Tasks for Envoy Gateway

Prerequisites

Introduction

When applying configuration changes in the Gateway API, there are three primary approaches available:

Direct modification of the HTTP/TCP/UDP Route or Gateway.
Modification through PolicyAttachment provided by Gateway Api and Envoy Gateway.
Modification on the global configuration level of the envoy-gateway instance.

HTTP/TCP/UDP Route

PolicyAttachment Via TargetRefs

Envoy Gateway provides a rich custom policy mechanism that can be attached to gateway resources through the Gateway API's PolicyAttachment model.

Envoy Gateway policies are divided into multiple types, including security policies, traffic management policies and more. These policies can be applied to different levels of resources, such as Gateway, HTTPRoute, or Service.

The Gateway API's PolicyAttachment mechanism allows users to attach policies to gateway resources in a declarative way. This mechanism is implemented through the targetRefs field, which specifies the target resource for policy application. For example, policies can be attached to specific Gateways, HTTPRoutes, or Services.

Policy types supported by Envoy Gateway include:

Policy Type	Description
ClientTrafficPolicy	Configuration related to the client-to-proxy communication path, including parameters such as timeouts, retries, keepalive settings, etc.
BackendTrafficPolicy	Configuration related to the proxy-to-backend communication path, including parameters such as timeouts, retries, keepalive settings, etc.
SecurityPolicy	Configuration related to security mechanisms and controls, such as authentication and authorization.

Using the PolicyAttachment mechanism, users can flexibly add, modify, or delete policies without modifying core resource definitions, achieving separation of concerns and better resource management.

Global Configuration

The configuration related to envoy-gateway instance itself or global-level configuration related to all gateways belongs to this envoy-gateway instance, such as deployment mode or backend routing.

We recommend using EnvoyGatewayCtl to manage those global configurations.

Common Tasks For Route Config

Feature	CR	Description
Auth	envoygateway:SecurityPolicy	Authorization
CORS	gatewayapi:HTTPRoute	Cross-Origin Resource Sharing
Header Modification	gatewayapi:HTTPRoute	HTTP Header Modification
HTTP Redirect	gatewayapi:HTTPRoute	HTTP Redirect
L7 Timeout	gatewayapi:HTTPRoute	Request Timeouts
SessionAffinity	gatewayapi:HTTPRoute	Session Affinity/Sticky Sessions
L7 Keepalive	envoygateway:ClientTrafficPolicy	L7 Keepalive Timeout Settings
L4 Keepalive	envoygateway:ClientTrafficPolicy	L4 TCP Keepalive Settings
UrlRewrite	gatewayapi:HTTPRoute	URL Rewrite
Retry	gatewayapi:HTTPRoute or envoygateway:BackendTrafficPolicy	Request Retries Config Via HTTPRoute Request Retries Config Via EnvoyGateway
GZip	envoygateway:BackendTrafficPolicy	HTTP Compression

Advanced Configuration

OpenTelemetry(Otel)

Please follow instructions in OpenTelemetry Integration, but use EnvoyGatewayCtl to modify the envoy-gateway-config.

How To Attach to Listener Created In Other Namespace

In the Gateway's listener configuration, you need to specify which namespaces are allowed to attach Routes to it.

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: example-gateway
spec:
  listeners:
    - name: http-80
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: All # without limit
    - name: http-81
      protocol: HTTP
      port: 81
      allowedRoutes:
        namespaces:
          from: Same # only allow routes in the same namespace
    - name: http-82
      protocol: HTTP
      port: 82
      allowedRoutes:
        namespaces:
          from: Selector
          selector:
            matchLabels:
              team: frontend # only allow routes in the namespace with label team=frontend

Please refer to Cross-Namespace routing for more details.

How To Use Cert Created In Other Namespace

To use a certificate created in another namespace, you need to create a ReferenceGrant in the namespace where the certificate is created. Please follow instructions in cross-namespace-certificate-references and referencegrant.

NOTE

You cannot specify individual secret resources; you must allow the entire namespace

How To Use SSL passthrough

Please follow instructions in

How To Change SSL Cipher

Please follow instructions in customize-gateway-tls-parameters

cat <<EOF | kubectl apply -f -
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: enforce-tls-13
  namespace: default
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: eg
  tls:
    minVersion: "1.3"
EOF

the .spec.tls in ClientTrafficPolicy is clienttlssettings

How To Specify NodePort When Using NodePort Service

When using a NodePort service, kubernetes assigns a NodePort port number to each service port. When accessing the service through a node IP, you should use the corresponding NodePort port number rather than the service port.

There are two approaches to handle this:

Manually retrieve the NodePort assignment by following get nodeport from svc port

Manually specify the NodePort in the EnvoyProxy configuration instead of letting Kubernetes automatically assign it.

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: demo
spec:
  ipFamily: DualStack
  provider:
    kubernetes:
      envoyDeployment:
        container:
          imageRepository: registry.alauda.cn:60080/acp/envoyproxy/envoy
      envoyService:
        patch:
          type: StrategicMerge
          value:
            spec:
              ports:
                - nodeport: 31888
                  port: 80
        type: NodePort
    type: Kubernetes

Use patch field to patch the generated service resource to specify the NodePort

NOTE

NodePort can only be within a specific range, typically 30000-32767. If you want the Gateway listener port and NodePort to be consistent, your listener port must also be within the NodePort range.

How To Add Pod Annotation in EnvoyGateway

Add pod annotation

How To Set NodeSelector And Tolerations For envoy-gateway-operator

update the Subscription resources

# example of nodeSelector and tolerations
kubectl patch subscription envoy-gateway-operator  -n envoy-gateway-operator   --type='merge' -p '
{
  "spec": {
    "config": {
      "nodeSelector": {
        "node-role.kubernetes.io/infra": ""
      },
      "tolerations": [
        {
          "effect": "NoSchedule",
          "key": "node-role.kubernetes.io/infra",
          "operator": "Equal",
          "value": "reserved"
        }
      ]
    }
  }
}'

How To Set NodeSelector And Tolerations For envoy-gateway

update the EnvoyGatewayCtl resources

# in default $NAME=cpaas-default and $NS=envoy-gateway-operator
kubectl patch envoygatewayctl $NAME -n $NS --type='merge' -p '
{
  "spec": {
    "deployment": {
      "pod": {
        "nodeSelector": {
          "node-role.kubernetes.io/infra": ""
        },
        "tolerations": [
          {
            "effect": "NoSchedule",
            "key": "node-role.kubernetes.io/infra",
            "operator": "Equal",
            "value": "reserved"
          }
        ]
      }
    }
  }
}'

How To Set NodeSelector And Tolerations For envoy-proxy

update the EnvoyProxy resources

kubectl patch envoyproxy $NAME -n $NS --type='merge' -p '
{
  "spec": {
    "provider": {
      "kubernetes": {
        "envoyDeployment": {
          "pod": {
            "nodeSelector": {
              "node-role.kubernetes.io/infra": ""
            },
            "tolerations": [
              {
                "effect": "NoSchedule",
                "key": "node-role.kubernetes.io/infra",
                "operator": "Equal",
                "value": "reserved"
              }
            ]
          }
        }
      }
    }
  }
}'

More configuration

Please refer to EnvoyGateway Tasks

Tasks for Envoy Gateway

Prerequisites

Introduction

When applying configuration changes in the Gateway API, there are three primary approaches available:

Direct modification of the HTTP/TCP/UDP Route or Gateway.
Modification through PolicyAttachment provided by Gateway Api and Envoy Gateway.
Modification on the global configuration level of the envoy-gateway instance.

HTTP/TCP/UDP Route

PolicyAttachment Via TargetRefs

Envoy Gateway provides a rich custom policy mechanism that can be attached to gateway resources through the Gateway API's PolicyAttachment model.

Policy types supported by Envoy Gateway include:

Policy Type	Description
ClientTrafficPolicy	Configuration related to the client-to-proxy communication path, including parameters such as timeouts, retries, keepalive settings, etc.
BackendTrafficPolicy	Configuration related to the proxy-to-backend communication path, including parameters such as timeouts, retries, keepalive settings, etc.
SecurityPolicy	Configuration related to security mechanisms and controls, such as authentication and authorization.

Using the PolicyAttachment mechanism, users can flexibly add, modify, or delete policies without modifying core resource definitions, achieving separation of concerns and better resource management.

Global Configuration

We recommend using EnvoyGatewayCtl to manage those global configurations.

Common Tasks For Route Config

Feature	CR	Description
Auth	envoygateway:SecurityPolicy	Authorization
CORS	gatewayapi:HTTPRoute	Cross-Origin Resource Sharing
Header Modification	gatewayapi:HTTPRoute	HTTP Header Modification
HTTP Redirect	gatewayapi:HTTPRoute	HTTP Redirect
L7 Timeout	gatewayapi:HTTPRoute	Request Timeouts
SessionAffinity	gatewayapi:HTTPRoute	Session Affinity/Sticky Sessions
L7 Keepalive	envoygateway:ClientTrafficPolicy	L7 Keepalive Timeout Settings
L4 Keepalive	envoygateway:ClientTrafficPolicy	L4 TCP Keepalive Settings
UrlRewrite	gatewayapi:HTTPRoute	URL Rewrite
Retry	gatewayapi:HTTPRoute or envoygateway:BackendTrafficPolicy	Request Retries Config Via HTTPRoute Request Retries Config Via EnvoyGateway
GZip	envoygateway:BackendTrafficPolicy	HTTP Compression

Advanced Configuration

OpenTelemetry(Otel)

Please follow instructions in OpenTelemetry Integration, but use EnvoyGatewayCtl to modify the envoy-gateway-config.

How To Attach to Listener Created In Other Namespace

In the Gateway's listener configuration, you need to specify which namespaces are allowed to attach Routes to it.

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: example-gateway
spec:
  listeners:
    - name: http-80
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: All # without limit
    - name: http-81
      protocol: HTTP
      port: 81
      allowedRoutes:
        namespaces:
          from: Same # only allow routes in the same namespace
    - name: http-82
      protocol: HTTP
      port: 82
      allowedRoutes:
        namespaces:
          from: Selector
          selector:
            matchLabels:
              team: frontend # only allow routes in the namespace with label team=frontend

Please refer to Cross-Namespace routing for more details.

How To Use Cert Created In Other Namespace

NOTE

You cannot specify individual secret resources; you must allow the entire namespace

How To Use SSL passthrough

Please follow instructions in

How To Change SSL Cipher

Please follow instructions in customize-gateway-tls-parameters

cat <<EOF | kubectl apply -f -
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: enforce-tls-13
  namespace: default
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: eg
  tls:
    minVersion: "1.3"
EOF

the .spec.tls in ClientTrafficPolicy is clienttlssettings

How To Specify NodePort When Using NodePort Service

There are two approaches to handle this:

Manually retrieve the NodePort assignment by following get nodeport from svc port

Manually specify the NodePort in the EnvoyProxy configuration instead of letting Kubernetes automatically assign it.

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: demo
spec:
  ipFamily: DualStack
  provider:
    kubernetes:
      envoyDeployment:
        container:
          imageRepository: registry.alauda.cn:60080/acp/envoyproxy/envoy
      envoyService:
        patch:
          type: StrategicMerge
          value:
            spec:
              ports:
                - nodeport: 31888
                  port: 80
        type: NodePort
    type: Kubernetes

Use patch field to patch the generated service resource to specify the NodePort

NOTE

NodePort can only be within a specific range, typically 30000-32767. If you want the Gateway listener port and NodePort to be consistent, your listener port must also be within the NodePort range.

How To Add Pod Annotation in EnvoyGateway

Add pod annotation

How To Set NodeSelector And Tolerations For envoy-gateway-operator

update the Subscription resources

# example of nodeSelector and tolerations
kubectl patch subscription envoy-gateway-operator  -n envoy-gateway-operator   --type='merge' -p '
{
  "spec": {
    "config": {
      "nodeSelector": {
        "node-role.kubernetes.io/infra": ""
      },
      "tolerations": [
        {
          "effect": "NoSchedule",
          "key": "node-role.kubernetes.io/infra",
          "operator": "Equal",
          "value": "reserved"
        }
      ]
    }
  }
}'

How To Set NodeSelector And Tolerations For envoy-gateway

update the EnvoyGatewayCtl resources

# in default $NAME=cpaas-default and $NS=envoy-gateway-operator
kubectl patch envoygatewayctl $NAME -n $NS --type='merge' -p '
{
  "spec": {
    "deployment": {
      "pod": {
        "nodeSelector": {
          "node-role.kubernetes.io/infra": ""
        },
        "tolerations": [
          {
            "effect": "NoSchedule",
            "key": "node-role.kubernetes.io/infra",
            "operator": "Equal",
            "value": "reserved"
          }
        ]
      }
    }
  }
}'

How To Set NodeSelector And Tolerations For envoy-proxy

update the EnvoyProxy resources

kubectl patch envoyproxy $NAME -n $NS --type='merge' -p '
{
  "spec": {
    "provider": {
      "kubernetes": {
        "envoyDeployment": {
          "pod": {
            "nodeSelector": {
              "node-role.kubernetes.io/infra": ""
            },
            "tolerations": [
              {
                "effect": "NoSchedule",
                "key": "node-role.kubernetes.io/infra",
                "operator": "Equal",
                "value": "reserved"
              }
            ]
          }
        }
      }
    }
  }
}'

More configuration

Please refer to EnvoyGateway Tasks

ACP CLI (ac)

Node Management

Managed Clusters

Import Clusters

Public Cloud Cluster Initialization

Network Initialization

Storage Initialization

How to

How to

Backup Management

Recovery Management

Guides

How To

Kube OVN

alb

Trouble Shooting

Concepts

Guides

How To

Troubleshooting

Object Storage

Guides

How To

Install

Concepts

Guides

How To

Disaster Recovery

Concepts

Guides

How To

Guides

How To

ALB Operator

Compliance

HowTo

API Refiner

User

Guides

Group

Guides

Role

Guides

IDP

Guides

Troubleshooting

User Policy

Guides

Overview

Images

Guides

How To

Virtual Machine

Guides

How To

Troubleshooting

Network

Guides

How To

Storage

Guides

Backup and Recovery

Guides

Concepts

Namespaces

Creating Applications

Operation and Maintaining Applications

Application Rollout

KEDA(Kubernetes Event-driven Autoscaling)

How To

Workloads

Configurations

Application Observability

How To

How To

Install

How To

Overview

Install

Upgrade