Gateway Domain

The Gateway domain configures the API Gateway at runtime. It manages routes, consumers, and their access relationships. While the architecture is designed to be gateway-agnostic, the current implementation uses Kong as the underlying gateway technology.

Custom Resources

Consumer

Consumer is the Schema for the consumers API

Group: gateway.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

ConsumerSpec

Appears in: Consumer

ConsumerSpec defines the desired state of Consumer

| Field | Type | Default | Validation |
|---|---|---|---|
| name | string | | Required |
| realm | ObjectRef | | Required |
| security | Security | | Optional |

ObjectRef

Appears in: ConsumerSpec, ConsumeRouteSpec, RealmSpec, RealmStatus, RouteSpec

ObjectRef is a reference to a Kubernetes object. It is similar to types.NamespacedName but carries the JSON tags required for serialization.

| Field | Type | Default | Validation |
|---|---|---|---|
| name | string | | Required |
| namespace | string | | Required |
| uid | string | | Optional |

Security

Appears in: ConsumerSpec

Security defines the security configuration for the Rover. Security is optional, but if provided, exactly one of m2m or h2m must be set.

| Field | Type | Default | Validation |
|---|---|---|---|
| ipRestrictions | IpRestrictions | | Optional |

IpRestrictions

Appears in: Security

| Field | Type | Default | Validation |
|---|---|---|---|
| allow | string[] | | Optional |
| deny | string[] | | Optional |

ConsumerStatus

Appears in: Consumer, ConsumeRoute

ConsumerStatus defines the observed state of Consumer

| Field | Type | Default | Validation |
|---|---|---|---|
| conditions | Condition[] | | Optional |
| properties | map<string, string> | | Optional |

Condition

Appears in: ConsumerStatus, GatewayStatus, RealmStatus, RouteStatus

| Field | Type | Default | Validation |
|---|---|---|---|
| lastTransitionTime | string | | Required, Format: date-time |
| message | string | | Required, maxLength: 32768 |
| observedGeneration | integer | | Optional, Format: int64, minimum: 0 |
| reason | string | | Required, minLength: 1, maxLength: 1024, pattern: `^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` |
| status | string | | Required, Enum: True \| False \| Unknown |
| type | string | | Required, maxLength: 316, pattern: `^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` |

ConsumeRoute

ConsumeRoute is the Schema for the consumeroutes API

Group: gateway.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

ConsumeRouteSpec

Appears in: ConsumeRoute

ConsumeRouteSpec defines the desired state of ConsumeRoute

| Field | Type | Default | Validation |
|---|---|---|---|
| consumerName | string | | Required |
| route | ObjectRef | | Required |
| security | ConsumeRouteSecurity | | Optional |
| traffic | Traffic | | Optional |

ConsumeRouteSecurity

Appears in: ConsumeRouteSpec

| Field | Type | Default | Validation |
|---|---|---|---|
| m2m | M2M | | Optional |

M2M

Appears in: ConsumeRouteSecurity

M2M defines machine-to-machine authentication configuration

| Field | Type | Default | Validation |
|---|---|---|---|
| basic | Basic | | Optional |
| client | Client | | Optional |
| scopes | string[] | | Optional, maxItems: 10 |

Basic

Appears in: M2M, RouteM2M, ExternalIDP

Basic defines basic authentication configuration

| Field | Type | Default | Validation |
|---|---|---|---|
| password | string | | Required, minLength: 1 |
| username | string | | Required, minLength: 1 |

Client

Appears in: M2M, ExternalIDP

Client defines client credentials for OAuth2

| Field | Type | Default | Validation |
|---|---|---|---|
| clientId | string | | Required, minLength: 1 |
| clientKey | string | | Optional |
| clientSecret | string | | Optional |

Traffic

Appears in: ConsumeRouteSpec

| Field | Type | Default | Validation |
|---|---|---|---|
| rateLimit | RateLimit | | Optional |

RateLimit

Appears in: Traffic

RateLimit defines the rate limit configuration for the ConsumeRoute

| Field | Type | Default | Validation |
|---|---|---|---|
| limits | Limits | | Required |

Limits

Appears in: RateLimit, RouteRateLimit

Limits defines the actual rate limit values for different time windows

| Field | Type | Default | Validation |
|---|---|---|---|
| hour | integer | | Optional, minimum: 0 |
| minute | integer | | Optional, minimum: 0 |
| second | integer | | Optional, minimum: 0 |

Gateway

Gateway is the Schema for the gateways API

Group: gateway.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

GatewaySpec

Appears in: Gateway

GatewaySpec defines the desired state of Gateway

| Field | Type | Default | Validation |
|---|---|---|---|
| admin | Admin | | Optional |
| features | string[] | | Optional |
| redis | Redis | | Optional |

Admin

Appears in: GatewaySpec

| Field | Type | Default | Validation |
|---|---|---|---|
| clientId | string | | Required |
| clientSecret | string | | Required |
| issuerUrl | string | | Required |
| url | string | | Required |

Redis

Appears in: GatewaySpec

| Field | Type | Default | Validation |
|---|---|---|---|
| enableTLS | boolean | | Required |
| host | string | | Required |
| password | string | | Required |
| port | integer | | Required |

GatewayStatus

Appears in: Gateway

GatewayStatus defines the observed state of Gateway

| Field | Type | Default | Validation |
|---|---|---|---|
| conditions | Condition[] | | Optional |

Realm

Realm is the Schema for the realms API

Group: gateway.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

RealmSpec

Appears in: Realm

RealmSpec defines the desired state of Realm

| Field | Type | Default | Validation |
|---|---|---|---|
| defaultConsumers | string[] | | Required |
| gateway | ObjectRef | | Optional |
| issuerUrls | string[] | | Required, minItems: 1 |
| urls | string[] | | Required, minItems: 1 |

RealmStatus

Appears in: Realm

RealmStatus defines the observed state of Realm

| Field | Type | Default | Validation |
|---|---|---|---|
| certsRoute | ObjectRef | | Optional |
| certsUrl | string | | Optional |
| conditions | Condition[] | | Optional |
| discoveryRoute | ObjectRef | | Optional |
| discoveryUrl | string | | Optional |
| issuerRoute | ObjectRef | | Optional |
| issuerUrl | string | | Optional |
| virtual | boolean | | Required |

Route

Route is the Schema for the routes API

Group: gateway.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

RouteSpec

Appears in: Route

RouteSpec defines the desired state of Route

| Field | Type | Default | Validation |
|---|---|---|---|
| buffering | Buffering | | Optional |
| downstreams | Downstream[] | | Required, minItems: 1 |
| passThrough | boolean | false | Required |
| realm | ObjectRef | | Required |
| security | RouteSecurity | | Optional |
| traffic | RouteTraffic | | Required |
| transformation | Transformation | | Optional |
| upstreams | Upstream[] | | Required, minItems: 1 |

Buffering

Appears in: RouteSpec

Buffering configures Kong request/response body buffering for this route

| Field | Type | Default | Validation |
|---|---|---|---|
| disableRequestBuffering | boolean | false | Optional |
| disableResponseBuffering | boolean | false | Optional |

Downstream

Appears in: RouteSpec

| Field | Type | Default | Validation |
|---|---|---|---|
| host | string | | Required |
| issuerUrl | string | | Optional |
| path | string | | Required |
| port | integer | | Required |

RouteSecurity

Appears in: RouteSpec, Failover

RouteSecurity is the security configuration for the route

| Field | Type | Default | Validation |
|---|---|---|---|
| defaultConsumers | string[] | | Optional |
| disableAccessControl | boolean | false | Optional |
| m2m | RouteM2M | | Optional |

RouteM2M

Appears in: RouteSecurity

RouteM2M defines the machine-to-machine authentication configuration for the route

| Field | Type | Default | Validation |
|---|---|---|---|
| basic | Basic | | Optional |
| externalIDP | ExternalIDP | | Optional |
| scopes | string[] | | Optional, maxItems: 10 |

ExternalIDP

Appears in: RouteM2M

ExternalIDP defines external identity provider configuration

| Field | Type | Default | Validation |
|---|---|---|---|
| basic | Basic | | Optional |
| client | Client | | Optional |
| grantType | string | | Optional, Enum: client_credentials \| authorization_code \| password |
| tokenEndpoint | string | | Required, Format: uri |
| tokenRequest | string | | Optional, Enum: body \| header |

RouteTraffic

Appears in: RouteSpec

| Field | Type | Default | Validation |
|---|---|---|---|
| circuitBreaker | CircuitBreaker | | Optional |
| dynamicUpstream | DynamicUpstream | | Optional |
| failover | Failover | | Optional |
| rateLimit | RouteRateLimit | | Optional |

CircuitBreaker

Appears in: RouteTraffic

| Field | Type | Default | Validation |
|---|---|---|---|
| enabled | boolean | | Optional |

DynamicUpstream

Appears in: RouteTraffic

DynamicUpstream configures runtime upstream URL resolution. When set, the gateway resolves the actual upstream target from a request query parameter instead of using the static upstream.

| Field | Type | Default | Validation |
|---|---|---|---|
| queryParameter | string | | Required, minLength: 1, pattern: `^[a-zA-Z0-9_-]+$` |

Failover

Appears in: RouteTraffic

| Field | Type | Default | Validation |
|---|---|---|---|
| security | RouteSecurity | | Optional |
| targetZoneName | string | | Required |
| upstreams | Upstream[] | | Required |

Upstream

Appears in: Failover, RouteSpec

| Field | Type | Default | Validation |
|---|---|---|---|
| clientId | string | | Optional |
| clientSecret | string | | Optional |
| host | string | | Required |
| issuerUrl | string | | Optional |
| path | string | | Required |
| port | integer | | Required |
| scheme | string | | Required |
| weight | integer | | Optional |

RouteRateLimit

Appears in: RouteTraffic

RouteRateLimit defines the rate limits for different time windows

| Field | Type | Default | Validation |
|---|---|---|---|
| limits | Limits | | Required |
| options | Options | | Optional |

Options

Appears in: RouteRateLimit

Options defines additional configuration options for rate limiting

| Field | Type | Default | Validation |
|---|---|---|---|
| faultTolerant | boolean | true | Optional |
| hideClientHeaders | boolean | false | Optional |

Transformation

Appears in: RouteSpec

Transformation defines optional request/response transformations for this API

| Field | Type | Default | Validation |
|---|---|---|---|
| request | Request | | Optional |

Request

Appears in: Transformation

Request defines transformations applied to incoming API requests

| Field | Type | Default | Validation |
|---|---|---|---|
| headers | Headers | | Optional |

Headers

Appears in: Request

Headers defines HTTP header modifications for requests

| Field | Type | Default | Validation |
|---|---|---|---|
| add | string[] | | Optional, minItems: 1, maxItems: 5 |
| remove | string[] | | Optional, minItems: 1, maxItems: 5 |

RouteStatus

Appears in: Route

RouteStatus defines the observed state of Route

| Field | Type | Default | Validation |
|---|---|---|---|
| conditions | Condition[] | | Optional |
| consumers | string[] | | Optional |
| properties | map<string, string> | | Optional |
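To show how the Route fields above and the ConsumeRoute fields earlier on this page fit together, here is an added pair of manifests (example content written for this page, not taken from the operator's own documentation). Every name, host, URL and secret is a placeholder, and the Realm and Consumer they reference are assumed to exist already.

```yaml
# Added example, not from the operator's docs: all names, hosts, URLs and
# secrets are placeholders; the Realm and Consumer are assumed to exist.
apiVersion: gateway.cp.ei.telekom.de/v1
kind: Route
metadata:
  name: orders-v1
  namespace: team-shop
spec:
  realm:                      # ObjectRef to the Realm (required)
    name: default-realm
    namespace: gateway-system
  downstreams:                # Downstream[] (required, minItems: 1)
    - host: api.example.test
      port: 443
      path: /shop/orders/v1
  upstreams:                  # Upstream[] (required, minItems: 1)
    - scheme: https
      host: orders.team-shop.svc.cluster.local
      port: 8443
      path: /v1
  security:
    disableAccessControl: false   # default; consumer-based access control stays on
    m2m:
      scopes: ["orders:read"]     # maxItems: 10
      externalIDP:
        tokenEndpoint: https://idp.example.test/oauth2/token   # Format: uri
        grantType: client_credentials                         # enum value
        tokenRequest: body                                    # enum value
        client:
          clientId: orders-gateway
          clientSecret: <placeholder-secret>
  traffic:                    # RouteTraffic (required)
    rateLimit:
      limits: { second: 50, minute: 1000, hour: 20000 }   # each minimum: 0
      options: { faultTolerant: true, hideClientHeaders: false }
---
apiVersion: gateway.cp.ei.telekom.de/v1
kind: ConsumeRoute
metadata:
  name: checkout-consumes-orders
  namespace: team-shop
spec:
  consumerName: checkout-app   # name of an existing Consumer
  route:                       # ObjectRef to the Route above
    name: orders-v1
    namespace: team-shop
  traffic:
    rateLimit:
      limits: { minute: 200 }  # rate limit for this ConsumeRoute
```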

Feature Architecture

The Gateway operator uses a plugin-based feature system for configuring route behavior:

| Feature | Description |
|---|---|
| PassThrough | Basic request forwarding. |
| AccessControl | Consumer-based access control. |
| RateLimit | Request rate limiting via Redis. |
| ExternalIDP | External identity provider authentication. |
| CustomScopes | Fine-grained OAuth2 scope enforcement. |
| LastMileSecurity | End-to-end security in cross-mesh scenarios. |

Domain Interactions

  • Admin domain — Zones define which gateway instance to use.
  • API domain — Creates Routes for exposed APIs and ConsumeRoutes for subscriptions.
  • Application domain — Creates Consumers for applications.
  • Organization domain — Creates Consumers for teams.
  • Event domain — Creates Routes for event publishing and SSE delivery.
  • Rover domain — Configures rate limiting and load balancing via traffic management settings.