Alauda Container Platform

Configure GatewayAPI Gateway

TOC

OverviewPrerequisitesGateway BasicsWhat is a GatewayGateway Exposure (Service Type)LoadBalancer (Recommended)NodePortClusterIPListener ConfigurationPort and ProtocolAllowRouteNSTLS ConfigurationEnvoyProxy (Deployment Configuration)Image RepositoryCreate GatewayVia Web ConsoleListener ConfigurationVia YAMLComplete Example with Multiple Listener TypesView Gateway DetailsListener and Route ReferenceHostnameHostname Intersection RuleSupported Route KindsNext Step

Overview

This document explains how to configure a Gateway after the Envoy Gateway operator and EnvoyGatewayCtl are ready. A Gateway defines how traffic enters the gateway, while the companion EnvoyProxy controls how the underlying Envoy data plane is deployed.

In the recommended workflow, this document comes after Envoy Gateway Operator and before Configure GatewayAPI Route.

Prerequisites

Please ensure that you have completed the following before proceeding:

  1. Read Envoy Gateway Operator to understand the basic concepts and resource relationships
  2. Install the Envoy Gateway operator and create an EnvoyGatewayCtl
NOTE

This document first explains the main Gateway concepts and then shows how to create a Gateway. If you are already familiar with these concepts, you can skip to the Create Gateway section.

Gateway Basics

What is a Gateway

A Gateway is the entry point for traffic entering your cluster. It defines how external requests are received and routed to your backend services. A Gateway mainly defines:

  • Listeners: Define the ports, protocols, and hostnames the gateway listens on
  • GatewayClass: Selects which gateway controller manages this Gateway
  • Infrastructure reference: References an EnvoyProxy that controls how the underlying Envoy data plane is deployed

Gateway Exposure (Service Type)

Service Type configures how the gateway is exposed through the underlying Envoy Service. There are three modes: LoadBalancer, NodePort, and ClusterIP.

In YAML, this setting is configured in the companion EnvoyProxy resource at .spec.provider.kubernetes.envoyService.type.

The advantage is ease of use and high-availability load balancing capabilities. To use LoadBalancer, the cluster must have LoadBalancer support, which can be enabled via MetalLB.

NodePort

The advantage is that it doesn't require any external dependencies.

However, using NodePort has these disadvantages:

  • When using NodePort, Kubernetes assigns NodePort port numbers that differ from the service's own ports. You must use the NodePort port number for access, not the service port.
  • The service can be accessed via any node IP address in the cluster, which may pose potential security risks.
How to Get the Correct Port When Using NodePort

In the Gateway details page, when Service Type is NodePort, the listener list displays the NodePort column showing the assigned port numbers. You can also use the following command:

kubectl get svc -n ${ENVOYGATEWAYCTL_NS} -l gateway.envoyproxy.io/owning-gateway-name=${GATEWAY_NAME} -o=jsonpath="{.items[0].spec.ports[?(@.port==${PORT})].nodePort}"

The output is the NodePort.

ClusterIP

Very convenient if you don't need external exposure.

Listener Configuration

A Listener defines the port and protocol for the gateway to listen on. In HTTP or HTTPS protocols, different hostnames can be treated as different listeners.

You cannot create a listener with a conflicting port, protocol, or hostname.

You must create at least one listener in the Gateway.

Port and Protocol

Each listener is configured with a port number and a protocol. Supported protocols are: HTTP, HTTPS, TCP, UDP, TLS.

AllowRouteNS

By default, Routes can only attach to a Gateway in the Same namespace. To allow cross-namespace routing, use the Allowed Routes Namespace field:

  • Same: Allow Routes in the same namespace to attach to this listener.
  • All: Allow Routes in any namespace to attach to this listener.
  • Selector: Allow Routes in namespaces matched by the selector to attach to this listener.

In ACP, a project is identified by labels on namespaces, for example cpaas.io/project: <project-name>. If you want a listener to be used only by Routes from a specific project, use Selector and match the project label on the target namespaces.

The listener's Allowed Routes Namespace setting and its protocol together determine which listeners are available in the Route Web Console when you publish a route to a listener.

For more information, see attach to gateway created in other ns.

TLS Configuration

For HTTPS and TLS protocols, you need to configure TLS settings.

TLS Modes:

TLS ModeDescriptionCertificate Required
TerminateEnvoy terminates TLS and decrypts traffic before forwarding to backend servicesYes, must select a TLS certificate
PassthroughEnvoy passes through encrypted TLS traffic to backend services without decryptionNo
NOTE
  • HTTPS protocol only supports Terminate mode
  • TLS protocol supports both Terminate and Passthrough modes
  • TLS listeners with Passthrough mode support TLSRoute
  • TLS listeners with Terminate mode support TCPRoute

Certificate Requirements:

  • By default, you can only use secrets created in the same namespace
  • The secret must be of type kubernetes.io/tls and contain tls.crt and tls.key keys
  • For cross-namespace secrets, see use secret created in other ns

EnvoyProxy (Deployment Configuration)

Envoy Gateway uses the EnvoyProxy resource to control gateway deployment configurations. We recommend creating a dedicated EnvoyProxy resource for each Gateway and referencing it through the Gateway's .spec.infrastructure.parametersRef field.

When you create a Gateway from the Web Console by using a GatewayClass created by EnvoyGatewayCtl, the console automatically creates a companion EnvoyProxy resource with the same name and namespace.

When you create a Gateway by applying YAML, you are responsible for keeping the Gateway .spec.infrastructure.parametersRef and the referenced EnvoyProxy resource consistent.

This one-to-one mapping approach provides better isolation and more granular control over deployment configurations such as:

  • Replicas
  • Resource limits and requests
  • Node selectors
  • Service type and annotations
  • Image repository

Image Repository

The image repository is pre-configured with the default value for your cluster. Do not modify it unless necessary.

For other deployment configuration methods, see deployment-mode.

Create Gateway

Via Web Console

  1. Navigate to Alauda Container Platform -> Networking -> Gateway -> Gateways
  2. Click the Create Gateway button
  3. On the Create Gateway page, select the GatewayClass created by your EnvoyGatewayCtl. In the recommended default example from Envoy Gateway Operator, this is envoy-gateway-operator-cpaas-default.

The page displays the following configuration options:

FieldDescriptionYAML Path
NameGateway namegateway: .metadata.name
envoyproxy: .metadata.name
GatewayClassWhich GatewayClass to usegateway: .spec.gatewayClassName
Service TypeService Typeenvoyproxy: .spec.provider.kubernetes.envoyService.type
Service AnnotationService annotationsenvoyproxy: .spec.provider.kubernetes.envoyService.annotations
Resource LimitsDeployment resource limitsenvoyproxy: .spec.provider.kubernetes.envoyDeployment.container.resources
ReplicasDeployment replicasenvoyproxy: .spec.provider.kubernetes.envoyDeployment.replicas
Node LabelsDeployment node selectorsenvoyproxy: .spec.provider.kubernetes.envoyDeployment.nodeSelector
ListenerListenergateway: .spec.listeners
WARNING

The Web Console form only supports GatewayClasses created by EnvoyGatewayCtl. For other GatewayClasses, use the YAML editor.

NOTE

When using an EnvoyGatewayCtl-created GatewayClass, the Web Console automatically creates a companion EnvoyProxy resource matching the Gateway's name and namespace.

Listener Configuration

When creating or editing a listener, you can configure the following:

FieldDescriptionYAML Path
NameThe name of the listener.spec.listeners[].name
PortThe port number the listener listens on.spec.listeners[].port
ProtocolThe protocol for the listener. Options: HTTP, HTTPS, TCP, UDP, TLS.spec.listeners[].protocol
HostnameOptional. The hostname for the listener.spec.listeners[].hostname
Allowed Routes NamespaceControls which namespaces can attach routes to this listener.spec.listeners[].allowedRoutes.namespaces.from
HTTPS Protocol Configuration

When selecting HTTPS as the protocol:

FieldDescriptionYAML Path
CertificatesRequired. Select the Kubernetes secret containing the TLS certificate..spec.listeners[].tls.certificateRefs
NOTE
  • HTTPS protocol only supports Terminate mode
  • Certificate selection is mandatory for HTTPS listeners
  • You can only use secrets created in the same namespace by default
TLS Protocol Configuration

When selecting TLS as the protocol:

Configuration Fields

FieldDescriptionYAML Path
TLS ModeSelect the TLS mode. Options: Terminate, Passthrough. Default: Terminate.spec.listeners[].tls.mode
TLS CertificateRequired only when TLS Mode is Terminate. Select the secret containing the TLS certificate..spec.listeners[].tls.certificateRefs

For TLS mode details, see TLS Configuration.

Via YAML

Replace envoy-gateway-operator-cpaas-default with the GatewayClass created by your own EnvoyGatewayCtl if you are not using the recommended default example.

The following minimal example creates an HTTP Gateway and a dedicated EnvoyProxy.

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: demo
  namespace: demo
spec:
  infrastructure:
    parametersRef:
      group: gateway.envoyproxy.io
      kind: EnvoyProxy
      name: demo
  gatewayClassName: envoy-gateway-operator-cpaas-default
  listeners:
    - name: http
      port: 80
      protocol: HTTP
      allowedRoutes:
        namespaces:
          from: Same
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: demo
  namespace: demo
spec:
  provider:
    kubernetes:
      envoyService:
        type: ClusterIP
      envoyDeployment:
        replicas: 1
        container:
          imageRepository: registry.alauda.cn:60080/acp/envoyproxy/envoy
          resources:
            limits:
              cpu: '1'
              memory: 1Gi
            requests:
              cpu: '1'
              memory: 1Gi
    type: Kubernetes

Complete Example with Multiple Listener Types

If you need more listener types, use the following complete example:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: demo
  namespace: demo
spec:
  infrastructure:
    parametersRef:
      group: gateway.envoyproxy.io
      kind: EnvoyProxy
      name: demo
  gatewayClassName: envoy-gateway-operator-cpaas-default
  listeners:
    - name: http
      port: 80
      hostname: a.com
      protocol: HTTP
      allowedRoutes:
        namespaces:
          from: Same
    - name: https
      port: 443
      hostname: a.com
      protocol: HTTPS
      allowedRoutes:
        namespaces:
          from: Same
      tls:
        mode: Terminate
        certificateRefs:
          - name: demo-tls
    - name: tls-passthrough
      port: 8443
      hostname: tls.example.com
      protocol: TLS
      allowedRoutes:
        namespaces:
          from: Same
      tls:
        mode: Passthrough
    - name: tls-terminate
      port: 9443
      hostname: secure.example.com
      protocol: TLS
      allowedRoutes:
        namespaces:
          from: Same
      tls:
        mode: Terminate
        certificateRefs:
          - name: demo-tls
    - name: tcp
      port: 8080
      protocol: TCP
      allowedRoutes:
        namespaces:
          from: Same
    - name: udp
      port: 8081
      protocol: UDP
      allowedRoutes:
        namespaces:
          from: Same
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: demo
  namespace: demo
spec:
  provider:
    kubernetes:
      envoyService:
        type: ClusterIP
      envoyDeployment:
        replicas: 1
        container:
          imageRepository: registry.alauda.cn:60080/acp/envoyproxy/envoy
          resources:
            limits:
              cpu: '1'
              memory: 1Gi
            requests:
              cpu: '1'
              memory: 1Gi
    type: Kubernetes
  1. Reference to EnvoyProxy resource for deployment configuration
  2. Replace envoy-gateway-operator-cpaas-default with your own GatewayClass if needed
  3. listeners defines how traffic enters the gateway
  4. hostname affects how host-based routing matches the listener
  5. protocol determines which route kinds can attach to the listener
  6. allowedRoutes controls which namespaces can attach routes
  7. tls configures TLS termination or passthrough for HTTPS and TLS listeners
  8. The EnvoyProxy name must match .spec.infrastructure.parametersRef.name
  9. envoyService.type controls gateway exposure
  10. Keep imageRepository unchanged unless necessary for your environment
  11. resources configures the Envoy data plane resource limits and requests
  12. Keep provider.type as Kubernetes

View Gateway Details

In the Gateway details page, the listener list shows the following information:

ColumnDescription
NameThe listener name
ProtocolThe listener protocol (HTTP, HTTPS, TCP, UDP, TLS)
PortThe configured port number
NodePortDisplayed when Service Type is NodePort. Shows the assigned NodePort number for accessing the listener.
NOTE

When the Gateway Service Type is NodePort, the listener list displays an additional NodePort column. Use the NodePort value, not the service port, to access the gateway. For more details, see How to Get the Correct Port When Using NodePort.

Listener and Route Reference

Use the following rules when attaching Route resources to a Gateway.

Hostname

The hostname in a listener is a unique identifier for listeners that have the same protocol. You cannot add or update a conflicting listener in a gateway.

Hostname Intersection Rule

When a request arrives, it is matched against the intersection of the Listener's hostname and the Route's hostnames. Only hostnames in the intersection are used for routing traffic.

Listener HostnameRoute HostnamesIntersection ResultExample
No hostnameNo hostnamesMatches all hostsAny incoming host header is accepted
No hostnameHas hostnames (e.g., api.example.com)All Route hostnamesOnly requests with api.example.com are matched
Has hostname (e.g., api.example.com)No hostnamesAll Listener hostnamesOnly requests with api.example.com are matched
Has hostname (e.g., api.example.com)Has matching exact hostnameExact match hostnameOnly requests with api.example.com are matched
Has wildcard (e.g., *.example.com)Has matching hostnamesMatching specific hostnamesRequests with api.example.com or web.example.com are matched
Has hostname (e.g., api.example.com)Has non-matching hostnamesNo intersection - Route status is abnormalRoute cannot process traffic
NOTE

Wildcards (*) perform suffix matching. For example, *.example.com matches foo.example.com and bar.example.com, but not example.com.

WARNING

No intersection means the Route status becomes abnormal and traffic cannot be processed.

Supported Route Kinds

Each listener supports different route kinds based on its protocol:

Listener ProtocolSupported Route Kind
HTTPHTTPRoute, GRPCRoute
HTTPSHTTPRoute, GRPCRoute
TLS (Passthrough mode)TLSRoute
TLS (Terminate mode)TCPRoute
TCPTCPRoute
UDPUDPRoute

When configuring routes, ensure they match the protocol of the listener they attach to. For example, you cannot attach an HTTPRoute to a TCP listener.

Next Step

After the Gateway is ready, continue with Configure GatewayAPI Route. If you need advanced traffic control after routes are attached, continue with Configure GatewayAPI Policy.