| // Copyright 2019 CUE Authors |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| |
| // Copyright 2017 Istio Authors |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| |
| // $title: Gateway |
| // $description: Configuration affecting edge load balancer. |
| // $location: https://istio.io/docs/reference/config/networking/v1alpha3/gateway.html |
| |
| // `Gateway` describes a load balancer operating at the edge of the mesh |
| // receiving incoming or outgoing HTTP/TCP connections. The specification |
| // describes a set of ports that should be exposed, the type of protocol to |
| // use, SNI configuration for the load balancer, etc. |
| // |
| // For example, the following Gateway configuration sets up a proxy to act |
| // as a load balancer exposing port 80 and 9080 (http), 443 (https), |
| // 9443(https) and port 2379 (TCP) for ingress. The gateway will be |
| // applied to the proxy running on a pod with labels `app: |
| // my-gateway-controller`. While Istio will configure the proxy to listen |
| // on these ports, it is the responsibility of the user to ensure that |
| // external traffic to these ports are allowed into the mesh. |
| // |
| // ```yaml |
| // apiVersion: networking.istio.io/v1alpha3 |
| // kind: Gateway |
| // metadata: |
| // name: my-gateway |
| // namespace: some-config-namespace |
| // spec: |
| // selector: |
| // app: my-gateway-controller |
| // servers: |
| // - port: |
| // number: 80 |
| // name: http |
| // protocol: HTTP |
| // hosts: |
| // - uk.bookinfo.com |
| // - eu.bookinfo.com |
| // tls: |
| // httpsRedirect: true # sends 301 redirect for http requests |
| // - port: |
| // number: 443 |
| // name: https-443 |
| // protocol: HTTPS |
| // hosts: |
| // - uk.bookinfo.com |
| // - eu.bookinfo.com |
| // tls: |
| // mode: SIMPLE # enables HTTPS on this port |
| // serverCertificate: /etc/certs/servercert.pem |
| // privateKey: /etc/certs/privatekey.pem |
| // - port: |
| // number: 9443 |
| // name: https-9443 |
| // protocol: HTTPS |
| // hosts: |
| // - "bookinfo-namespace/*.bookinfo.com" |
| // tls: |
| // mode: SIMPLE # enables HTTPS on this port |
| // credentialName: bookinfo-secret # fetches certs from Kubernetes secret |
| // - port: |
| // number: 9080 |
| // name: http-wildcard |
| // protocol: HTTP |
| // hosts: |
| // - "*" |
| // - port: |
| // number: 2379 # to expose internal service via external port 2379 |
| // name: mongo |
| // protocol: MONGO |
| // hosts: |
| // - "*" |
| // ``` |
| // |
| // The Gateway specification above describes the L4-L6 properties of a load |
| // balancer. A `VirtualService` can then be bound to a gateway to control |
| // the forwarding of traffic arriving at a particular host or gateway port. |
| // |
| // For example, the following VirtualService splits traffic for |
| // `https://uk.bookinfo.com/reviews`, `https://eu.bookinfo.com/reviews`, |
| // `http://uk.bookinfo.com:9080/reviews`, |
| // `http://eu.bookinfo.com:9080/reviews` into two versions (prod and qa) of |
| // an internal reviews service on port 9080. In addition, requests |
| // containing the cookie "user: dev-123" will be sent to special port 7777 |
| // in the qa version. The same rule is also applicable inside the mesh for |
| // requests to the "reviews.prod.svc.cluster.local" service. This rule is |
| // applicable across ports 443, 9080. Note that `http://uk.bookinfo.com` |
| // gets redirected to `https://uk.bookinfo.com` (i.e. 80 redirects to 443). |
| // |
| // ```yaml |
| // apiVersion: networking.istio.io/v1alpha3 |
| // kind: VirtualService |
| // metadata: |
| // name: bookinfo-rule |
| // namespace: bookinfo-namespace |
| // spec: |
| // hosts: |
| // - reviews.prod.svc.cluster.local |
| // - uk.bookinfo.com |
| // - eu.bookinfo.com |
| // gateways: |
| // - some-config-namespace/my-gateway |
| // - mesh # applies to all the sidecars in the mesh |
| // http: |
| // - match: |
| // - headers: |
| // cookie: |
| // exact: "user=dev-123" |
| // route: |
| // - destination: |
| // port: |
| // number: 7777 |
| // host: reviews.qa.svc.cluster.local |
| // - match: |
| // - uri: |
| // prefix: /reviews/ |
| // route: |
| // - destination: |
| // port: |
| // number: 9080 # can be omitted if it's the only port for reviews |
| // host: reviews.prod.svc.cluster.local |
| // weight: 80 |
| // - destination: |
| // host: reviews.qa.svc.cluster.local |
| // weight: 20 |
| // ``` |
| // |
| // The following VirtualService forwards traffic arriving at (external) |
| // port 27017 to internal Mongo server on port 5555. This rule is not |
| // applicable internally in the mesh as the gateway list omits the |
| // reserved name `mesh`. |
| // |
| // ```yaml |
| // apiVersion: networking.istio.io/v1alpha3 |
| // kind: VirtualService |
| // metadata: |
| // name: bookinfo-Mongo |
| // namespace: bookinfo-namespace |
| // spec: |
| // hosts: |
| // - mongosvr.prod.svc.cluster.local # name of internal Mongo service |
| // gateways: |
| // - some-config-namespace/my-gateway # can omit the namespace if gateway is in same |
| // namespace as virtual service. |
| // tcp: |
| // - match: |
| // - port: 27017 |
| // route: |
| // - destination: |
| // host: mongo.prod.svc.cluster.local |
| // port: |
| // number: 5555 |
| // ``` |
| // |
| // It is possible to restrict the set of virtual services that can bind to |
| // a gateway server using the namespace/hostname syntax in the hosts field. |
| // For example, the following Gateway allows any virtual service in the ns1 |
| // namespace to bind to it, while restricting only the virtual service with |
| // foo.bar.com host in the ns2 namespace to bind to it. |
| // |
| // ```yaml |
| // apiVersion: networking.istio.io/v1alpha3 |
| // kind: Gateway |
| // metadata: |
| // name: my-gateway |
| // namespace: some-config-namespace |
| // spec: |
| // selector: |
| // app: my-gateway-controller |
| // servers: |
| // - port: |
| // number: 80 |
| // name: http |
| // protocol: HTTP |
| // hosts: |
| // - "ns1/*" |
| // - "ns2/foo.bar.com" |
| // ``` |
| // |
| package v1alpha3 |
| |
| #Gateway: { |
| // REQUIRED: A list of server specifications. |
| servers?: [...#Server] @protobuf(1) |
| |
| // REQUIRED: One or more labels that indicate a specific set of pods/VMs |
| // on which this gateway configuration should be applied. The scope of |
| // label search is restricted to the configuration namespace in which the |
| // the resource is present. In other words, the Gateway resource must |
| // reside in the same namespace as the gateway workload instance. |
| selector?: { |
| [string]: string |
| } @protobuf(2,type=map<string,string>) |
| selector?: [name=_]: name |
| } |
| |
| // `Server` describes the properties of the proxy on a given load balancer |
| // port. For example, |
| // |
| // ```yaml |
| // apiVersion: networking.istio.io/v1alpha3 |
| // kind: Gateway |
| // metadata: |
| // name: my-ingress |
| // spec: |
| // selector: |
| // app: my-ingress-gateway |
| // servers: |
| // - port: |
| // number: 80 |
| // name: http2 |
| // protocol: HTTP2 |
| // hosts: |
| // - "*" |
| // ``` |
| // |
| // Another example |
| // |
| // ```yaml |
| // apiVersion: networking.istio.io/v1alpha3 |
| // kind: Gateway |
| // metadata: |
| // name: my-tcp-ingress |
| // spec: |
| // selector: |
| // app: my-tcp-ingress-gateway |
| // servers: |
| // - port: |
| // number: 27018 |
| // name: mongo |
| // protocol: MONGO |
| // hosts: |
| // - "*" |
| // ``` |
| // |
| // The following is an example of TLS configuration for port 443 |
| // |
| // ```yaml |
| // apiVersion: networking.istio.io/v1alpha3 |
| // kind: Gateway |
| // metadata: |
| // name: my-tls-ingress |
| // spec: |
| // selector: |
| // app: my-tls-ingress-gateway |
| // servers: |
| // - port: |
| // number: 443 |
| // name: https |
| // protocol: HTTPS |
| // hosts: |
| // - "*" |
| // tls: |
| // mode: SIMPLE |
| // serverCertificate: /etc/certs/server.pem |
| // privateKey: /etc/certs/privatekey.pem |
| // ``` |
| #Server: { |
| // REQUIRED: The Port on which the proxy should listen for incoming |
| // connections. |
| port?: #Port @protobuf(1) |
| port?: >10 & <100 |
| |
| // $hide_from_docs |
| // The ip or the Unix domain socket to which the listener should be bound |
| // to. Format: `x.x.x.x` or `unix:///path/to/uds` or `unix://@foobar` |
| // (Linux abstract namespace). When using Unix domain sockets, the port |
| // number should be 0. |
| bind?: string @protobuf(4) |
| |
| // REQUIRED. One or more hosts exposed by this gateway. |
| // While typically applicable to |
| // HTTP services, it can also be used for TCP services using TLS with SNI. |
| // A host is specified as a `dnsName` with an optional `namespace/` prefix. |
| // The `dnsName` should be specified using FQDN format, optionally including |
| // a wildcard character in the left-most component (e.g., `prod/*.example.com`). |
| // Set the `dnsName` to `*` to select all `VirtualService` hosts from the |
| // specified namespace (e.g.,`prod/*`). If no `namespace/` is specified, |
| // the `VirtualService` hosts will be selected from any available namespace. |
| // Any associated `DestinationRule` in the same namespace will also be used. |
| // |
| // A `VirtualService` must be bound to the gateway and must have one or |
| // more hosts that match the hosts specified in a server. The match |
| // could be an exact match or a suffix match with the server's hosts. For |
| // example, if the server's hosts specifies `*.example.com`, a |
| // `VirtualService` with hosts `dev.example.com` or `prod.example.com` will |
| // match. However, a `VirtualService` with host `example.com` or |
| // `newexample.com` will not match. |
| // |
| // NOTE: Only virtual services exported to the gateway's namespace |
| // (e.g., `exportTo` value of `*`) can be referenced. |
| // Private configurations (e.g., `exportTo` set to `.`) will not be |
| // available. Refer to the `exportTo` setting in `VirtualService`, |
| // `DestinationRule`, and `ServiceEntry` configurations for details. |
| hosts?: [...string] @protobuf(2) |
| |
| #TLSOptions: { |
| // If set to true, the load balancer will send a 301 redirect for all |
| // http connections, asking the clients to use HTTPS. |
| httpsRedirect?: bool @protobuf(1,name=https_redirect) |
| |
| // TLS modes enforced by the proxy |
| #TLSmode: |
| // The SNI string presented by the client will be used as the match |
| // criterion in a VirtualService TLS route to determine the |
| // destination service from the service registry. |
| "PASSTHROUGH" | |
| |
| // Secure connections with standard TLS semantics. |
| "SIMPLE" | |
| |
| // Secure connections to the upstream using mutual TLS by presenting |
| // client certificates for authentication. |
| "MUTUAL" | |
| |
| // Similar to the passthrough mode, except servers with this TLS mode |
| // do not require an associated VirtualService to map from the SNI |
| // value to service in the registry. The destination details such as |
| // the service/subset/port are encoded in the SNI value. The proxy |
| // will forward to the upstream (Envoy) cluster (a group of |
| // endpoints) specified by the SNI value. This server is typically |
| // used to provide connectivity between services in disparate L3 |
| // networks that otherwise do not have direct connectivity between |
| // their respective endpoints. Use of this mode assumes that both the |
| // source and the destination are using Istio mTLS to secure traffic. |
| "AUTO_PASSTHROUGH" |
| |
| #TLSmode_value: { |
| PASSTHROUGH: 0 |
| SIMPLE: 1 |
| MUTUAL: 2 |
| AUTO_PASSTHROUGH: 3 |
| } |
| |
| // Optional: Indicates whether connections to this port should be |
| // secured using TLS. The value of this field determines how TLS is |
| // enforced. |
| mode?: #TLSmode @protobuf(2) |
| |
| // Extra comment. |
| |
| // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file |
| // holding the server-side TLS certificate to use. |
| serverCertificate?: string @protobuf(3,name=server_certificate) |
| |
| // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file |
| // holding the server's private key. |
| privateKey?: string @protobuf(4,name=private_key) |
| |
| // REQUIRED if mode is `MUTUAL`. The path to a file containing |
| // certificate authority certificates to use in verifying a presented |
| // client side certificate. |
| caCertificates?: string @protobuf(5,name=ca_certificates) |
| |
| // The credentialName stands for a unique identifier that can be used |
| // to identify the serverCertificate and the privateKey. The |
| // credentialName appended with suffix "-cacert" is used to identify |
| // the CaCertificates associated with this server. Gateway workloads |
| // capable of fetching credentials from a remote credential store such |
| // as Kubernetes secrets, will be configured to retrieve the |
| // serverCertificate and the privateKey using credentialName, instead |
| // of using the file system paths specified above. If using mutual TLS, |
| // gateway workload instances will retrieve the CaCertificates using |
| // credentialName-cacert. The semantics of the name are platform |
| // dependent. In Kubernetes, the default Istio supplied credential |
| // server expects the credentialName to match the name of the |
| // Kubernetes secret that holds the server certificate, the private |
| // key, and the CA certificate (if using mutual TLS). Set the |
| // `ISTIO_META_USER_SDS` metadata variable in the gateway's proxy to |
| // enable the dynamic credential fetching feature. |
| credentialName?: string @protobuf(10,name=credential_name) |
| |
| // A list of alternate names to verify the subject identity in the |
| // certificate presented by the client. |
| subjectAltNames?: [...string] @protobuf(6,name=subject_alt_names) |
| |
| // TLS protocol versions. |
| #TLSProtocol: "TLS_AUTO" | // Automatically choose the optimal TLS version. |
| "TLSV1_0" | // TLS version 1.0 |
| "TLSV1_1" | // TLS version 1.1 |
| "TLSV1_2" | // TLS version 1.2 |
| "TLSV1_3" // TLS version 1.3 |
| |
| #TLSProtocol_value: { |
| TLS_AUTO: 0 |
| TLSV1_0: 1 |
| TLSV1_1: 2 |
| TLSV1_2: 3 |
| TLSV1_3: 4 |
| } |
| |
| // Optional: Minimum TLS protocol version. |
| minProtocolVersion?: #TLSProtocol @protobuf(7,name=min_protocol_version) |
| |
| // Optional: Maximum TLS protocol version. |
| maxProtocolVersion?: #TLSProtocol @protobuf(8,name=max_protocol_version) |
| |
| // Optional: If specified, only support the specified cipher list. |
| // Otherwise default to the default cipher list supported by Envoy. |
| cipherSuites?: [...string] @protobuf(9,name=cipher_suites) |
| } |
| |
| // Set of TLS related options that govern the server's behavior. Use |
| // these options to control if all http requests should be redirected to |
| // https, and the TLS modes to use. |
| tls?: #TLSOptions @protobuf(3) |
| |
| // The loopback IP endpoint or Unix domain socket to which traffic should |
| // be forwarded to by default. Format should be `127.0.0.1:PORT` or |
| // `unix:///path/to/socket` or `unix://@foobar` (Linux abstract namespace). |
| defaultEndpoint?: string @protobuf(5,name=default_endpoint) |
| } |
| |
| // Port describes the properties of a specific port of a service. |
| #Port: { |
| // REQUIRED: A valid non-negative integer port number. |
| number?: uint32 @protobuf(1) |
| |
| // REQUIRED: The protocol exposed on the port. |
| // MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. |
| // TLS implies the connection will be routed based on the SNI header to |
| // the destination without terminating the TLS connection. |
| protocol?: string @protobuf(2) |
| |
| // Label assigned to the port. |
| name?: string @protobuf(3) |
| } |