To create a Spring Cloud Gateway instance, you must create a resource of type SpringCloudGateway.

Resource specification

The definition for SpringCloudGateway specifies:


apiVersion: "tanzu.vmware.com/v1"
kind: SpringCloudGateway
metadata:
  name:                         # (Required) Name given to this Gateway instance
  labels:
    my-label: hello             # Labels defined on the Gateway resource will also be applied to the Gateway Pods for simplified management
  annotations:
    my-annotation: my-value     # Annotations defined on the Gateway resource will also be applied to the Gateway Pods for simplified management.
                                # Spring Cloud Gateway for Kubernetes built-in annotations:
                                #     'apis.tanzu.vmware.com/api-title': use instead of deprecated 'spec.api.title'
                                #     'apis.tanzu.vmware.com/api-description': use instead of deprecated 'spec.api.description'
                                #     'apis.tanzu.vmware.com/api-documentation': use instead of deprecated 'spec.api.documentation'
spec:
  api:
    cors:                       # Cross-Origin Resource Sharing (CORS) configurations, to be applied globally across all routes
      allowCredentials: []      # Whether user credentials are supported on cross-site requests (applied to all routes)
      allowedHeaders: []        # Allowed headers in cross-site request (applied to all routes)
      allowedMethods: []        # Allowed HTTP methods on cross-site requests (applied to all routes)
      allowedOriginPatterns: [] # Allowed origin patterns to make cross-site requests (applied to all routes)
      allowedOrigins: []        # Allowed origins to make cross-site requests (applied to all routes)
      exposedHeaders: []        # HTTP response headers to expose for cross-site requests (applied to all routes)
      maxAge:                   # How long, in seconds, the response from a pre-flight request can be cached by clients (applied to all routes)
      perRoute:                 # DEPRECATED, per-route CORS can be configured using Route Metadata Configuration
    description:                # Detailed description of the APIs available on the Gateway instance (default: `Generated OpenAPI 3 document that describes the API routes configured for '[Gateway instance name]' Spring Cloud Gateway instance deployed under '[namespace]' namespace.`)
    documentation:              # Location of additional documentation for the APIs available on the Gateway instance
    groupId:                    # Unique identifier for the group of APIs available on the Gateway instance (default: normalized title of the Gateway instance)
    serverUrl:                  # Base URL that API consumers will use to access APIs on the Gateway instance
    title:                      # Title describing the context of the APIs available on the Gateway instance (default: name of the Gateway instance)
    version:                    # Version of APIs available on this Gateway instance (default: `unspecified`)
  bindings:                     # Map of secrets classified by service name that contains the properties to bind into API gateway instance (currently supported services: 'redis')

  client:
    tls:              # Configure trusted certificates for upstream connections
      secretNames: [] # Array of TLS secret names containing trusted certificates for upstream connections

  count:              # Number of gateway pods per gateway instance. Set to 2 or more for high availability (HA) configuration

  env:                # List of additional environment variables to apply to the gateway
    - name:           # Name of the environment variable
      value:          # Value of environment variable

  extensions:                 # Additional configurations for global features (e.g. custom filters, Api Key,...)
    custom: []                # Array of custom extensions to load (name must match the ConfigMap name).
    filters:
      apiKey:                 # API Key specific configurations
        enabled:
        secretsProviderName:  # Currently only supports Vault with the Agent Injector
        headerName:           # Name of the HTTP header used to send keys
      jwtKey:                 # JWT Key specific configurations
        enabled:
        secretsProviderName:  # Currently only supports Vault with the Agent Injector
    secretsProviders:         # Array of secret providers. Only one can be set at this time.
    - awsSecretsManager:      # AWS Secrets Manager configuration parameters
        iamRoleArn:           # The IAM Role ARN to associate with the service account. e.g. arn:aws:iam::111122223333:role/iam-role-name
      azureKeyVault:          # Azure Key Vault configuration parameters
        aadpodidbinding:      # Your Azure AD Pod Identity. e.g. my-pod-identity
      googleSecretManager:    # Google Secret Manager configuration parameters
        iamServiceAccount:    # The email address of the GCP IAM Service Account. e.g. [email protected]
      name:                   # Name of the secret provider
      vault:                  # Vault integration configuration parameters. Requires the Vault Agent Injector
        authPath:             # Authentication path for the Kubernetes auth method.
        path:                 # Vault secrets' path (e.g. 'my-secrets/context').
        roleName:             # Vault role name with access to the secrets according to the Vault policies.

  healthCheck:
    enabled:         # Active upstream health check, activates validation of upstream endpoints before routing requests (default: false)
    interval:        # Time to check Health Check endpoints (300s, 5m, ..) (default: '25s')

  java-opts:         # JVM parameters for the Gateway instance

  observability:
    metrics:
      prometheus:
        annotations:
          enabled:   # If Prometheus scraping annotations should be included in the gateway Pod definition(s)
        enabled:     # If a Prometheus endpoint should be exposed
        serviceMonitor:
          enabled:   # If a Prometheus ServiceMonitor should be added
          labels:    # Labels to add to the service monitor, e.g. to be picked up by the Prometheus serviceMonitorSelector
      wavefront:
        enabled:     # If Wavefront metrics should be pushed
    tracing:
      wavefront:
        enabled:     # If Wavefront traces should be pushed
      zipkin:
        enabled:     # If Zipkin traces should be pushed
        url:         # The Zipkin server url
    wavefront:
      application:   # The Wavefront application (default: Gateway Namespace `namespace`).
      secret:        # Secret name to be used for Wavefront configuration
      service:       # The Wavefront service (default: Gateway name `my-gateway`).
      source:        # The Wavefront source (default: Gateway Pod name, `gateway-0`).

  podOverrides:      # Used to override the gateway pod's default specs. To configure the gateway container, specify the specs under a container with the name 'gateway'.

  resources:
    limits:          # Maximum amount of compute resources allowed for the Gateway instance
      cpu:
      memory:
    requests:        # Requested amount of compute resources for the Gateway instance
      cpu:
      memory:

  responseCache:
    local:           # Configuration for local cache feature
      global:        # If the value is true, the response cache filter will be applied automatically to every route
      size:          # Maximum allowed size of cache (10MB, 900KB, 1GB...) before the eviction algorithm will start to evict entries
      timeToLive:    # Time before a cached entry is expired (300s, 5m, 1h...)

  securityContext:
    fsGroup:         # Set to 1000 by default
    runAsGroup:
    runAsUser:

  server:
    tls:            # Configures gateway's TLS termination behavior
      - hosts: []   # Array of hostnames for which to perform TLS termination using the specified certificate
        secretName: # Name of TLS secret to load certificate and key from

  service:          # Configuration of the Kubernetes service for the gateway
    nodePort:       # The port on which this service is exposed when type=NodePort or LoadBalancer.
    type:           # Determines how the Service is exposed. Either ClusterIP, NodePort, or LoadBalancer. Defaults to ClusterIP.

  serviceAccount:
    name:           # Name of the ServiceAccount associated to the Gateway instance

  sso:
    inactive-session-expiration-in-minutes: # Time to live of inactive sessions in minutes, 0 means sessions won't expire.
    roles-attribute-name:                   # Roles attribute name used to extract user roles for Roles filter (default: 'roles')
    secret:                                 # Secret name to be used for SSO configuration
    tls:                                    # TLS configuration for authorization servers using custom CAs or self-signed certificates.
      secretName:                           # Secret name containing the certificate (must contain 'type' and 'ca.pem' keys)

  tls:              # DEPRECATED: Use server.tls instead to set a list of hosts for which TLS is active
    - hosts: []     # Array of hostnames for which to perform TLS termination using the specified certificate
      secretName:   # Name of TLS secret to load certificate and key from

See the Getting Started guide for examples of how to populate these fields.

Example

The following is an example SpringCloudGateway resource file:

apiVersion: "tanzu.vmware.com/v1"
kind: SpringCloudGateway
metadata:
  name: my-gateway
  annotations:
    apis.tanzu.vmware.com/api-title: 'My Exciting APIs'
    apis.tanzu.vmware.com/api-description: 'Lots of new exciting APIs for you to use!'
spec:
  count: 3
  api:
    version: 0.1.0
    serverUrl: https://gateway.example.com
  env:
    - name: spring.cloud.gateway.httpclient.connect-timeout
      value: "90s"
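
A security-oriented variant of the example above, added here as an illustration and not taken from the product documentation. It uses only fields listed in the resource specification; the hostnames, secret names and numeric values are constructed assumptions.

```yaml
# Added example: all names and values below are constructed placeholders.
apiVersion: "tanzu.vmware.com/v1"
kind: SpringCloudGateway
metadata:
  name: my-gateway
spec:
  count: 2                            # 2 or more pods for an HA configuration
  api:
    serverUrl: https://gateway.example.com
    cors:
      # Weak alternative: allowedOriginPatterns: ["*"] accepts cross-site
      # requests from any origin on every route.
      allowedOrigins:                 # List exact origins instead
        - "https://app.example.com"
      allowedMethods: ["GET", "POST"]
      allowedHeaders: ["Authorization", "Content-Type"]
      maxAge: 600                     # Seconds a pre-flight response may be cached
  server:
    tls:                              # Use server.tls; spec.tls is deprecated
      - hosts: ["gateway.example.com"]
        secretName: gateway-tls       # Hypothetical TLS secret (certificate and key)
  client:
    tls:
      secretNames: ["upstream-ca"]    # Hypothetical secret with trusted upstream certificates
  service:
    type: ClusterIP                   # Default; NodePort/LoadBalancer expose the gateway more widely
  sso:
    secret: gateway-sso               # Hypothetical SSO secret
    # Weak alternative: 0 means inactive sessions never expire.
    inactive-session-expiration-in-minutes: 30
  securityContext:                    # Explicit non-root IDs (constructed values)
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
  resources:                          # Bound CPU and memory so one instance cannot starve the node
    requests:
      cpu: "500m"
      memory: "512Mi"
    limits:
      cpu: "1"
      memory: "1Gi"
```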