https://oneuptime.com/blog/tag/gateway-api?page=4&pageSize=25
Contents
GatewayAPI
001. GatewayAPI - 1. Installation
002. ingress2gateway
003. Create sample pods for testing
TESTED-1: Gateway & HTTPRoute Basic
TESTED-2: cert-manager integration
Example 3: Multiple hostnames and SSL - Basic
Example 4: Multiple hostnames and SSL - ListenerSet
TESTED-5: Traffic Split
TESTED-6: Header Route
TESTED-7.1: Header Modify
TESTED-7.2: Header Modify - improve security
TESTED-8: Method Matching
TESTED-9: Path route
TESTED-11: Query Parameter Routing
TESTED-12: URL rewrite
TESTED-13: Mirror request
OK-12: Cross NS HTTPRoute->Services
OK-13: Cross NS Gateway->Secret
OK-14: Cross NS HTTPRoute->Gateway
(NOT) Example 20: ReferenceGrant
TESTED-17: Increase timeout
TESTED-18: Redirect 301/302
(NOT) Example 8: TLS route
Example 16: TLS Passthrough
Example 18: Multi condition
(NOT) Example 19: TCP/UDP Route
Example 22: keepalive_timeout
Example 23: BackendTLSPolicy (Force trust)
(NOT) Example 24: CORS
(NOT) Example 26: mTLS
(NOT) Example 27: HTTP/2.0 Support Backend
(NOT) Example 30: ListenerSet
GatewayAPI
001. GatewayAPI - 1. Installation
See the Cilium notes already written for the installation steps.
Full documentation: https://gateway-api.sigs.k8s.io/guides/getting-started/
Install the CRDs
wget https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.1/standard-install.yaml
k apply -f standard-install.yaml
Install the GatewayClass: nginx
Check version compatibility before installing: https://github.com/nginx/nginx-gateway-fabric#technical-specifications
helm install ngf oci://ghcr.io/nginx/charts/nginx-gateway-fabric \
  --namespace nginx-gateway \
  --create-namespace \
  --version 2.5.1 \
  --wait
cat <<EOF > gatewayclass.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: nginx
spec:
  controllerName: gateway.nginx.org/nginx-gateway-controller
EOF
k apply -f gatewayclass.yaml
k get gatewayclasses.gateway.networking.k8s.io
002. ingress2gateway
wget https://github.com/kubernetes-sigs/ingress2gateway/releases/download/v1.0.0/ingress2gateway_Linux_x86_64.tar.gz
tar xzf ingress2gateway_Linux_x86_64.tar.gz
# Convert every ingress-nginx Ingress in the cluster to Gateway API manifests
./ingress2gateway print --providers=ingress-nginx --all-namespaces > gateway-api-manifests.yaml
# Convert a single Ingress manifest from a file
./ingress2gateway print --providers=ingress-nginx --input-file=./ingress1.yaml
003. Create sample pods for testing
k create ns app-namespace1
k create ns app-namespace2
k -n app-namespace1 create deployment web1 --image=traefik/whoami --replicas=1
k -n app-namespace1 expose deployment web1 --name=svc-web1 --port=80 --target-port=80 --type=ClusterIP
k -n app-namespace1 create deployment web1a --image=traefik/whoami --replicas=1
k -n app-namespace1 expose deployment web1a --name=svc-web1a --port=80 --target-port=80 --type=ClusterIP
k -n app-namespace1 create deployment web1b --image=traefik/whoami --replicas=1
k -n app-namespace1 expose deployment web1b --name=svc-web1b --port=80 --target-port=80 --type=ClusterIP
k -n app-namespace2 create deployment web2 --image=traefik/whoami --replicas=1
k -n app-namespace2 expose deployment web2 --name=svc-web2 --port=80 --target-port=80 --type=ClusterIP
TESTED-1: Gateway & HTTPRoute Basic
https://gateway-api.sigs.k8s.io/guides/getting-started/simple-gateway/
*** Note: you can create multiple Gateways; each Gateway gets its own LoadBalancer IP.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=default-gateway/O=Default Certificate"
kubectl create secret tls default-cert --key tls.key --cert tls.crt -n nginx-gateway
cat << EOF > 01.simple-gateway.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: my-gateway
  namespace: nginx-gateway # same namespace as the default-cert secret and as the parentRef in the HTTPRoute below
spec:
  gatewayClassName: nginx
  listeners:
  - name: http
    protocol: HTTP
    port: 80
    allowedRoutes:
      namespaces:
        from: All
  - name: https
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      certificateRefs:
      - name: default-cert # note: must match the secret created above
    allowedRoutes:
      namespaces:
        from: All
EOF
cat << EOF > 01.simple-httproute.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: app-http
  namespace: app-namespace1
spec:
  parentRefs:
  - name: my-gateway # note: must match the Gateway name
    namespace: nginx-gateway
    sectionName: http # note: must match the listener name
  hostnames:
  - "test.tuan.name.vn"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: svc-web1 # note: must match the Service name
      port: 80
EOF
TESTED-2: cert-manager integration
See the main CertManager section; install it as usual.
https://freedium-mirror.cfd/https://faun.pub/kubernetes-gateway-api-a-complete-step-by-step-setup-guide-397d0ff5375f
*** Note (Tuấn): here we must first create a new Certificate.yaml, and only then add it to the Gateway.
cat << EOF > 02.certmanager-certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-tuan-name-vn-tls
  namespace: nginx-gateway
spec:
  secretName: test-tuan-name-vn-tls-secret
  duration: 2160h # 90 days
  renewBefore: 360h # auto-renew 15 days (360 hours) before expiry
  issuerRef:
    name: letsencrypt-stag
    kind: ClusterIssuer
  commonName: test.tuan.name.vn
  dnsNames: # multiple names can share the same certificate
  - test.tuan.name.vn
EOF
cat << EOF > 02.certmanager-gateway.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: my-gateway
  namespace: nginx-gateway
  annotations:
    # Optional: some controllers use this annotation to map the certificate automatically
    cert-manager.io/cluster-issuer: letsencrypt-stag
spec:
  gatewayClassName: nginx
  listeners:
  - name: http
    protocol: HTTP
    port: 80
    allowedRoutes:
      namespaces:
        from: All
  - name: https
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      certificateRefs:
      - name: default-cert
    allowedRoutes:
      namespaces:
        from: All
  - name: https-test-tuan-name-vn
    protocol: HTTPS
    port: 443
    hostname: "test.tuan.name.vn"
    tls:
      mode: Terminate
      certificateRefs:
      - name: test-tuan-name-vn-tls-secret
    allowedRoutes:
      namespaces:
        from: All
EOF
cat << EOF > 02.certmanager-httproute.yaml
# HTTP
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: app-web1-http-redirect
  namespace: app-namespace1
spec:
  parentRefs:
  - name: my-gateway # note: must match the Gateway name
    namespace: nginx-gateway
    sectionName: http # note: must match the listener name
  hostnames:
  - "test.tuan.name.vn"
  rules:
  - filters:
    - type: RequestRedirect
      requestRedirect:
        scheme: https
        statusCode: 302 # temporary 302 redirect to port 443
---
# HTTPS
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: app-web1-https-route
  namespace: app-namespace1
spec:
  parentRefs:
  - name: my-gateway
    namespace: nginx-gateway
    sectionName: https-test-tuan-name-vn # matches the 'name' of the 443 listener in the Gateway
  hostnames:
  - "test.tuan.name.vn"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: svc-web1 # note: must match the Service name
      port: 80
EOF
Result:
curl -v http://test.tuan.name.vn
#< HTTP/1.1 302 Moved Temporarily
#< Location: https://test.tuan.name.vn/
curl -v https://test.tuan.name.vn
#* subject: CN=test.tuan.name.vn
#* start date: May 1 16:43:03 2026 GMT
#* expire date: Jul 30 16:43:02 2026 GMT
#* issuer: C=US; O=(STAGING) Let's Encrypt; CN=(STAGING) Tenuous Tomato R13
Example 3: Multiple hostnames and SSL - Basic
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: wildcard-gateway
  namespace: nginx-gateway
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  gatewayClassName: nginx
  listeners:
  - name: http
    protocol: HTTP
    port: 80 # this is the default
    allowedRoutes:
      namespaces:
        from: All
  - name: https
    protocol: HTTPS
    port: 443 # this is the default
    tls:
      mode: Terminate
      certificateRefs:
      - name: default-cert
    allowedRoutes:
      namespaces:
        from: All
  - name: https-wildcard-domain1
    protocol: HTTPS
    port: 443
    hostname: "*.domain1.com"
    tls:
      mode: Terminate
      certificateRefs:
      - name: domain1-wildcard-tls
    allowedRoutes:
      namespaces:
        from: All
  - name: https-wildcard-domain2
    protocol: HTTPS
    port: 443
    hostname: "*.domain2.com"
    tls:
      mode: Terminate
      certificateRefs:
      - name: domain2-wildcard-tls
    allowedRoutes:
      namespaces:
        from: All
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: app1-domain1-route
  namespace: app-namespace
spec:
  parentRefs:
  - name: wildcard-gateway
    namespace: nginx-gateway
    sectionName: https-wildcard-domain1 # attach to the domain1 listener
  hostnames:
  - "app1.domain1.com" # specific subdomain
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: svc-app1-domain1
      port: 80
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: app22-domain1-route
  namespace: app-namespace
spec:
  parentRefs:
  - name: wildcard-gateway
    namespace: nginx-gateway
    sectionName: https-wildcard-domain1 # attach to the domain1 listener
  hostnames:
  - "app2.domain1.com" # specific subdomain
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: svc-app2-domain1
      port: 80
Example 4: Multiple hostnames and SSL - ListenerSet
This approach solves two big problems:
• Delegation (self-service): the Platform team manages a single shared Gateway. Each application team, in its own namespace, creates its own ListenerSet to configure its own domains and TLS certificates.
• Scale: it lets the cluster exceed the hard limit of 64 listeners on a single Kubernetes Gateway.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shared-gateway
  namespace: nginx-gateway # Platform team's namespace
spec:
  gatewayClassName: nginx
  listeners:
  - name: default-http
    protocol: HTTP
    port: 80
    allowedRoutes:
      namespaces:
        from: All
---
apiVersion: gateway.networking.k8s.io/v1alpha2 # or v1, depending on the CRD version you installed
kind: ListenerSet
metadata:
  name: team-a-listeners
  namespace: team-a
spec:
  parentRef:
    name: shared-gateway
    namespace: nginx-gateway
  listeners:
  - name: https-teama
    protocol: HTTPS
    port: 443
    hostname: "*.team-a.com" # wildcards are fine here
    tls:
      mode: Terminate
      certificateRefs:
      - name: team-a-wildcard-tls # the Secret lives in the team-a namespace itself
    allowedRoutes:
      namespaces:
        from: Same # only apps in this namespace may bind routes to it
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: ListenerSet
metadata:
  name: team-b-listeners
  namespace: team-b
spec:
  parentRef:
    name: shared-gateway
    namespace: nginx-gateway
  listeners:
  - name: https-teamb
    protocol: HTTPS
    port: 443
    hostname: "*.team-b.com"
    tls:
      mode: Terminate
      certificateRefs:
      - name: team-b-wildcard-tls
    allowedRoutes: # remember to include this
      namespaces:
        from: Same
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: app-route
  namespace: team-a
spec:
  parentRefs:
  - name: shared-gateway
    namespace: nginx-gateway
    sectionName: https-teama # listener name defined in Team A's ListenerSet
  hostnames:
  - "app.team-a.com" # assumed subdomain (the original value was garbled); it must fall under the listener's "*.team-a.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: app-service
      port: 80
TESTED-5: Traffic Split
https://gateway-api.sigs.k8s.io/guides/traffic-splitting/
cat << EOF > 05.traffic-splitting-httproute.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: demo-route-split
  namespace: app-namespace1
spec:
  parentRefs:
  - name: my-gateway # note: must match the Gateway name
    namespace: nginx-gateway
    sectionName: http # note: must match the listener name
  hostnames:
  - "test.tuan.name.vn"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: svc-web1 # svc1 of pod1
      port: 80
      weight: 90
    - name: svc-web1a # svc2 of pod1
      port: 80
      weight: 10
EOF
k apply -f 05.traffic-splitting-httproute.yaml
# Run multiple requests; roughly 9 in 10 should land on web1
for i in {1..20}; do
  curl -s http://test.tuan.name.vn | grep Hostname;
done
k delete -f 05.traffic-splitting-httproute.yaml
TESTED-6: Header Route
https://gateway-api.sigs.k8s.io/guides/traffic-splitting/#canary-traffic-rollout
cat << EOF > 06.traffic-splitting-header-route.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: demo-route-headers
  namespace: app-namespace1
spec:
  parentRefs:
  - name: my-gateway # note: must match the Gateway name
    namespace: nginx-gateway
    sectionName: http # note: must match the listener name
  hostnames:
  - "test.tuan.name.vn"
  rules:
  - matches:
    - headers:
      - name: version # the header match goes here: version=v2
        value: v2
    backendRefs:
    - name: svc-web1a
      port: 80
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: svc-web1
      port: 80
EOF
k apply -f 06.traffic-splitting-header-route.yaml
# Default request goes to v1
curl test.tuan.name.vn
Hostname: web1-888886b4d-tg4jv
# Request with header goes to v2
curl -H "version: v2" test.tuan.name.vn
Hostname: web1-888886b4d-t6rbg
k delete -f 06.traffic-splitting-header-route.yaml
Another header-route example
https://oneuptime.com/blog/post/2026-02-09-httproute-traffic-routing/view
# httproute-headers.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: header-routing
  namespace: default
spec:
  parentRefs:
  - name: http-gateway
  hostnames:
  - "example.com"
  rules:
  # Route mobile users to mobile backend
  - matches:
    - headers:
      - name: User-Agent
        type: RegularExpression
        value: ".*(Mobile|Android|iPhone).*"
    backendRefs:
    - name: mobile-service
      port: 8080
  # Route beta users to canary backend
  - matches:
    - headers:
      - name: X-Beta-User
        type: Exact
        value: "true"
    backendRefs:
    - name: canary-service
      port: 8080
  # Default backend
  - matches:
    - path:
        type: PathPrefix
        value: "/"
    backendRefs:
    - name: stable-service
      port: 8080
TESTED-7.1: Header Modify
https://gateway-api.sigs.k8s.io/guides/http-header-modifier/
cat << EOF > 07.http-header-modifier.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: header-manipulation-route
  namespace: app-namespace1 # namespace holding your application
spec:
  parentRefs:
  - name: my-gateway # note: must match the Gateway name
    namespace: nginx-gateway
    sectionName: http # note: must match the listener name
  hostnames:
  - "test.tuan.name.vn"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /api
    # Header manipulation is configured here
    filters:
    # 1. REQUEST headers (client -> backend)
    - type: RequestHeaderModifier
      requestHeaderModifier:
        # Add a header (overwrites it if it already exists)
        set:
        - name: X-Environment-Type
          value: "Production"
        # Append a value to an existing header
        add:
        - name: X-Forwarded-For-Custom
          value: "nginx-fabric-gateway"
        # Strip sensitive headers before forwarding to the backend
        remove:
        - "X-Internal-Secret"
        - "Authorization-Debug"
    # 2. RESPONSE headers (backend -> client)
    - type: ResponseHeaderModifier
      responseHeaderModifier:
        # Add standard security headers for the client
        set:
        - name: Strict-Transport-Security
          value: "max-age=999999; includeSubDomains"
        - name: X-Frame-Options
          value: "DENY"
        # Add a system identification header
        add:
        - name: Server-Trace
          value: "gateway-node-01"
        # Hide headers that reveal backend implementation details
        remove:
        - "X-Powered-By"
        - "X-AspNet-Version"
    backendRefs:
    - name: svc-web1
      port: 80
EOF
k apply -f 07.http-header-modifier.yaml
curl -vk http://test.tuan.name.vn/api
< Server-Trace: gateway-node-01
< Strict-Transport-Security: max-age=999999; includeSubDomains
k delete -f 07.http-header-modifier.yaml
TESTED-7.2: Header Modify - improve security
https://oneuptime.com/blog/post/2026-02-09-gateway-tls-certificate-refs/view#security-best-practices
# secure-headers-route.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: secure-headers
spec:
  parentRefs:
  - name: tls-gateway
  rules:
  - filters:
    - type: ResponseHeaderModifier
      responseHeaderModifier:
        add:
        - name: Strict-Transport-Security
          value: "max-age=31536000; includeSubDomains"
        - name: X-Content-Type-Options
          value: "nosniff"
        - name: X-Frame-Options
          value: "DENY"
    backendRefs:
    - name: app-service
      port: 8080
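To make the set / add / remove semantics of the two routes above concrete, here is an added Python model of the HTTPHeaderFilter (this is example code, not code from this page, from NGINX Gateway Fabric or from the Gateway API project). It applies the 7.1 request and response filters to constructed header maps, checks that the stripped headers are really gone, and shows the caveat with 7.2: that route uses `add` for Strict-Transport-Security, so if the backend already emits an HSTS header the client receives two values.

```python
"""Model of Gateway API HTTPHeaderFilter semantics (set / add / remove).

Added example; the filter specs are copied from the HTTPRoutes above, the
request/response header maps are constructed for illustration.
"""
from typing import Dict, List

Headers = Dict[str, List[str]]  # lower-cased header name -> list of values


def apply_header_filter(headers: Headers, spec: dict) -> Headers:
    """Return a new header map after applying one header-modifier spec.

    set    - overwrite the header with a single value (creates it if absent)
    add    - append a value, keeping any values already present
    remove - delete the header entirely
    Header names are case-insensitive, so everything is compared lower-cased.
    """
    out = {k.lower(): list(v) for k, v in headers.items()}
    for h in spec.get("set", []):
        out[h["name"].lower()] = [h["value"]]
    for h in spec.get("add", []):
        out.setdefault(h["name"].lower(), []).append(h["value"])
    for name in spec.get("remove", []):
        out.pop(name.lower(), None)
    return out


# Filter specs from 07.http-header-modifier.yaml
REQUEST_FILTER = {
    "set": [{"name": "X-Environment-Type", "value": "Production"}],
    "add": [{"name": "X-Forwarded-For-Custom", "value": "nginx-fabric-gateway"}],
    "remove": ["X-Internal-Secret", "Authorization-Debug"],
}
RESPONSE_FILTER = {
    "set": [
        {"name": "Strict-Transport-Security", "value": "max-age=999999; includeSubDomains"},
        {"name": "X-Frame-Options", "value": "DENY"},
    ],
    "add": [{"name": "Server-Trace", "value": "gateway-node-01"}],
    "remove": ["X-Powered-By", "X-AspNet-Version"],
}
# Filter spec from secure-headers-route.yaml (uses add, not set)
SECURE_HEADERS_ADD_ONLY = {
    "add": [
        {"name": "Strict-Transport-Security", "value": "max-age=31536000; includeSubDomains"},
        {"name": "X-Content-Type-Options", "value": "nosniff"},
        {"name": "X-Frame-Options", "value": "DENY"},
    ]
}


def demo_request() -> Headers:
    """Constructed client request carrying a debug credential that must not reach the backend."""
    incoming = {
        "Host": ["test.tuan.name.vn"],
        "X-Internal-Secret": ["s3cr3t"],
        "X-Environment-Type": ["Staging"],  # client-supplied value gets overwritten by `set`
    }
    return apply_header_filter(incoming, REQUEST_FILTER)


def demo_response() -> Headers:
    """Constructed backend response that leaks its framework version."""
    upstream = {
        "Content-Type": ["text/plain"],
        "X-Powered-By": ["PHP/8.1"],
        "Strict-Transport-Security": ["max-age=60"],  # replaced by `set`
    }
    return apply_header_filter(upstream, RESPONSE_FILTER)


def leaked_headers(headers: Headers, sensitive: List[str]) -> List[str]:
    """Names from `sensitive` still present after filtering: a quick audit check."""
    return [n for n in sensitive if n.lower() in headers]


def hsts_values_with_add() -> List[str]:
    """With `add`, a backend that already sends HSTS results in two values at the client."""
    upstream = {"Strict-Transport-Security": ["max-age=60"]}
    return apply_header_filter(upstream, SECURE_HEADERS_ADD_ONLY)["strict-transport-security"]


if __name__ == "__main__":
    print(demo_request())
    print(demo_response())
    print("leaked:", leaked_headers(demo_response(), ["X-Powered-By", "X-AspNet-Version"]))
    print("HSTS with add:", hsts_values_with_add())
```

The last function is the design point: when the gateway should be authoritative for a security header, `set` replaces whatever the backend sent, while `add` only appends and can leave a weaker backend value in place alongside the gateway's.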
TESTED-8: Method Matching
https://gateway-api.sigs.k8s.io/guides/http-method-matching/
• A POST request to / will be routed to infra-backend-v1.
• A GET request to / will be routed to infra-backend-v2.
cat << EOF > 08.http-method-matching.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: method-matching
  namespace: app-namespace1 # namespace holding your application
spec:
  parentRefs:
  - name: my-gateway # note: must match the Gateway name
    namespace: nginx-gateway
    sectionName: http # note: must match the listener name
  hostnames:
  - "test.tuan.name.vn"
  rules:
  - matches:
    - method: POST
    backendRefs:
    - name: svc-web1
      port: 80
  - matches:
    - method: GET
    backendRefs:
    - name: svc-web1a
      port: 80
EOF
k apply -f 08.http-method-matching.yaml
Check
curl -XGET test.tuan.name.vn
curl -XPOST test.tuan.name.vn
k delete -f 08.http-method-matching.yaml
TESTED-9: Path route
cat << EOF > 09.path-route.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: demo-route-paths
  namespace: app-namespace1 # namespace holding your application
spec:
  parentRefs:
  - name: my-gateway # note: must match the Gateway name
    namespace: nginx-gateway
    sectionName: http # note: must match the listener name
  hostnames:
  - "test.tuan.name.vn"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /v1a
    backendRefs:
    - name: svc-web1a
      port: 80
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: svc-web1
      port: 80
EOF
k apply -f 09.path-route.yaml
Check
curl test.tuan.name.vn
curl test.tuan.name.vn/v1a
k delete -f 09.path-route.yaml
TESTED-11: Query Parameter Routing
https://gateway-api.sigs.k8s.io/guides/http-query-param-matching/
cat << EOF > 11.httproute-query-params.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: query-routing
  namespace: app-namespace1 # namespace holding your application
spec:
  parentRefs:
  - name: my-gateway # note: must match the Gateway name
    namespace: nginx-gateway
    sectionName: http # note: must match the listener name
  hostnames:
  - "test.tuan.name.vn"
  rules:
  # Route debug requests to debug backend
  - matches:
    - queryParams:
      - name: debug
        type: Exact
        value: "true"
    backendRefs:
    - name: svc-web1a
      port: 80
  # Route specific API versions
  - matches:
    - queryParams:
      - name: api_version
        type: Exact
        value: "2.0"
    backendRefs:
    - name: svc-web1b
      port: 80
  # Default routing
  - backendRefs:
    - name: svc-web1
      port: 80
EOF
k apply -f 11.httproute-query-params.yaml
Check
How it works: NGINX Gateway Fabric compiles the query-param matches into an internal match table (inside the gateway pod):
grep -r 'api_version' /etc/nginx/conf.d/matches.json
{"1_0":[{"redirectPath":"/_ngf-internal-rule0-route0","params":["debug=Exact=true"]},{"redirectPath":"/_ngf-internal-rule0-route1","params":["api_version=Exact=2.0"]},{"redirectPath":"/_ngf-internal-rule0-route2","any":true}]}
# quote the URL so the shell does not treat ? and = specially
curl "test.tuan.name.vn/v1a?debug=true"
curl "test.tuan.name.vn/v1a?api_version=2.0"
k delete -f 11.httproute-query-params.yaml
TESTED-12: URL rewrite
cat << EOF > 12.httproute-url-rewrite.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: url-rewrite
  namespace: app-namespace1 # namespace holding your application
spec:
  parentRefs:
  - name: my-gateway # note: must match the Gateway name
    namespace: nginx-gateway
    sectionName: http # note: must match the listener name
  hostnames:
  - "test.tuan.name.vn"
  rules:
  # Rewrite /v1/api/* to /api/*
  - matches:
    - path:
        type: PathPrefix
        value: "/v1/api"
    filters:
    - type: URLRewrite
      urlRewrite:
        path:
          type: ReplacePrefixMatch
          replacePrefixMatch: "/api"
    backendRefs:
    - name: svc-web1
      port: 80
  # Rewrite /old-path to /new-path
  - matches:
    - path:
        type: PathPrefix
        value: "/old-path"
    filters:
    - type: URLRewrite
      urlRewrite:
        path:
          type: ReplaceFullPath
          replaceFullPath: "/new-path"
    backendRefs:
    - name: svc-web1
      port: 80
EOF
k apply -f 12.httproute-url-rewrite.yaml
Check
curl test.tuan.name.vn/v1/api/111
#Hostname: web1-888886b4d-tg4jv
#GET /api/111 HTTP/1.1
curl test.tuan.name.vn/old-path
#Hostname: web1-888886b4d-tg4jv
#GET /new-path HTTP/1.1
k delete -f 12.httproute-url-rewrite.yaml
TESTED-13: Mirror request
https://gateway-api.sigs.k8s.io/guides/http-request-mirroring/
# create the mirror target first, then expose it
k -n app-namespace1 create deployment nginx --image=nginx:alpine
k -n app-namespace1 expose deployment nginx --name=svc-nginx --port=80 --target-port=80 --type=ClusterIP
cat << EOF > 13.httproute-mirroring.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: traffic-mirroring
  namespace: app-namespace1
spec:
  parentRefs:
  - name: my-gateway # note: must match the Gateway name
    namespace: nginx-gateway
    sectionName: http # note: must match the listener name
  hostnames:
  - "test.tuan.name.vn"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: "/api"
    backendRefs:
    # Primary backend (main pod)
    - name: svc-web1
      port: 80
    filters:
    # Mirror a copy of each request to the debug pod; its response is discarded
    - type: RequestMirror
      requestMirror:
        backendRef:
          name: svc-nginx
          port: 80
EOF
k apply -f 13.httproute-mirroring.yaml
Check
curl test.tuan.name.vn/api
curl test.tuan.name.vn/api
curl test.tuan.name.vn/api
# the mirrored requests show up in the nginx pod's access log
k -n app-namespace1 logs nginx-7977cdf8f5-czbkj
k delete -f 13.httproute-mirroring.yaml
k -n app-namespace1 delete deployment nginx
k -n app-namespace1 delete svc svc-nginx
OK-12: Cross NS HTTPRoute->Services
https://oneuptime.com/blog/post/2026-02-09-gateway-api-referencegrant-cross-namespace/view
Scenario: /aaa goes to a Service in namespace1, and /bbb goes to a Service in namespace2. A backendRef into another namespace is ignored unless a ReferenceGrant in the target namespace allows it.
# httproute-cross-namespace.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: cross-namespace-route
  namespace: frontend-namespace
spec:
  parentRefs:
  - name: shared-gateway
    namespace: gateway-namespace
  hostnames:
  - "example.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: "/api"
    backendRefs:
    - name: api-service
      namespace: backend-namespace
      port: 8080
---
# ReferenceGrant allowing cross-namespace reference (lives in the target namespace)
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: allow-frontend-to-backend
  namespace: backend-namespace
spec:
  from:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    namespace: frontend-namespace
  to:
  - group: ""
    kind: Service
    name: api-service
OK-13: Cross NS Gateway->Secret
https://oneuptime.com/blog/post/2026-02-09-gateway-api-referencegrant-cross-namespace/view
https://gateway-api.sigs.k8s.io/guides/tls/#cross-namespace-certificate-references
# Certificate in certs namespace
apiVersion: v1
kind: Secret
metadata:
  name: shared-tls-cert
  namespace: certs
type: kubernetes.io/tls
data:
  tls.crt: <base64-cert>
  tls.key: <base64-key>
---
# Grant access from infrastructure namespace
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: allow-gateway-to-certs
  namespace: certs
spec:
  from:
  - group: gateway.networking.k8s.io
    kind: Gateway
    namespace: infrastructure
  to:
  - group: ""
    kind: Secret
    name: shared-tls-cert
---
# Gateway in infrastructure namespace
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: cross-ns-gateway
  namespace: infrastructure
spec:
  gatewayClassName: kong
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: shared-tls-cert
        namespace: certs # Cross-namespace reference
    allowedRoutes:
      namespaces:
        from: All
OK-14: Cross NS HTTPRoute->Gateway
https://oneuptime.com/blog/post/2026-02-09-gateway-api-referencegrant-cross-namespace/view
This case applies when the Gateway has not set allowedRoutes.namespaces.from=All on its listeners.
# Gateway in shared infrastructure namespace
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shared-gateway
  namespace: gateway-system
spec:
  gatewayClassName: istio
  listeners:
  - name: http
    protocol: HTTP
    port: 80
  - name: https
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: default-tls
        namespace: certificates
---
# Allow tenant-a to use the gateway
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: allow-tenant-a
  namespace: gateway-system
spec:
  from:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    namespace: tenant-a
  to:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: shared-gateway
---
# Tenant-a HTTPRoute
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: tenant-a-route
  namespace: tenant-a
spec:
  parentRefs:
  - kind: Gateway
    name: shared-gateway
    namespace: gateway-system # Cross-namespace reference
  hostnames:
  - "app.tenant-a.example.com"
  rules:
  - backendRefs:
    - kind: Service
      name: app-service
      port: 80
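The three cross-namespace cases above (OK-12, OK-13, OK-14) all rely on the same rule: a reference across namespaces is honoured only if a ReferenceGrant in the target namespace lists the referring object's group/kind/namespace under `from` and the referenced group/kind (optionally name) under `to`. The following added Python model (example code, not from this page or any Gateway API controller) evaluates the three grants shown above against the page's three references plus two constructed references that must be denied: a different tenant reusing tenant-a's grant, and a route reaching for a Service the grant does not name.

```python
"""Evaluate cross-namespace references against ReferenceGrants.

Added example. The GRANTS list reproduces the three ReferenceGrants on this
page; the Ref inputs in check_page_references() are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

GATEWAY_GROUP = "gateway.networking.k8s.io"
CORE_GROUP = ""  # core API group (Service, Secret)


@dataclass(frozen=True)
class Ref:
    """A reference from one object to another, possibly across namespaces."""
    from_group: str
    from_kind: str
    from_namespace: str
    to_group: str
    to_kind: str
    to_name: str
    to_namespace: str


@dataclass(frozen=True)
class GrantFrom:
    group: str
    kind: str
    namespace: str


@dataclass(frozen=True)
class GrantTo:
    group: str
    kind: str
    name: Optional[str] = None  # None means "any object of this kind"


@dataclass(frozen=True)
class ReferenceGrant:
    namespace: str  # a grant only speaks for the namespace it lives in
    from_: List[GrantFrom]
    to: List[GrantTo]


def reference_allowed(ref: Ref, grants: List[ReferenceGrant]) -> bool:
    """Same-namespace references need no grant; cross-namespace ones need a matching one."""
    if ref.from_namespace == ref.to_namespace:
        return True
    for g in grants:
        if g.namespace != ref.to_namespace:
            continue
        from_ok = any(
            f.group == ref.from_group and f.kind == ref.from_kind and f.namespace == ref.from_namespace
            for f in g.from_
        )
        to_ok = any(
            t.group == ref.to_group and t.kind == ref.to_kind and (t.name is None or t.name == ref.to_name)
            for t in g.to
        )
        if from_ok and to_ok:
            return True
    return False


# The ReferenceGrants from OK-12, OK-13 and OK-14.
GRANTS = [
    ReferenceGrant("backend-namespace",
                   [GrantFrom(GATEWAY_GROUP, "HTTPRoute", "frontend-namespace")],
                   [GrantTo(CORE_GROUP, "Service", "api-service")]),
    ReferenceGrant("certs",
                   [GrantFrom(GATEWAY_GROUP, "Gateway", "infrastructure")],
                   [GrantTo(CORE_GROUP, "Secret", "shared-tls-cert")]),
    ReferenceGrant("gateway-system",
                   [GrantFrom(GATEWAY_GROUP, "HTTPRoute", "tenant-a")],
                   [GrantTo(GATEWAY_GROUP, "Gateway", "shared-gateway")]),
]


def check_page_references() -> Dict[str, bool]:
    """The page's three references plus two constructed attempts that must be denied."""
    cases = {
        "route->service (OK-12)": Ref(GATEWAY_GROUP, "HTTPRoute", "frontend-namespace",
                                      CORE_GROUP, "Service", "api-service", "backend-namespace"),
        "gateway->secret (OK-13)": Ref(GATEWAY_GROUP, "Gateway", "infrastructure",
                                       CORE_GROUP, "Secret", "shared-tls-cert", "certs"),
        "route->gateway (OK-14)": Ref(GATEWAY_GROUP, "HTTPRoute", "tenant-a",
                                      GATEWAY_GROUP, "Gateway", "shared-gateway", "gateway-system"),
        # constructed: tenant-b tries to attach using tenant-a's grant
        "tenant-b route->gateway": Ref(GATEWAY_GROUP, "HTTPRoute", "tenant-b",
                                       GATEWAY_GROUP, "Gateway", "shared-gateway", "gateway-system"),
        # constructed: the grant names api-service only, so another Service is not reachable
        "route->other service": Ref(GATEWAY_GROUP, "HTTPRoute", "frontend-namespace",
                                    CORE_GROUP, "Service", "admin-service", "backend-namespace"),
    }
    return {label: reference_allowed(r, GRANTS) for label, r in cases.items()}


if __name__ == "__main__":
    for label, ok in check_page_references().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {label}")
```

Two properties worth noticing: the grant must be created by the owner of the target namespace (it cannot be granted from the referring side), and leaving `to[].name` empty widens the grant to every object of that kind in the namespace, which is usually more than a tenant needs.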
(NOT) Example 20: ReferenceGrant
https://oneuptime.com/blog/post/2026-02-09-gateway-api-referencegrant-cross-namespace/view
https://oneuptime.com/blog/post/2026-02-09-cross-namespace-referencegrant/view#multi-tenant-gateway-architecture
TESTED-17: Increase timeout
All Gateway API timeouts: https://oneuptime.com/blog/post/2026-02-09-httproute-timeout-policies/view#graceful-timeout-handling
cat << EOF > 17.httproute-timeouts.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: timeout-configuration
  namespace: app-namespace1 # namespace holding your application
spec:
  parentRefs:
  - name: my-gateway # note: must match the Gateway name
    namespace: nginx-gateway
    sectionName: http # note: must match the listener name
  hostnames:
  - "test.tuan.name.vn"
  rules:
  # Fast endpoints with short timeout
  - matches:
    - path:
        type: PathPrefix
        value: "/health"
    timeouts:
      request: "5s"
      backendRequest: "3s"
    backendRefs:
    - name: svc-web1
      port: 80
  # Slow endpoints with longer timeout
  - matches:
    - path:
        type: PathPrefix
        value: "/reports"
    timeouts:
      request: "60s"
      backendRequest: "55s"
    backendRefs:
    - name: svc-web1
      port: 80
EOF
k apply -f 17.httproute-timeouts.yaml
Runs OK, but I don't know how to test it yet; leave it for later.
TESTED-18: Redirect 301/302
cat << EOF > 18.httproute-redirect.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: redirect-example
  namespace: app-namespace1 # namespace holding your application
spec:
  parentRefs:
  - name: my-gateway # note: must match the Gateway name
    namespace: nginx-gateway
    sectionName: http # note: must match the listener name
  hostnames:
  - "test.tuan.name.vn"
  rules:
  # Redirect to new domain
  - filters:
    - type: RequestRedirect
      requestRedirect:
        hostname: new.example.com
        statusCode: 302
        scheme: https
EOF
k apply -f 18.httproute-redirect.yaml
Result
curl -vk http://test.tuan.name.vn
< HTTP/1.1 301 Moved Permanently
< Location: https://new.example.com/
(NOT) Example 8: TLS route
https://oneuptime.com/blog/post/2026-02-09-tlsroute-passthrough/view
https://gateway-api.sigs.k8s.io/guides/tls-routing/
Example 16: TLS Passthrough
https://oneuptime.com/blog/post/2026-02-09-gateway-api-tlsroute-passthrough-tls/view
# passthrough-gateway.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: passthrough-gateway
spec:
  gatewayClassName: kong
  listeners:
  - name: tls-passthrough
    protocol: TLS
    port: 443
    tls:
      mode: Passthrough # No termination, forward encrypted (routing is by SNI only)
    allowedRoutes:
      kinds:
      - kind: TLSRoute
      namespaces:
        from: All
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: passthrough-route
spec:
  parentRefs:
  - name: passthrough-gateway
  hostnames:
  - "secure.example.com"
  rules:
  - backendRefs:
    - name: secure-backend
      port: 443
Example 18: Multi condition
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: complex-matching
spec:
  parentRefs:
  - name: production-gateway
  hostnames:
  - "api.example.com"
  rules:
  # A single match requires ALL of its conditions to be true
  - matches:
    - path:
        type: PathPrefix
        value: /api
      headers:
      - type: Exact
        name: X-API-Key
        value: secret-key
      queryParams:
      - type: Exact
        name: format
        value: json
    backendRefs:
    - name: authenticated-api
      port: 8080
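The header, path, method and query-param examples above, and this multi-condition one, all depend on two rules of the HTTPRoute spec: every condition inside one match entry must hold (AND), and when several rules match a request the winner is chosen by precedence (Exact path, then longest PathPrefix, then method, then most header matches, then most query-param matches, with the earlier rule winning ties). The added Python below (example code, not from this page or from NGINX Gateway Fabric) implements that evaluation over rules copied from this page and constructed requests; the `Request` class and `select_backend` are this example's own names.

```python
"""HTTPRouteMatch evaluation with Gateway API precedence.

Added example. RULES is copied from this page (Example 18 plus the
version-header and catch-all rules from TESTED-6); requests are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Request:
    path: str
    method: str = "GET"
    headers: Dict[str, str] = field(default_factory=dict)
    query: Dict[str, str] = field(default_factory=dict)


def _normalize(m: dict) -> dict:
    """Gateway API defaults an absent path match to PathPrefix "/"."""
    n = dict(m)
    n.setdefault("path", {"type": "PathPrefix", "value": "/"})
    n["path"] = {"type": "PathPrefix", **n["path"]}
    return n


def _path_ok(p: dict, path: str) -> bool:
    t, v = p["type"], p["value"]
    if t == "Exact":
        return path == v
    if t == "PathPrefix":
        # prefix match is per path segment: /api matches /api and /api/x, not /apix
        return v == "/" or path == v or path.startswith(v.rstrip("/") + "/")
    return re.fullmatch(v, path) is not None  # RegularExpression


def _kv_ok(specs: List[dict], actual: Dict[str, str], case_insensitive: bool) -> bool:
    have = {k.lower(): v for k, v in actual.items()} if case_insensitive else dict(actual)
    for s in specs:
        name = s["name"].lower() if case_insensitive else s["name"]
        if name not in have:
            return False
        if s.get("type", "Exact") == "Exact":
            if have[name] != s["value"]:
                return False
        elif re.fullmatch(s["value"], have[name]) is None:
            return False
    return True


def match_ok(m: dict, req: Request) -> bool:
    """True only if every condition in this one HTTPRouteMatch holds."""
    m = _normalize(m)
    return (
        _path_ok(m["path"], req.path)
        and ("method" not in m or m["method"] == req.method)
        and _kv_ok(m.get("headers", []), req.headers, True)      # header names are case-insensitive
        and _kv_ok(m.get("queryParams", []), req.query, False)   # query names are case-sensitive
    )


def _precedence(m: dict):
    m = _normalize(m)
    p = m["path"]
    return (1 if p["type"] == "Exact" else 0,
            len(p["value"]) if p["type"] == "PathPrefix" else 0,
            1 if "method" in m else 0,
            len(m.get("headers", [])),
            len(m.get("queryParams", [])))


def select_backend(rules: List[dict], req: Request) -> Optional[str]:
    """Backend name of the winning rule, or None when nothing matches."""
    best = None
    for order, rule in enumerate(rules):
        for m in rule.get("matches") or [{}]:  # a rule with no matches matches everything
            if match_ok(m, req):
                key = (_precedence(m), -order)  # earlier rule wins ties
                if best is None or key > best[0]:
                    best = (key, rule["backendRefs"][0]["name"])
    return best[1] if best else None


RULES = [
    {"matches": [{"path": {"type": "PathPrefix", "value": "/api"},
                  "headers": [{"type": "Exact", "name": "X-API-Key", "value": "secret-key"}],
                  "queryParams": [{"type": "Exact", "name": "format", "value": "json"}]}],
     "backendRefs": [{"name": "authenticated-api"}]},
    {"matches": [{"headers": [{"name": "version", "value": "v2"}]}],
     "backendRefs": [{"name": "svc-web1a"}]},
    {"matches": [{"path": {"type": "PathPrefix", "value": "/"}}],
     "backendRefs": [{"name": "svc-web1"}]},
]


def demo() -> Dict[str, Optional[str]]:
    """Constructed requests: dropping any one condition falls through to the catch-all."""
    full = Request("/api/users", headers={"x-api-key": "secret-key"}, query={"format": "json"})
    no_key = Request("/api/users", query={"format": "json"})
    v2 = Request("/anything", headers={"version": "v2"})
    return {"all conditions": select_backend(RULES, full),
            "missing header": select_backend(RULES, no_key),
            "version header": select_backend(RULES, v2)}
```

The "version header" case shows why the default path matters: a header-only match is still a PathPrefix "/" match, so it ties the catch-all on path length and wins on header count, which is the behaviour observed in TESTED-6.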
(NOT) Example 19: TCP/UDP Route
https://oneuptime.com/blog/post/2026-02-09-gateway-api-tcproute-udproute-layer4/view
https://gateway-api.sigs.k8s.io/guides/tcp/
Example 22: keepalive_timeout
https://gateway-api.sigs.k8s.io/guides/http-timeouts/
Instead of a single shared keepalive_timeout variable as in traditional Nginx, Gateway API splits timeouts into two levels in the HTTPRoute resource:
• Request timeout (request): the maximum total time for the whole lifecycle of a request (from the moment the Gateway receives it until the final response has been sent to the client).
• Backend timeout (backendRequest): the maximum time to wait for a response from the serving backend (upstream) once the request has been sent to it.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: my-route
spec:
  rules:
  - timeouts:
      request: 10s # maximum total request time
      backendRequest: 2s # time to wait for the backend to respond (similar to proxy_read_timeout)
    backendRefs:
    - name: my-service
      port: 80
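Because `backendRequest` is contained within `request`, the spec requires backendRequest <= request when both are set, and a value of 0s disables that timeout. The following added Python validator (example code, not from this page or any controller) parses the Go-style duration strings used in the manifests and checks the pairs from TESTED-17 and Example 22 plus one constructed invalid pair; `check_timeouts` and `parse_duration_ms` are this example's own names.

```python
"""Validate HTTPRoute `timeouts` values.

Added example. PAGE_TIMEOUTS reproduces the timeout pairs on this page plus
one constructed invalid pair.
"""
import re
from typing import Dict, Optional

_UNITS_MS = {"h": 3_600_000, "m": 60_000, "s": 1_000, "ms": 1}
# "ms" must be tried before "m" so that "500ms" is not read as 500 minutes + stray "s"
_TOKEN = re.compile(r"(\d+)(h|ms|m|s)")


def parse_duration_ms(text: str) -> int:
    """'1m30s' -> 90000, '500ms' -> 500. Rejects anything that is not h/m/s/ms tokens."""
    pos, total = 0, 0
    for tok in _TOKEN.finditer(text):
        if tok.start() != pos:  # gap or junk between tokens
            raise ValueError(f"bad duration {text!r}")
        total += int(tok.group(1)) * _UNITS_MS[tok.group(2)]
        pos = tok.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"bad duration {text!r}")
    return total


def check_timeouts(timeouts: Dict[str, str]) -> Optional[str]:
    """None if the pair is acceptable, otherwise a human-readable reason."""
    req, be = timeouts.get("request"), timeouts.get("backendRequest")
    req_ms = parse_duration_ms(req) if req else None
    be_ms = parse_duration_ms(be) if be else None
    if req_ms == 0:
        return None  # request timeout disabled: nothing to compare against
    if req_ms is not None and be_ms is not None and be_ms > req_ms:
        return f"backendRequest {be} exceeds request {req}"
    return None


PAGE_TIMEOUTS = {
    "/health (TESTED-17)": {"request": "5s", "backendRequest": "3s"},
    "/reports (TESTED-17)": {"request": "60s", "backendRequest": "55s"},
    "my-route (Example 22)": {"request": "10s", "backendRequest": "2s"},
    "constructed-bad": {"request": "2s", "backendRequest": "10s"},
}


def check_all(routes: Dict[str, Dict[str, str]] = PAGE_TIMEOUTS) -> Dict[str, Optional[str]]:
    return {name: check_timeouts(t) for name, t in routes.items()}


if __name__ == "__main__":
    for name, problem in check_all().items():
        print(f"{name}: {problem or 'ok'}")
```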
Example 23: BackendTLSPolicy (Force trust)
https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/#:~:text=are%20not%20allowed.-,WellKnownCACertificates,of%20choice%20for%20more%20information.
https://gateway-api.sigs.k8s.io/guides/tls/#using-system-certificates
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
  name: secure-backend-policy
  namespace: my-app-namespace # <--- your namespace here
spec:
  targetRefs:
  - group: ""
    kind: Service
    name: my-backend-service
    # Note: a BackendTLSPolicy only applies to Services
    # in the same namespace as the policy itself.
  validation:
    hostname: xxx.example.com # the SAN the gateway verifies on the backend certificate
    wellKnownCACertificates: System # trust the gateway's system CA bundle
(NOT) Example 24: CORS
https://gateway-api.sigs.k8s.io/guides/http-cors/
Needs more research.
(NOT) Example 26: mTLS
https://gateway-api.sigs.k8s.io/guides/tls/#basic-client-validation
(NOT) Example 27: HTTP/2.0 Support Backend
https://gateway-api.sigs.k8s.io/guides/backend-protocol/
(NOT) Example 30: ListenerSet
https://gateway-api.sigs.k8s.io/guides/listener-set/