# ztunnel egress policy, kept here as a comment for reference (this manifest
# does not apply it):
# egressPolicies:
# - namespaces: [common-infrastructure]
#   policy: Passthrough
# - gateway: egress-gateway.common-infrastructure.svc.cluster.local
#   policy: Gateway
#   matchCidrs:
#   - 0.0.0.0/0
#   - ::/0
# NOTE(review): the second entry matches every IPv4 and IPv6 destination and
# points at the egress gateway; the first entry lists common-infrastructure
# with Passthrough. Presumably that keeps the gateway's own traffic from
# looping back into itself, but any other workload placed in that namespace
# would then also skip the gateway - confirm, and keep the namespace limited
# to the gateway and its helpers.
#
# kgateway won't set up a listener for 15008 unless you have this:
# kubectl label ns common-infrastructure istio.io/use-waypoint=egress-gateway

# Gateway configuration for the egress gateway
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: egress-gateway
  namespace: common-infrastructure
spec:
  gatewayClassName: kgateway-waypoint
  infrastructure:
    # References a GatewayParameters object named debug-gateway that is not
    # defined in this file.
    # NOTE(review): the name suggests debug settings; check what it enables
    # (log level, admin or stats exposure) before reusing this outside a test
    # cluster - TODO confirm.
    parametersRef:
      name: debug-gateway
      group: gateway.kgateway.dev
      kind: GatewayParameters
  listeners:
  - name: proxy
    port: 15088
    protocol: istio.io/PROXY
    allowedRoutes:
      namespaces:
        # "All" lets a route in any namespace attach to this listener, so
        # anyone who can create routes anywhere in the cluster can add
        # egress routing here. Gateway API also accepts Same or Selector if
        # attachment should be limited to trusted namespaces.
        from: All
  # Explicit HBONE listener, left disabled by the author.
  # - name: mesh
  #   port: 15008
  #   protocol: HBONE
---
# Backend configuration for Dynamic Forward Proxy
# A dynamic forward proxy has no fixed upstream list: the destination is
# resolved per request. Any restriction on which hosts may be reached
# therefore has to come from the routes and policies attached to the gateway,
# not from this Backend.
apiVersion: gateway.kgateway.dev/v1alpha1
kind: Backend
metadata:
  name: dfp-backend
  namespace: common-infrastructure
spec:
  type: DynamicForwardProxy
  dynamicForwardProxy:
    # Turns on TLS toward the resolved upstream.
    # NOTE(review): this file does not show which trust store or hostname
    # checks are applied to the upstream certificate - confirm that the
    # certificate is actually validated, not just that the link is encrypted.
    enableTls: true
---
# Catch all routes
# Not needed??
# The route sets neither hostnames nor matches, so its single rule applies to
# every request that reaches egress-gateway and sends it to the dynamic
# forward proxy backend. Together with that backend this makes the gateway
# forward to whatever host the client names, including names that resolve to
# internal addresses. If only approved destinations should be reachable, list
# them under spec.hostnames or rely on an ext-auth policy that denies by
# default.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: example-route
  namespace: common-infrastructure
spec:
  parentRefs:
  - name: egress-gateway
  rules:
  - backendRefs:
    - name: dfp-backend
      kind: Backend
      group: gateway.kgateway.dev
---
# Registers the external host httpbin.dev with the mesh and, through the two
# labels below, binds it to the egress-gateway waypoint in
# common-infrastructure.
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: httpbin.dev
  namespace: common-infrastructure
  labels:
    istio.io/use-waypoint: egress-gateway
    istio.io/use-waypoint-namespace: common-infrastructure
spec:
  # No exportTo is set, so which namespaces can see this entry follows the
  # mesh default - confirm that is the intended audience.
  hosts:
  - httpbin.dev
  ports:
  # Port 80 is declared as plain HTTP: unless TLS is originated somewhere on
  # the path, requests to this port leave the cluster unencrypted.
  - number: 80
    name: http
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  # The host is resolved through DNS, so the addresses reached are whatever
  # the resolver returns at the time.
  resolution: DNS
---
# Not needed??
# Asks for TLS origination (mode SIMPLE) toward httpbin.dev.
# NOTE(review): no caCertificates, subjectAltNames or sni are set, so whether
# the server certificate is verified depends on the defaults of the Istio
# version in use - confirm before treating this connection as authenticated.
# NOTE(review): there are no portLevelSettings, so the policy is not limited
# to port 443 and would also cover the port 80 entry of the ServiceEntry -
# TODO confirm that is intended.
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: httpbin.dev-tls
  namespace: common-infrastructure
spec:
  host: httpbin.dev
  trafficPolicy:
    tls:
      mode: SIMPLE
---
# Declares an external authorization extension that calls a gRPC backend
# named ext-authz on port 9000. That Service is not defined in this file.
# NOTE(review): nothing here states what happens when ext-authz is
# unreachable or times out; for an egress control point, confirm that requests
# are denied in that case rather than allowed.
apiVersion: gateway.kgateway.dev/v1alpha1
kind: GatewayExtension
metadata:
  name: extauth
  namespace: common-infrastructure
spec:
  type: ExtAuth
  extAuth:
    grpcService:
      # No namespace is given on the reference; presumably it resolves in
      # common-infrastructure - verify.
      backendRef:
        name: ext-authz
        port: 9000
---
# Attaches the extauth extension to the egress-gateway Gateway as a whole,
# rather than to an individual route.
# NOTE(review): after applying, send a request that ext-authz is expected to
# deny and check that it is rejected, to confirm the policy is enforced on the
# listener the traffic actually uses.
apiVersion: gateway.kgateway.dev/v1alpha1
kind: TrafficPolicy
metadata:
  namespace: common-infrastructure
  name: gateway-ext-auth-policy
  labels:
    app: ext-authz
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: egress-gateway
  extAuth:
    # Refers to the GatewayExtension named extauth; with no namespace given it
    # is presumably looked up in this policy's namespace - verify.
    extensionRef:
      name: extauth