--- layout: docs page_title: Gateway Resource Configuration description: >- Learn how to configure the `Gateway` resource to define how the Consul API Gateway handles incoming service mesh traffic with this configuration model and reference specifications. --- # Gateway Resource Configuration This topic provides full details about the `Gateway` resource. ## Introduction A `Gateway` is an instance of network infrastructure that determines how service traffic should be handled. A `Gateway` contains one or more [`listeners`](#listeners) that bind to a set of IP addresses. An `HTTPRoute` or `TCPRoute` can then attach to a gateway listener to direct traffic from the gateway to a service. Gateway instances derive their configurations from the [`GatewayClass`](/docs/api-gateway/configuration/gatewayclass) resource, which acts as a template for individual `Gateway` deployments. Refer to [GatewayClass](/docs/api-gateway/configuration/gatewayclass) for additional information. Specify the following parameters to declare a `Gateway`: | Parameter | Description | Required | | :----------- |:---------------------------------------------------------------------------------------------------------------------------------------------------------- |:-------- | | `kind` | Specifies the type of configuration object. The value should always be `Gateway`. | Required | | `description` | Human-readable string that describes the purpose of the `Gateway`. | Optional | | `version ` | Specifies the Kubernetes API version. The value should always be `gateway.networking.k8s.io/v1alpha2` | Required | | `scope` | Specifies the effective scope of the Gateway. The value should always be `namespaced`. | Required | | `fields` | Specifies the configurations for the Gateway. The fields are listed in the [configuration model](#configuration-model). Details for each field are described in the [specification](#specification). | Required | ## Configuration model The following outline shows how to format the configurations in the `Gateway` object. Click on a property name to view details about the configuration. * [`gatewayClassName`](#gatewayclassname): string | required * [`listeners`](#listeners): array of objects | required * [`allowedRoutes`](#listeners-allowedroutes): object | required * [`namespaces`](#listeners-allowedroutes-namespaces): object | required * [`from`](#listeners-namespaces-from): string | required * [`selector`](#listeners-allowedroutes-namespaces-selector): object | required if `from` is configured to `selector` * [`matchExpressions`](#listeners-allowedroutes-namespaces-selector-matchexpressions): array of objects | required if `matchLabels` is not configured * [`key`](#listeners-allowedroutes-namespaces-selector-matchexpressions): string | required if `matchExpressions` is declared * [`operator`](#listeners-allowedroutes-namespaces-selector-matchexpressions): string | required if `matchExpressions` is declared * [`values`](#listeners-allowedroutes-namespaces-selector-matchexpressions): array of strings | required if `matchExpressions` is declared * [`matchLabels`](#listeners-allowedroutes-namespaces-selector-matchlabels): map of strings | required if `matchExpressions` is not configured * [`hostname`](#listeners-hostname): string | required * [`name`](#listeners-name): string | required * [`port`](#listeners-port): integer | required * [`protocol`](#listeners-protocol): string | required * [`tls`](#listeners-tls): object | required if `protocol` is set to `HTTPS` * [`certificateRefs`](#listeners-tls): array or objects | required if `tls` is declared * [`name`](#listeners-tls): string | required if `certificateRefs` is declared * [`namespace`](#listeners-tls): string | required if `certificateRefs` is declared * [`mode`](#listeners-tls): string | required if `certificateRefs` is declared * [`options`](#listeners-tls): map of strings | optional ## Specification This topic provides details about the configuration parameters. ### gatewayClassName Specifies the name of the [`GatewayClass`](/docs/api-gateway/configuration/gatewayclass) resource used for the `Gateway` instance. Unless you are using a custom [GatewayClass](/docs/api-gateway/configuration/gatewayclass), this value should be set to `consul-api-gateway`. * Type: string * Required: required ### listeners Specifies the `listeners` associated with the `Gateway`. At least one `listener` must be specified. Each `listener` within a `Gateway` must have a unique combination of `hostname`, `port`, and `protocol`. * Type: array of objects * Required: required ### listeners.allowedRoutes Specifies a `namespace` object that defines the types of routes that may be attached to a listener. * Type: object * Required: required ### listeners.allowedRoutes.namespaces Determines which routes are allowed to attach to the `listener`. Only routes in the same namespace as the `Gateway` may be attached by default. * Type: string * Required: optional * Default: Same namespace as the parent Gateway ### listeners.allowedRoutes.namespaces.from Determines which namespaces are allowed to attach a route to the `Gateway`. You can specify one of the following strings: * `All`: Routes in all namespaces may be attached to the `Gateway`. * `Same` (default): Only routes in the same namespace as the `Gateway` may be attached. * `Selector`: Only routes in namespaces that match the [`selector`](#listeners-allowedroutes-namespaces-selector) may be attached. This parameter is required. ### listeners.allowedRoutes.namespaces.selector Specifies a method for selecting routes that are allowed to attach to the listener. The `Gateway` checks for namespaces in the network that match either a regular expression or a label. Routes from the matching namespace are allowed to attach to the listener. You can configure one of the following objects: * [`matchExpressions`](#listeners-allowedroutes-namespaces-selector-matchexpressions) * [`matchLabels`](#listeners-allowedroutes-namespaces-selector-matchlabels) This field is required when [`from`](#listeners-allowedroutes-namespaces-from) is configured to `Selector`. ### listeners.allowedRoutes.namespaces.selector.matchExpressions Specifies an array of requirements for matching namespaces. If a match is found, then routes from the matching namespace(s) are allowed to attach to the `Gateway`. The following table describes members of the `matchExpressions` array: | Requirement | Description | Type | Required | |--- |--- |--- |--- | |`key` | Specifies the label that the `key` applies to. | string | required when `matchExpressions` is declared | |`operator` | Specifies the key's relation to a set of values. You can use the following keywords: