https://oneuptime.com/blog/tag/gateway-api?page=4&pageSize=25
Contents
GatewayAPI
GatewayAPI - 1. Installation
ingress2gateway
Example 0: cert-manager integration
Example 1: HTTPRoute Hostname
Example 2: Multiple hostnames and SSL - Basic
Example 3: Multiple hostnames and SSL - ListenerSet
Example 4: Weighted traffic splitting
Example 5: Header route
Example 6: Header modify
Example 2: Path route
Example 8: TLS route
Example 9: Query Parameter Routing
Example 10: URL rewrite
Example 11: Mirror request
Example 12: Cross-namespace services
Example 13: Cross-namespace secret
Example 14: Cross-namespace gateway
Example 14: Increase timeout
Example 15: Redirect
Example 16: TLS Passthrough
Example 17: Auto renew with cert-manager
Example 18: Multi condition
Example 18: TCP/UDP Route
Example 19: ReferenceGrant
Example 20: TLS advanced - security
GatewayAPI
GatewayAPI - 1. Installation
For the base install, refer to the cilium notes written earlier.
Full documentation: https://gateway-api.sigs.k8s.io/guides/getting-started/
wget https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.1/standard-install.yaml
k apply -f standard-install.yaml
Check the compatibility matrix before choosing a version: https://github.com/nginx/nginx-gateway-fabric#technical-specifications
helm install ngf oci://ghcr.io/nginx/charts/nginx-gateway-fabric \
  --namespace nginx-gateway \
  --create-namespace \
  --version 2.5.1 \
  --wait
cat <<EOF > gatewayclass.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: nginx
spec:
  controllerName: gateway.nginx.org/nginx-gateway-controller
EOF
k apply -f gatewayclass.yaml
k get gatewayclasses.gateway.networking.k8s.io
ingress2gateway
wget https://github.com/kubernetes-sigs/ingress2gateway/releases/download/v1.0.0/ingress2gateway_Linux_x86_64.tar.gz
tar -xzf ingress2gateway_Linux_x86_64.tar.gz   # unpacks the ingress2gateway binary
# Convert every Ingress in the cluster of the current kubeconfig context
ingress2gateway print --providers=ingress-nginx --all-namespaces > gateway-api-manifests.yaml
# Convert from a local manifest file instead
ingress2gateway print --providers=ingress-nginx --input-file=./ingress1.yaml
Example 0: cert-manager integration
See the main CertManager section and install it as usual.
Then simply add the annotation cert-manager.io/cluster-issuer: letsencrypt-prod to the Gateway resource.
https://freedium-mirror.cfd/https://faun.pub/kubernetes-gateway-api-a-complete-step-by-step-setup-guide-397d0ff5375f
Example 1: HTTPRoute Hostname
Example 2: Multiple hostnames and SSL - Basic
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: wildcard-gateway
  namespace: nginx-gateway
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  gatewayClassName: nginx
  listeners:
    - name: https-wildcard-domain1
      protocol: HTTPS
      port: 443
      hostname: "*.domain1.com"
      tls:
        mode: Terminate
        certificateRefs:
          - name: domain1-wildcard-tls
      allowedRoutes:
        namespaces:
          from: All
    - name: https-wildcard-domain2
      protocol: HTTPS
      port: 443
      hostname: "*.domain2.com"
      tls:
        mode: Terminate
        certificateRefs:
          - name: domain2-wildcard-tls
      allowedRoutes:
        namespaces:
          from: All
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: app1-domain1-route
  namespace: app-namespace
spec:
  parentRefs:
    - name: wildcard-gateway
      namespace: nginx-gateway
      sectionName: https-wildcard-domain1 # attach to domain1's listener specifically
  hostnames:
    - "app1.domain1.com" # a specific subdomain
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: svc-app1-domain1
          port: 80
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: app22-domain1-route
  namespace: app-namespace
spec:
  parentRefs:
    - name: wildcard-gateway
      namespace: nginx-gateway
      sectionName: https-wildcard-domain1 # attach to domain1's listener specifically
  hostnames:
    - "app2.domain1.com" # a specific subdomain
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: svc-app2-domain1
          port: 80
Example 3: Multiple hostnames and SSL - ListenerSet
This approach solves two big problems:
• Delegation (self-service): the platform team manages only one shared Gateway. Each application team, in its own namespace, creates its own ListenerSet to configure its own domains and TLS certificates.
• Beyond the limit: it lets the cluster get past the hard limit of 64 listeners on a single Kubernetes Gateway.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shared-gateway
  namespace: nginx-gateway # the platform team's namespace
spec:
  gatewayClassName: nginx
  allowedListeners: # experimental-channel field: a Gateway attaches no ListenerSet until this opens it up
    namespaces:
      from: All
  listeners:
    - name: default-http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: All
---
apiVersion: gateway.networking.k8s.io/v1alpha2 # or v1, depending on the CRD version you installed
kind: ListenerSet
metadata:
  name: team-a-listeners
  namespace: team-a
spec:
  parentRef:
    name: shared-gateway
    namespace: nginx-gateway
  listeners:
    - name: https-teama
      protocol: HTTPS
      port: 443
      hostname: "*.team-a.com" # wildcards are fine here
      tls:
        mode: Terminate
        certificateRefs:
          - name: team-a-wildcard-tls # the Secret lives in the team-a namespace itself
      allowedRoutes:
        namespaces:
          from: Same # only apps in this namespace may bind routes to it
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: ListenerSet
metadata:
  name: team-b-listeners
  namespace: team-b
spec:
  parentRef:
    name: shared-gateway
    namespace: nginx-gateway
  listeners:
    - name: https-teamb
      protocol: HTTPS
      port: 443
      hostname: "*.team-b.com"
      tls:
        mode: Terminate
        certificateRefs:
          - name: team-b-wildcard-tls
      allowedRoutes:
        namespaces:
          from: Same
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: app-route
  namespace: team-a
spec:
  parentRefs:
    - name: shared-gateway
      namespace: nginx-gateway
      sectionName: https-teama # the listener name defined in team A's ListenerSet
  hostnames:
    - "app.team-a.com" # any name under the listener's *.team-a.com wildcard (example value)
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: app-service
          port: 80
Example 4: Weighted traffic splitting
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: demo-route-split
  namespace: demo-apps
spec:
  parentRefs:
    - name: example-gateway
      namespace: default
  hostnames:
    - "demo.example.com"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: app-v1 # Service in front of the v1 pods
          port: 80
          weight: 90
        - name: app-v2 # Service in front of the v2 pods
          port: 80
          weight: 10
# Address assigned to the Gateway
GATEWAY_IP=$(k get gateway example-gateway -n default -o jsonpath='{.status.addresses[0].value}')
# Run multiple requests; roughly 9 out of 10 should land on v1
for i in {1..20}; do
  curl -s -H "Host: demo.example.com" http://$GATEWAY_IP/
done
Example 5: Header route
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: demo-route-headers
  namespace: demo-apps
spec:
  parentRefs:
    - name: example-gateway
      namespace: default
  hostnames:
    - "demo.example.com"
  rules:
    - matches:
        - headers:
            - name: version # the header match goes here: version=v2
              value: v2
      backendRefs:
        - name: app-v2
          port: 80
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: app-v1
          port: 80
# Default request goes to v1
curl -H "Host: demo.example.com" http://$GATEWAY_IP/
# Request with the header goes to v2
curl -H "Host: demo.example.com" -H "version: v2" http://$GATEWAY_IP/
Another header-routing example
https://oneuptime.com/blog/post/2026-02-09-httproute-traffic-routing/view
# httproute-headers.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: header-routing
  namespace: default
spec:
  parentRefs:
    - name: http-gateway
  hostnames:
    - "example.com"
  rules:
    # Route mobile users to mobile backend
    - matches:
        - headers:
            - name: User-Agent
              type: RegularExpression
              value: ".*(Mobile|Android|iPhone).*"
      backendRefs:
        - name: mobile-service
          port: 8080
    # Route beta users to canary backend
    - matches:
        - headers:
            - name: X-Beta-User
              type: Exact
              value: "true"
      backendRefs:
        - name: canary-service
          port: 8080
    # Default backend
    - matches:
        - path:
            type: PathPrefix
            value: "/"
      backendRefs:
        - name: stable-service
          port: 8080
Example 6: Header modify
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: header-manipulation-route
  namespace: app-space # the namespace holding your application
spec:
  parentRefs:
    - name: shared-gateway
      namespace: nginx-gateway
  hostnames:
    - "yourdomain.com"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api
      # HEADER MANIPULATION IS CONFIGURED HERE
      filters:
        # 1. REQUEST HEADERS (client -> backend)
        - type: RequestHeaderModifier
          requestHeaderModifier:
            # Set a header (an existing value is overwritten)
            set:
              - name: X-Environment-Type
                value: "Production"
            # Append a value to a header, keeping any existing values
            add:
              - name: X-Forwarded-For-Custom
                value: "nginx-fabric-gateway"
            # Strip sensitive headers before the request reaches the backend
            remove:
              - "X-Internal-Secret"
              - "Authorization-Debug"
        # 2. RESPONSE HEADERS (backend -> client)
        - type: ResponseHeaderModifier
          responseHeaderModifier:
            # Add standard security headers for the client
            set:
              - name: Strict-Transport-Security
                value: "max-age=31536000; includeSubDomains"
              - name: X-Frame-Options
                value: "DENY"
            # Add a system identification header
            add:
              - name: Server-Trace
                value: "gateway-node-01"
            # Hide headers that leak backend implementation details
            remove:
              - "X-Powered-By"
              - "X-AspNet-Version"
      backendRefs:
        - name: backend-api-service
          port: 80
Example 2: Path route
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: demo-route-paths
  namespace: demo-apps
spec:
  parentRefs:
    - name: example-gateway
      namespace: default
  hostnames:
    - "demo.example.com"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /v1
      backendRefs:
        - name: app-v1
          port: 80
    - matches:
        - path:
            type: PathPrefix
            value: /v2
      backendRefs:
        - name: app-v2
          port: 80
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: app-v1
          port: 80
Example 8: TLS route
https://oneuptime.com/blog/post/2026-02-09-tlsroute-passthrough/view
Example 9: Query Parameter Routing
# httproute-query-params.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: query-routing
  namespace: default
spec:
  parentRefs:
    - name: http-gateway
  hostnames:
    - "example.com"
  rules:
    # Route debug requests to debug backend
    - matches:
        - queryParams:
            - name: debug
              type: Exact
              value: "true"
      backendRefs:
        - name: debug-service
          port: 8080
    # Route specific API versions
    - matches:
        - queryParams:
            - name: api_version
              type: Exact
              value: "2.0"
      backendRefs:
        - name: api-v2-service
          port: 8080
    # Default routing
    - backendRefs:
        - name: api-v1-service
          port: 8080
Example 10: URL rewrite
# httproute-url-rewrite.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: url-rewrite
  namespace: default
spec:
  parentRefs:
    - name: http-gateway
  hostnames:
    - "example.com"
  rules:
    # Rewrite /v1/api/* to /api/*
    - matches:
        - path:
            type: PathPrefix
            value: "/v1/api"
      filters:
        - type: URLRewrite
          urlRewrite:
            path:
              type: ReplacePrefixMatch
              replacePrefixMatch: "/api"
      backendRefs:
        - name: api-service
          port: 8080
    # Rewrite /old-path to /new-path
    - matches:
        - path:
            type: PathPrefix
            value: "/old-path"
      filters:
        - type: URLRewrite
          urlRewrite:
            path:
              type: ReplaceFullPath
              replaceFullPath: "/new-path"
      backendRefs:
        - name: new-service
          port: 8080
Example 11: Mirror request
# httproute-mirroring.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: traffic-mirroring
  namespace: default
spec:
  parentRefs:
    - name: http-gateway
  hostnames:
    - "example.com"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: "/api"
      filters:
        # Mirror a copy of each request to the test backend (its response is discarded)
        - type: RequestMirror
          requestMirror:
            backendRef:
              name: test-service
              port: 8080
      backendRefs:
        # Primary backend
        - name: production-service
          port: 8080
Example 12: Cross-namespace services
Scenario: /aaa goes to a service in namespace1, and /bbb goes to a service in namespace2.
# httproute-cross-namespace.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: cross-namespace-route
  namespace: frontend-namespace
spec:
  parentRefs:
    - name: shared-gateway
      namespace: gateway-namespace
  hostnames:
    - "example.com"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: "/api"
      backendRefs:
        - name: api-service
          namespace: backend-namespace
          port: 8080
---
# ReferenceGrant allowing the cross-namespace reference
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: allow-frontend-to-backend
  namespace: backend-namespace
spec:
  from:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      namespace: frontend-namespace
  to:
    - group: ""
      kind: Service
      name: api-service
Example 13: Cross-namespace secret
# Certificate in the certs namespace
apiVersion: v1
kind: Secret
metadata:
  name: shared-tls-cert
  namespace: certs
type: kubernetes.io/tls
data:
  tls.crt: <base64-cert>
  tls.key: <base64-key>
---
# Grant access from the infrastructure namespace
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: allow-gateway-to-certs
  namespace: certs
spec:
  from:
    - group: gateway.networking.k8s.io
      kind: Gateway
      namespace: infrastructure
  to:
    - group: ""
      kind: Secret
      name: shared-tls-cert
---
# Gateway in the infrastructure namespace
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: cross-ns-gateway
  namespace: infrastructure
spec:
  gatewayClassName: kong
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: shared-tls-cert
            namespace: certs # cross-namespace reference
      allowedRoutes:
        namespaces:
          from: All
Example 14: Cross-namespace gateway
# Gateway in the shared infrastructure namespace
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shared-gateway
  namespace: gateway-system
spec:
  gatewayClassName: istio
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: All # cross-namespace route attachment is decided here, not by a ReferenceGrant
    - name: https
      protocol: HTTPS
      port: 443
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: default-tls
            namespace: certificates # needs a ReferenceGrant in the certificates namespace (see Example 13)
      allowedRoutes:
        namespaces:
          from: All
---
# Allow tenant-a to use the gateway (not needed for parentRefs; the listener's allowedRoutes governs attachment)
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: allow-tenant-a
  namespace: gateway-system
spec:
  from:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      namespace: tenant-a
  to:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: shared-gateway
---
# Tenant-a HTTPRoute
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: tenant-a-route
  namespace: tenant-a
spec:
  parentRefs:
    - kind: Gateway
      name: shared-gateway
      namespace: gateway-system # cross-namespace reference
  hostnames:
    - "app.tenant-a.example.com"
  rules:
    - backendRefs:
        - kind: Service
          name: app-service
          port: 80
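The three cross-namespace patterns in Examples 12, 13 and 14 are governed by two different mechanisms, and the manifests alone do not make that obvious: a backendRef to a Service or a certificateRef to a Secret in another namespace needs a ReferenceGrant in the target namespace, while a route attaching to a Gateway in another namespace needs the listener's allowedRoutes.namespaces to admit it (a ReferenceGrant pointing at a Gateway, as in Example 14, does not do that). The checker below is an added example written for this page, not part of the original notes or of the Gateway API project. It takes manifests as plain dicts (the shape of kubectl get -o json), implements only the All and Same policies, and its sample data is constructed from Example 12 (plus a Gateway the page omits) and Example 14 as written.

```python
"""Check cross-namespace references in Gateway API manifests (added example).

Rules implemented (Gateway API v1 semantics):
  * HTTPRoute.backendRefs into another namespace need a ReferenceGrant in the
    backend's namespace (from: HTTPRoute, to: Service).
  * Gateway certificateRefs into another namespace need a ReferenceGrant in the
    Secret's namespace (from: Gateway, to: Secret).
  * HTTPRoute.parentRefs across namespaces are NOT governed by ReferenceGrant:
    the listener's allowedRoutes.namespaces (default Same) decides.
"""
import copy

GW_GROUP = "gateway.networking.k8s.io"

def _kind(manifests, kind):
    return [m for m in manifests if m["kind"] == kind]

def _ns(m):
    return m["metadata"].get("namespace", "default")

def grant_allows(manifests, from_kind, from_ns, to_kind, to_name, to_ns):
    """True if a ReferenceGrant in to_ns admits from_kind in from_ns -> to_kind/to_name."""
    for g in _kind(manifests, "ReferenceGrant"):
        if _ns(g) != to_ns:
            continue
        from_ok = any(f.get("group") == GW_GROUP and f["kind"] == from_kind and f["namespace"] == from_ns
                      for f in g["spec"]["from"])
        # Service and Secret are core (group ""); a `to` entry without a name covers every object of that kind
        to_ok = any(t.get("group", "") == "" and t["kind"] == to_kind and t.get("name", to_name) == to_name
                    for t in g["spec"]["to"])
        if from_ok and to_ok:
            return True
    return False

def listener_admits(gateway, route_ns, section_name=None):
    """Does any listener (or the one named by sectionName) accept routes from route_ns?"""
    for lst in gateway["spec"]["listeners"]:
        if section_name and lst["name"] != section_name:
            continue
        src = lst.get("allowedRoutes", {}).get("namespaces", {}).get("from", "Same")
        if src == "All" or (src == "Same" and route_ns == _ns(gateway)):
            return True
        # "Selector" would need namespace labels, which this checker does not load (treated as denied)
    return False

def check(manifests):
    """Return human-readable problems; an empty list means every reference is admitted."""
    problems = []
    gateways = {(_ns(g), g["metadata"]["name"]): g for g in _kind(manifests, "Gateway")}
    for r in _kind(manifests, "HTTPRoute"):
        ns, name = _ns(r), r["metadata"]["name"]
        for p in r["spec"].get("parentRefs", []):
            pns = p.get("namespace", ns)
            gw = gateways.get((pns, p["name"]))
            if gw is None:
                problems.append(f"HTTPRoute {ns}/{name}: parent Gateway {pns}/{p['name']} not found")
            elif not listener_admits(gw, ns, p.get("sectionName")):
                problems.append(f"HTTPRoute {ns}/{name}: Gateway {pns}/{p['name']} admits no route from namespace "
                                f"{ns}; set allowedRoutes.namespaces on the listener (a ReferenceGrant does not help)")
        for rule in r["spec"].get("rules", []):
            for b in rule.get("backendRefs", []):
                bns = b.get("namespace", ns)
                if bns != ns and not grant_allows(manifests, "HTTPRoute", ns, b.get("kind", "Service"), b["name"], bns):
                    problems.append(f"HTTPRoute {ns}/{name}: backendRef {bns}/{b['name']} needs a ReferenceGrant in {bns}")
    for g in _kind(manifests, "Gateway"):
        gns, gname = _ns(g), g["metadata"]["name"]
        for lst in g["spec"]["listeners"]:
            for c in lst.get("tls", {}).get("certificateRefs", []):
                cns = c.get("namespace", gns)
                if cns != gns and not grant_allows(manifests, "Gateway", gns, c.get("kind", "Secret"), c["name"], cns):
                    problems.append(f"Gateway {gns}/{gname}: certificateRef {cns}/{c['name']} needs a ReferenceGrant in {cns}")
    return problems

# Constructed sample: the page's Example 12 (plus a Gateway the page omits) and Example 14 as written
MANIFESTS = [
    {"kind": "Gateway", "metadata": {"name": "shared-gateway", "namespace": "gateway-namespace"},
     "spec": {"listeners": [{"name": "http", "allowedRoutes": {"namespaces": {"from": "All"}}}]}},
    {"kind": "HTTPRoute", "metadata": {"name": "cross-namespace-route", "namespace": "frontend-namespace"},
     "spec": {"parentRefs": [{"name": "shared-gateway", "namespace": "gateway-namespace"}],
              "rules": [{"backendRefs": [{"name": "api-service", "namespace": "backend-namespace", "port": 8080}]}]}},
    {"kind": "ReferenceGrant", "metadata": {"name": "allow-frontend-to-backend", "namespace": "backend-namespace"},
     "spec": {"from": [{"group": GW_GROUP, "kind": "HTTPRoute", "namespace": "frontend-namespace"}],
              "to": [{"group": "", "kind": "Service", "name": "api-service"}]}},
    {"kind": "Gateway", "metadata": {"name": "shared-gateway", "namespace": "gateway-system"},
     "spec": {"listeners": [{"name": "http"}, {"name": "https", "tls": {"certificateRefs": [
         {"kind": "Secret", "name": "default-tls", "namespace": "certificates"}]}}]}},
    {"kind": "ReferenceGrant", "metadata": {"name": "allow-tenant-a", "namespace": "gateway-system"},
     "spec": {"from": [{"group": GW_GROUP, "kind": "HTTPRoute", "namespace": "tenant-a"}],
              "to": [{"group": GW_GROUP, "kind": "Gateway", "name": "shared-gateway"}]}},
    {"kind": "HTTPRoute", "metadata": {"name": "tenant-a-route", "namespace": "tenant-a"},
     "spec": {"parentRefs": [{"kind": "Gateway", "name": "shared-gateway", "namespace": "gateway-system"}],
              "rules": [{"backendRefs": [{"kind": "Service", "name": "app-service", "port": 80}]}]}},
]

def fixed_manifests():
    """What Example 14 needs to work: open the listeners to other namespaces and grant the Secret."""
    fixed = copy.deepcopy(MANIFESTS)
    for lst in fixed[3]["spec"]["listeners"]:
        lst["allowedRoutes"] = {"namespaces": {"from": "All"}}
    fixed.append({"kind": "ReferenceGrant", "metadata": {"name": "allow-gateway-to-certs", "namespace": "certificates"},
                  "spec": {"from": [{"group": GW_GROUP, "kind": "Gateway", "namespace": "gateway-system"}],
                           "to": [{"group": "", "kind": "Secret", "name": "default-tls"}]}})
    return fixed

if __name__ == "__main__":
    for line in check(MANIFESTS) or ["no problems found"]:
        print(line)
```

Run as written, the sample reports two problems for Example 14 (the tenant-a route is not admitted by either listener, and the default-tls Secret has no grant) and none for Example 12; fixed_manifests() shows the two changes that make both references valid.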
Example 14: Increase timeout
All Gateway API timeout options: https://oneuptime.com/blog/post/2026-02-09-httproute-timeout-policies/view#graceful-timeout-handling
# httproute-timeouts.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: timeout-configuration
  namespace: default
spec:
  parentRefs:
    - name: http-gateway
  hostnames:
    - "example.com"
  rules:
    # Fast endpoints with a short timeout
    - matches:
        - path:
            type: PathPrefix
            value: "/health"
      timeouts:
        request: "5s"
        backendRequest: "3s"
      backendRefs:
        - name: health-service
          port: 8080
    # Slow endpoints with a longer timeout
    - matches:
        - path:
            type: PathPrefix
            value: "/reports"
      timeouts:
        request: "60s"
        backendRequest: "55s"
      backendRefs:
        - name: report-service
          port: 8080
Example 15: Redirect
# httproute-redirect.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: redirect-example
  namespace: production
spec:
  parentRefs:
    - name: main-gateway
      namespace: gateway-system
  hostnames:
    - old.example.com
  rules:
    # Redirect to the new domain (a rule without matches applies to every path)
    - filters:
        - type: RequestRedirect
          requestRedirect:
            hostname: new.example.com
            statusCode: 301
    # Redirect HTTP to HTTPS
    # Same precedence as the rule above (both match every path), so the first rule wins and this one is never used
    - matches:
        - path:
            type: PathPrefix
            value: /
      filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301
Example 16: TLS Passthrough
https://oneuptime.com/blog/post/2026-02-09-gateway-api-tlsroute-passthrough-tls/view
# passthrough-gateway.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: passthrough-gateway
spec:
  gatewayClassName: kong
  listeners:
    - name: tls-passthrough
      protocol: TLS
      port: 443
      tls:
        mode: Passthrough # no termination, the encrypted stream is forwarded as-is
      allowedRoutes:
        kinds:
          - kind: TLSRoute
        namespaces:
          from: All
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: passthrough-route
spec:
  parentRefs:
    - name: passthrough-gateway
  hostnames:
    - "secure.example.com"
  rules:
    - backendRefs:
        - name: secure-backend
          port: 443
Example 17: Auto renew with cert-manager
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: my-gateway
  namespace: default
  annotations:
    # 1. The ClusterIssuer that issues the certificate
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    # 2. Optional: certificate lifetime and automatic renewal
    cert-manager.io/duration: "2160h" # 90 days
    cert-manager.io/renew-before: "360h" # renew automatically 15 days before expiry
spec:
  gatewayClassName: eg # set to your GatewayClass (Envoy, Istio, Nginx, ...)
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "example.com"
      tls:
        mode: Terminate # must be Terminate for cert-manager to work
        certificateRefs:
          - name: my-app-tls # cert-manager creates this Secret automatically
Example 18: Multi condition
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: complex-matching
spec:
  parentRefs:
    - name: production-gateway
  hostnames:
    - "api.example.com"
  rules:
    # A match requires ALL of its conditions to be true
    - matches:
        - path:
            type: PathPrefix
            value: /api
          headers:
            - type: Exact
              name: X-API-Key
              value: secret-key # plain text in the manifest: this is routing, not authentication
          queryParams:
            - type: Exact
              name: format
              value: json
      backendRefs:
        - name: authenticated-api
          port: 8080
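Examples 5, 7 (path route), 9 and 18 all rely on the same matching rules, and the manifests alone do not show what happens when more than one rule matches a request. The script below is an added example, not code from the page or from any Gateway API implementation. It simulates HTTPRouteMatch evaluation (AND inside one match entry, OR across entries, PathPrefix on path-segment boundaries, case-insensitive header names) and the precedence order the spec defines for competing rules. The route is constructed from the page's Example 5, Example 9 and Example 18 rules plus the User-Agent rule from the header-routing example; the regular-expression dialect is assumed to be a full match.

```python
"""Simulate HTTPRoute rule selection (Gateway API v1 HTTPRouteMatch semantics); added example.

Inside one `matches` entry every condition must hold (AND); a rule matches if any
of its entries does (OR). When several rules match, the winner is chosen by:
Exact path, then longest PathPrefix, then method, then most header matches,
then most query-parameter matches, then the earlier rule in the list.
"""
import re

ROOT = {"type": "PathPrefix", "value": "/"}  # what a rule without `matches` means

def path_matches(m, path):
    value = m["value"]
    if m.get("type", "PathPrefix") == "Exact":
        return path == value
    # PathPrefix matches whole path segments: /api covers /api and /api/v1, not /apix
    value = value.rstrip("/")
    return value == "" or path == value or path.startswith(value + "/")

def value_matches(m, actual):
    if actual is None:
        return False
    if m.get("type", "Exact") == "Exact":
        return actual == m["value"]
    # RegularExpression dialect is implementation-specific; full-match is assumed here
    return re.fullmatch(m["value"], actual) is not None

def entry_matches(entry, req):
    # header names are case-insensitive, query parameter names are not
    headers = {k.lower(): v for k, v in req["headers"].items()}
    return (path_matches(entry.get("path", ROOT), req["path"])
            and entry.get("method", req["method"]) == req["method"]
            and all(value_matches(h, headers.get(h["name"].lower())) for h in entry.get("headers", []))
            and all(value_matches(q, req["query"].get(q["name"])) for q in entry.get("queryParams", [])))

def precedence(entry, rule_index):
    p = entry.get("path", ROOT)
    return (p.get("type", "PathPrefix") == "Exact", len(p["value"]), "method" in entry,
            len(entry.get("headers", [])), len(entry.get("queryParams", [])), -rule_index)

def select_rule(route, req):
    """Return (rule index, backend names) of the winning rule, or None if nothing matches."""
    best = None
    for i, rule in enumerate(route["spec"]["rules"]):
        for entry in rule.get("matches", [{"path": ROOT}]):
            if entry_matches(entry, req):
                key = precedence(entry, i)
                if best is None or key > best[0]:
                    best = (key, i)
    if best is None:
        return None
    i = best[1]
    return i, [b["name"] for b in route["spec"]["rules"][i]["backendRefs"]]

def request(path, method="GET", headers=None, query=None):
    return {"path": path, "method": method, "headers": headers or {}, "query": query or {}}

# Constructed route mixing the page's Example 5, Example 9, Example 18 and User-Agent rules
ROUTE = {"spec": {"rules": [
    {"matches": [{"path": {"type": "PathPrefix", "value": "/api"},
                  "headers": [{"type": "Exact", "name": "X-API-Key", "value": "secret-key"}],
                  "queryParams": [{"type": "Exact", "name": "format", "value": "json"}]}],
     "backendRefs": [{"name": "authenticated-api", "port": 8080}]},
    {"matches": [{"headers": [{"name": "version", "value": "v2"}]}],
     "backendRefs": [{"name": "app-v2", "port": 80}]},
    {"matches": [{"headers": [{"name": "User-Agent", "type": "RegularExpression",
                               "value": ".*(Mobile|Android|iPhone).*"}]}],
     "backendRefs": [{"name": "mobile-service", "port": 8080}]},
    {"matches": [{"path": {"type": "PathPrefix", "value": "/api"}}],
     "backendRefs": [{"name": "api-v1-service", "port": 8080}]},
    {"backendRefs": [{"name": "app-v1", "port": 80}]},
]}}

if __name__ == "__main__":
    for req in [request("/api", headers={"x-api-key": "secret-key"}, query={"format": "json"}),
                request("/api", headers={"version": "v2"}),
                request("/", headers={"version": "v2"}),
                request("/apix")]:
        print(req["path"], req["headers"], req["query"], "->", select_rule(ROUTE, req))
```

The second request is the instructive one: /api with version: v2 goes to api-v1-service, not app-v2, because a longer PathPrefix outranks a header match regardless of rule order. The last shows that /apix does not fall under the /api prefix and reaches the default backend.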
Example 18: TCP/UDP Route
https://oneuptime.com/blog/post/2026-02-09-gateway-api-tcproute-udproute-layer4/view
Example 19: ReferenceGrant
https://oneuptime.com/blog/post/2026-02-09-gateway-api-referencegrant-cross-namespace/view
https://oneuptime.com/blog/post/2026-02-09-cross-namespace-referencegrant/view#multi-tenant-gateway-architecture
Example 20: TLS advanced - security
https://oneuptime.com/blog/post/2026-02-09-gateway-tls-certificate-refs/view#security-best-practices
# secure-headers-route.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: secure-headers
spec:
  parentRefs:
    - name: tls-gateway
  rules:
    - filters:
        - type: ResponseHeaderModifier
          responseHeaderModifier:
            add:
              - name: Strict-Transport-Security
                value: "max-age=31536000; includeSubDomains"
              - name: X-Content-Type-Options
                value: "nosniff"
              - name: X-Frame-Options
                value: "DENY"
      backendRefs:
        - name: app-service
          port: 8080
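Example 6 writes its security headers with `set`, while the route above uses `add`; the difference matters when the backend already sends its own value for the same header. The simulation below is an added example, not code from the page or from any gateway implementation. It applies an HTTPHeaderFilter (set, add, remove) to a constructed client request and a constructed backend response and returns what the other side would receive; the order in which the three actions are applied is an assumption (the samples never name one header in two actions, so it does not affect them).

```python
"""Apply a Gateway API HTTPHeaderFilter (set / add / remove) to a header map; added example.

`set` replaces every existing value of the header, `add` appends one more value and
keeps what was already there, `remove` drops the header. The order set -> add -> remove
below is an assumption; the spec does not pin it down and the samples never overlap.
"""

def apply_header_filter(headers, modifier):
    """headers: {name: [values]}; returns a new lower-cased map with the filter applied."""
    out = {k.lower(): list(v) for k, v in headers.items()}
    for h in modifier.get("set", []):
        out[h["name"].lower()] = [h["value"]]
    for h in modifier.get("add", []):
        out.setdefault(h["name"].lower(), []).append(h["value"])
    for name in modifier.get("remove", []):
        out.pop(name.lower(), None)
    return out

# Filters copied from the page's Example 6 (request and response) and Example 20 (response)
EXAMPLE6_REQUEST = {
    "set": [{"name": "X-Environment-Type", "value": "Production"}],
    "add": [{"name": "X-Forwarded-For-Custom", "value": "nginx-fabric-gateway"}],
    "remove": ["X-Internal-Secret", "Authorization-Debug"],
}
EXAMPLE6_RESPONSE = {
    "set": [{"name": "Strict-Transport-Security", "value": "max-age=31536000; includeSubDomains"},
            {"name": "X-Frame-Options", "value": "DENY"}],
    "add": [{"name": "Server-Trace", "value": "gateway-node-01"}],
    "remove": ["X-Powered-By", "X-AspNet-Version"],
}
EXAMPLE20_RESPONSE = {
    "add": [{"name": "Strict-Transport-Security", "value": "max-age=31536000; includeSubDomains"},
            {"name": "X-Content-Type-Options", "value": "nosniff"},
            {"name": "X-Frame-Options", "value": "DENY"}],
}

# Constructed sample traffic: a client request carrying headers the backend must never see,
# and a backend response that already sets a weaker X-Frame-Options of its own
CLIENT_REQUEST = {"Host": ["yourdomain.com"], "X-Environment-Type": ["staging"],
                  "X-Internal-Secret": ["hunter2"], "Authorization-Debug": ["1"]}
BACKEND_RESPONSE = {"Content-Type": ["text/html"], "X-Powered-By": ["Express"],
                    "X-Frame-Options": ["SAMEORIGIN"]}

def to_backend():
    """What the backend receives after the Example 6 request filter."""
    return apply_header_filter(CLIENT_REQUEST, EXAMPLE6_REQUEST)

def to_client_with_set():
    """What the client receives after the Example 6 response filter (uses set)."""
    return apply_header_filter(BACKEND_RESPONSE, EXAMPLE6_RESPONSE)

def to_client_with_add():
    """What the client receives after the Example 20 response filter (uses add)."""
    return apply_header_filter(BACKEND_RESPONSE, EXAMPLE20_RESPONSE)

if __name__ == "__main__":
    for title, result in [("request to backend", to_backend()),
                          ("response with set", to_client_with_set()),
                          ("response with add", to_client_with_add())]:
        print(title)
        for name, values in sorted(result.items()):
            print(f"  {name}: {', '.join(values)}")
```

With `add`, the backend's X-Frame-Options: SAMEORIGIN survives next to the gateway's DENY and the client receives both values; with `set` only DENY remains. For headers the gateway is meant to enforce, and for request headers the backend trusts (X-Environment-Type above, which the client tried to supply as "staging"), `set` or `remove` is the action that keeps a client- or backend-supplied value from slipping through.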