GatewayParameters

microgateway.airlock.com/v1alpha1


GatewayParameters defines the configuration settings for deploying a Gateway in a Kubernetes cluster, including options for logging, service type, deployment strategy, and resource management. It can be referenced by either a GatewayClass or a Gateway.
Note: The more specific GatewayParameters take precedence: if a Gateway references its own GatewayParameters, the parameters from its associated GatewayClass are overridden completely, without merging.

apiVersion: microgateway.airlock.com/v1alpha1
kind: GatewayParameters
metadata:
  name: gateway-parameters-example
spec:
  # Enable debug logging
  logging:
    level: debug

  kubernetes:
    # Expose the Gateway using a service with an internet-facing AWS Network Load Balancer
    service:
      type: LoadBalancer
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: external
        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing

    deployment:
      replicas: 3

      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxUnavailable: 1

      # Schedule the Airlock Microgateway Engine pods on a specific instance type and across availability zones
      placement:
        nodeSelector:
          node.kubernetes.io/instance-type: m3.medium
        topologySpreadConstraints:
          - maxSkew: 1
            topologyKey: topology.kubernetes.io/zone
            whenUnsatisfiable: ScheduleAnyway

      # Specify Volumes for the Airlock Microgateway Gateway deployment
      volumes:
        - name: vol-1
          emptyDir: {}

      engineContainer:
        # Set resource restrictions to apply to the Airlock Microgateway Engine container
        resources:
          limits:
            cpu: 500m
            memory: 128Mi
          requests:
            cpu: 10m
            memory: 40Mi
        # Specify VolumeMounts for the Airlock Microgateway Engine container
        volumeMounts:
          - name: vol-1
            mountPath: /tmp/data

  defaults:
    sessionHandlingRef:
      name: session-handling-example

    telemetryRef:
      name: telemetry-example

    downstream:
      # Configure 'remoteIP' extraction.
      remoteIP:
        xff:
          numTrustedHops: 1

The following manifest shows the values that apply when the corresponding fields are left unset:

apiVersion: microgateway.airlock.com/v1alpha1
kind: GatewayParameters
metadata:
  name: default
spec:
  logging:
    level: info
  kubernetes:
    service:
      type: ClusterIP
    deployment:
      replicas: 2
      placement: {}
      engineContainer: {}
      automountServiceAccountToken: false
  defaults:
    downstream:
      remoteIP:
        connectionIP: {}
  features:
    envoyExtensionPolicyEnabled: false

GatewayParameters

Field Type Description Required Default Allowed Values
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata yes
spec object GatewayParametersSpec defines additional configuration parameters for the Gateway. no

GatewayParameters.spec

Field Type Description Required Default Allowed Values
defaults object Defaults specifies default configurations and policies for the Gateway. no
features object Features specifies which optional features are enabled for the Gateway. no
kubernetes object Kubernetes defines the configuration for Kubernetes resources provisioned for the Gateway. no
logging object Logging specifies Envoy system logging settings for the Gateway. no

GatewayParameters.spec.defaults

Field Type Description Required Default Allowed Values
downstream object Downstream defines the downstream configuration for this Gateway. no
sessionHandlingRef object SessionHandlingRef selects the default SessionHandling configuration for the Gateway. no
telemetryRef object TelemetryRef selects the default Telemetry configuration (logging, metrics, and tracing) for the Gateway. no

GatewayParameters.spec.defaults.downstream

Field Type Description Required Default Allowed Values
remoteIP object RemoteIP defines how the remote IP of a client is propagated.
Default: connectionIP: {…}
no connectionIP{...} connectionIP{}, customHeader{}, proxyProtocol{}, xff{}

GatewayParameters.spec.defaults.downstream.remoteIP

Field Type Description Required Default Allowed Values
connectionIP object ConnectionIP configures to use the source IP address of the direct downstream connection. no
customHeader object CustomHeader specifies to use a custom header for remote IP extraction. no
proxyProtocol object ProxyProtocol configures to use the proxy protocol connection header for IP extraction. The proxy protocol adds a header to TCP connections to preserve the client’s IP address.
For more details, refer to the protocol specification: https://www.haproxy.org/download/3.1/doc/proxy-protocol.txt
Note: When this field is set, all incoming connections must use the proxy protocol, otherwise, the connection will be closed.
no
xff object XFF configures to use the standard ‘X-Forwarded-For’ header for IP extraction. no numTrustedHops{...} numTrustedHops{}, trustedCIDRRanges{}

GatewayParameters.spec.defaults.downstream.remoteIP.customHeader

Field Type Description Required Default Allowed Values
headerName string HeaderName specifies the name of the custom header containing the remote IP. yes
required bool Required specifies if the custom header is required. If true and the header is not present, the request is rejected with 403. no true true, false

GatewayParameters.spec.defaults.downstream.remoteIP.proxyProtocol

Field Type Description Required Default Allowed Values
version enum Version specifies the version of the proxy protocol. If unspecified, all versions are accepted. no V1, V2

GatewayParameters.spec.defaults.downstream.remoteIP.xff

Field Type Description Required Default Allowed Values
numTrustedHops uint32 NumTrustedHops specifies to extract the client’s originating IP from the nth rightmost entry in the X-Forwarded-For header. With the default value of 1, the IP is extracted from the rightmost entry.
Only one of numTrustedHops and trustedCIDRRanges can be set.
Default: 1
no 1 [1, 4294967295]
trustedCIDRRanges string[] TrustedCIDRRanges specifies the IPv4 or IPv6 CIDR ranges, e.g. 196.148.3.128/26 or 2001:db8::/28 to trust when evaluating the remote IP address to determine the original client’s IP address. When the remote IP address matches a trusted CIDR and the X-Forwarded-For header was sent, each entry in the X-Forwarded-For header is evaluated from right to left and the first non-trusted address is used as the original client address. If all addresses in X-Forwarded-For are within the trusted list, the first (leftmost) entry is used.
Only one of numTrustedHops and trustedCIDRRanges can be set.
no
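As an added illustration (not Airlock Microgateway or Envoy code), the two X-Forwarded-For evaluation rules described above, numTrustedHops and trustedCIDRRanges, expressed as functions; the function names and sample inputs are constructed, and the fall-back to the connection IP when the header has fewer entries than numTrustedHops is an assumption, not something this page states.

```python
import ipaddress
from typing import List, Optional

# Added illustration of the remoteIP.xff extraction rules on this page; not
# Airlock Microgateway or Envoy code. Names and sample inputs are constructed.


def parse_xff(header: Optional[str]) -> List[str]:
    """Split an X-Forwarded-For value into its entries, leftmost first."""
    if not header:
        return []
    return [e.strip() for e in header.split(",") if e.strip()]


def client_ip_num_trusted_hops(conn_ip: str, xff: Optional[str], num_trusted_hops: int = 1) -> str:
    """xff.numTrustedHops: the nth rightmost XFF entry (1 = rightmost).

    Hops are trusted by count only, so the value must equal the number of
    proxies in front of the gateway. Assumption (not stated on the page): when
    the header has fewer entries than that, fall back to the connection IP.
    """
    entries = parse_xff(xff)
    if num_trusted_hops < 1 or len(entries) < num_trusted_hops:
        return conn_ip
    return entries[-num_trusted_hops]


def client_ip_trusted_cidrs(conn_ip: str, xff: Optional[str], trusted_cidrs: List[str]) -> str:
    """xff.trustedCIDRRanges: walk XFF right to left, return the first untrusted entry.

    XFF is only honoured when the direct connection IP is itself trusted and the
    header was sent; if every entry is trusted, the leftmost one is used.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]

    def trusted(addr: str) -> bool:
        try:
            return any(ipaddress.ip_address(addr) in n for n in nets)
        except ValueError:
            return False  # malformed entries are never trusted

    entries = parse_xff(xff)
    if not entries or not trusted(conn_ip):
        return conn_ip  # behaves like connectionIP: {}
    for addr in reversed(entries):
        if not trusted(addr):
            return addr
    return entries[0]
```

In the trustedCIDRRanges case a client-supplied leftmost entry is ignored because evaluation stops at the first untrusted address from the right, which is why the trusted ranges should list only the proxies you operate.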

GatewayParameters.spec.defaults.sessionHandlingRef

Field Type Description Required Default Allowed Values
name string Name of the resource yes

GatewayParameters.spec.defaults.telemetryRef

Field Type Description Required Default Allowed Values
name string Name of the resource yes

GatewayParameters.spec.features

Field Type Description Required Default Allowed Values
envoyExtensionPolicyEnabled bool EnvoyExtensionPolicyEnabled specifies whether the controller processes EnvoyExtensionPolicy resources for HTTPRoutes attached to the Gateway.
Use EnvoyExtensionPolicy only if the features of Airlock Microgateway and Kubernetes Gateway API do not provide this functionality. If you identify missing features or use cases, please report them to help improve our product.
Note: Invalid or malformed Envoy configurations may prevent the Gateway’s configuration from being updated.
no false true, false

GatewayParameters.spec.kubernetes

Field Type Description Required Default Allowed Values
deployment object Deployment configures the Kubernetes Deployment provisioned for the Gateway. no
service object Service configures the Kubernetes Service provisioned for the Gateway. no

GatewayParameters.spec.kubernetes.deployment

Field Type Description Required Default Allowed Values
automountServiceAccountToken bool AutomountServiceAccountToken configures whether a service account token should be automatically mounted. Set this to true only if a sidecar that requires a service account token (e.g., OpenShift ServiceMesh) is injected into the Gateway Deployment. no false true, false
engineContainer object EngineContainer configures the container running the Airlock Microgateway Engine. no
imagePullSecrets LocalObjectReference[] ImagePullSecrets configures the list of references to secrets in the same namespace, which will be used in the Gateway deployment for pulling any of the images.
More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
no
placement object Placement configures scheduling of the Airlock Microgateway Engine pod. no
replicas int32 Replicas sets the number of Gateway Deployment replicas. no 2 [1, 2147483647]
strategy DeploymentStrategy Strategy configures the deployment strategy which is used to replace existing Airlock Microgateway Engine pods with new ones.
If undefined, default settings (RollingUpdate) are applied.
no
volumes Volume[] Volumes specifies the list of Kubernetes Volumes that can be mounted by the EngineContainer of the Gateway deployment. no

GatewayParameters.spec.kubernetes.deployment.engineContainer

Field Type Description Required Default Allowed Values
resources ResourceRequirements Resources specifies the compute resources required for this container.
If undefined, default resource settings are applied: {"requests":{"cpu":"100m","memory":"256Mi"}}.
Setting this field overrides the defaults entirely, values are not merged.
See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for details.
no
volumeMounts Volume[] VolumeMounts specifies the list of volumes to mount into the EngineContainer’s filesystem. no

GatewayParameters.spec.kubernetes.deployment.placement

Field Type Description Required Default Allowed Values
affinity Affinity Affinity specifies affinity and anti-affinity rules for the Airlock Microgateway Engine pods. no
nodeSelector map[string]string NodeSelector is a selector which must be true for the Airlock Microgateway Engine pods to fit on a node. no
tolerations Toleration[] Tolerations allows scheduling of Airlock Microgateway Engine pods on tainted nodes. no
topologySpreadConstraints TopologySpreadConstraint[] TopologySpreadConstraints describes how the Airlock Microgateway Engine pods ought to spread across topology domains (e.g., nodes, zones).
If the label selector of the constraints is undefined, the label selector of the deployment will be used instead.
no

GatewayParameters.spec.kubernetes.service

Field Type Description Required Default Allowed Values
allocateLoadBalancerNodePorts bool AllocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.
If undefined, the default is true. It may be set to false if the cluster load-balancer does not rely on NodePorts.
no true, false
annotations map[string]string Annotations specifies additional annotations for the Service, e.g., for configuring cloud LoadBalancers. no
externalTrafficPolicy ServiceExternalTrafficPolicy ExternalTrafficPolicy describes how nodes distribute service traffic they receive on one of the Service’s “externally-facing” addresses (NodePorts, and LoadBalancer IPs). Meaning of the possible values:
Local: preserves the source IP of the traffic by routing only to endpoints on the same node as the traffic was received on (dropping the traffic if there are no local endpoints).
Cluster: routes traffic to all endpoints. Be aware that this may break client IP detection and dependent features (e.g., deny rule exceptions or access control policies with request conditions matching remote IPs).
If undefined, the Local policy is applied.
no Cluster, Local
type ServiceType Type specifies the type of Kubernetes Service. no ClusterIP ClusterIP, LoadBalancer, NodePort

GatewayParameters.spec.logging

Field Type Description Required Default Allowed Values
level enum Level specifies the logging level for the Envoy system logs of the Airlock Microgateway Engine. no info off, critical, error, warn, info, debug, trace