The value must be a comma-separated list of algorithm names (e.g., “ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256”). If not set, the Envoy default list of signature algorithms is used.

microgateway.airlock.com/allowExpiredCertificate

AllowExpiredCertificate allows connections with expired certificates.

true

microgateway.airlock.com/insecure

Insecure disables ALL certificate validations, allowing insecure connections without proper trust verification.

true

microgateway.airlock.com/verifyCertificateHashes

VerifyCertificateHashes specifies a list of allowed certificate fingerprints for TLS connections as a multi-line string. Each line represents one fingerprint, blank lines and lines beginning with ‘#’ are ignored. Fingerprints must be hex-encoded SHA-256 hashes.

 
Example
spec:
  options:  
    microgateway.airlock.com/verifyCertificateHashes: |
      # Example with 64 hexadecimal characters
      df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

      # Example with 32 colon-separated byte pairs
      DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

For further details about the Envoy TLS settings, refer to the Envoy TLS protocol settings documentation.

CR ReferenceGrant

The CR ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy.

API reference

Consider the API reference for the defaults and all options.

References

spec.from[]

Specifies the HTTPRoute the ReferenceGrant is applied to.

spec.to[]

Specifies the Kubernetes service the ReferenceGrant is applied to.

Example:

 
Example
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: backend
  namespace: example-backend-app
spec:
  from:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      namespace: example-backend-gw
  to:
    - group: ""
      kind: Service
      name: example-backend