To create a Spring Cloud Gateway instance, you must create a resource of type SpringCloudGateway.

Resource specification

The definition for SpringCloudGateway specifies:


apiVersion: "tanzu.vmware.com/v1"
kind: SpringCloudGateway
metadata:
  name:                         # (Required) Name given to this Gateway instance
  labels:
    my-label: hello             # Labels defined on the Gateway resource will also be applied to the Gateway Pods for simplified management
  annotations:
    my-annotation: my-value     # Annotations defined on the Gateway resource will also be applied to the Gateway Pods for simplified management.
                                # Spring Cloud Gateway for Kubernetes build-in annotations:
                                #     'apis.tanzu.vmware.com/api-title': use instead of deprecated 'spec.api.title'
                                #     'apis.tanzu.vmware.com/api-description': use instead of deprecated 'spec.api.description'
                                #     'apis.tanzu.vmware.com/api-documentation': use instead of deprecated 'spec.api.documentation'
spec:
  api:
    cors:                       # Cross-Origin Resource Sharing (CORS) configurations, to be applied globally across all routes
      allowCredentials: []      # Whether user credentials are supported on cross-site requests (applied to all routes)
      allowedHeaders: []        # Allowed headers in cross-site request (applied to all routes)
      allowedMethods: []        # Allowed HTTP methods on cross-site requests (applied to all routes)
      allowedOriginPatterns: [] # Allowed origin patterns to make cross-site requests (applied to all routes)
      allowedOrigins: []        # Allowed origins to make cross-site requests (applied to all routes)
      exposedHeaders: []        # HTTP response headers to expose for cross-site requests (applied to all routes)
      maxAge:                   # How long, in seconds, the response from a pre-flight request can be cached by clients (applied to all routes)
      perRoute:                 # DEPRECATED, per-route CORS can be configured using Route Metadata Configuration
    description:                # Detailed description of the APIs available on the Gateway instance (default: `Generated OpenAPI 3 document that describes the API routes configured for '[Gateway instance name]' Spring Cloud Gateway instance deployed under '[namespace]' namespace.`)
    documentation:              # Location of additional documentation for the APIs available on the Gateway instance
    groupId:                    # Unique identifier for the group of APIs available on the Gateway instance (default: normalized title of the Gateway instance)
    serverUrl:                  # Base URL that API consumers will use to access APIs on the Gateway instance
    title:                      # Title describing the context of the APIs available on the Gateway instance (default: name of the Gateway instance)
    version:                    # Version of APIs available on this Gateway instance (default: `unspecified`)
  bindings:                     # Map of secrets classified by service name that contains the properties to bind into API gateway instance (currently supported services: 'redis')

  client:
    tls:              # Configure trusted certificates for upstream connections
      secretNames: [] # Array of TLS secret names containing trusted certificates for upstream connections

  count:              # Number of gateway pods per gateway instance. Set to 2 or more for high availability (HA) configuration

  env:                # List of additional environment variables to apply to the gateway
    - name:           # Name of the environment variable
      value:          # Value of environment variable

  extensions:                 # Additional configurations for global features (e.g. custom filters, Api Key,...)
    custom: []                # Array of custom extensions to load (name must match the ConfigMap name).
    filters:
      apiKey:                 # API Key specific configurations
        enabled:
        secretsProviderName:  # Currently only supports Vault with the Agent Injector
        headerName:           # Name of the HTTP header used to send keys
      jwtKey:                 # JWT Key specific configurations
        enabled:
        secretsProviderName:  # Currently only supports Vault with the Agent Injector
    secretsProviders:         # Array of secret providers. Only one can be set at this time.
    - awsSecretsManager:      # AWS Secrets Manager configuration parameters
        iamRoleArn:           # The IAM Role ARN to associate with the service account. e.g. arn:aws:iam::111122223333:role/iam-role-name
      azureKeyVault:          # Azure Key Vault configuration parameters
        aadpodidbinding:      # Your Azure AD Pod Identity. e.g. my-pod-identity
      googleSecretManager:    # Google Secret Manager configuration parameters
        iamServiceAccount:    # The email address of the GCP IAM Service Account. e.g. [email protected]
      name:                   # Name of the secret provider
      vault:                  # Vault integration configuration parameters. Requires the Vault Agent Injector
        authPath:             # Authentication path for the Kubernetes auth method.
        path:                 # Vault secrets' path (e.g. 'my-secrets/context').
        roleName:             # Vault role name with access to the secrets according to the Vault policies.

  healthCheck:
    enabled:         # Active upstream health check, activates validation of upstream endpoints before routing requests (default: false)
    interval:        # Time to check Health Check endpoints (300s, 5m, ..) (default: '25s')

  java-opts:         # JVM parameters for the Gateway instance

  observability:
    metrics:
      prometheus:
        annotations:
          enabled:   # If Prometheus scraping annotations should be included in the gateway Pod definition(s)
        enabled:     # If a Prometheus endpoint should be exposed
        serviceMonitor:
          enabled:   # If a Prometheus ServiceMonitor should be added
          labels:    # Labels to add to the service monitor, e.g. to be picked up by the Prometheus serviceMonitorSelector
      wavefront:
        enabled:     # If Wavefront metrics should be pushed
    tracing:
      wavefront:
        enabled:     # If Wavefront traces should be pushed
      zipkin:
        enabled:     # If Zipkin traces should be pushed
        url:         # The Zipkin server url
    wavefront:
      application:   # The Wavefront application (default: Gateway Namespace `namespace`).
      secret:        # Secret name to be used for Wavefront configuration
      service:       # The Wavefront service (default: Gateway name `my-gateway`).
      source:        # The Wavefront source (default: Gateway Pod name, `gateway-0`).

  podOverrides:      # Used to override the gateway pod's default specs. To configure the gateway container, specify the specs under a container with the name 'gateway'.

  resources:
    limits:          # Maximum amount of compute resources allowed for the Gateway instance
      cpu:
      memory:
    requests:        # Requested amount of compute resources for the Gateway instance
      cpu:
      memory:

  responseCache:
    local:           # Configuration for local cache feature
      global:        # If the value is true, the response cache filter will be applied automatically to every route
      size:          # Maximum allowed size of cache (10MB, 900KB, 1GB...) before the eviction algorithm will start to evict entries
      timeToLive:    # Time before a cached entry is expired (300s, 5m, 1h...)

  securityContext:
    fsGroup:         # Set to 1000 by default
    runAsGroup:
    runAsUser:

  server:
    tls:            # Configures gateway's TLS termination behavior
      - hosts: []   # Array of hostnames for which to perform TLS termination using the specified certificate
        secretName: # Name of TLS secret to load certificate and key from

  service:          # Configuration of the Kubernetes service for the gateway
    nodePort:       # The port on which this service is exposed when type=NodePort or LoadBalancer.
    type:           # Determines how the Service is exposed. Either ClusterIP, NodePort, or LoadBalancer. Defaults to ClusterIP.

  serviceAccount:
    name:           # Name of the ServiceAccount associated to the Gateway instance

  sso:
    inactive-session-expiration-in-minutes: # Time to life of inactive sessions in minutes, 0 means sessions won't expire.
    roles-attribute-name:                   # Roles attribute name used to extract user roles for Roles filter (default: 'roles')
    secret:                                 # Secret name to be used for SSO configuration
    tls:                                    # TLS configuration for authorization servers using custom CAs or self-signed certificates.
      secretName:                           # Secret name containing the certificate (must contain 'type' and 'ca.pem' keys)

  tls:              # DEPRECATED: Use server.tls instead to set a list of hosts for which TLS is active
    - hosts: []     # Array of hostnames for which to perform TLS termination using the specified certificate
      secretName:   # Name of TLS secret to load certificate and key from

See Getting Started with Spring Cloud Gateway for Kubernetes for examples of how to populate these fields.

Example

The following is an example SpringCloudGateway resource file:

apiVersion: "tanzu.vmware.com/v1"
kind: SpringCloudGateway
metadata:
  name: my-gateway
  annotations:
    apis.tanzu.vmware.com/api-title: 'My Exciting APIs'
    apis.tanzu.vmware.com/api-description: 'Lots of new exciting APIs for you to use!'
spec:
  count: 3
  api:
    version: 0.1.0
    serverUrl: https://gateway.example.com
  env:
    - name: spring.cloud.gateway.httpclient.connect-timeout
      value: "90s"
check-circle-line exclamation-circle-line close-line
Scroll to top icon