A list of server specifications.

One or more labels that indicate a specific set of pods/VMson which this gateway configuration should be applied.By default workloads are searched across all namespaces based on label selectors.This implies that a gateway resource in the namespace “foo” can select pods inthe namespace “bar” based on labels.This behavior can be controlled via thePILOT_SCOPE_GATEWAY_TO_NAMESPACEenvironment variable in istiod. If this variable is setto true, the scope of label search is restricted to the configurationnamespace in which the the resource is present. In other words, the Gatewayresource must reside in the same namespace as the gateway workloadinstance.If selector is nil, the Gateway will be applied to all workloads.

The Port on which the proxy should listen for incomingconnections.

The ip or the Unix domain socket to which the listener should be boundto. Format:x.x.x.x orunix:///path/to/uds orunix://@foobar(Linux abstract namespace). When using Unix domain sockets, the portnumber should be 0.This can be used to restrict the reachability of this server to be gateway internal only.This is typically used when a gateway needs to communicate to another mesh servicee.g. publishing metrics. In such case, the server created with thespecified bind will not be available to external gateway clients.

One or more hosts exposed by this gateway.While typically applicable toHTTP services, it can also be used for TCP services using TLS with SNI.A host is specified as adnsName with an optionalnamespace/ prefix.ThednsName should be specified using FQDN format, optionally includinga wildcard character in the left-most component (e.g.,prod/*.example.com).Set thednsName to* to select allVirtualService hosts from thespecified namespace (e.g.,prod/*).

Thenamespace can be set to* or., representing any or the currentnamespace, respectively. For example,*/foo.example.com selects theservice from any available namespace while./foo.example.com only selectsthe service from the namespace of the sidecar. The default, if nonamespace/is specified, is*/, that is, select services from any namespace.Any associatedDestinationRule in the selected namespace will also be used.

AVirtualService must be bound to the gateway and must have one ormore hosts that match the hosts specified in a server. The matchcould be an exact match or a suffix match with the server’s hosts. Forexample, if the server’s hosts specifies*.example.com, aVirtualService with hostsdev.example.com orprod.example.com willmatch. However, aVirtualService with hostexample.com ornewexample.com will not match.

NOTE: Only virtual services exported to the gateway’s namespace(e.g.,exportTo value of*) can be referenced.Private configurations (e.g.,exportTo set to.) will not beavailable. Refer to theexportTo setting inVirtualService,DestinationRule, andServiceEntry configurations for details.

Set of TLS related options that govern the server’s behavior. Usethese options to control if all http requests should be redirected tohttps, and the TLS modes to use.

An optional name of the server, when set must be unique across all servers.This will be used for variety of purposes like prefixing stats generated withthis name etc.

A valid non-negative integer port number.

The protocol exposed on the port.MUST be one of HTTP|HTTPS|GRPC|GRPC-WEB|HTTP2|MONGO|TCP|TLS.TLS can be either used to terminate non-HTTP based connections on a specific portor to route traffic based on SNI header to the destination without terminating the TLS connection.

Label assigned to the port.

If set to true, the load balancer will send a 301 redirect forall http connections, asking the clients to use HTTPS.

Indicates whether connections to this port should besecured using TLS. The value of this field determines how TLS isenforced.

REQUIRED if mode isSIMPLE orMUTUAL. The path to the fileholding the server-side TLS certificate to use.

REQUIRED if mode isSIMPLE orMUTUAL. The path to the fileholding the server’s private key.

REQUIRED if mode isMUTUAL orOPTIONAL_MUTUAL. The path to a filecontaining certificate authority certificates to use in verifying a presentedclient side certificate.

OPTIONAL: The path to the file containing the certificate revocation list (CRL)to use in verifying a presented client side certificate.CRL is a list of certificatesthat have been revoked by the CA (Certificate Authority) before their scheduled expiration date.If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates.If omitted, the proxy will not verify the certificate against thecrl.

For gateways running on Kubernetes, the name of the secret thatholds the TLS certs including the CA certificates. Applicableonly on Kubernetes. An Opaque secret should contain the followingkeys and values:tls.key: <privateKey> andtls.crt: <serverCert> orkey: <privateKey> andcert: <serverCert>.For mutual TLS,cacert: <CACertificate> andcrl: <CertificateRevocationList>can be provided in the same secret or a separate secret named<secret>-cacert.A TLS secret for server certificates with an additionaltls.ocsp-staple keyfor specifying OCSP staple information,ca.crt key for CA certificatesandca.crl for certificate revocation list is also supported.Only one of server certificates and CA certificateor credentialName can be specified.

Same as CredentialName but for multiple certificates. Mainly used for specifyingRSA and ECDSA certificates for the same server.

For mutual TLS, the name of the secret or the configmap that holds CA certificates.Takes precedence over CA certificates in the Secret referenced withcredentialName(s).

Only one ofserver_certificate,private_key orcredential_nameorcredential_names ortls_certificates should be specified.This is mainly used for specifying RSA and ECDSA certificates for the same server.

A list of alternate names to verify the subject identity in thecertificate presented by the client.Requires TLS mode to be set toMUTUAL.When multiple certificates are provided viacredential_names ortls_certificates,the subject alternate names are validated against the selected certificate.

An optional list of base64-encoded SHA-256 hashes of the SPKIs ofauthorized client certificates.Note: When both verify_certificate_hash and verify_certificate_spkiare specified, a hash matching either value will result in thecertificate being accepted.

An optional list of hex-encoded SHA-256 hashes of theauthorized client certificates. Both simple and colon separatedformats are acceptable.Note: When both verify_certificate_hash and verify_certificate_spkiare specified, a hash matching either value will result in thecertificate being accepted.

Minimum TLS protocol version. By default, it isTLSV1_2.TLS protocol versions below TLSV1_2 require setting compatible ciphers with thecipherSuites setting as they no longer include compatible ciphers.

Note: Using TLS protocol versions below TLSV1_2 has serious security risks.

Maximum TLS protocol version.

If specified, only support the specified cipher list.Otherwise default to the default cipher list supported by Envoyas specifiedhere.The supported list of ciphers are:

• ECDHE-ECDSA-AES128-GCM-SHA256
• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-ECDSA-AES256-GCM-SHA384
• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-ECDSA-CHACHA20-POLY1305
• ECDHE-RSA-CHACHA20-POLY1305
• ECDHE-ECDSA-AES128-SHA
• ECDHE-RSA-AES128-SHA
• ECDHE-ECDSA-AES256-SHA
• ECDHE-RSA-AES256-SHA
• AES128-GCM-SHA256
• AES256-GCM-SHA384
• AES128-SHA
• AES256-SHA
• DES-CBC3-SHA

REQUIRED if mode isSIMPLE orMUTUAL. The path to the fileholding the server-side TLS certificate to use.

REQUIRED if mode isSIMPLE orMUTUAL. The path to the fileholding the server’s private key.