Configuration Examples
Both API7 and APISIX Ingress Controller support Ingress resources and Gateway API for traffic management in Kubernetes. While both are supported, the Gateway API provides greater flexibility and extensibility. New users are encouraged to adopt Gateway API for future deployments.
In addition to these standard Kubernetes APIs, the Ingress Controller also supports a set of CRDs (Custom Resource Definitions) designed specifically for APISIX-native functionality.
This document provides examples of common configurations covering how and when to use these resources. You should adjust custom values such as namespaces, route URIs, and credentials to match your environment.
Configure CP Endpoint and Admin Key
To update the Control Plane endpoint and admin key for connectivity between the Ingress Controller and Control Plane at runtime:
apiVersion: apisix.apache.org/v1alpha1
kind: GatewayProxy
metadata:
namespace: aic
name: apisix-config
spec:
provider:
type: ControlPlane
controlPlane:
endpoints:
- http://127.0.0.1:9180
auth:
type: AdminKey
adminKey:
value: replace-with-your-admin-key
Define Controller and Gateway
To specify the controller responsible for handling resources before applying further configurations:
- Gateway API
- Ingress
- APISIX CRD
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
name: apisix
spec:
controllerName: "apisix.apache.org/apisix-ingress-controller"
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
namespace: aic
name: apisix
spec:
gatewayClassName: apisix
listeners:
- name: http
protocol: HTTP
port: 80
infrastructure:
parametersRef:
group: apisix.apache.org
kind: GatewayProxy
name: apisix-config
❶ The controller name should be customized if you are running multiple distinct instances of the Controller in the same cluster (not a single instance with multiple replicas). Each ingress controller instance must use a unique controllerName in its configuration file, and the corresponding GatewayClass should reference that value.
❷ API group of the referenced resource.
❸ Kind of the referenced resource.
❹ Name of the referenced resource. Should match the metadata.name of the GatewayProxy resource.
The port in the Gateway listener is required but ignored. This is due to limitations in the data plane: it cannot dynamically open new ports. Since the Ingress Controller does not manage the data plane deployment, it cannot automatically update the configuration or restart the data plane to apply port changes.
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
name: apisix
spec:
controller: apisix.apache.org/apisix-ingress-controller
parameters:
apiGroup: apisix.apache.org
kind: GatewayProxy
name: apisix-config
namespace: aic
scope: Namespace
❶ The controller name should be customized if you are running multiple distinct instances of the Controller in the same cluster (not a single instance with multiple replicas). Each ingress controller instance must use a unique controllerName in its configuration file, and the corresponding IngressClass should reference that value.
❷ API group of the referenced resource.
❸ Kind of the referenced resource.
❹ Name of the referenced resource. Should match the metadata.name of the GatewayProxy resource.
❺ Namespace where the referenced resource is defined.
❻ Scope of the referenced resource.
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
name: apisix
spec:
controller: apisix.apache.org/apisix-ingress-controller
parameters:
apiGroup: apisix.apache.org
kind: GatewayProxy
name: apisix-config
namespace: aic
scope: Namespace
❶ The controller name should be customized if you are running multiple distinct instances of the Controller in the same cluster (not a single instance with multiple replicas). Each ingress controller instance must use a unique controllerName in its configuration file, and the corresponding IngressClass should reference that value.
❷ API group of the referenced resource.
❸ Kind of the referenced resource.
❹ Name of the referenced resource. Should match the metadata.name of the GatewayProxy resource.
❺ Namespace where the referenced resource is defined.
❻ Scope of the referenced resource.
Route to K8s Services
To create a route that proxies requests to a service on K8s:
- Gateway API
- Ingress
- APISIX CRD
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: aic
name: httpbin
spec:
parentRefs:
- name: apisix
rules:
- matches:
- path:
type: Exact
value: /ip
backendRefs:
- name: httpbin
port: 80
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: aic
name: httpbin
spec:
ingressClassName: apisix
rules:
- http:
paths:
- path: /ip
pathType: Exact
backend:
service:
name: httpbin
port:
number: 80
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
namespace: aic
name: httpbin
spec:
ingressClassName: apisix
http:
- name: httpbin
match:
paths:
- /ip
backends:
- serviceName: httpbin
servicePort: 80
Route to External Services
To create a route that proxies requests to a service publicly hosted:
- Gateway API
- Ingress
- APISIX CRD
apiVersion: v1
kind: Service
metadata:
namespace: aic
name: httpbin-external-domain
spec:
type: ExternalName
externalName: httpbin.org
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: aic
name: get-ip
spec:
parentRefs:
- name: apisix
rules:
- matches:
- path:
type: Exact
value: /ip
backendRefs:
- name: httpbin-external-domain
port: 80
apiVersion: v1
kind: Service
metadata:
namespace: aic
name: httpbin-external-domain
spec:
type: ExternalName
externalName: httpbin.org
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: aic
name: get-ip
spec:
ingressClassName: apisix
rules:
- http:
paths:
- path: /ip
pathType: Exact
backend:
service:
name: httpbin-external-domain
port:
number: 80
apiVersion: apisix.apache.org/v2
kind: ApisixUpstream
metadata:
namespace: aic
name: httpbin-external-domain
spec:
ingressClassName: apisix
externalNodes:
- type: Domain
name: httpbin.org
---
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
namespace: aic
name: get-ip
spec:
ingressClassName: apisix
http:
- name: get-ip
match:
paths:
- /ip
upstreams:
- name: httpbin-external-domain
Configure Weighted Services
To create a route that proxies traffic to upstream services by weight:
- Gateway API
- APISIX CRD
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: aic
name: httpbin
spec:
parentRefs:
- name: apisix
rules:
- matches:
- path:
type: Exact
value: /ip
backendRefs:
- name: httpbin-1
port: 80
weight: 3
- name: httpbin-2
port: 80
weight: 7
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
namespace: aic
name: httpbin
spec:
ingressClassName: apisix
http:
- name: httpbin
match:
paths:
- /ip
backends:
- serviceName: httpbin-1
servicePort: 80
weight: 3
- serviceName: httpbin-2
servicePort: 80
weight: 7
This configuration is not supported by the Ingress resource.
Configure Upstream
To configure upstream related configurations, including load balancing algorithm, how the host header is passed to upstream, service timeout, and more:
- Gateway API
- APISIX CRD
apiVersion: apisix.apache.org/v1alpha1
kind: BackendTrafficPolicy
metadata:
namespace: aic
name: httpbin
spec:
targetRefs:
- name: httpbin
kind: Service
group: ""
timeout:
send: 10s
read: 10s
connect: 10s
scheme: http
retries: 10
loadbalancer:
type: roundrobin
passHost: rewrite
upstreamHost: httpbin.example.com
apiVersion: apisix.apache.org/v2
kind: ApisixUpstream
metadata:
namespace: aic
name: httpbin
spec:
ingressClassName: apisix
timeout:
send: 10s
read: 10s
connect: 10s
scheme: http
retries: 10
loadbalancer:
type: roundrobin
passHost: rewrite
upstreamHost: httpbin.example.com
Detect Upstream Protocol with appProtocol
The appProtocol field on a Service port tells APISIX how to communicate with the backend.
APISIX automatically configures the upstream scheme based on this value. If not set, the default scheme is http.
The Ingress Controller supports the following appProtocol values for Service ports:
| Value | Description |
|---|---|
http | The option sets the upstream scheme to http. |
https | The option sets the upstream scheme to https. |
kubernetes.io/ws | The option sets the upstream scheme to http and enable_websocket to true on the route. |
kubernetes.io/wss | The option sets the upstream scheme to https and enable_websocket to true on the route. |
Here is an example of a Service configured with appProtocol values for HTTP and HTTPS ports:
apiVersion: v1
kind: Service
metadata:
namespace: aic
name: httpbin
spec:
selector:
app: httpbin
ports:
- name: http
port: 80
targetPort: 80
appProtocol: http
- name: https
port: 443
targetPort: 443
appProtocol: https
You can then create a route that points to the Service port, allowing APISIX to detect the upstream protocol automatically. With the below configuration, APISIX automatically sets the upstream scheme to https:
- Gateway API
- Ingress
- APISIX CRD
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: aic
name: httpbin-route
spec:
parentRefs:
- name: apisix
rules:
- matches:
- path:
type: Exact
value: /anything
backendRefs:
- name: httpbin
port: 443
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: aic
name: httpbin-route
spec:
ingressClassName: apisix
rules:
- http:
paths:
- path: /anything
pathType: Exact
backend:
service:
name: httpbin
port:
number: 443
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
namespace: aic
name: httpbin-route
spec:
ingressClassName: apisix
http:
- name: httpbin-route
match:
paths:
- /anything
backends:
- serviceName: httpbin
servicePort: 443
Configure Consumer and Credentials
- Gateway API
- APISIX CRD
To create a consumer and configure the authentication credentials directly on the consumer:
apiVersion: apisix.apache.org/v1alpha1
kind: Consumer
metadata:
namespace: aic
name: alice
spec:
gatewayRef:
name: apisix
credentials:
- type: key-auth
name: primary-key
config:
key: alice-primary-key
You can also use a Secret resource, where the credential should be base64 encoded:
apiVersion: v1
kind: Secret
metadata:
namespace: aic
name: key-auth-primary
data:
key: YWxpY2UtcHJpbWFyeS1rZXk=
---
apiVersion: apisix.apache.org/v1alpha1
kind: Consumer
metadata:
namespace: aic
name: alice
spec:
gatewayRef:
name: apisix
credentials:
- type: key-auth
name: key-auth-primary
secretRef:
name: key-auth-primary
To create a consumer and configure the authentication credentials directly on the consumer:
apiVersion: apisix.apache.org/v2
kind: ApisixConsumer
metadata:
namespace: aic
name: alice
spec:
ingressClassName: apisix
authParameter:
keyAuth:
value:
key: alice-primary-key
You can also use a Secret resource, where the credential should be base64 encoded:
apiVersion: v1
kind: Secret
metadata:
namespace: aic
name: key-auth-primary
data:
key: YWxpY2UtcHJpbWFyeS1rZXk=
---
apiVersion: apisix.apache.org/v2
kind: ApisixConsumer
metadata:
namespace: aic
name: alice
spec:
ingressClassName: apisix
authParameter:
keyAuth:
secretRef:
name: key-auth-primary
Configure Plugin on Consumer
Authentication Plugins
To configure authentication plugins on a consumer, such as the key-auth plugin:
- Gateway API
- APISIX CRD
apiVersion: apisix.apache.org/v1alpha1
kind: Consumer
metadata:
namespace: aic
name: alice
spec:
gatewayRef:
name: apisix
credentials:
- type: key-auth
name: alice-key
config:
key: alice-key
apiVersion: apisix.apache.org/v2
kind: ApisixConsumer
metadata:
namespace: aic
name: alice
spec:
ingressClassName: apisix
authParameter:
keyAuth:
value:
key: alice-key
Other Plugins
To configure non-authentication plugins on a consumer, such as the limit-count plugin:
- Gateway API
- APISIX CRD
apiVersion: apisix.apache.org/v1alpha1
kind: Consumer
metadata:
namespace: aic
name: alice
spec:
gatewayRef:
name: apisix
credentials:
- type: key-auth
name: alice-key
config:
key: alice-key
plugins:
- name: limit-count
config:
count: 3
time_window: 60
key: remote_addr
key_type: var
policy: local
rejected_code: 429
rejected_msg: Too many requests
show_limit_quota_header: true
allow_degradation: false
ApisixConsumer currently does not support configuring non-authentication type of plugins on consumers.
Configure Route Priority and Matching Conditions
To configure route priority and request matching conditions on a targeted route:
- Gateway API
- APISIX CRD
apiVersion: apisix.apache.org/v1alpha1
kind: HTTPRoutePolicy
metadata:
namespace: aic
name: http-route-policy
spec:
targetRefs:
- group: gateway.networking.k8s.io
kind: HTTPRoute
name: httpbin
priority: 10
vars:
- - http_x_test_name
- ==
- new_name
- - arg_test
- ==
- test_name
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
namespace: aic
name: httpbin
spec:
ingressClassName: apisix
http:
- name: httpbin
match:
paths:
- /*
exprs:
- subject:
scope: Header
name: X-Test-Name
op: Equal
value: new_name
- subject:
scope: Query
name: test
op: Equal
value: test_name
priority: 10
backends:
- serviceName: httpbin
servicePort: 80
Configure Plugin on Route
To configure plugins on a route:
- Gateway API
- APISIX CRD
apiVersion: apisix.apache.org/v1alpha1
kind: PluginConfig
metadata:
namespace: aic
name: auth-plugin-config
spec:
plugins:
- name: key-auth
config:
_meta:
disable: false
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: aic
name: get-ip
spec:
parentRefs:
- name: apisix
rules:
- matches:
- path:
type: Exact
value: /ip
filters:
- type: ExtensionRef
extensionRef:
group: apisix.apache.org
kind: PluginConfig
name: auth-plugin-config
backendRefs:
- name: httpbin
port: 80
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
namespace: aic
name: get-ip
spec:
ingressClassName: apisix
http:
- name: get-ip
match:
paths:
- /ip
plugins:
- name: limit-count
enable: true
config:
count: 2
time_window: 10
rejected_code: 429
backends:
- serviceName: httpbin
servicePort: 80
Configure Global Plugin
To configure a global plugin:
- Gateway API
- APISIX CRD
apiVersion: apisix.apache.org/v1alpha1
kind: GatewayProxy
metadata:
namespace: aic
name: apisix-config
spec:
provider:
type: ControlPlane
controlPlane:
# add your control plane connection configuration here
# ....
plugins:
- name: clickhouse-logger
config:
endpoint_addr: http://clickhouse-clickhouse-installation.apisix.svc.cluster.local:8123
user: quickstart-user
password: quickstart-pass
logtable: test
database: quickstart_db
apiVersion: apisix.apache.org/v2
kind: ApisixGlobalRule
metadata:
namespace: aic
name: apisix-global-rule-logging
spec:
ingressClassName: apisix
plugins:
- name: clickhouse-logger
enable: true
config:
endpoint_addr: http://clickhouse-clickhouse-installation.apisix.svc.cluster.local:8123
user: quickstart-user
password: quickstart-pass
logtable: test
database: quickstart_db
Configure Plugin Metadata
Plugin metadata is used to configure the shared metadata fields for all plugin instances with the same plugin name. It is useful when a plugin is enabled across multiple objects and requires a universal update to its metadata fields.
To configure plugin metadata:
- Gateway API
- APISIX CRD
apiVersion: apisix.apache.org/v1alpha1
kind: GatewayProxy
metadata:
namespace: aic
name: apisix-config
spec:
provider:
type: ControlPlane
controlPlane:
# add your control plane connection configuration here
# ....
pluginMetadata:
opentelemetry: {
"trace_id_source": "x-request-id",
"resource": {
"service.name": "APISIX"
},
"collector": {
"address": "simplest-collector:4318",
"request_timeout": 3,
"request_headers": {
"Authorization": "token"
}
},
"batch_span_processor": {
"drop_on_queue_full": false,
"max_queue_size": 1024,
"batch_timeout": 2,
"inactive_timeout": 1,
"max_export_batch_size": 16
},
"set_ngx_var": true
}
Not currently supported.
Configure Plugin Config
PluginConfig allows you to extract and reuse common plugin configurations, reducing repetitive plugin definitions across routes and making API management more efficient.
To create a plugin config and reference it in a route:
- Gateway API
- APISIX CRD
apiVersion: apisix.apache.org/v1alpha1
kind: PluginConfig
metadata:
namespace: aic
name: example-plugin-config
spec:
plugins:
- name: response-rewrite
enable: true
config:
headers:
X-Plugin-Config: "example-response-rewrite"
X-Plugin-Test: "enabled"
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: aic
name: httpbin
spec:
parentRefs:
- name: apisix
rules:
- matches:
- path:
type: Exact
value: /ip
filters:
- type: ExtensionRef
extensionRef:
group: apisix.apache.org
kind: PluginConfig
name: example-plugin-config
backendRefs:
- name: httpbin
port: 80
apiVersion: apisix.apache.org/v2
kind: ApisixPluginConfig
metadata:
namespace: aic
name: example-plugin-config
spec:
ingressClassName: apisix
plugins:
- name: response-rewrite
enable: true
config:
headers:
X-Plugin-Config: "example-response-rewrite"
X-Plugin-Test: "enabled"
---
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
namespace: aic
name: httpbin
spec:
ingressClassName: apisix
http:
- name: get-ip
match:
paths:
- /ip
backends:
- serviceName: httpbin
servicePort: 80
plugin_config_name: example-plugin-config
Configure Gateway Access Information
These configurations allow Ingress Controller users to access the gateway.
- Gateway API
- Ingress
- APISIX CRD
To configure the statusAddress:
apiVersion: apisix.apache.org/v1alpha1
kind: GatewayProxy
metadata:
namespace: aic
name: apisix-config
spec:
provider:
type: ControlPlane
controlPlane:
# add your control plane connection configuration here
# ....
statusAddress:
- 10.24.87.13
If you are using Ingress resources, you can configure either statusAddress or publishService.
To configure the statusAddress:
apiVersion: apisix.apache.org/v1alpha1
kind: GatewayProxy
metadata:
namespace: aic
name: apisix-config
spec:
provider:
type: ControlPlane
controlPlane:
# add your control plane connection configuration here
# ....
statusAddress:
- 10.24.87.13
To configure the publishService:
apiVersion: apisix.apache.org/v1alpha1
kind: GatewayProxy
metadata:
namespace: aic
name: apisix-config
spec:
provider:
type: ControlPlane
controlPlane:
# add your control plane connection configuration here
# ....
publishService: apisix-gateway
When using publishService, make sure your gateway Service is of LoadBalancer type so that the address can be populated. The controller will use the endpoint of this Service to update the status information of the Ingress resource. The format can be either namespace/svc-name or simply svc-name if the default namespace is correctly set.
Not supported.