ApigConfig is a Custom Resource Definition (CRD) provided by the APIG Controller. Use it to manage the lifecycle of APIG gateway instances, configure Ingress listener options, and set instance-level global configurations including IP access control, log collection, and Tracing Analysis.
Key concepts
One ApigConfig, one gateway instance. Each ApigConfig maps to exactly one APIG gateway instance. To run multiple gateway instances in a cluster, create a separate ApigConfig for each.
Deletion behavior. Deleting an ApigConfig cascades to the associated gateway instance — except in reuse scenarios, where the gateway instance is retained. See Delete an APIG gateway instance.
Resource tags. Every gateway instance created or reused through ApigConfig is assigned the following tags. Do not edit these tags from the APIG console — doing so can affect your gateway instance.
| Tag | Description |
|---|---|
ack.aliyun.com | Manages inbound traffic of the Container Service for Kubernetes cluster for the APIG gateway |
ingress.k8s.alibaba/ApigConfig | Associates the APIG gateway with ApigConfig |
kubernetes.reused.by.user | Marks the gateway as reused. When set, the gateway instance is not deleted when the associated ApigConfig is deleted |
Create an APIG gateway instance
Prerequisites
Before you begin, ensure that you have:
A running ACK cluster with the APIG Controller installed
Sufficient permissions to create CRDs in the cluster
Create the ApigConfig
Apply a minimal ApigConfig to create a pay-as-you-go gateway instance named apig-ingress with the apigw.small.x1 instance type:
apiVersion: apig.alibabacloud.com/v1alpha1
kind: ApigConfig
metadata:
name: apig-ingress
spec:
name: apig-ingress
common:
instance:
spec: apigw.small.x1Adjust common.instance.spec to match your traffic requirements. For all available parameters, see ApigConfig parameter reference.
Declare an Ingress processor
Create an IngressClass resource and associate it with the ApigConfig through spec.parameters. This tells the cluster which APIG gateway instance processes Ingress resources tagged with this IngressClass.
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
name: apig
spec:
controller: apig.alibabacloud.com/ingress
parameters:
apiGroup: apig.alibabacloud.com
kind: ApigConfig
name: apig-ingressAfter applying this, Ingress resources in the cluster that reference the apig IngressClass are routed through the associated APIG gateway instance.
Associating ApigConfig through an IngressClass resource takes priority over the ingress.local.ingressClass field in the ApigConfig spec.Verify gateway status
Run the following command to check the ApigConfig status:
kubectl get ApigConfigStatus transitions in order: Pending → Running → Listening
| Status | Description |
|---|---|
Pending | The gateway is being created. This takes about 3 minutes. |
Running | The gateway is created and running. |
Listening | The gateway is running and listening for Ingress resources in the cluster. |
Failed | The gateway is in an invalid state. Check the status.message field for details. |
Reuse an existing APIG gateway instance
To associate an existing gateway with your cluster instead of creating a new one, specify the gateway ID in spec.id. Use spec.override to control whether ApigConfig overwrites the gateway's existing configuration.
apiVersion: apig.alibabacloud.com/v1alpha1
kind: ApigConfig
metadata:
name: reuse
spec:
id: gw-xxxx
override: false
ingress:
local:
ingressClass: apigReplace gw-xxxx with the actual gateway ID (format: gw-xxx).
`spec.override` behavior:
When override is false (recommended for most reuse scenarios):
The gateway's existing Ingress listener options and global configurations are preserved.
If the gateway is not yet associated with the cluster, it is automatically associated.
The Ingress listener is configured to watch Ingress resources whose
ingressClassmatchesspec.ingress.local.ingressClass(in this example,apig).If the gateway is already associated with the cluster, its original Ingress listener options are retained unchanged.
When override is true:
All existing gateway configurations are overwritten — including Ingress listener options, hardware acceleration, global IP access control, and observability settings.
Before setting
override: true, specify every required gateway parameter in the ApigConfig. Missing parameters will erase the corresponding existing settings, which may disrupt live traffic.
Delete an APIG gateway instance
Deleting an ApigConfig deletes the corresponding gateway instance, except when the gateway was reused from the console.
| Scenario | Result |
|---|---|
| Gateway created automatically by the APIG Controller (pay-as-you-go) | Delete the ApigConfig to automatically delete the gateway instance |
| Gateway purchased in the console and reused via ApigConfig | Delete the ApigConfig; the gateway instance is retained |
Run the following command to delete an ApigConfig:
kubectl delete ApigConfig your-config-nameConfigure IP access control
Configure a global, instance-level IP whitelist or blacklist to control which source IPs can reach the APIG Ingress.
Configure an IP whitelist
Only the specified source IPs or CIDR blocks can access the gateway.
apiVersion: apig.alibabacloud.com/v1alpha1
kind: ApigConfig
metadata:
name: apig-ingress
spec:
...
global:
ipAccessControl:
whitelist:
- 1.1.XX.XX
- 2.0.XX.XX/8
...Configure an IP blacklist
The specified source IPs or CIDR blocks are denied access to the gateway.
apiVersion: apig.alibabacloud.com/v1alpha1
kind: ApigConfig
metadata:
name: apig-ingress
spec:
...
global:
ipAccessControl:
blacklist:
- 1.1.XX.XX
- 2.0.XX.XX/8
...Enable Simple Log Service (SLS) logs
Before enabling SLS logs, grant the required SLS permissions to the APIG Controller.
The following example delivers access logs to an existing SLS project named demo. To use a default project instead, leave reuseProject blank.
apiVersion: apig.alibabacloud.com/v1alpha1
kind: ApigConfig
metadata:
name: apig-ingress
spec:
...
monitor:
logging:
sls:
reuseProject: "demo"
...Enable OpenTelemetry Tracing Analysis
Configure OpenTelemetry Tracing Analysis to build an end-to-end tracing system for diagnosing live traffic issues.
The following example enables tracing with a 100% sample rate:
apiVersion: apig.alibabacloud.com/v1alpha1
kind: ApigConfig
metadata:
name: apig-ingress
spec:
...
monitor:
tracing:
openTelemetry:
sampleRate: "100"
...ApigConfig parameter reference
The following table lists all ApigConfig parameters. Parameters marked Yes in the Required column must be set; all others are optional.
| Parameter | Type | Description | Default | Required |
|---|---|---|---|---|
name | String | The name of the gateway. | apig-ingress | No |
common.pay.payType | String | The billing method. Currently, only POSTPAY (pay-as-you-go) is supported. | POSTPAY | No |
common.instance.spec | String | The instance type. Valid values: apigw.small.x1, apigw.small.x2, apigw.small.x4, apigw.medium.x1, apigw.medium.x2, apigw.medium.x3, apigw.large.x1, apigw.large.x2, apigw.large.x3 | apigw.small.x1 | No |
common.network.vSwitches | List\<String\> | The primary and secondary vSwitches, listed in order (primary first). Specify one or two vSwitches. If left blank, vSwitches are obtained from the node running the APIG Controller pod. | None | No |
common.network.networkType | String | The type of the Internet-facing SLB instance for the gateway. Valid values: Internet, Intranet. | Internet | No |
common.securityGroupType | String | The type of the security group. Valid values: enterprise (advanced security group), normal (basic security group). | normal | No |
global.tls.enableHardwareAcceleration | Bool | Enables TLS hardware acceleration to improve HTTPS traffic performance. Not compatible with EnableHttp3. | Enabled | No |
global.ipAccessControl.whitelist | List\<String\> | The global IP whitelist. Accepts IP addresses and CIDR blocks. | Not configured | No |
global.ipAccessControl.blacklist | List\<String\> | The global IP blacklist. Accepts IP addresses and CIDR blocks. | Not configured | No |
monitor.logging.sls | Object | Enables Simple Log Service (SLS) log collection. Grant the APIG Controller the required SLS permissions before enabling. | shutdown | No |
monitor.logging.sls.reuseProject | String | The destination SLS project for access logs. Leave blank to use a default project; specify a project name to use an existing one. | Empty (default project) | No |
monitor.tracing.xTrace.sampleRate | String | The sample rate for OpenTelemetry Tracing Analysis. | 0 | No |
monitor.tracing.openTelemetry | Object | Enables OpenTelemetry Tracing Analysis. Mutually exclusive with xTrace. | Disabled | No |
monitor.tracing.openTelemetry.sampleRate | String | The sample rate for OpenTelemetry tracing, as a percentage string (e.g., "100" for 100%). | "100" | No |
ingress.local.ingressClass | String | The IngressClass that the gateway listens to. Valid values: not configured (no Ingress resources), apig (Ingress resources with IngressClass apig), "" (all Ingress resources), nginx (Ingress resources with IngressClass nginx or no IngressClass), or any custom value. Lower priority than associating ApigConfig through an IngressClass resource. | Not configured | No |
ingress.local.watchNamespace | String | The namespace whose Ingress resources the gateway listens to. Leave blank to watch all namespaces. Only one namespace can be specified. | Empty (all namespaces) | No |
spec.id | String | (Reuse only) The ID of the existing APIG gateway instance to reuse. Format: gw-xxx. | — | Yes (reuse) |
spec.override | Bool | (Reuse only) Whether to overwrite the reused gateway's existing configurations with the ApigConfig settings. See Reuse an existing APIG gateway instance. | — | No |
Complete ApigConfig example
The following example shows a fully configured ApigConfig with all major sections:
apiVersion: apig.alibabacloud.com/v1alpha1
kind: ApigConfig
metadata:
name: apig-ingress
spec:
name: apig-ingress
common:
pay:
payType: POSTPAY
instance:
spec: apigw.small.x1
network:
vSwitches:
- "vsw-1"
- "vsw-2"
networkType: Internet
securityGroupType: enterprise
global:
tls:
enableHardwareAcceleration: true
ipAccessControl:
whitelist:
- 1.1.XX.XX
- 2.2.XX.XX
monitor:
logging:
sls:
reuseProject: "xxx" # Leave blank to use the default project.
tracing:
openTelemetry:
sampleRate: "100"
ingress:
local:
ingressClass: apig
watchNamespace: "" # "" watches all namespaces.Additional gateway configurations
Some gateway parameters are not configurable through ApigConfig and must be set in the console. In the Cloud-native API Gateway console, go to APIG Gateway > Gateway List, click the instance ID, and then click Parameter Settings in the left navigation pane.
| Parameter | Type | Description |
|---|---|---|
EnableGenerateRequestId | Bool | Generates a request ID in the request header for request tracing. |
EnableGzip | Bool | Compresses requests and responses using software-based gzip. Reduces gateway traffic but increases CPU usage. |
EnableSlashMerge | Bool | Merges redundant / characters in request URIs. For example, www.a.com//b becomes www.a.com/b. |
DownstreamConnectionBufferLimits | Int | Buffer size per downstream connection. Affects throughput and gateway memory usage. Range: [0, 2147483647]. |
XffTrustedNum | Int | Number of trusted proxies in front of the gateway. Affects how the gateway handles client-generated headers such as x-forwarded-for and x-request-id. Range: [0, 10]. Unit: proxies. |
DownstreamHttp2MaxConcurrentStream | Int | Maximum concurrent streams per connection when the client uses HTTP/2. Range: [0, 2147483647]. Unit: byte. |
InitialStreamWindowSize | Int | Initial stream-level window size for HTTP/2 connections. Range: [65535, 2147483647]. Unit: byte. |
InitialConnectionWindowSize | Int | Initial connection-level window size for HTTP/2 connections. Range: [65535, 2147483647]. Unit: byte. |
EnableHttp3 | Bool | Enables HTTP/3 support. Not compatible with TLS hardware acceleration — disable hardware acceleration before enabling this. |
PathWithEscapedSlashes | String | Action for requests with escaped characters in URI paths (such as %2F, %2f, %5C, %5c). Valid values: KEEP_UNCHANGED, REJECT_REQUEST, UNESCAPE_AND_REDIRECT, UNESCAPE_AND_FORWARD. Default: KEEP_UNCHANGED. |
ZipAlgorithm | List\<String\> | Compression algorithm when compression is enabled. Valid values: brotli, gzip. If EnableGzip is disabled, it is automatically enabled when this parameter is set. |
EnableProxyProtocol | Bool | Enables the PROXY protocol. Required when inbound traffic reaches the gateway through an NLB (Network Load Balancer) and you need to preserve the originating client IP. Does not affect non-PROXY protocol requests. |
EnableCustomAuthConfigPush | Bool | For self-built authorization services. When enabled, authorization rule changes do not interrupt existing connections. Suitable for WebSocket and online business scenarios. |
KeepaliveHeaderTimeout | Int | Generates a keep-alive: timeout=<value> response header to inform clients about the connection keepalive duration. Set to 0 to suppress this header. Range: [0, 600]. Unit: seconds. |
WebsocketTermGracePeriod | Int | Grace period for WebSocket connections when the gateway needs to close connections (such as during an upgrade or restart). Range: [20, 900]. Unit: seconds. |
EnableGzipHardwareAccelerate | Bool | Enables hardware-based gzip compression. Offers higher performance and lower CPU usage than software-based gzip (EnableGzip). Cannot be enabled in unsupported regions or if gzip hardware acceleration was not specified at purchase. When enabled, EnableGzip and ZipAlgorithm have no effect. |
EnableK8sSourceWorkloadFilter | Bool | Filters Ingress, Service, and pod resources by tags when adding a service source. Supports inverse filtering. |