Alibaba Cloud Service Mesh (ASM) allows you to create and manage gateways by using CustomResourceDefinitions (CRDs). This topic describes the CRD fields that define a gateway.

CRD fields

Each field is listed with its description and its default value.

metadata.name
  Description: The name of the gateway. The generated Kubernetes Service and Deployment are both named istio-{metadata.name}.
  Default value: -

metadata.namespace
  Description: The namespace where the generated Kubernetes Service and Deployment reside.
  Important: To ensure that the generated Kubernetes Service and Deployment are available when the Istio version is 1.6 or later, the namespace must be istio-system.
  Default value: istio-system

clusterIds
  Description: The IDs of the clusters in which you want to deploy the ingress gateway. The value is an array. The clusters must be managed in the current ASM instance.
  Default value: -

env
  Description: The environment variables of the ingress gateway pod. The value is an array.
  Default value: -

externalTrafficPolicy
  Description: Specifies whether the gateway routes inbound traffic to node-local or cluster-wide endpoints. Valid values: Cluster and Local.
  Default value: Cluster

ports
  Description: The ports and protocols that are defined for the ingress gateway pod. The value is an array. Example:
    - name: http2
      port: 80
      targetPort: 80
      protocol: HTTP2
    - name: https
      port: 443
      targetPort: 443
      protocol: HTTPS
  Note: In versions earlier than 1.9.7.107, the protocol field must be set to TCP.
  Default value: -

replicaCount
  Description: The number of pod replicas.
  Default value: 1

configVolumes
  Description: The information about the ConfigMap volume that is mounted to the ingress gateway pod. Example:
    - name: config-volume-lua
      configMapName: lua-libs
      mountPath: /var/lib/lua
  Default value: -

resources
  Description: The resource configurations of the ingress gateway pod.
  Default value:
    limits:
      cpu: '2'
      memory: 2G
    requests:
      cpu: 200m
      memory: 256Mi

secretVolumes
  Description: The information about the secret volume that is mounted to the ingress gateway pod. Example:
    - name: myexample-customingressgateway-certs
      secretName: istio-myexample-customingressgateway-certs
      mountPath: /etc/istio/myexample-customingressgateway-certs
  Default value: -

serviceType
  Description: The type of the ingress gateway Service. Valid values: LoadBalancer, NodePort, and ClusterIP.
  Important: If you use a registered cluster on the data plane and this field is set to LoadBalancer, make sure that the cluster supports LoadBalancer Services. Otherwise, ASM gateways may fail to be created.
  Default value: LoadBalancer

serviceAnnotations
  Description: The annotations of the ingress gateway Service. Example:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-connection-drain: 'on'
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-connection-drain-timeout: '20'
  Note: For more information about common annotations, see Use annotations to configure load balancing.
  Default value: -

serviceLabels
  Description: The labels of the ingress gateway Service.
  Default value: -

podLabels
  Description: The labels of the ingress gateway pod.
  Default value: -

podAnnotations
  Description: The annotations of the ingress gateway pod.
  Default value: -

rollingMaxSurge
  Description: The maximum number of pods that can be scheduled above the expected number of replicas during a rolling update. The value can be an absolute value or a percentage.
  Default value: "100%"

rollingMaxUnavailable
  Description: The maximum number of pods that can be unavailable during a rolling update. The value can be an absolute value or a percentage.
  Default value: "25%"

overrides
  Description: Configures distinct settings for specific clusters. This field is available only when the clusterIds field specifies two or more clusters. Use it to give specific clusters settings that differ from the cluster-wide settings above. The value is a map of key-value pairs.
  Note:
    - key: a cluster ID that is specified in the clusterIds field.
    - value: assignments of the serviceAnnotations, resources, and replicaCount fields.
  Default value: -

kernel.enabled
  Description: Specifies whether to enable custom kernel parameters.
  Default value: false

kernel.parameters
  Description: The kernel parameters. The following kernel parameters are supported:
    - net.core.somaxconn
    - net.core.netdev_max_backlog
    - net.ipv4.tcp_rmem
    - net.ipv4.tcp_wmem
    - net.ipv4.ip_local_port_range
    - net.ipv4.tcp_fin_timeout
    - net.ipv4.tcp_tw_timeout
    - net.ipv4.tcp_tw_reuse
    - net.ipv4.tcp_tw_recycle
    - net.ipv4.tcp_timestamps
    - net.ipv4.tcp_retries2
    - net.ipv4.tcp_slow_start_after_idle
    - net.ipv4.tcp_max_orphans
    - net.ipv4.tcp_max_syn_backlog
    - net.ipv4.tcp_no_metrics_save
    - net.ipv4.tcp_autocorking
    - kernel.printk
    - vm.swappiness
  Note:
    Specific kernel parameters that are supported by ASM may become invalid because of the kernel version of a host. If this happens, the ingress gateway pod may report errors.
    You can run the kubectl describe pod command to view the errors that are reported by the ingress gateway pod. After you delete the invalid parameters, the containers start as expected.
    The values of all kernel parameters must be strings. YAML recognizes unquoted numbers as numeric values, so you must enclose each value in double quotation marks ("). Example: net.core.somaxconn: "65535".
  Default value: -

compression.enabled
  Description: Specifies whether to enable the compression feature for the ingress gateway.
  Default value: false

compression.content_type
  Description: The types of data to be compressed, as indicated by the Content-Type header. Examples:
    - text/html
    - application/json
  Default value: -

compression.disable_on_etag_header
  Description: Specifies whether to disable compression when an HTTP response includes the ETag header.
    - true: compression is disabled when the ETag header is included in an HTTP response.
    - false: compression stays enabled when the ETag header is included in an HTTP response.
  Default value: false

compression.min_content_length
  Description: The threshold at which compression is triggered. The value is compared with the size given in the Content-Length header.
  Default value: 30

compression.remove_accept_encoding_header
  Description: Specifies whether to remove the Accept-Encoding header from a client's HTTP request before the ingress gateway forwards the request to an upstream server.
    - true: the Accept-Encoding header is removed from the HTTP request.
    - false: the Accept-Encoding header is retained in the HTTP request.
  Default value: false

compression.gzip
  Description: The compression format. Currently, only the GZIP format is supported. If you want to enable the compression feature, this field is required. If the default values are used for all the other gzip fields, leave this field empty. Example: gzip: {}.
  Default value: -

compression.gzip.memory_level
  Description: The memory usage level of the zlib library. Valid values: 1 to 9. A larger value results in higher memory usage but a higher compression speed and better compression quality.
  Default value: 5

compression.gzip.compression_level
  Description: The compression level that is used by the zlib library. Valid values:
    - COMPRESSION_LEVEL_1
    - COMPRESSION_LEVEL_2
    - COMPRESSION_LEVEL_3
    - COMPRESSION_LEVEL_4
    - COMPRESSION_LEVEL_5
    - COMPRESSION_LEVEL_6
    - COMPRESSION_LEVEL_7
    - COMPRESSION_LEVEL_8
    - COMPRESSION_LEVEL_9
    - DEFAULT_COMPRESSION
    - BEST_COMPRESSION
    - BEST_SPEED
  Note: BEST_COMPRESSION indicates the highest compression quality. BEST_SPEED indicates the highest compression speed. Some levels are aliases of each other:
    - COMPRESSION_LEVEL_1 is equivalent to BEST_SPEED.
    - COMPRESSION_LEVEL_9 is equivalent to BEST_COMPRESSION.
    - COMPRESSION_LEVEL_6 is equivalent to DEFAULT_COMPRESSION.
  Default value: DEFAULT_COMPRESSION

compression.gzip.compression_strategy
  Description: The compression strategy that is used by the zlib library. Valid values:
    - FILTERED
    - FIXED
    - HUFFMAN_ONLY
    - RLE
  Default value: DEFAULT_STRATEGY

compression.gzip.window_bits
  Description: The window size of the zlib library. Valid values: 9 to 15.
  Default value: 12

compression.gzip.chunk_size
  Description: The output buffer size of the zlib library.
  Default value: 4096

hostNetwork
  Description: Specifies whether the ingress gateway pod may use the network namespace of the host. Valid values:
    - true: the ingress gateway pod is allowed to use the network namespace of the host.
    - false: the ingress gateway pod is not allowed to use the network namespace of the host.
  Default value: false

dnsPolicy
  Description: The Domain Name System (DNS) policy of the gateway pod. For more information about DNS policies, see DNS for Services and Pods.
  Default value: ClusterFirst

cpu.targetAverageUtilization
  Description: The target CPU utilization when Horizontal Pod Autoscaling (HPA) is enabled. Valid values: 1 to 100. If the CPU utilization exceeds this value, the number of pod replicas increases. If the CPU utilization is less than this value, the number of pod replicas decreases.
  Default value: -

memory.targetAverageUtilization
  Description: The target memory usage when HPA is enabled. Valid values: 1 to 100. If the memory usage exceeds this value, the number of pod replicas increases. If the memory usage is less than this value, the number of pod replicas decreases.
  Default value: -

maxReplicas
  Description: The maximum number of pod replicas that the HPA feature can scale the gateway to. The value must be a positive integer.
  Default value: -

minReplicas
  Description: The minimum number of pod replicas that the HPA feature can scale the gateway to. The value must be a positive integer; the minimum value is 1.
  Default value: -

nodeSelector
  Description: Specifies the label of the node on which the gateway pod resides. You can customize the key and the value. Example:
    nodeSelector:
      key1: value1
  Default value: -

affinity
  Description: Configures node affinity to schedule the gateway pod to a node. For more information, see Affinity and anti-affinity.
  Default value: -

tolerations
  Description: Configures tolerations so that the gateway pod can tolerate the taints on a node. For more information, see Taints and Tolerations.
  Default value: -

Sample YAML code

apiVersion: istio.alibabacloud.com/v1beta1
kind: IstioGateway
metadata:
  name: "myexample-customingressgateway"
  namespace: "myexample"
spec:
  clusterIds:
    - "cluster1Id"
    - "cluster2Id"
  cpu:
    targetAverageUtilization: 80
  env:
    - name: "envname1"
      value: "envvalue1"
  externalTrafficPolicy: Local
  maxReplicas: 2
  minReplicas: 1
  ports:
  - name: status-port
    port: 15020
    targetPort: 15020
  - name: http2
    port: 80
    targetPort: 80
  - name: https
    port: 443
    targetPort: 0
  - name: tls
    port: 15443
    targetPort: 15443
  replicaCount: 1
  resources:
    limits:
      cpu: '2'
      memory: 2G
    requests:
      cpu: 200m
      memory: 256Mi
  sds:
    enabled: false
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 2000m
        memory: 1024Mi
# secretVolumes:
# - name: myexample-customingressgateway-certs
#   secretName: istio-myexample-customingressgateway-certs
#   mountPath: /etc/istio/myexample-customingressgateway-certs
  serviceType: LoadBalancer
  serviceAnnotations:
    service.beta.kubernetes.io/alicloud-loadbalancer-address-type: internet
  serviceLabels:
    serviceLabelKey1: "serviceLabelValue1"
  podAnnotations:
    podAnnotationsKey1: "podAnnotationsValue1"
  rollingMaxSurge: "100%"
  rollingMaxUnavailable: "25%"
  overrides:
    cluster1Id:
      replicaCount: 1
      resources:
        limits:
          cpu: '2'
          memory: 2G
        requests:
          cpu: 200m
          memory: 256Mi
      serviceAnnotations:
        service.beta.kubernetes.io/alicloud-loadbalancer-address-type: internet
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-spec: "slb.s1.small"
    cluster2Id:
      replicaCount: 2
      resources:
        limits:
          cpu: '4'
          memory: 4G
        requests:
          cpu: 400m
          memory: 512Mi
      serviceAnnotations:
        service.beta.kubernetes.io/alicloud-loadbalancer-address-type: internet
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-spec: "slb.s2.small"

Go structs for a gateway

Sample file:

package v1beta1

import (
    corev1 "k8s.io/api/core/v1"
    metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

type GatewayType string
type ConfigState string

const (
    GatewayTypeIngress GatewayType = "ingress"
    GatewayTypeEgress  GatewayType = "egress"
)

// IstioGatewaySpec defines the desired state of Istio
// +k8s:openapi-gen=true
type IstioGatewaySpec struct {
    // +kubebuilder:validation:Enum=ingress;egress
    GatewayType                    GatewayType `json:"gatewayType,omitempty"`
    IstioGatewayBasicConfiguration `json:",inline"`
    ClusterIds                     []string                                  `json:"clusterIds,omitempty"`
    clusterId                      string                                    `json:"clusterId,omitempty"`
    Overrides                      map[string]IstioGatewayBasicConfiguration `json:"overrides,omitempty"`
}

type KernelParameters struct {
    NetCoreSoMaxConn             *string `json:"net.core.somaxconn,omitempty"`
    NetCoreNetdevMaxBacklog      *string `json:"net.core.netdev_max_backlog,omitempty"`
    NetIpv4TcpRMem               *string `json:"net.ipv4.tcp_rmem,omitempty"`
    NetIpv4TcpWMem               *string `json:"net.ipv4.tcp_wmem,omitempty"`
    NetIpv4IpLocalPortRange      *string `json:"net.ipv4.ip_local_port_range,omitempty"`
    NetIpv4TcpFinTimeout         *string `json:"net.ipv4.tcp_fin_timeout,omitempty"`
    NetIpv4TcpTwTimeout          *string `json:"net.ipv4.tcp_tw_timeout,omitempty"`
    NetIpv4TcpTwReuse            *string `json:"net.ipv4.tcp_tw_reuse,omitempty"`
    NetIpv4TcpTwRecycle          *string `json:"net.ipv4.tcp_tw_recycle,omitempty"`
    NetIpv4TcpTimestamps         *string `json:"net.ipv4.tcp_timestamps,omitempty"`
    NetIpv4TcpRetries2           *string `json:"net.ipv4.tcp_retries2,omitempty"`
    NetIpv4TcpSlowStartAfterIdle *string `json:"net.ipv4.tcp_slow_start_after_idle,omitempty"`
    NetIpv4TcpMaxOrphans         *string `json:"net.ipv4.tcp_max_orphans,omitempty"`
    NetIpv4TcpMaxSynBacklog      *string `json:"net.ipv4.tcp_max_syn_backlog,omitempty"`
    NetIpv4TcpNoMetricsSave      *string `json:"net.ipv4.tcp_no_metrics_save,omitempty"`
    NetIpv4TcpAutocorking        *string `json:"net.ipv4.tcp_autocorking,omitempty"`
    KernelPrintk                 *string `json:"kernel.printk,omitempty"`
    VmSwappiness                 *string `json:"vm.swappiness,omitempty"`
}

type KernelConfiguration struct {
    Enabled    *bool            `json:"enabled,omitempty"`
    Parameters KernelParameters `json:"parameters,omitempty"`
}

type GzipCompressorConfiguration struct {
    MemoryLevel         *uint32 `json:"memory_level,omitempty"`
    CompressionLevel    *string `json:"compression_level,omitempty"`
    CompressionStrategy *string `json:"compression_strategy,omitempty"`
    WindowBits          *uint32 `json:"window_bits,omitempty"`
    ChunkSize           *uint32 `json:"chunk_size,omitempty"`
}

type CompressorConfiguration struct {
    Enabled                    *bool                        `json:"enabled,omitempty"`
    MinContentLength           *uint32                      `json:"min_content_length,omitempty"`
    ContentType                *[]string                    `json:"content_type,omitempty"`
    DisableOnETagHeader        *bool                        `json:"disable_on_etag_header,omitempty"`
    RemoveAcceptEncodingHeader *bool                        `json:"remove_accept_encoding_header,omitempty"`
    Gzip                       *GzipCompressorConfiguration `json:"gzip,omitempty"`
}

type ReadinessProbeConfiguration struct {
    FailureThreshold int32 `json:"failureThreshold,omitempty"`
    PeriodSeconds    int32 `json:"periodSeconds,omitempty"`
    SuccessThreshold int32 `json:"successThreshold,omitempty"`
}

// +k8s:openapi-gen=true
type IstioGatewayBasicConfiguration struct {
    ReplicaCount     int32 `json:"replicaCount,omitempty"`
    AutoscaleEnabled bool  `json:"autoscaleEnabled,omitempty"`
    MinReplicas      int32 `json:"minReplicas,omitempty"`
    MaxReplicas      int32 `json:"maxReplicas,omitempty"`
    // +kubebuilder:validation:Enum=ClusterIP;NodePort;LoadBalancer
    ServiceType           corev1.ServiceType           `json:"serviceType,omitempty"`
    LoadBalancerIP        string                       `json:"loadBalancerIP,omitempty"`
    ExternalTrafficPolicy string                       `json:"externalTrafficPolicy,omitempty"`
    ServiceAnnotations    map[string]string            `json:"serviceAnnotations,omitempty"`
    PodAnnotations        map[string]string            `json:"podAnnotations,omitempty"`
    ServiceLabels         map[string]string            `json:"serviceLabels,omitempty"`
    PodLabels             map[string]string            `json:"podLabels,omitempty"`
    Resources             *corev1.ResourceRequirements `json:"resources,omitempty"`
    EnvVars               []corev1.EnvVar              `json:"env,omitempty"`
    Ports                 []corev1.ServicePort         `json:"ports,omitempty"`
    MeshExpansionPorts    []corev1.ServicePort         `json:"meshExpansionPorts,omitempty"`
    NodeSelector          map[string]string            `json:"nodeSelector,omitempty"`
    ApplicationPorts      string                       `json:"applicationPorts,omitempty"`
    RequestedNetworkView  string                       `json:"requestedNetworkView,omitempty"`
    Affinity              *corev1.Affinity             `json:"affinity,omitempty"`
    Tolerations           []corev1.Toleration          `json:"tolerations,omitempty"`
    SecretVolumes         []SecretVolume               `json:"secretVolumes,omitempty"`
    ConfigVolumes         []ConfigVolume               `json:"configVolumes,omitempty"`
    RollingMaxSurge       *string                      `json:"rollingMaxSurge,omitempty"`
    RollingMaxUnavailable *string                      `json:"rollingMaxUnavailable,omitempty"`
    CPU                   HpaCPU                       `json:"cpu,omitempty"`
    Memory                HpaMemory                    `json:"memory,omitempty"`
    Kernel                KernelConfiguration          `json:"kernel,omitempty"`
    Compressor            CompressorConfiguration      `json:"compression,omitempty"`
    RunAsRoot             *bool                        `json:"runAsRoot,omitempty"`
    Lifecycle             *corev1.Lifecycle            `json:"lifecycle,omitempty"`
    ReadinessProbe        ReadinessProbeConfiguration  `json:"readinessProbe,omitempty"`
    HostNetwork           *bool                        `json:"hostNetwork,omitempty"`
    DnsPolicy             corev1.DNSPolicy             `json:"dnsPolicy,omitempty"`
    AutoCreateGatewayYaml *bool                        `json:"autoCreateGatewayYaml,omitempty"`
}

type SecretVolume struct {
    Name       string `json:"name,omitempty"`
    SecretName string `json:"secretName,omitempty"`
    MountPath  string `json:"mountPath,omitempty"`
}

type ConfigVolume struct {
    Name          string `json:"name,omitempty"`
    ConfigMapName string `json:"configMapName,omitempty"`
    MountPath     string `json:"mountPath,omitempty"`
}

// +k8s:openapi-gen=true
type HpaCPU struct {
    TargetAverageUtilization *int32 `json:"targetAverageUtilization,omitempty"`
}

// +k8s:openapi-gen=true
type HpaMemory struct {
    TargetAverageUtilization *int32 `json:"targetAverageUtilization,omitempty"`
}

// +k8s:openapi-gen=true
type IstioGatewayStatus struct {
    // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
    // Important: Run "operator-sdk generate k8s" to regenerate code after modifying this file
    // Add custom validation using kubebuilder tags: https://book.kubebuilder.io/beyond_basics/generating_crd.html
    Status                     ConfigState      `json:"Status,omitempty"`
    GatewayAddress             []string         `json:"GatewayAddress,omitempty"`
    ClusterIdGatewayAddressMap []GatewayAddress `json:"ClusterIdGatewayAddressMap,omitempty"`

    ErrorMessage string `json:"ErrorMessage,omitempty"`
}

// +k8s:openapi-gen=true
type GatewayAddress struct {
    IPAddress string `json:"ipAddress,omitempty"`
    ClusterId string `json:"clusterId,omitempty"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// IstioGateway is the Schema for the istiogateways API
// +k8s:openapi-gen=true
// +kubebuilder:subresource:status
type IstioGateway struct {
    metav1.TypeMeta   `json:",inline"`
    metav1.ObjectMeta `json:"metadata,omitempty"`

    Spec   IstioGatewaySpec   `json:"spec,omitempty"`
    Status IstioGatewayStatus `json:"status,omitempty"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// IstioGatewayList contains a list of IstioGateway
type IstioGatewayList struct {
    metav1.TypeMeta `json:",inline"`
    metav1.ListMeta `json:"metadata,omitempty"`
    Items           []IstioGateway `json:"items"`
}
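The following Go program is an added example written for this page; it is not code from ASM or from the sample file above. It mirrors a subset of the Go structs above with the same JSON tags (one deviation, labelled in the code: kernel.parameters is modelled as a map so that unsupported keys can be reported) and checks a decoded spec against constraints stated in the CRD field table: the valid values of serviceType, the supported kernel parameter list and the string-only rule for their values, the relationship between clusterIds and overrides, and hostNetwork, which is surfaced for review because it places the gateway pod in the node's network namespace. The sample specs are constructed for this example and are not from the page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Trimmed-down mirror of the page's IstioGateway types (same JSON tags, only the fields
// checked here). Assumption for this example: kernel.parameters is a map rather than the
// page's fixed KernelParameters struct, so unsupported keys can be reported, not dropped.
type KernelConfiguration struct {
	Enabled    *bool              `json:"enabled,omitempty"`
	Parameters map[string]*string `json:"parameters,omitempty"` // string values only, as the table requires
}

type BasicConfiguration struct {
	ServiceType string              `json:"serviceType,omitempty"`
	Kernel      KernelConfiguration `json:"kernel,omitempty"`
	HostNetwork *bool               `json:"hostNetwork,omitempty"`
}

type GatewaySpec struct {
	BasicConfiguration `json:",inline"`
	ClusterIds         []string                      `json:"clusterIds,omitempty"`
	Overrides          map[string]BasicConfiguration `json:"overrides,omitempty"`
}

// The kernel parameters the table lists as supported.
var supportedKernelKeys = map[string]bool{
	"net.core.somaxconn": true, "net.core.netdev_max_backlog": true, "net.ipv4.tcp_rmem": true, "net.ipv4.tcp_wmem": true,
	"net.ipv4.ip_local_port_range": true, "net.ipv4.tcp_fin_timeout": true, "net.ipv4.tcp_tw_timeout": true, "net.ipv4.tcp_tw_reuse": true,
	"net.ipv4.tcp_tw_recycle": true, "net.ipv4.tcp_timestamps": true, "net.ipv4.tcp_retries2": true, "net.ipv4.tcp_slow_start_after_idle": true,
	"net.ipv4.tcp_max_orphans": true, "net.ipv4.tcp_max_syn_backlog": true, "net.ipv4.tcp_no_metrics_save": true, "net.ipv4.tcp_autocorking": true,
	"kernel.printk": true, "vm.swappiness": true,
}

// checkBasic applies the table's constraints to one cluster's settings; prefix names the
// overrides entry being checked ("" for the top-level settings).
func checkBasic(prefix string, c BasicConfiguration) []string {
	var out []string
	add := func(format string, a ...interface{}) { out = append(out, prefix+fmt.Sprintf(format, a...)) }
	switch c.ServiceType {
	case "", "LoadBalancer", "NodePort", "ClusterIP": // the table's valid values
	default:
		add("serviceType %q is not LoadBalancer, NodePort or ClusterIP", c.ServiceType)
	}
	if c.Kernel.Enabled != nil && *c.Kernel.Enabled {
		for k := range c.Kernel.Parameters {
			if !supportedKernelKeys[k] {
				add("kernel.parameters.%s is not in the supported list", k)
			}
		}
	}
	// hostNetwork: true places the pod in the node's network namespace, so surface it for review.
	if c.HostNetwork != nil && *c.HostNetwork {
		add("hostNetwork is true: the gateway pod shares the node's network namespace")
	}
	return out
}

// Validate decodes a spec given as JSON (the YAML sample's equivalent) and returns sorted findings.
// A kernel parameter written as a bare number fails at decode time: the mistake the table's note describes.
func Validate(raw string) ([]string, error) {
	var spec GatewaySpec
	if err := json.Unmarshal([]byte(raw), &spec); err != nil {
		return nil, err
	}
	findings := checkBasic("", spec.BasicConfiguration)
	if len(spec.Overrides) > 0 && len(spec.ClusterIds) < 2 {
		findings = append(findings, "overrides requires two or more entries in clusterIds")
	}
	listed := map[string]bool{}
	for _, id := range spec.ClusterIds {
		listed[id] = true
	}
	for id, o := range spec.Overrides {
		if !listed[id] {
			findings = append(findings, "overrides."+id+": cluster ID is not in clusterIds")
		}
		findings = append(findings, checkBasic("overrides."+id+".", o)...)
	}
	sort.Strings(findings)
	return findings, nil
}

// Constructed sample specs in JSON form (the same shape as the page's YAML sample).
const GoodSpec = `{"clusterIds":["cluster1Id","cluster2Id"],"serviceType":"LoadBalancer",
 "kernel":{"enabled":true,"parameters":{"net.core.somaxconn":"65535"}},
 "overrides":{"cluster1Id":{"serviceType":"LoadBalancer"},"cluster2Id":{"serviceType":"NodePort"}}}`
const BadSpec = `{"clusterIds":["cluster1Id"],"serviceType":"Nodeport","hostNetwork":true,
 "kernel":{"enabled":true,"parameters":{"net.core.somaxconn":"65535","net.ipv4.tcp_syncookies":"1"}},
 "overrides":{"cluster2Id":{"serviceType":"Nodeport"}}}`
const UnquotedKernelSpec = `{"kernel":{"enabled":true,"parameters":{"net.core.somaxconn":65535}}}`

func main() {
	fmt.Println(Validate(BadSpec)) // prints the findings for the constructed bad spec
}
```

Running the program against GoodSpec yields no findings; BadSpec yields six (the misspelled Nodeport at both levels, an unsupported kernel key, hostNetwork, and two overrides problems); UnquotedKernelSpec never reaches the checks because encoding/json refuses to decode a number into a string-typed parameter, which is the same category of mistake the kernel.parameters note warns about in YAML.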