Declarative Configuration Reference Guide
Anypoint Flex Gateway running in Local Mode supports two configuration models:
-
The resource-based model, common in Kubernetes, is ideal for granular definitions. Resources each contain one of the following values for configuration
kind:-
ApiInstance -
Service -
PolicyBinding -
Configuration
-
-
The inline model is ideal for concise definitions, but is less versatile (for example, automated policies can only be applied in resource-based definitions.)
Inline definitions contain a single
ApiInstancevalue for configurationkind, under which services and policies are both defined.
Refer to the Examples section for examples of both.
This reference guide describes the available resources that are applicable to either resource-based configurations or inline configurations.
API Instance
apiVersion: gateway.mulesoft.com/v1alpha1
kind: ApiInstance
metadata:
name: <api instance name>
namespace: # optional namespace name
spec:
address: <proxy address including port and path>
services: # optional map of upstream services
<name>:
address: <service address>
routes: # optional array of routes to service
- config: # optional route configuration
destinationPath: <optional base path to upstream service>
rules: # optional route rules
policies: # optional array of policies
- policyRef:
name: <name of the policy>
namespace: <optional namespace of the policy>
config: # optional policy configuration
rules: # optional policy rules
| Parameter | Required or Optional | Default Value | Description |
|---|---|---|---|
|
Required |
N/A |
The API instance identifier that is used as a target reference for other resources, such as policy bindings. |
|
Optional |
|
|
|
Required |
N/A |
The proxy address URL, including protocol, host, port and optional path. If the base path is specified, it must be absent in any |
|
Optional |
Empty |
A map of named services and their routes. |
|
Required |
N/A |
The service address (and port). Supported format: |
|
Optional |
Empty |
An array of routes configured for this API instance towards the service. If left empty, a default route will be established to the service that will route all traffic. |
|
Optional |
Empty |
The configuration for this route. If left empty, a default configuration will be applied with an empty |
|
Optional |
Empty |
The path to prepend to forwarded requests to the upstream service. For example, if "destinationPath: /api/v1", requests to this API instance with a path like "/orders" will be routed upstream to "/api/v1/orders". |
|
Optional |
Empty |
An array of rules for this route. Refer to spec.rules in Policy Binding. |
|
Optional |
Empty |
An array of policies to apply to this API Instance. |
|
Required |
N/A |
The policy name. |
|
Optional |
The value of |
The namespace where the policy is defined. For provided policies, the value of this field should be |
|
Optional |
Empty |
The policy’s configuration. Refer to spec.config in Policy Binding. To use environment variables in |
|
Optional |
Empty |
An array of rules for applying this policy to the API Instance. spec.rules in Policy Binding. |
API Instance Examples
The following resource specifies an ApiInstance with metadata that describes the instance identifier. The metadata.name value is used as the target reference for other resources, such as policy bindings. The spec.services.routes.config.destinationPath value prepends /v1/apps to the specified paths under rules, acting in a similar manner as a base path.
apiVersion: gateway.mulesoft.com/v1alpha1
kind: ApiInstance
metadata:
name: hello-flex-gateway-instance
spec:
address: http://0.0.0.0:8080
services:
json:
address: https://<upstream address>:443/
routes:
- rules:
- path: /api(/users/.*)
- path: /api(/comments/.*)
config:
destinationPath: /v1/apps
Port Sharing
The following ApiInstance resources demonstrate API port sharing, with two distinct API instances listening on port 8080.
---
apiVersion: gateway.mulesoft.com/v1alpha1
kind: ApiInstance
metadata:
name: httpbin-example
spec:
address: http://0.0.0.0:8080/api/httpbin/
services:
upstream:
address: https://<upstream address>:443
---
apiVersion: gateway.mulesoft.com/v1alpha1
kind: ApiInstance
metadata:
name: json-example
spec:
address: http://0.0.0.0:8080/api/json/
services:
upstream:
address: https://<upstream address>:443
Both services listen on port 8080, for example:
curl http://localhost:8080/api/httpbin/get -v curl http://localhost:8080/api/json/users/1 -v
|
The base path of APIs sharing a port must not clash. For example, the following path combination is not allowed: http://0.0.0.0:8080/cats http://0.0.0.0:8080/cats/dogs |
|
TLS applies to the port. Therefore, the same TLS policy applies to all API instances sharing the port. |
Policy Binding
apiVersion: gateway.mulesoft.com/v1alpha1
kind: PolicyBinding
metadata:
name: <policy binding name>
namespace: <namespace name>
spec:
targetRef:
name: <name of api instance or upstream service>
namespace: <optional namespace of api instance or upstream service>
policyRef:
name: <policy name>
namespace: <optional policy namespace>
config: # optional policy configuration
order: # optional policy read order
rules: # optional policy rules
- path: <path regular expression>
methods: <methods regular expression>
host: <host regular expression>
headers: <headers map>
<header-name>: <header value regular expression>
| Parameter | Required or Optional | Default Value | Description |
|---|---|---|---|
|
Required |
N/A |
The identifier of the policy binding. |
|
Optional |
|
|
|
Required |
N/A |
The API instance or upstream service identifier to which the policy is bound. |
|
Optional |
The value of |
The namespace where the target is defined. |
|
Required |
N/A |
The policy name. See the list of available policies. |
|
Optional |
The value of |
The namespace where the policy is defined. For provided policies, the value of this field should be |
|
Optional |
Empty |
The policy configuration. The content of this field depends on the specified policy. See the list of available policies. To use environment variables in |
|
Optional |
50 |
The policy read order in the overall policy execution chain. |
|
Optional |
Empty |
An array of rules that will determine if the policy applies to a given request. These rules are checked in an OR fashion. The first one to hold will enable applying the policy to the request. The attributes in each rule object apply in an AND fashion. If path and host are defined, both must match for that rule to hold true. |
|
Optional |
|
A regular expression to match the request path. Capture groups in this regular expression will be used to define path rewriting when routing the request upstream. If "path: /api(/.*)", requests with the path /api/orders will be routed upstream as /orders. Multiple capture groups can be specified, and the replacement will be the concatenation of all captured substrings. |
|
Optional |
|
A regular expression to match the request host. |
|
Optional |
|
A regular expression to match the request method. |
|
Optional |
Empty |
A map of header names and value regular expressions that must be present in the request. Each entry’s key is the expected header name and the value is a regular expression to match the header value. |
Policy Binding Examples
The following resource binds a route policy to the API instance, routing traffic specified by the rules to the proxy address specified in the Service configuration snippet:
apiVersion: gateway.mulesoft.com/v1alpha1
kind: PolicyBinding
metadata:
name: hello-flex-gateway-route
namespace: e-commerce
spec:
targetRef:
name: hello-flex-gateway-instance
policyRef:
name: route
namespace: default
config:
destinationRef:
name: json
namespace: e-commerce
rules:
- path: /api/json(/.*)
The following resource binds a http-basic-authentication-flex policy to the API instance - requiring requests to include the basic credentials defined in config.username and config.password. The policy is given a read order value of 2.
apiVersion: gateway.mulesoft.com/v1alpha1
kind: PolicyBinding
metadata:
name: hello-flex-gateway-auth
namespace: e-commerce
spec:
targetRef:
name: hello-flex-gateway-instance
namespace: e-commerce
policyRef:
name: http-basic-authentication-flex
namespace: default
config:
username: chris
password: admin
order: 2
Environment Variables for Policy Bindings
Both policy binding resources and inline policy bindings support environment variables in config fields. The environment variables available are dependent on your environment.
To reference your environment variable, specify your environment variable prefixed by $, for example:
- policyRef:
name: http-basic-authentication-flex
config:
username: $USERNAME
password: $PASSWORD
Service
apiVersion: gateway.mulesoft.com/v1alpha1 kind: Service metadata: name: <service name> namespace: <namespace name> spec: address: <service address including port>
| Parameter | Required or Optional | Default Value | Description |
|---|---|---|---|
|
Required |
N/A |
The service identifier. |
|
Optional |
|
|
|
Required |
N/A |
The service address URL, including protocol, host and port. Supported format: |
Service Example
The following resource defines a Service with metadata that describes the service identifier. The metadata.namespace value matches the namespace specified in the ApiInstance configuration. The spec.address is the address of the API implementation:
apiVersion: gateway.mulesoft.com/v1alpha1 kind: Service metadata: name: json-example namespace: e-commerce spec: address: https://<upstream address>:443/
Configuration
Define a desired gateway state by creating a Configuration entity. Configuration entities specify several runtime configuration aspects for Flex Gateway itself, such as logging and shared storage. The definition includes the following:
apiVersion: gateway.mulesoft.com/v1alpha1 kind: Configuration metadata: name: <value> namespace: <namespace name> spec: logging: # logging configuration sharedStorage: # shared storage configuration
| Parameter | Required or Optional | Default Value | Description |
|---|---|---|---|
|
Required |
N/A |
The Configuration entity. |
|
Optional |
|
The namespace value used to isolate Configuration entities. |
|
Required |
N/A |
The configuration object that defines gateway characteristics. Objects include: |
Logging
The logging object configures the delivery of runtime and access logs enabled via the message logging policy. Logs are delivered to any supported Fluent Bit v3.2.10 output.
apiVersion: gateway.mulesoft.com/v1alpha1
kind: Configuration
metadata:
name: <value>
namespace: <namespace name>
spec:
logging:
outputs:
- name: <output-name>
type: <output-type>
parameters:
<param-name>: <param-value>
runtimeLogs:
logLevel: <value>
outputs: <value>
accessLogs:
outputs: <value>| Parameter | Required or Optional | Default Value | Description |
|---|---|---|---|
|
Required |
N/A |
The name of this output to later refer to in runtime and access logs configurations. |
|
Required |
N/A |
An output type supported by Fluent Bit. For Fluent Bit output types, see Fluent Bit documentation for your Fluent Bit version. |
|
Required |
N/A |
A map of parameters for the specific Fluent Bit output type. For Fluent Bit output type parameters, see Fluent Bit documentation for your Fluent Bit version. |
|
Optional |
Empty |
A list of output names to redirect access logs to. |
|
Optional |
|
A parameter specifying log detail. The supported |
|
Optional |
Empty |
A list of output names to redirect runtime logs to. |
Leaving a value blank applies the default value to your configuration.
In addition to parameters above, Flex Gateway offers variables for logging output. When configured, the variables render as one of their respective outputs in the logs:
| Variable | Description | Outputs |
|---|---|---|
|
Date and time of the logged event |
A specific time, for example, |
|
Flex Gateway service where the logged event occurred |
|
|
|
|
|
Log type |
|
Logging Example
apiVersion: gateway.mulesoft.com/v1alpha1
kind: Configuration
metadata:
name: logging
spec:
logging:
outputs:
- name: log-to-file
type: file
parameters:
path: /var/log
file: log.txt
format: template
template: |
[{date}][{logger}][{level}][{kind}] {message}
runtimeLogs:
logLevel: info
outputs:
- log-to-file
accessLogs:
outputs:
- log-to-file
Shared Storage
The sharedStorage object configures the gateway for shared storage. Production workflows should use Redis (minimum version 4.0.0), though defining it is optional. If Redis is not defined, shared storage services at port 4000 are still available but will use an in-memory implementation.
Optionally, you can use Redis with Transport Layer Security (TLS) to protect sensitive data, prevent unauthorized access, and maintain the reliability of your services.
apiVersion: gateway.mulesoft.com/v1alpha1
kind: Configuration
metadata:
name: shared-storage-redis
spec:
sharedStorage:
redis:
address: <string> // REQUIRED
username: <string> // OPTIONAL
password: <string> // OPTIONAL
db: <string> // OPTIONAL
tls: // OPTIONAL
trustedCA: <string> // OPTIONAL
certificate: // OPTIONAL
keyPassphrase <string> // OPTIONAL
key: <string> // REQUIRED
crt: <string> // REQUIRED
alpn: <array> // OPTIONAL
skipValidation: <boolean> // OPTIONAL
minversion: <string> // OPTIONAL
maxversion: <string> // OPTIONAL
ciphers: <array> // OPTIONAL
| Parameter | Required or Optional | Default Value | Description |
|---|---|---|---|
|
Required |
N/A |
The Redis instance address in |
|
Optional |
Empty |
The Redis user name |
|
Optional |
Empty |
The Redis user password |
|
Optional |
0 |
The Redis database number to use |
|
Optional |
Empty |
The Redis TLS configuration |
|
Optional |
N/A |
Root certificate authority to use when verifying server certificates |
|
Optional |
N/A |
Client certificate to present to the server |
|
Optional |
|
The certificate key passphrase. If specified, use the private key format that includes a DEK-Info header. If unspecified, the private key must not be encrypted. |
|
Required |
N/A |
The private key part of the certificate |
|
Required |
N/A |
The public key part of the certificate |
|
Optional |
|
If true, any certificate presented by the server is accepted. |
|
Optional |
|
The minimum TLS version allowed |
|
Optional |
|
The maximum TLS version allowed |
|
Optional |
Empty list |
A prioritized list of supported application level protocols; for example, h2, http/1.1 |
|
Optional |
|
TLS/Redis supports the same ciphers as the TLS policy, except the following:
|
Redis Shared Storage Example
The Redis storage service is an implementation of a REST API object store that functions as a bridge between the object store interface and a Redis backend.
apiVersion: gateway.mulesoft.com/v1alpha1
kind: Configuration
metadata:
name: shared-storage-redis
spec:
sharedStorage:
redis:
address: redis.e-commerce.svc:6379
username: ecomm-user
password: ecomm-pwd-123
DB: 7Redis with TLS Shared Storage Example
Optionally, you can use Redis with TLS to protect data and ensure secure communication.
apiVersion: gateway.mulesoft.com/v1alpha1
kind: Configuration
metadata:
name: shared-storage-redis
spec:
sharedStorage:
redis:
address: internal.redis.com:6379
tls:
skipValidation: false
minVersion: "1.1"
maxVersion: "1.3"
alpn:
- h2
- http/1.1
ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
trustedCA: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
certificate:
keyPassphrase: "****"
key: |
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
crt: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----Local Shared Storage Example
The local storage service is an implementation of a REST API object store that saves data in memory. All data is lost when Flex Gateway is stopped or restarted.
apiVersion: gateway.mulesoft.com/v1alpha1
kind: Configuration
metadata:
name: rtm-config
namespace: sales
spec:
sharedStorage:
local:
enabled: trueExamples
Inline Configuration Example
apiVersion: gateway.mulesoft.com/v1alpha1
kind: ApiInstance
metadata:
name: api-example
spec:
address: http://0.0.0.0:8080
services:
api-example:
address: https://<your url>:443/
routes:
- rules:
- path: /api(/users/.*)
- path: /api(/comments/.*)
config:
destinationPath: /v1/apps
policies:
- policyRef:
name: http-basic-authentication-flex
config:
username: chris
password: admin
Resource-Based Configuration Example
---
apiVersion: gateway.mulesoft.com/v1alpha1
kind: ApiInstance
metadata:
name: ingress-http
spec:
address: http://0.0.0.0:8080
---
apiVersion: gateway.mulesoft.com/v1alpha1
kind: Service
metadata:
name: json
spec:
address: https://<your url>:443/
---
apiVersion: gateway.mulesoft.com/v1alpha1
kind: PolicyBinding
metadata:
name: ingress-http-route
spec:
targetRef:
name: ingress-http
policyRef:
name: route
config:
destinationRef:
name: json
rules:
- path: /api(/users/.*)
- path: /api(/comments/.*)
---
apiVersion: gateway.mulesoft.com/v1alpha1
kind: PolicyBinding
metadata:
name: ingress-http-authentication
spec:
targetRef:
name: ingress-http
policyRef:
name: http-basic-authentication-flex
config:
username: chris
password: admin