Envoy Gateway

Overview of the Envoy Gateway ingress in Elastx Kubernetes CaaS

This section introduces Envoy Gateway as the ingress controller in our Elastx Kubernetes CaaS service. We manage and upgrade the controller, the Gateway API CRDs and the cluster-scoped GatewayClass named eg. You create the Gateway API objects that describe your own traffic in your own namespaces.

There are companion guides for the two ways traffic typically reaches the cluster. Pick the one that matches your setup; both are linked at the end of this page.

What you create

In your own namespaces:

  • Gateway — listeners, ports, protocols, TLS.
  • HTTPRoute, TCPRoute, GRPCRoute, TLSRoute — routing rules.
  • ClientTrafficPolicy — controls PROXY-protocol handling, TLS parameters, timeouts. Must live in the same namespace as your Gateway.
  • BackendTrafficPolicy — retries, circuit breaking.
  • SecurityPolicy — JWT, OIDC, CORS.
  • BackendTLSPolicy — mTLS toward your backends.
  • TLS Certificate / Issuer (cert-manager) — typically one per namespace.

You reference the cluster GatewayClass by its name eg from your Gateway. You do not need to create or modify any cluster-scoped resources.

Which variant fits your setup?

The OpenStack load balancer in front of Envoy runs in TCP mode in both cases. The variants differ in how the real client IP arrives at Envoy, and your ClientTrafficPolicy has to match.

  • Direct (PROXY-protocol) mode — clients connect straight to the load balancer. The load balancer is configured with PROXY protocol v2 and prepends a PROXY header carrying the real client IP. Your ClientTrafficPolicy must enable proxy-protocol parsing. See Direct (PROXY-protocol) mode.
  • Proxy (X-Forwarded-For) mode — you put your own upstream proxy (CDN, WAF, edge proxy) in front of the load balancer. That upstream injects the real client IP into X-Forwarded-For; the load balancer passes the request through unchanged. Your ClientTrafficPolicy must trust that header with the right hop count. See Proxy (X-Forwarded-For) mode.
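The following manifests are an added example, not part of the Elastx documentation or of either walkthrough. They show the namespace-scoped objects described above: a Gateway that references the cluster GatewayClass eg, an HTTPRoute, and the two ClientTrafficPolicy variants that correspond to the two modes. Apply only the policy that matches your load balancer configuration. The namespace myapp, the hostname app.example.com, the backend Service myapp on port 8080 and the TLS Secret app-example-com-tls are placeholders. The security-relevant detail is in the policies: in Direct mode Envoy takes the client IP from the PROXY v2 header the load balancer prepends, so proxy-protocol parsing must be on; in Proxy mode the load balancer passes bytes through unchanged, so the only thing standing between a client-supplied X-Forwarded-For header and your access logs and IP-based policies is numTrustedHops, which must count exactly the proxies you control in front of the load balancer.

```yaml
# Added example, not Elastx's or Envoy Gateway's own manifests.
# Placeholders: namespace "myapp", host "app.example.com",
# Service "myapp:8080", Secret "app-example-com-tls".
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: myapp-gw
  namespace: myapp
spec:
  gatewayClassName: eg            # cluster-scoped class managed by Elastx
  listeners:
    - name: http                  # plain HTTP, e.g. for ACME HTTP-01 or redirects
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: Same
    - name: https
      protocol: HTTPS
      port: 443
      hostname: app.example.com
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: app-example-com-tls   # issued by this namespace's cert-manager Issuer
      allowedRoutes:
        namespaces:
          from: Same
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: myapp
  namespace: myapp
spec:
  parentRefs:
    - name: myapp-gw
      sectionName: https
  hostnames:
    - app.example.com
  rules:
    - backendRefs:
        - name: myapp
          port: 8080
---
# Variant A: Direct (PROXY-protocol) mode.
# The OpenStack load balancer prepends a PROXY v2 header; Envoy must parse it.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: myapp-gw-direct
  namespace: myapp                # must be the Gateway's namespace
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: myapp-gw
  enableProxyProtocol: true       # client IP comes from the PROXY header
---
# Variant B: Proxy (X-Forwarded-For) mode.
# Your own CDN/WAF/edge proxy sets X-Forwarded-For; the load balancer is
# transparent, so do NOT enable proxy protocol here.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: myapp-gw-xff
  namespace: myapp
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: myapp-gw
  clientIPDetection:
    xForwardedFor:
      numTrustedHops: 1           # exactly the number of proxies you control in front of the LB
```

To check which variant is actually in effect, look at the status of the ClientTrafficPolicy (kubectl get clienttrafficpolicy -n myapp -o yaml) and at the Envoy access log for a request whose true source you know: in Direct mode a mismatch typically shows up as connections failing before any HTTP is parsed, while in Proxy mode a too-high numTrustedHops shows up as the logged client IP following whatever the caller put in X-Forwarded-For.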

TLS

Both walkthroughs use a per-namespace cert-manager Issuer. This gives you full self-service for custom domains and supports both HTTP-01 and DNS-01 validation. If you need a guide for installing cert-manager, see Install and upgrade cert-manager.
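As an added example (not from the Elastx walkthroughs or from cert-manager's own documentation), the per-namespace Issuer and a Certificate that produces the TLS Secret a Gateway listener references. It assumes a Gateway named myapp-gw in namespace myapp with an HTTP listener on port 80, the placeholder hostname app.example.com, a placeholder contact address, and cert-manager's Gateway API HTTP-01 solver, which depending on your cert-manager version may require the ExperimentalGatewayAPISupport feature gate; DNS-01 uses the same Issuer shape with a provider-specific dns01 solver instead.

```yaml
# Added example, not Elastx's or cert-manager's own manifests.
# Assumes Gateway "myapp-gw" in namespace "myapp" with an HTTP listener on :80.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
  namespace: myapp                # one Issuer per namespace, fully self-service
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com        # placeholder
    privateKeySecretRef:
      name: letsencrypt-account-key   # ACME account key, created by cert-manager
    solvers:
      - http01:
          gatewayHTTPRoute:       # cert-manager creates a temporary HTTPRoute
            parentRefs:           # for the challenge, attached to this Gateway
              - name: myapp-gw
                namespace: myapp
                kind: Gateway
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-example-com
  namespace: myapp
spec:
  secretName: app-example-com-tls # the Secret the Gateway's HTTPS listener references
  dnsNames:
    - app.example.com
  issuerRef:
    name: letsencrypt
    kind: Issuer                  # namespaced Issuer, not a ClusterIssuer
```

Watch the Certificate's Ready condition (kubectl get certificate -n myapp) before pointing production traffic at the HTTPS listener; until the Secret exists the listener stays in a non-ready state and clients get TLS failures rather than a fallback to plaintext.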

Advanced usage

For more advanced use cases please refer to the documentation provided by each project or contact our support:


Direct (PROXY-protocol) mode

A walkthrough of setting up Envoy Gateway when your cluster’s load balancer uses PROXY protocol v2

Proxy (X-Forwarded-For) mode

A walkthrough of setting up Envoy Gateway when your traffic arrives via an upstream proxy that injects X-Forwarded-For