9274 lines
532 KiB
YAML
9274 lines
532 KiB
YAML
# This file is generated from the individual YAML files by generate-deployment.sh. Do not
|
||
# edit this file directly but instead edit the source files and re-render.
|
||
#
|
||
# Generated from:
|
||
# examples/contour/00-common.yaml
|
||
# examples/contour/01-contour-config.yaml
|
||
# examples/contour/01-crds.yaml
|
||
# examples/contour/02-job-certgen.yaml
|
||
# examples/contour/02-rbac.yaml
|
||
# examples/contour/02-role-contour.yaml
|
||
# examples/contour/02-service-contour.yaml
|
||
# examples/contour/02-service-envoy.yaml
|
||
# examples/contour/03-contour.yaml
|
||
# examples/contour/03-envoy.yaml
|
||
|
||
---
|
||
apiVersion: v1
|
||
kind: Namespace
|
||
metadata:
|
||
name: projectcontour
|
||
---
|
||
apiVersion: v1
|
||
kind: ServiceAccount
|
||
metadata:
|
||
name: contour
|
||
namespace: projectcontour
|
||
---
|
||
apiVersion: v1
|
||
kind: ServiceAccount
|
||
metadata:
|
||
name: envoy
|
||
namespace: projectcontour
|
||
|
||
---
|
||
apiVersion: v1
|
||
kind: ConfigMap
|
||
metadata:
|
||
name: contour
|
||
namespace: projectcontour
|
||
data:
|
||
contour.yaml: |
|
||
#
|
||
# server:
|
||
# determine which XDS Server implementation to utilize in Contour.
|
||
# xds-server-type: contour
|
||
#
|
||
# Specify the Gateway API configuration.
|
||
# gateway:
|
||
# controllerName: projectcontour.io/gateway-controller
|
||
#
|
||
# should contour expect to be running inside a k8s cluster
|
||
# incluster: true
|
||
#
|
||
# path to kubeconfig (if not running inside a k8s cluster)
|
||
# kubeconfig: /path/to/.kube/config
|
||
#
|
||
# Disable RFC-compliant behavior to strip "Content-Length" header if
|
||
# "Tranfer-Encoding: chunked" is also set.
|
||
# disableAllowChunkedLength: false
|
||
#
|
||
# Disable Envoy's non-standard merge_slashes path transformation option
|
||
# that strips duplicate slashes from request URLs.
|
||
# disableMergeSlashes: false
|
||
#
|
||
# Disable HTTPProxy permitInsecure field
|
||
disablePermitInsecure: false
|
||
tls:
|
||
# minimum TLS version that Contour will negotiate
|
||
# minimum-protocol-version: "1.2"
|
||
# TLS ciphers to be supported by Envoy TLS listeners when negotiating
|
||
# TLS 1.2.
|
||
# cipher-suites:
|
||
# - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]'
|
||
# - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]'
|
||
# - 'ECDHE-ECDSA-AES256-GCM-SHA384'
|
||
# - 'ECDHE-RSA-AES256-GCM-SHA384'
|
||
# Defines the Kubernetes name/namespace matching a secret to use
|
||
# as the fallback certificate when requests which don't match the
|
||
# SNI defined for a vhost.
|
||
fallback-certificate:
|
||
# name: fallback-secret-name
|
||
# namespace: projectcontour
|
||
envoy-client-certificate:
|
||
# name: envoy-client-cert-secret-name
|
||
# namespace: projectcontour
|
||
####
|
||
# ExternalName Services are disabled by default due to CVE-2021-XXXXX
|
||
# You can re-enable them by setting this setting to `true`.
|
||
# This is not recommended without understanding the security implications.
|
||
# Please see the advisory at https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc for the details.
|
||
# enableExternalNameService: false
|
||
##
|
||
# Address to be placed in status.loadbalancer field of Ingress objects.
|
||
# May be either a literal IP address or a host name.
|
||
# The value will be placed directly into the relevant field inside the status.loadBalancer struct.
|
||
# ingress-status-address: local.projectcontour.io
|
||
### Logging options
|
||
# Default setting
|
||
accesslog-format: envoy
|
||
# The default access log format is defined by Envoy but it can be customized by setting following variable.
|
||
# accesslog-format-string: "...\n"
|
||
# To enable JSON logging in Envoy
|
||
# accesslog-format: json
|
||
# accesslog-level: info
|
||
# The default fields that will be logged are specified below.
|
||
# To customise this list, just add or remove entries.
|
||
# The canonical list is available at
|
||
# https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields
|
||
# json-fields:
|
||
# - "@timestamp"
|
||
# - "authority"
|
||
# - "bytes_received"
|
||
# - "bytes_sent"
|
||
# - "downstream_local_address"
|
||
# - "downstream_remote_address"
|
||
# - "duration"
|
||
# - "method"
|
||
# - "path"
|
||
# - "protocol"
|
||
# - "request_id"
|
||
# - "requested_server_name"
|
||
# - "response_code"
|
||
# - "response_flags"
|
||
# - "uber_trace_id"
|
||
# - "upstream_cluster"
|
||
# - "upstream_host"
|
||
# - "upstream_local_address"
|
||
# - "upstream_service_time"
|
||
# - "user_agent"
|
||
# - "x_forwarded_for"
|
||
# - "grpc_status"
|
||
# - "grpc_status_number"
|
||
#
|
||
# default-http-versions:
|
||
# - "HTTP/2"
|
||
# - "HTTP/1.1"
|
||
#
|
||
# The following shows the default proxy timeout settings.
|
||
# timeouts:
|
||
# request-timeout: infinity
|
||
# connection-idle-timeout: 60s
|
||
# stream-idle-timeout: 5m
|
||
# max-connection-duration: infinity
|
||
# delayed-close-timeout: 1s
|
||
# connection-shutdown-grace-period: 5s
|
||
# connect-timeout: 2s
|
||
#
|
||
# Envoy cluster settings.
|
||
# cluster:
|
||
# configure the cluster dns lookup family
|
||
# valid options are: auto (default), v4, v6
|
||
# dns-lookup-family: auto
|
||
#
|
||
# Envoy network settings.
|
||
# network:
|
||
# Configure the number of additional ingress proxy hops from the
|
||
# right side of the x-forwarded-for HTTP header to trust.
|
||
# num-trusted-hops: 0
|
||
# Configure the port used to access the Envoy Admin interface.
|
||
# admin-port: 9001
|
||
#
|
||
# Configure an optional global rate limit service.
|
||
# rateLimitService:
|
||
# Identifies the extension service defining the rate limit service,
|
||
# formatted as <namespace>/<name>.
|
||
# extensionService: projectcontour/ratelimit
|
||
# Defines the rate limit domain to pass to the rate limit service.
|
||
# Acts as a container for a set of rate limit definitions within
|
||
# the RLS.
|
||
# domain: contour
|
||
# Defines whether to allow requests to proceed when the rate limit
|
||
# service fails to respond with a valid rate limit decision within
|
||
# the timeout defined on the extension service.
|
||
# failOpen: false
|
||
# Defines whether to include the X-RateLimit headers X-RateLimit-Limit,
|
||
# X-RateLimit-Remaining, and X-RateLimit-Reset (as defined by the IETF
|
||
# Internet-Draft linked below), on responses to clients when the Rate
|
||
# Limit Service is consulted for a request.
|
||
# ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html
|
||
# enableXRateLimitHeaders: false
|
||
# Defines whether to translate status code 429 to grpc code RESOURCE_EXHAUSTED
|
||
# instead of the default UNAVAILABLE
|
||
# enableResourceExhaustedCode: false
|
||
#
|
||
# Global Policy settings.
|
||
# policy:
|
||
# # Default headers to set on all requests (unless set/removed on the HTTPProxy object itself)
|
||
# request-headers:
|
||
# set:
|
||
# # example: the hostname of the Envoy instance that proxied the request
|
||
# X-Envoy-Hostname: %HOSTNAME%
|
||
# # example: add a l5d-dst-override header to instruct Linkerd what service the request is destined for
|
||
# l5d-dst-override: %CONTOUR_SERVICE_NAME%.%CONTOUR_NAMESPACE%.svc.cluster.local:%CONTOUR_SERVICE_PORT%
|
||
# # default headers to set on all responses (unless set/removed on the HTTPProxy object itself)
|
||
# response-headers:
|
||
# set:
|
||
# # example: Envoy flags that provide additional details about the response or connection
|
||
# X-Envoy-Response-Flags: %RESPONSE_FLAGS%
|
||
#
|
||
# metrics:
|
||
# contour:
|
||
# address: 0.0.0.0
|
||
# port: 8000
|
||
# server-certificate-path: /path/to/server-cert.pem
|
||
# server-key-path: /path/to/server-private-key.pem
|
||
# ca-certificate-path: /path/to/root-ca-for-client-validation.pem
|
||
# envoy:
|
||
# address: 0.0.0.0
|
||
# port: 8002
|
||
# server-certificate-path: /path/to/server-cert.pem
|
||
# server-key-path: /path/to/server-private-key.pem
|
||
# ca-certificate-path: /path/to/root-ca-for-client-validation.pem
|
||
#
|
||
# listener:
|
||
# connection-balancer: exact
|
||
# socket-options:
|
||
# tos: 64
|
||
# traffic-class: 64
|
||
|
||
---
|
||
apiVersion: apiextensions.k8s.io/v1
|
||
kind: CustomResourceDefinition
|
||
metadata:
|
||
annotations:
|
||
controller-gen.kubebuilder.io/version: v0.14.0
|
||
name: contourconfigurations.projectcontour.io
|
||
spec:
|
||
preserveUnknownFields: false
|
||
group: projectcontour.io
|
||
names:
|
||
kind: ContourConfiguration
|
||
listKind: ContourConfigurationList
|
||
plural: contourconfigurations
|
||
shortNames:
|
||
- contourconfig
|
||
singular: contourconfiguration
|
||
scope: Namespaced
|
||
versions:
|
||
- name: v1alpha1
|
||
schema:
|
||
openAPIV3Schema:
|
||
description: ContourConfiguration is the schema for a Contour instance.
|
||
properties:
|
||
apiVersion:
|
||
description: |-
|
||
APIVersion defines the versioned schema of this representation of an object.
|
||
Servers should convert recognized schemas to the latest internal value, and
|
||
may reject unrecognized values.
|
||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||
type: string
|
||
kind:
|
||
description: |-
|
||
Kind is a string value representing the REST resource this object represents.
|
||
Servers may infer this from the endpoint the client submits requests to.
|
||
Cannot be updated.
|
||
In CamelCase.
|
||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||
type: string
|
||
metadata:
|
||
type: object
|
||
spec:
|
||
description: |-
|
||
ContourConfigurationSpec represents a configuration of a Contour controller.
|
||
It contains most of all the options that can be customized, the
|
||
other remaining options being command line flags.
|
||
properties:
|
||
debug:
|
||
description: |-
|
||
Debug contains parameters to enable debug logging
|
||
and debug interfaces inside Contour.
|
||
properties:
|
||
address:
|
||
description: |-
|
||
Defines the Contour debug address interface.
|
||
Contour's default is "127.0.0.1".
|
||
type: string
|
||
port:
|
||
description: |-
|
||
Defines the Contour debug address port.
|
||
Contour's default is 6060.
|
||
type: integer
|
||
type: object
|
||
enableExternalNameService:
|
||
description: |-
|
||
EnableExternalNameService allows processing of ExternalNameServices
|
||
Contour's default is false for security reasons.
|
||
type: boolean
|
||
envoy:
|
||
description: |-
|
||
Envoy contains parameters for Envoy as well
|
||
as how to optionally configure a managed Envoy fleet.
|
||
properties:
|
||
clientCertificate:
|
||
description: |-
|
||
ClientCertificate defines the namespace/name of the Kubernetes
|
||
secret containing the client certificate and private key
|
||
to be used when establishing TLS connection to upstream
|
||
cluster.
|
||
properties:
|
||
name:
|
||
type: string
|
||
namespace:
|
||
type: string
|
||
required:
|
||
- name
|
||
- namespace
|
||
type: object
|
||
cluster:
|
||
description: |-
|
||
Cluster holds various configurable Envoy cluster values that can
|
||
be set in the config file.
|
||
properties:
|
||
circuitBreakers:
|
||
description: |-
|
||
GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services.
|
||
If defined, this will be used as the default for all services.
|
||
properties:
|
||
maxConnections:
|
||
description: The maximum number of connections that a
|
||
single Envoy instance allows to the Kubernetes Service;
|
||
defaults to 1024.
|
||
format: int32
|
||
type: integer
|
||
maxPendingRequests:
|
||
description: The maximum number of pending requests that
|
||
a single Envoy instance allows to the Kubernetes Service;
|
||
defaults to 1024.
|
||
format: int32
|
||
type: integer
|
||
maxRequests:
|
||
description: The maximum parallel requests a single Envoy
|
||
instance allows to the Kubernetes Service; defaults
|
||
to 1024
|
||
format: int32
|
||
type: integer
|
||
maxRetries:
|
||
description: The maximum number of parallel retries a
|
||
single Envoy instance allows to the Kubernetes Service;
|
||
defaults to 3.
|
||
format: int32
|
||
type: integer
|
||
type: object
|
||
dnsLookupFamily:
|
||
description: |-
|
||
DNSLookupFamily defines how external names are looked up
|
||
When configured as V4, the DNS resolver will only perform a lookup
|
||
for addresses in the IPv4 family. If V6 is configured, the DNS resolver
|
||
will only perform a lookup for addresses in the IPv6 family.
|
||
If AUTO is configured, the DNS resolver will first perform a lookup
|
||
for addresses in the IPv6 family and fallback to a lookup for addresses
|
||
in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for
|
||
both IPv4 and IPv6 families, and return all resolved addresses.
|
||
When this is used, Happy Eyeballs will be enabled for upstream connections.
|
||
Refer to Happy Eyeballs Support for more information.
|
||
Note: This only applies to externalName clusters.
|
||
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily
|
||
for more information.
|
||
Values: `auto` (default), `v4`, `v6`, `all`.
|
||
Other values will produce an error.
|
||
type: string
|
||
maxRequestsPerConnection:
|
||
description: |-
|
||
Defines the maximum requests for upstream connections. If not specified, there is no limit.
|
||
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions
|
||
for more information.
|
||
format: int32
|
||
minimum: 1
|
||
type: integer
|
||
per-connection-buffer-limit-bytes:
|
||
description: |-
|
||
Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes.
|
||
If unspecified, an implementation defined default is applied (1MiB).
|
||
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes
|
||
for more information.
|
||
format: int32
|
||
minimum: 1
|
||
type: integer
|
||
upstreamTLS:
|
||
description: UpstreamTLS contains the TLS policy parameters
|
||
for upstream connections
|
||
properties:
|
||
cipherSuites:
|
||
description: |-
|
||
CipherSuites defines the TLS ciphers to be supported by Envoy TLS
|
||
listeners when negotiating TLS 1.2. Ciphers are validated against the
|
||
set that Envoy supports by default. This parameter should only be used
|
||
by advanced users. Note that these will be ignored when TLS 1.3 is in
|
||
use.
|
||
This field is optional; when it is undefined, a Contour-managed ciphersuite list
|
||
will be used, which may be updated to keep it secure.
|
||
Contour's default list is:
|
||
- "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
|
||
- "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
|
||
- "ECDHE-ECDSA-AES256-GCM-SHA384"
|
||
- "ECDHE-RSA-AES256-GCM-SHA384"
|
||
Ciphers provided are validated against the following list:
|
||
- "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
|
||
- "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
|
||
- "ECDHE-ECDSA-AES128-GCM-SHA256"
|
||
- "ECDHE-RSA-AES128-GCM-SHA256"
|
||
- "ECDHE-ECDSA-AES128-SHA"
|
||
- "ECDHE-RSA-AES128-SHA"
|
||
- "AES128-GCM-SHA256"
|
||
- "AES128-SHA"
|
||
- "ECDHE-ECDSA-AES256-GCM-SHA384"
|
||
- "ECDHE-RSA-AES256-GCM-SHA384"
|
||
- "ECDHE-ECDSA-AES256-SHA"
|
||
- "ECDHE-RSA-AES256-SHA"
|
||
- "AES256-GCM-SHA384"
|
||
- "AES256-SHA"
|
||
Contour recommends leaving this undefined unless you are sure you must.
|
||
See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
|
||
Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS.
|
||
items:
|
||
type: string
|
||
type: array
|
||
maximumProtocolVersion:
|
||
description: |-
|
||
MaximumProtocolVersion is the maximum TLS version this vhost should
|
||
negotiate.
|
||
Values: `1.2`, `1.3`(default).
|
||
Other values will produce an error.
|
||
type: string
|
||
minimumProtocolVersion:
|
||
description: |-
|
||
MinimumProtocolVersion is the minimum TLS version this vhost should
|
||
negotiate.
|
||
Values: `1.2` (default), `1.3`.
|
||
Other values will produce an error.
|
||
type: string
|
||
type: object
|
||
type: object
|
||
defaultHTTPVersions:
|
||
description: |-
|
||
DefaultHTTPVersions defines the default set of HTTPS
|
||
versions the proxy should accept. HTTP versions are
|
||
strings of the form "HTTP/xx". Supported versions are
|
||
"HTTP/1.1" and "HTTP/2".
|
||
Values: `HTTP/1.1`, `HTTP/2` (default: both).
|
||
Other values will produce an error.
|
||
items:
|
||
description: HTTPVersionType is the name of a supported HTTP
|
||
version.
|
||
type: string
|
||
type: array
|
||
health:
|
||
description: |-
|
||
Health defines the endpoint Envoy uses to serve health checks.
|
||
Contour's default is { address: "0.0.0.0", port: 8002 }.
|
||
properties:
|
||
address:
|
||
description: Defines the health address interface.
|
||
minLength: 1
|
||
type: string
|
||
port:
|
||
description: Defines the health port.
|
||
type: integer
|
||
type: object
|
||
http:
|
||
description: |-
|
||
Defines the HTTP Listener for Envoy.
|
||
Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }.
|
||
properties:
|
||
accessLog:
|
||
description: AccessLog defines where Envoy logs are outputted
|
||
for this listener.
|
||
type: string
|
||
address:
|
||
description: Defines an Envoy Listener Address.
|
||
minLength: 1
|
||
type: string
|
||
port:
|
||
description: Defines an Envoy listener Port.
|
||
type: integer
|
||
type: object
|
||
https:
|
||
description: |-
|
||
Defines the HTTPS Listener for Envoy.
|
||
Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }.
|
||
properties:
|
||
accessLog:
|
||
description: AccessLog defines where Envoy logs are outputted
|
||
for this listener.
|
||
type: string
|
||
address:
|
||
description: Defines an Envoy Listener Address.
|
||
minLength: 1
|
||
type: string
|
||
port:
|
||
description: Defines an Envoy listener Port.
|
||
type: integer
|
||
type: object
|
||
listener:
|
||
description: Listener hold various configurable Envoy listener
|
||
values.
|
||
properties:
|
||
connectionBalancer:
|
||
description: |-
|
||
ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer
|
||
See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig
|
||
for more information.
|
||
Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer.
|
||
Other values will produce an error.
|
||
type: string
|
||
disableAllowChunkedLength:
|
||
description: |-
|
||
DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to
|
||
strip the "Content-Length" header if "Transfer-Encoding: chunked" is
|
||
also set. This is an emergency off-switch to revert back to Envoy's
|
||
default behavior in case of failures. Please file an issue if failures
|
||
are encountered.
|
||
See: https://github.com/projectcontour/contour/issues/3221
|
||
Contour's default is false.
|
||
type: boolean
|
||
disableMergeSlashes:
|
||
description: |-
|
||
DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option
|
||
which strips duplicate slashes from request URL paths.
|
||
Contour's default is false.
|
||
type: boolean
|
||
httpMaxConcurrentStreams:
|
||
description: |-
|
||
Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the
|
||
SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed
|
||
for a peer on a single HTTP/2 connection. It is recommended to not set this lower
|
||
than 100 but this field can be used to bound resource usage by HTTP/2 connections
|
||
and mitigate attacks like CVE-2023-44487. The default value when this is not set is
|
||
unlimited.
|
||
format: int32
|
||
minimum: 1
|
||
type: integer
|
||
maxConnectionsPerListener:
|
||
description: |-
|
||
Defines the limit on number of active connections to a listener. The limit is applied
|
||
per listener. The default value when this is not set is unlimited.
|
||
format: int32
|
||
minimum: 1
|
||
type: integer
|
||
maxRequestsPerConnection:
|
||
description: |-
|
||
Defines the maximum requests for downstream connections. If not specified, there is no limit.
|
||
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions
|
||
for more information.
|
||
format: int32
|
||
minimum: 1
|
||
type: integer
|
||
maxRequestsPerIOCycle:
|
||
description: |-
|
||
Defines the limit on number of HTTP requests that Envoy will process from a single
|
||
connection in a single I/O cycle. Requests over this limit are processed in subsequent
|
||
I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is
|
||
detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default
|
||
value when this is not set is no limit.
|
||
format: int32
|
||
minimum: 1
|
||
type: integer
|
||
per-connection-buffer-limit-bytes:
|
||
description: |-
|
||
Defines the soft limit on size of the listener’s new connection read and write buffers in bytes.
|
||
If unspecified, an implementation defined default is applied (1MiB).
|
||
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes
|
||
for more information.
|
||
format: int32
|
||
minimum: 1
|
||
type: integer
|
||
serverHeaderTransformation:
|
||
description: |-
|
||
Defines the action to be applied to the Server header on the response path.
|
||
When configured as overwrite, overwrites any Server header with "envoy".
|
||
When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy".
|
||
When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present.
|
||
Values: `overwrite` (default), `append_if_absent`, `pass_through`
|
||
Other values will produce an error.
|
||
Contour's default is overwrite.
|
||
type: string
|
||
socketOptions:
|
||
description: |-
|
||
SocketOptions defines configurable socket options for the listeners.
|
||
Single set of options are applied to all listeners.
|
||
properties:
|
||
tos:
|
||
description: |-
|
||
Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners.
|
||
Single value is applied to all listeners.
|
||
If listeners are bound to IPv6-only addresses, setting this option will cause an error.
|
||
format: int32
|
||
maximum: 255
|
||
minimum: 0
|
||
type: integer
|
||
trafficClass:
|
||
description: |-
|
||
Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners.
|
||
Single value is applied to all listeners.
|
||
If listeners are bound to IPv4-only addresses, setting this option will cause an error.
|
||
format: int32
|
||
maximum: 255
|
||
minimum: 0
|
||
type: integer
|
||
type: object
|
||
tls:
|
||
description: TLS holds various configurable Envoy TLS listener
|
||
values.
|
||
properties:
|
||
cipherSuites:
|
||
description: |-
|
||
CipherSuites defines the TLS ciphers to be supported by Envoy TLS
|
||
listeners when negotiating TLS 1.2. Ciphers are validated against the
|
||
set that Envoy supports by default. This parameter should only be used
|
||
by advanced users. Note that these will be ignored when TLS 1.3 is in
|
||
use.
|
||
This field is optional; when it is undefined, a Contour-managed ciphersuite list
|
||
will be used, which may be updated to keep it secure.
|
||
Contour's default list is:
|
||
- "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
|
||
- "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
|
||
- "ECDHE-ECDSA-AES256-GCM-SHA384"
|
||
- "ECDHE-RSA-AES256-GCM-SHA384"
|
||
Ciphers provided are validated against the following list:
|
||
- "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
|
||
- "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
|
||
- "ECDHE-ECDSA-AES128-GCM-SHA256"
|
||
- "ECDHE-RSA-AES128-GCM-SHA256"
|
||
- "ECDHE-ECDSA-AES128-SHA"
|
||
- "ECDHE-RSA-AES128-SHA"
|
||
- "AES128-GCM-SHA256"
|
||
- "AES128-SHA"
|
||
- "ECDHE-ECDSA-AES256-GCM-SHA384"
|
||
- "ECDHE-RSA-AES256-GCM-SHA384"
|
||
- "ECDHE-ECDSA-AES256-SHA"
|
||
- "ECDHE-RSA-AES256-SHA"
|
||
- "AES256-GCM-SHA384"
|
||
- "AES256-SHA"
|
||
Contour recommends leaving this undefined unless you are sure you must.
|
||
See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
|
||
Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS.
|
||
items:
|
||
type: string
|
||
type: array
|
||
maximumProtocolVersion:
|
||
description: |-
|
||
MaximumProtocolVersion is the maximum TLS version this vhost should
|
||
negotiate.
|
||
Values: `1.2`, `1.3`(default).
|
||
Other values will produce an error.
|
||
type: string
|
||
minimumProtocolVersion:
|
||
description: |-
|
||
MinimumProtocolVersion is the minimum TLS version this vhost should
|
||
negotiate.
|
||
Values: `1.2` (default), `1.3`.
|
||
Other values will produce an error.
|
||
type: string
|
||
type: object
|
||
useProxyProtocol:
|
||
description: |-
|
||
Use PROXY protocol for all listeners.
|
||
Contour's default is false.
|
||
type: boolean
|
||
type: object
|
||
logging:
|
||
description: Logging defines how Envoy's logs can be configured.
|
||
properties:
|
||
accessLogFormat:
|
||
description: |-
|
||
AccessLogFormat sets the global access log format.
|
||
Values: `envoy` (default), `json`.
|
||
Other values will produce an error.
|
||
type: string
|
||
accessLogFormatString:
|
||
description: |-
|
||
AccessLogFormatString sets the access log format when format is set to `envoy`.
|
||
When empty, Envoy's default format is used.
|
||
type: string
|
||
accessLogJSONFields:
|
||
description: |-
|
||
AccessLogJSONFields sets the fields that JSON logging will
|
||
output when AccessLogFormat is json.
|
||
items:
|
||
type: string
|
||
type: array
|
||
accessLogLevel:
|
||
description: |-
|
||
AccessLogLevel sets the verbosity level of the access log.
|
||
Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`.
|
||
Other values will produce an error.
|
||
type: string
|
||
type: object
|
||
metrics:
|
||
description: |-
|
||
Metrics defines the endpoint Envoy uses to serve metrics.
|
||
Contour's default is { address: "0.0.0.0", port: 8002 }.
|
||
properties:
|
||
address:
|
||
description: Defines the metrics address interface.
|
||
maxLength: 253
|
||
minLength: 1
|
||
type: string
|
||
port:
|
||
description: Defines the metrics port.
|
||
type: integer
|
||
tls:
|
||
description: |-
|
||
TLS holds TLS file config details.
|
||
Metrics and health endpoints cannot have same port number when metrics is served over HTTPS.
|
||
properties:
|
||
caFile:
|
||
description: CA filename.
|
||
type: string
|
||
certFile:
|
||
description: Client certificate filename.
|
||
type: string
|
||
keyFile:
|
||
description: Client key filename.
|
||
type: string
|
||
type: object
|
||
type: object
|
||
network:
|
||
description: Network holds various configurable Envoy network
|
||
values.
|
||
properties:
|
||
adminPort:
|
||
description: |-
|
||
Configure the port used to access the Envoy Admin interface.
|
||
If configured to port "0" then the admin interface is disabled.
|
||
Contour's default is 9001.
|
||
type: integer
|
||
numTrustedHops:
|
||
description: |-
|
||
XffNumTrustedHops defines the number of additional ingress proxy hops from the
|
||
right side of the x-forwarded-for HTTP header to trust when determining the origin
|
||
client’s IP address.
|
||
See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops
|
||
for more information.
|
||
Contour's default is 0.
|
||
format: int32
|
||
type: integer
|
||
type: object
|
||
service:
|
||
description: |-
|
||
Service holds Envoy service parameters for setting Ingress status.
|
||
Contour's default is { namespace: "projectcontour", name: "envoy" }.
|
||
properties:
|
||
name:
|
||
type: string
|
||
namespace:
|
||
type: string
|
||
required:
|
||
- name
|
||
- namespace
|
||
type: object
|
||
timeouts:
|
||
description: |-
|
||
Timeouts holds various configurable timeouts that can
|
||
be set in the config file.
|
||
properties:
|
||
connectTimeout:
|
||
description: |-
|
||
ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service.
|
||
If not set, a default value of 2 seconds will be used.
|
||
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout
|
||
for more information.
|
||
type: string
|
||
connectionIdleTimeout:
|
||
description: |-
|
||
ConnectionIdleTimeout defines how long the proxy should wait while there are
|
||
no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating
|
||
an HTTP connection. Set to "infinity" to disable the timeout entirely.
|
||
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout
|
||
for more information.
|
||
type: string
|
||
connectionShutdownGracePeriod:
|
||
description: |-
|
||
ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an
|
||
initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection.
|
||
During this grace period, the proxy will continue to respond to new streams. After the final
|
||
GOAWAY frame has been sent, the proxy will refuse new streams.
|
||
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout
|
||
for more information.
|
||
type: string
|
||
delayedCloseTimeout:
|
||
description: |-
|
||
DelayedCloseTimeout defines how long envoy will wait, once connection
|
||
close processing has been initiated, for the downstream peer to close
|
||
the connection before Envoy closes the socket associated with the connection.
|
||
Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0'
|
||
in Envoy. Leaving it unset will result in the Envoy default value being used.
|
||
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout
|
||
for more information.
|
||
type: string
|
||
maxConnectionDuration:
|
||
description: |-
|
||
MaxConnectionDuration defines the maximum period of time after an HTTP connection
|
||
has been established from the client to the proxy before it is closed by the proxy,
|
||
regardless of whether there has been activity or not. Omit or set to "infinity" for
|
||
no max duration.
|
||
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration
|
||
for more information.
|
||
type: string
|
||
requestTimeout:
|
||
description: |-
|
||
RequestTimeout sets the client request timeout globally for Contour. Note that
|
||
this is a timeout for the entire request, not an idle timeout. Omit or set to
|
||
"infinity" to disable the timeout entirely.
|
||
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout
|
||
for more information.
|
||
type: string
|
||
streamIdleTimeout:
|
||
description: |-
|
||
StreamIdleTimeout defines how long the proxy should wait while there is no
|
||
request activity (for HTTP/1.1) or stream activity (for HTTP/2) before
|
||
terminating the HTTP request or stream. Set to "infinity" to disable the
|
||
timeout entirely.
|
||
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout
|
||
for more information.
|
||
type: string
|
||
type: object
|
||
type: object
|
||
featureFlags:
|
||
description: |-
|
||
FeatureFlags defines toggle to enable new contour features.
|
||
Available toggles are:
|
||
useEndpointSlices - configures contour to fetch endpoint data
|
||
from k8s endpoint slices. defaults to false and reading endpoint
|
||
data from the k8s endpoints.
|
||
items:
|
||
type: string
|
||
type: array
|
||
gateway:
|
||
description: |-
|
||
Gateway contains parameters for the gateway-api Gateway that Contour
|
||
is configured to serve traffic.
|
||
properties:
|
||
controllerName:
|
||
description: |-
|
||
ControllerName is used to determine whether Contour should reconcile a
|
||
GatewayClass. The string takes the form of "projectcontour.io/<namespace>/contour".
|
||
If unset, the gatewayclass controller will not be started.
|
||
Exactly one of ControllerName or GatewayRef must be set.
|
||
Deprecated: users should use GatewayRef, or the Gateway provisioner,
|
||
in place of this field. This field will be removed in a future release.
|
||
type: string
|
||
gatewayRef:
|
||
description: |-
|
||
GatewayRef defines a specific Gateway that this Contour
|
||
instance corresponds to. If set, Contour will reconcile
|
||
only this gateway, and will not reconcile any gateway
|
||
classes.
|
||
Exactly one of ControllerName or GatewayRef must be set.
|
||
properties:
|
||
name:
|
||
type: string
|
||
namespace:
|
||
type: string
|
||
required:
|
||
- name
|
||
- namespace
|
||
type: object
|
||
type: object
|
||
globalExtAuth:
|
||
description: |-
|
||
GlobalExternalAuthorization allows envoys external authorization filter
|
||
to be enabled for all virtual hosts.
|
||
properties:
|
||
authPolicy:
|
||
description: |-
|
||
AuthPolicy sets a default authorization policy for client requests.
|
||
This policy will be used unless overridden by individual routes.
|
||
properties:
|
||
context:
|
||
additionalProperties:
|
||
type: string
|
||
description: |-
|
||
Context is a set of key/value pairs that are sent to the
|
||
authentication server in the check request. If a context
|
||
is provided at an enclosing scope, the entries are merged
|
||
such that the inner scope overrides matching keys from the
|
||
outer scope.
|
||
type: object
|
||
disabled:
|
||
description: |-
|
||
When true, this field disables client request authentication
|
||
for the scope of the policy.
|
||
type: boolean
|
||
type: object
|
||
extensionRef:
|
||
description: ExtensionServiceRef specifies the extension resource
|
||
that will authorize client requests.
|
||
properties:
|
||
apiVersion:
|
||
description: |-
|
||
API version of the referent.
|
||
If this field is not specified, the default "projectcontour.io/v1alpha1" will be used
|
||
minLength: 1
|
||
type: string
|
||
name:
|
||
description: |-
|
||
Name of the referent.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||
minLength: 1
|
||
type: string
|
||
namespace:
|
||
description: |-
|
||
Namespace of the referent.
|
||
If this field is not specifies, the namespace of the resource that targets the referent will be used.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
|
||
minLength: 1
|
||
type: string
|
||
type: object
|
||
failOpen:
|
||
description: |-
|
||
If FailOpen is true, the client request is forwarded to the upstream service
|
||
even if the authorization server fails to respond. This field should not be
|
||
set in most cases. It is intended for use only while migrating applications
|
||
from internal authorization to Contour external authorization.
|
||
type: boolean
|
||
responseTimeout:
|
||
description: |-
|
||
ResponseTimeout configures maximum time to wait for a check response from the authorization server.
|
||
Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
|
||
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
|
||
The string "infinity" is also a valid input and specifies no timeout.
|
||
pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
|
||
type: string
|
||
withRequestBody:
|
||
description: WithRequestBody specifies configuration for sending
|
||
the client request's body to authorization server.
|
||
properties:
|
||
allowPartialMessage:
|
||
description: If AllowPartialMessage is true, then Envoy will
|
||
buffer the body until MaxRequestBytes are reached.
|
||
type: boolean
|
||
maxRequestBytes:
|
||
default: 1024
|
||
description: MaxRequestBytes sets the maximum size of message
|
||
body ExtAuthz filter will hold in-memory.
|
||
format: int32
|
||
minimum: 1
|
||
type: integer
|
||
packAsBytes:
|
||
description: If PackAsBytes is true, the body sent to Authorization
|
||
Server is in raw bytes.
|
||
type: boolean
|
||
type: object
|
||
type: object
|
||
health:
|
||
description: |-
|
||
Health defines the endpoints Contour uses to serve health checks.
|
||
Contour's default is { address: "0.0.0.0", port: 8000 }.
|
||
properties:
|
||
address:
|
||
description: Defines the health address interface.
|
||
minLength: 1
|
||
type: string
|
||
port:
|
||
description: Defines the health port.
|
||
type: integer
|
||
type: object
|
||
httpproxy:
|
||
description: HTTPProxy defines parameters on HTTPProxy.
|
||
properties:
|
||
disablePermitInsecure:
|
||
description: |-
|
||
DisablePermitInsecure disables the use of the
|
||
permitInsecure field in HTTPProxy.
|
||
Contour's default is false.
|
||
type: boolean
|
||
fallbackCertificate:
|
||
description: |-
|
||
FallbackCertificate defines the namespace/name of the Kubernetes secret to
|
||
use as fallback when a non-SNI request is received.
|
||
properties:
|
||
name:
|
||
type: string
|
||
namespace:
|
||
type: string
|
||
required:
|
||
- name
|
||
- namespace
|
||
type: object
|
||
rootNamespaces:
|
||
description: Restrict Contour to searching these namespaces for
|
||
root ingress routes.
|
||
items:
|
||
type: string
|
||
type: array
|
||
type: object
|
||
ingress:
|
||
description: Ingress contains parameters for ingress options.
|
||
properties:
|
||
classNames:
|
||
description: Ingress Class Names Contour should use.
|
||
items:
|
||
type: string
|
||
type: array
|
||
statusAddress:
|
||
description: Address to set in Ingress object status.
|
||
type: string
|
||
type: object
|
||
metrics:
|
||
description: |-
|
||
Metrics defines the endpoint Contour uses to serve metrics.
|
||
Contour's default is { address: "0.0.0.0", port: 8000 }.
|
||
properties:
|
||
address:
|
||
description: Defines the metrics address interface.
|
||
maxLength: 253
|
||
minLength: 1
|
||
type: string
|
||
port:
|
||
description: Defines the metrics port.
|
||
type: integer
|
||
tls:
|
||
description: |-
|
||
TLS holds TLS file config details.
|
||
Metrics and health endpoints cannot have same port number when metrics is served over HTTPS.
|
||
properties:
|
||
caFile:
|
||
description: CA filename.
|
||
type: string
|
||
certFile:
|
||
description: Client certificate filename.
|
||
type: string
|
||
keyFile:
|
||
description: Client key filename.
|
||
type: string
|
||
type: object
|
||
type: object
|
||
policy:
|
||
description: Policy specifies default policy applied if not overridden
|
||
by the user
|
||
properties:
|
||
applyToIngress:
|
||
description: |-
|
||
ApplyToIngress determines if the Policies will apply to ingress objects
|
||
Contour's default is false.
|
||
type: boolean
|
||
requestHeaders:
|
||
description: RequestHeadersPolicy defines the request headers
|
||
set/removed on all routes
|
||
properties:
|
||
remove:
|
||
items:
|
||
type: string
|
||
type: array
|
||
set:
|
||
additionalProperties:
|
||
type: string
|
||
type: object
|
||
type: object
|
||
responseHeaders:
|
||
description: ResponseHeadersPolicy defines the response headers
|
||
set/removed on all routes
|
||
properties:
|
||
remove:
|
||
items:
|
||
type: string
|
||
type: array
|
||
set:
|
||
additionalProperties:
|
||
type: string
|
||
type: object
|
||
type: object
|
||
type: object
|
||
rateLimitService:
|
||
description: |-
|
||
RateLimitService optionally holds properties of the Rate Limit Service
|
||
to be used for global rate limiting.
|
||
properties:
|
||
defaultGlobalRateLimitPolicy:
|
||
description: |-
|
||
DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy.
|
||
HTTPProxy can overwrite this configuration.
|
||
properties:
|
||
descriptors:
|
||
description: |-
|
||
Descriptors defines the list of descriptors that will
|
||
be generated and sent to the rate limit service. Each
|
||
descriptor contains 1+ key-value pair entries.
|
||
items:
|
||
description: RateLimitDescriptor defines a list of key-value
|
||
pair generators.
|
||
properties:
|
||
entries:
|
||
description: Entries is the list of key-value pair generators.
|
||
items:
|
||
description: |-
|
||
RateLimitDescriptorEntry is a key-value pair generator. Exactly
|
||
one field on this struct must be non-nil.
|
||
properties:
|
||
genericKey:
|
||
description: GenericKey defines a descriptor entry
|
||
with a static key and value.
|
||
properties:
|
||
key:
|
||
description: |-
|
||
Key defines the key of the descriptor entry. If not set, the
|
||
key is set to "generic_key".
|
||
type: string
|
||
value:
|
||
description: Value defines the value of the
|
||
descriptor entry.
|
||
minLength: 1
|
||
type: string
|
||
type: object
|
||
remoteAddress:
|
||
description: |-
|
||
RemoteAddress defines a descriptor entry with a key of "remote_address"
|
||
and a value equal to the client's IP address (from x-forwarded-for).
|
||
type: object
|
||
requestHeader:
|
||
description: |-
|
||
RequestHeader defines a descriptor entry that's populated only if
|
||
a given header is present on the request. The descriptor key is static,
|
||
and the descriptor value is equal to the value of the header.
|
||
properties:
|
||
descriptorKey:
|
||
description: DescriptorKey defines the key
|
||
to use on the descriptor entry.
|
||
minLength: 1
|
||
type: string
|
||
headerName:
|
||
description: HeaderName defines the name of
|
||
the header to look for on the request.
|
||
minLength: 1
|
||
type: string
|
||
type: object
|
||
requestHeaderValueMatch:
|
||
description: |-
|
||
RequestHeaderValueMatch defines a descriptor entry that's populated
|
||
if the request's headers match a set of 1+ match criteria. The
|
||
descriptor key is "header_match", and the descriptor value is static.
|
||
properties:
|
||
expectMatch:
|
||
default: true
|
||
description: |-
|
||
ExpectMatch defines whether the request must positively match the match
|
||
criteria in order to generate a descriptor entry (i.e. true), or not
|
||
match the match criteria in order to generate a descriptor entry (i.e. false).
|
||
The default is true.
|
||
type: boolean
|
||
headers:
|
||
description: |-
|
||
Headers is a list of 1+ match criteria to apply against the request
|
||
to determine whether to populate the descriptor entry or not.
|
||
items:
|
||
description: |-
|
||
HeaderMatchCondition specifies how to conditionally match against HTTP
|
||
headers. The Name field is required, only one of Present, NotPresent,
|
||
Contains, NotContains, Exact, NotExact and Regex can be set.
|
||
For negative matching rules only (e.g. NotContains or NotExact) you can set
|
||
TreatMissingAsEmpty.
|
||
IgnoreCase has no effect for Regex.
|
||
properties:
|
||
contains:
|
||
description: |-
|
||
Contains specifies a substring that must be present in
|
||
the header value.
|
||
type: string
|
||
exact:
|
||
description: Exact specifies a string
|
||
that the header value must be equal
|
||
to.
|
||
type: string
|
||
ignoreCase:
|
||
description: |-
|
||
IgnoreCase specifies that string matching should be case insensitive.
|
||
Note that this has no effect on the Regex parameter.
|
||
type: boolean
|
||
name:
|
||
description: |-
|
||
Name is the name of the header to match against. Name is required.
|
||
Header names are case insensitive.
|
||
type: string
|
||
notcontains:
|
||
description: |-
|
||
NotContains specifies a substring that must not be present
|
||
in the header value.
|
||
type: string
|
||
notexact:
|
||
description: |-
|
||
NoExact specifies a string that the header value must not be
|
||
equal to. The condition is true if the header has any other value.
|
||
type: string
|
||
notpresent:
|
||
description: |-
|
||
NotPresent specifies that condition is true when the named header
|
||
is not present. Note that setting NotPresent to false does not
|
||
make the condition true if the named header is present.
|
||
type: boolean
|
||
present:
|
||
description: |-
|
||
Present specifies that condition is true when the named header
|
||
is present, regardless of its value. Note that setting Present
|
||
to false does not make the condition true if the named header
|
||
is absent.
|
||
type: boolean
|
||
regex:
|
||
description: |-
|
||
Regex specifies a regular expression pattern that must match the header
|
||
value.
|
||
type: string
|
||
treatMissingAsEmpty:
|
||
description: |-
|
||
TreatMissingAsEmpty specifies if the header match rule specified header
|
||
does not exist, this header value will be treated as empty. Defaults to false.
|
||
Unlike the underlying Envoy implementation this is **only** supported for
|
||
negative matches (e.g. NotContains, NotExact).
|
||
type: boolean
|
||
required:
|
||
- name
|
||
type: object
|
||
minItems: 1
|
||
type: array
|
||
value:
|
||
description: Value defines the value of the
|
||
descriptor entry.
|
||
minLength: 1
|
||
type: string
|
||
type: object
|
||
type: object
|
||
minItems: 1
|
||
type: array
|
||
type: object
|
||
minItems: 1
|
||
type: array
|
||
disabled:
|
||
description: |-
|
||
Disabled configures the HTTPProxy to not use
|
||
the default global rate limit policy defined by the Contour configuration.
|
||
type: boolean
|
||
type: object
|
||
domain:
|
||
description: Domain is passed to the Rate Limit Service.
|
||
type: string
|
||
enableResourceExhaustedCode:
|
||
description: |-
|
||
EnableResourceExhaustedCode enables translating error code 429 to
|
||
grpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE
|
||
type: boolean
|
||
enableXRateLimitHeaders:
|
||
description: |-
|
||
EnableXRateLimitHeaders defines whether to include the X-RateLimit
|
||
headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset
|
||
(as defined by the IETF Internet-Draft linked below), on responses
|
||
to clients when the Rate Limit Service is consulted for a request.
|
||
ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html
|
||
type: boolean
|
||
extensionService:
|
||
description: ExtensionService identifies the extension service
|
||
defining the RLS.
|
||
properties:
|
||
name:
|
||
type: string
|
||
namespace:
|
||
type: string
|
||
required:
|
||
- name
|
||
- namespace
|
||
type: object
|
||
failOpen:
|
||
description: |-
|
||
FailOpen defines whether to allow requests to proceed when the
|
||
Rate Limit Service fails to respond with a valid rate limit
|
||
decision within the timeout defined on the extension service.
|
||
type: boolean
|
||
required:
|
||
- extensionService
|
||
type: object
|
||
tracing:
|
||
description: Tracing defines properties for exporting trace data to
|
||
OpenTelemetry.
|
||
properties:
|
||
customTags:
|
||
description: CustomTags defines a list of custom tags with unique
|
||
tag name.
|
||
items:
|
||
description: |-
|
||
CustomTag defines custom tags with unique tag name
|
||
to create tags for the active span.
|
||
properties:
|
||
literal:
|
||
description: |-
|
||
Literal is a static custom tag value.
|
||
Precisely one of Literal, RequestHeaderName must be set.
|
||
type: string
|
||
requestHeaderName:
|
||
description: |-
|
||
RequestHeaderName indicates which request header
|
||
the label value is obtained from.
|
||
Precisely one of Literal, RequestHeaderName must be set.
|
||
type: string
|
||
tagName:
|
||
description: TagName is the unique name of the custom tag.
|
||
type: string
|
||
required:
|
||
- tagName
|
||
type: object
|
||
type: array
|
||
extensionService:
|
||
description: ExtensionService identifies the extension service
|
||
defining the otel-collector.
|
||
properties:
|
||
name:
|
||
type: string
|
||
namespace:
|
||
type: string
|
||
required:
|
||
- name
|
||
- namespace
|
||
type: object
|
||
includePodDetail:
|
||
description: |-
|
||
IncludePodDetail defines a flag.
|
||
If it is true, contour will add the pod name and namespace to the span of the trace.
|
||
the default is true.
|
||
Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly.
|
||
type: boolean
|
||
maxPathTagLength:
|
||
description: |-
|
||
MaxPathTagLength defines maximum length of the request path
|
||
to extract and include in the HttpUrl tag.
|
||
contour's default is 256.
|
||
format: int32
|
||
type: integer
|
||
overallSampling:
|
||
description: |-
|
||
OverallSampling defines the sampling rate of trace data.
|
||
contour's default is 100.
|
||
type: string
|
||
serviceName:
|
||
description: |-
|
||
ServiceName defines the name for the service.
|
||
contour's default is contour.
|
||
type: string
|
||
required:
|
||
- extensionService
|
||
type: object
|
||
xdsServer:
|
||
description: XDSServer contains parameters for the xDS server.
|
||
properties:
|
||
address:
|
||
description: |-
|
||
Defines the xDS gRPC API address which Contour will serve.
|
||
Contour's default is "0.0.0.0".
|
||
minLength: 1
|
||
type: string
|
||
port:
|
||
description: |-
|
||
Defines the xDS gRPC API port which Contour will serve.
|
||
Contour's default is 8001.
|
||
type: integer
|
||
tls:
|
||
description: |-
|
||
TLS holds TLS file config details.
|
||
Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }.
|
||
properties:
|
||
caFile:
|
||
description: CA filename.
|
||
type: string
|
||
certFile:
|
||
description: Client certificate filename.
|
||
type: string
|
||
insecure:
|
||
description: Allow serving the xDS gRPC API without TLS.
|
||
type: boolean
|
||
keyFile:
|
||
description: Client key filename.
|
||
type: string
|
||
type: object
|
||
type:
|
||
description: |-
|
||
Defines the XDSServer to use for `contour serve`.
|
||
Values: `contour` (default), `envoy`.
|
||
Other values will produce an error.
|
||
type: string
|
||
type: object
|
||
type: object
|
||
status:
|
||
description: ContourConfigurationStatus defines the observed state of
|
||
a ContourConfiguration resource.
|
||
properties:
|
||
conditions:
|
||
description: |-
|
||
Conditions contains the current status of the Contour resource.
|
||
Contour will update a single condition, `Valid`, that is in normal-true polarity.
|
||
Contour will not modify any other Conditions set in this block,
|
||
in case some other controller wants to add a Condition.
|
||
items:
|
||
description: |-
|
||
DetailedCondition is an extension of the normal Kubernetes conditions, with two extra
|
||
fields to hold sub-conditions, which provide more detailed reasons for the state (True or False)
|
||
of the condition.
|
||
`errors` holds information about sub-conditions which are fatal to that condition and render its state False.
|
||
`warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False.
|
||
Remember that Conditions have a type, a status, and a reason.
|
||
The type is the type of the condition, the most important one in this CRD set is `Valid`.
|
||
`Valid` is a positive-polarity condition: when it is `status: true` there are no problems.
|
||
In more detail, `status: true` means that the object is has been ingested into Contour with no errors.
|
||
`warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors`
|
||
slice in this case.
|
||
`Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour.
|
||
The details of the errors will be present under the `errors` field. There must be at least one error in the `errors`
|
||
slice if `status` is `false`.
|
||
For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity.
|
||
When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice.
|
||
When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice.
|
||
In either case, there may be entries in the `warnings` slice.
|
||
Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason
|
||
(if there is one and only one entry in total across both the `errors` and `warnings` slices), or
|
||
`MultipleReasons` if there is more than one entry.
|
||
properties:
|
||
errors:
|
||
description: |-
|
||
Errors contains a slice of relevant error subconditions for this object.
|
||
Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant.
|
||
An empty slice here indicates no errors.
|
||
items:
|
||
description: |-
|
||
SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
|
||
It contains a subset of the Condition fields.
|
||
It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
|
||
that is, they should be of the form "ErrorPresent: true".
|
||
The expected lifecycle for these errors is that they should only be present when the error or warning is,
|
||
and should be removed when they are not relevant.
|
||
properties:
|
||
message:
|
||
description: |-
|
||
Message is a human readable message indicating details about the transition.
|
||
This may be an empty string.
|
||
maxLength: 32768
|
||
type: string
|
||
reason:
|
||
description: |-
|
||
Reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
||
Producers of specific condition types may define expected values and meanings for this field,
|
||
and whether the values are considered a guaranteed API.
|
||
The value should be a CamelCase string.
|
||
This field may not be empty.
|
||
maxLength: 1024
|
||
minLength: 1
|
||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||
type: string
|
||
status:
|
||
description: Status of the condition, one of True, False,
|
||
Unknown.
|
||
enum:
|
||
- "True"
|
||
- "False"
|
||
- Unknown
|
||
type: string
|
||
type:
|
||
description: |-
|
||
Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
|
||
This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
|
||
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||
maxLength: 316
|
||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||
type: string
|
||
required:
|
||
- message
|
||
- reason
|
||
- status
|
||
- type
|
||
type: object
|
||
type: array
|
||
lastTransitionTime:
|
||
description: |-
|
||
lastTransitionTime is the last time the condition transitioned from one status to another.
|
||
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
|
||
format: date-time
|
||
type: string
|
||
message:
|
||
description: |-
|
||
message is a human readable message indicating details about the transition.
|
||
This may be an empty string.
|
||
maxLength: 32768
|
||
type: string
|
||
observedGeneration:
|
||
description: |-
|
||
observedGeneration represents the .metadata.generation that the condition was set based upon.
|
||
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
||
with respect to the current state of the instance.
|
||
format: int64
|
||
minimum: 0
|
||
type: integer
|
||
reason:
|
||
description: |-
|
||
reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
||
Producers of specific condition types may define expected values and meanings for this field,
|
||
and whether the values are considered a guaranteed API.
|
||
The value should be a CamelCase string.
|
||
This field may not be empty.
|
||
maxLength: 1024
|
||
minLength: 1
|
||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||
type: string
|
||
status:
|
||
description: status of the condition, one of True, False, Unknown.
|
||
enum:
|
||
- "True"
|
||
- "False"
|
||
- Unknown
|
||
type: string
|
||
type:
|
||
description: |-
|
||
type of condition in CamelCase or in foo.example.com/CamelCase.
|
||
---
|
||
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
|
||
useful (see .node.status.conditions), the ability to deconflict is important.
|
||
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||
maxLength: 316
|
||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||
type: string
|
||
warnings:
|
||
description: |-
|
||
Warnings contains a slice of relevant warning subconditions for this object.
|
||
Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant.
|
||
An empty slice here indicates no warnings.
|
||
items:
|
||
description: |-
|
||
SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
|
||
It contains a subset of the Condition fields.
|
||
It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
|
||
that is, they should be of the form "ErrorPresent: true".
|
||
The expected lifecycle for these errors is that they should only be present when the error or warning is,
|
||
and should be removed when they are not relevant.
|
||
properties:
|
||
message:
|
||
description: |-
|
||
Message is a human readable message indicating details about the transition.
|
||
This may be an empty string.
|
||
maxLength: 32768
|
||
type: string
|
||
reason:
|
||
description: |-
|
||
Reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
||
Producers of specific condition types may define expected values and meanings for this field,
|
||
and whether the values are considered a guaranteed API.
|
||
The value should be a CamelCase string.
|
||
This field may not be empty.
|
||
maxLength: 1024
|
||
minLength: 1
|
||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||
type: string
|
||
status:
|
||
description: Status of the condition, one of True, False,
|
||
Unknown.
|
||
enum:
|
||
- "True"
|
||
- "False"
|
||
- Unknown
|
||
type: string
|
||
type:
|
||
description: |-
|
||
Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
|
||
This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
|
||
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||
maxLength: 316
|
||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||
type: string
|
||
required:
|
||
- message
|
||
- reason
|
||
- status
|
||
- type
|
||
type: object
|
||
type: array
|
||
required:
|
||
- lastTransitionTime
|
||
- message
|
||
- reason
|
||
- status
|
||
- type
|
||
type: object
|
||
type: array
|
||
x-kubernetes-list-map-keys:
|
||
- type
|
||
x-kubernetes-list-type: map
|
||
type: object
|
||
required:
|
||
- spec
|
||
type: object
|
||
served: true
|
||
storage: true
|
||
subresources:
|
||
status: {}
|
||
---
|
||
apiVersion: apiextensions.k8s.io/v1
|
||
kind: CustomResourceDefinition
|
||
metadata:
|
||
annotations:
|
||
controller-gen.kubebuilder.io/version: v0.14.0
|
||
name: contourdeployments.projectcontour.io
|
||
spec:
|
||
preserveUnknownFields: false
|
||
group: projectcontour.io
|
||
names:
|
||
kind: ContourDeployment
|
||
listKind: ContourDeploymentList
|
||
plural: contourdeployments
|
||
shortNames:
|
||
- contourdeploy
|
||
singular: contourdeployment
|
||
scope: Namespaced
|
||
versions:
|
||
- name: v1alpha1
|
||
schema:
|
||
openAPIV3Schema:
|
||
description: ContourDeployment is the schema for a Contour Deployment.
|
||
properties:
|
||
apiVersion:
|
||
description: |-
|
||
APIVersion defines the versioned schema of this representation of an object.
|
||
Servers should convert recognized schemas to the latest internal value, and
|
||
may reject unrecognized values.
|
||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||
type: string
|
||
kind:
|
||
description: |-
|
||
Kind is a string value representing the REST resource this object represents.
|
||
Servers may infer this from the endpoint the client submits requests to.
|
||
Cannot be updated.
|
||
In CamelCase.
|
||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||
type: string
|
||
metadata:
|
||
type: object
|
||
spec:
|
||
description: |-
|
||
ContourDeploymentSpec specifies options for how a Contour
|
||
instance should be provisioned.
|
||
properties:
|
||
contour:
|
||
description: |-
|
||
Contour specifies deployment-time settings for the Contour
|
||
part of the installation, i.e. the xDS server/control plane
|
||
and associated resources, including things like replica count
|
||
for the Deployment, and node placement constraints for the pods.
|
||
properties:
|
||
deployment:
|
||
description: Deployment describes the settings for running contour
|
||
as a `Deployment`.
|
||
properties:
|
||
replicas:
|
||
description: Replicas is the desired number of replicas.
|
||
format: int32
|
||
minimum: 0
|
||
type: integer
|
||
strategy:
|
||
description: Strategy describes the deployment strategy to
|
||
use to replace existing pods with new pods.
|
||
properties:
|
||
rollingUpdate:
|
||
description: |-
|
||
Rolling update config params. Present only if DeploymentStrategyType =
|
||
RollingUpdate.
|
||
---
|
||
TODO: Update this to follow our convention for oneOf, whatever we decide it
|
||
to be.
|
||
properties:
|
||
maxSurge:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
description: |-
|
||
The maximum number of pods that can be scheduled above the desired number of
|
||
pods.
|
||
Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
|
||
This can not be 0 if MaxUnavailable is 0.
|
||
Absolute number is calculated from percentage by rounding up.
|
||
Defaults to 25%.
|
||
Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
|
||
the rolling update starts, such that the total number of old and new pods do not exceed
|
||
130% of desired pods. Once old pods have been killed,
|
||
new ReplicaSet can be scaled up further, ensuring that total number of pods running
|
||
at any time during the update is at most 130% of desired pods.
|
||
x-kubernetes-int-or-string: true
|
||
maxUnavailable:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
description: |-
|
||
The maximum number of pods that can be unavailable during the update.
|
||
Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
|
||
Absolute number is calculated from percentage by rounding down.
|
||
This can not be 0 if MaxSurge is 0.
|
||
Defaults to 25%.
|
||
Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
|
||
immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
|
||
can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
|
||
that the total number of pods available at all times during the update is at
|
||
least 70% of desired pods.
|
||
x-kubernetes-int-or-string: true
|
||
type: object
|
||
type:
|
||
description: Type of deployment. Can be "Recreate" or
|
||
"RollingUpdate". Default is RollingUpdate.
|
||
type: string
|
||
type: object
|
||
type: object
|
||
disabledFeatures:
|
||
description: |-
|
||
DisabledFeatures defines an array of resources that will be ignored by
|
||
contour reconciler.
|
||
items:
|
||
enum:
|
||
- grpcroutes
|
||
- tlsroutes
|
||
- extensionservices
|
||
- backendtlspolicies
|
||
type: string
|
||
maxItems: 42
|
||
minItems: 1
|
||
type: array
|
||
kubernetesLogLevel:
|
||
description: |-
|
||
KubernetesLogLevel Enable Kubernetes client debug logging with log level. If unset,
|
||
defaults to 0.
|
||
maximum: 9
|
||
minimum: 0
|
||
type: integer
|
||
logLevel:
|
||
description: |-
|
||
LogLevel sets the log level for Contour
|
||
Allowed values are "info", "debug".
|
||
type: string
|
||
nodePlacement:
|
||
description: NodePlacement describes node scheduling configuration
|
||
of Contour pods.
|
||
properties:
|
||
nodeSelector:
|
||
additionalProperties:
|
||
type: string
|
||
description: |-
|
||
NodeSelector is the simplest recommended form of node selection constraint
|
||
and specifies a map of key-value pairs. For the pod to be eligible
|
||
to run on a node, the node must have each of the indicated key-value pairs
|
||
as labels (it can have additional labels as well).
|
||
If unset, the pod(s) will be scheduled to any available node.
|
||
type: object
|
||
tolerations:
|
||
description: |-
|
||
Tolerations work with taints to ensure that pods are not scheduled
|
||
onto inappropriate nodes. One or more taints are applied to a node; this
|
||
marks that the node should not accept any pods that do not tolerate the
|
||
taints.
|
||
The default is an empty list.
|
||
See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
||
for additional details.
|
||
items:
|
||
description: |-
|
||
The pod this Toleration is attached to tolerates any taint that matches
|
||
the triple <key,value,effect> using the matching operator <operator>.
|
||
properties:
|
||
effect:
|
||
description: |-
|
||
Effect indicates the taint effect to match. Empty means match all taint effects.
|
||
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
|
||
type: string
|
||
key:
|
||
description: |-
|
||
Key is the taint key that the toleration applies to. Empty means match all taint keys.
|
||
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
|
||
type: string
|
||
operator:
|
||
description: |-
|
||
Operator represents a key's relationship to the value.
|
||
Valid operators are Exists and Equal. Defaults to Equal.
|
||
Exists is equivalent to wildcard for value, so that a pod can
|
||
tolerate all taints of a particular category.
|
||
type: string
|
||
tolerationSeconds:
|
||
description: |-
|
||
TolerationSeconds represents the period of time the toleration (which must be
|
||
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
|
||
it is not set, which means tolerate the taint forever (do not evict). Zero and
|
||
negative values will be treated as 0 (evict immediately) by the system.
|
||
format: int64
|
||
type: integer
|
||
value:
|
||
description: |-
|
||
Value is the taint value the toleration matches to.
|
||
If the operator is Exists, the value should be empty, otherwise just a regular string.
|
||
type: string
|
||
type: object
|
||
type: array
|
||
type: object
|
||
podAnnotations:
|
||
additionalProperties:
|
||
type: string
|
||
description: |-
|
||
PodAnnotations defines annotations to add to the Contour pods.
|
||
the annotations for Prometheus will be appended or overwritten with predefined value.
|
||
type: object
|
||
replicas:
|
||
description: |-
|
||
Deprecated: Use `DeploymentSettings.Replicas` instead.
|
||
Replicas is the desired number of Contour replicas. If if unset,
|
||
defaults to 2.
|
||
if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`.
|
||
format: int32
|
||
minimum: 0
|
||
type: integer
|
||
resources:
|
||
description: |-
|
||
Compute Resources required by contour container.
|
||
Cannot be updated.
|
||
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
|
||
properties:
|
||
claims:
|
||
description: |-
|
||
Claims lists the names of resources, defined in spec.resourceClaims,
|
||
that are used by this container.
|
||
This is an alpha field and requires enabling the
|
||
DynamicResourceAllocation feature gate.
|
||
This field is immutable. It can only be set for containers.
|
||
items:
|
||
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
|
||
properties:
|
||
name:
|
||
description: |-
|
||
Name must match the name of one entry in pod.spec.resourceClaims of
|
||
the Pod where this field is used. It makes that resource available
|
||
inside a container.
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
type: array
|
||
x-kubernetes-list-map-keys:
|
||
- name
|
||
x-kubernetes-list-type: map
|
||
limits:
|
||
additionalProperties:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
||
x-kubernetes-int-or-string: true
|
||
description: |-
|
||
Limits describes the maximum amount of compute resources allowed.
|
||
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
|
||
type: object
|
||
requests:
|
||
additionalProperties:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
||
x-kubernetes-int-or-string: true
|
||
description: |-
|
||
Requests describes the minimum amount of compute resources required.
|
||
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
|
||
otherwise to an implementation-defined value. Requests cannot exceed Limits.
|
||
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
|
||
type: object
|
||
type: object
|
||
watchNamespaces:
|
||
description: |-
|
||
WatchNamespaces is an array of namespaces. Setting it will instruct the contour instance
|
||
to only watch this subset of namespaces.
|
||
items:
|
||
description: |-
|
||
Namespace refers to a Kubernetes namespace. It must be a RFC 1123 label.
|
||
This validation is based off of the corresponding Kubernetes validation:
|
||
https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/util/validation/validation.go#L187
|
||
This is used for Namespace name validation here:
|
||
https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/api/validation/generic.go#L63
|
||
Valid values include:
|
||
* "example"
|
||
Invalid values include:
|
||
* "example.com" - "." is an invalid character
|
||
maxLength: 63
|
||
minLength: 1
|
||
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
||
type: string
|
||
maxItems: 42
|
||
minItems: 1
|
||
type: array
|
||
type: object
|
||
envoy:
|
||
description: |-
|
||
Envoy specifies deployment-time settings for the Envoy
|
||
part of the installation, i.e. the xDS client/data plane
|
||
and associated resources, including things like the workload
|
||
type to use (DaemonSet or Deployment), node placement constraints
|
||
for the pods, and various options for the Envoy service.
|
||
properties:
|
||
baseID:
|
||
description: |-
|
||
The base ID to use when allocating shared memory regions.
|
||
if Envoy needs to be run multiple times on the same machine, each running Envoy will need a unique base ID
|
||
so that the shared memory regions do not conflict.
|
||
defaults to 0.
|
||
format: int32
|
||
minimum: 0
|
||
type: integer
|
||
daemonSet:
|
||
description: |-
|
||
DaemonSet describes the settings for running envoy as a `DaemonSet`.
|
||
if `WorkloadType` is `Deployment`,it's must be nil
|
||
properties:
|
||
updateStrategy:
|
||
description: Strategy describes the deployment strategy to
|
||
use to replace existing DaemonSet pods with new pods.
|
||
properties:
|
||
rollingUpdate:
|
||
description: |-
|
||
Rolling update config params. Present only if type = "RollingUpdate".
|
||
---
|
||
TODO: Update this to follow our convention for oneOf, whatever we decide it
|
||
to be. Same as Deployment `strategy.rollingUpdate`.
|
||
See https://github.com/kubernetes/kubernetes/issues/35345
|
||
properties:
|
||
maxSurge:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
description: |-
|
||
The maximum number of nodes with an existing available DaemonSet pod that
|
||
can have an updated DaemonSet pod during during an update.
|
||
Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
|
||
This can not be 0 if MaxUnavailable is 0.
|
||
Absolute number is calculated from percentage by rounding up to a minimum of 1.
|
||
Default value is 0.
|
||
Example: when this is set to 30%, at most 30% of the total number of nodes
|
||
that should be running the daemon pod (i.e. status.desiredNumberScheduled)
|
||
can have their a new pod created before the old pod is marked as deleted.
|
||
The update starts by launching new pods on 30% of nodes. Once an updated
|
||
pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
|
||
on that node is marked deleted. If the old pod becomes unavailable for any
|
||
reason (Ready transitions to false, is evicted, or is drained) an updated
|
||
pod is immediatedly created on that node without considering surge limits.
|
||
Allowing surge implies the possibility that the resources consumed by the
|
||
daemonset on any given node can double if the readiness check fails, and
|
||
so resource intensive daemonsets should take into account that they may
|
||
cause evictions during disruption.
|
||
x-kubernetes-int-or-string: true
|
||
maxUnavailable:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
description: |-
|
||
The maximum number of DaemonSet pods that can be unavailable during the
|
||
update. Value can be an absolute number (ex: 5) or a percentage of total
|
||
number of DaemonSet pods at the start of the update (ex: 10%). Absolute
|
||
number is calculated from percentage by rounding up.
|
||
This cannot be 0 if MaxSurge is 0
|
||
Default value is 1.
|
||
Example: when this is set to 30%, at most 30% of the total number of nodes
|
||
that should be running the daemon pod (i.e. status.desiredNumberScheduled)
|
||
can have their pods stopped for an update at any given time. The update
|
||
starts by stopping at most 30% of those DaemonSet pods and then brings
|
||
up new DaemonSet pods in their place. Once the new pods are available,
|
||
it then proceeds onto other DaemonSet pods, thus ensuring that at least
|
||
70% of original number of DaemonSet pods are available at all times during
|
||
the update.
|
||
x-kubernetes-int-or-string: true
|
||
type: object
|
||
type:
|
||
description: Type of daemon set update. Can be "RollingUpdate"
|
||
or "OnDelete". Default is RollingUpdate.
|
||
type: string
|
||
type: object
|
||
type: object
|
||
deployment:
|
||
description: |-
|
||
Deployment describes the settings for running envoy as a `Deployment`.
|
||
if `WorkloadType` is `DaemonSet`,it's must be nil
|
||
properties:
|
||
replicas:
|
||
description: Replicas is the desired number of replicas.
|
||
format: int32
|
||
minimum: 0
|
||
type: integer
|
||
strategy:
|
||
description: Strategy describes the deployment strategy to
|
||
use to replace existing pods with new pods.
|
||
properties:
|
||
rollingUpdate:
|
||
description: |-
|
||
Rolling update config params. Present only if DeploymentStrategyType =
|
||
RollingUpdate.
|
||
---
|
||
TODO: Update this to follow our convention for oneOf, whatever we decide it
|
||
to be.
|
||
properties:
|
||
maxSurge:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
description: |-
|
||
The maximum number of pods that can be scheduled above the desired number of
|
||
pods.
|
||
Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
|
||
This can not be 0 if MaxUnavailable is 0.
|
||
Absolute number is calculated from percentage by rounding up.
|
||
Defaults to 25%.
|
||
Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
|
||
the rolling update starts, such that the total number of old and new pods do not exceed
|
||
130% of desired pods. Once old pods have been killed,
|
||
new ReplicaSet can be scaled up further, ensuring that total number of pods running
|
||
at any time during the update is at most 130% of desired pods.
|
||
x-kubernetes-int-or-string: true
|
||
maxUnavailable:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
description: |-
|
||
The maximum number of pods that can be unavailable during the update.
|
||
Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
|
||
Absolute number is calculated from percentage by rounding down.
|
||
This can not be 0 if MaxSurge is 0.
|
||
Defaults to 25%.
|
||
Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
|
||
immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
|
||
can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
|
||
that the total number of pods available at all times during the update is at
|
||
least 70% of desired pods.
|
||
x-kubernetes-int-or-string: true
|
||
type: object
|
||
type:
|
||
description: Type of deployment. Can be "Recreate" or
|
||
"RollingUpdate". Default is RollingUpdate.
|
||
type: string
|
||
type: object
|
||
type: object
|
||
extraVolumeMounts:
|
||
description: ExtraVolumeMounts holds the extra volume mounts to
|
||
add (normally used with extraVolumes).
|
||
items:
|
||
description: VolumeMount describes a mounting of a Volume within
|
||
a container.
|
||
properties:
|
||
mountPath:
|
||
description: |-
|
||
Path within the container at which the volume should be mounted. Must
|
||
not contain ':'.
|
||
type: string
|
||
mountPropagation:
|
||
description: |-
|
||
mountPropagation determines how mounts are propagated from the host
|
||
to container and the other way around.
|
||
When not set, MountPropagationNone is used.
|
||
This field is beta in 1.10.
|
||
type: string
|
||
name:
|
||
description: This must match the Name of a Volume.
|
||
type: string
|
||
readOnly:
|
||
description: |-
|
||
Mounted read-only if true, read-write otherwise (false or unspecified).
|
||
Defaults to false.
|
||
type: boolean
|
||
subPath:
|
||
description: |-
|
||
Path within the volume from which the container's volume should be mounted.
|
||
Defaults to "" (volume's root).
|
||
type: string
|
||
subPathExpr:
|
||
description: |-
|
||
Expanded path within the volume from which the container's volume should be mounted.
|
||
Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
|
||
Defaults to "" (volume's root).
|
||
SubPathExpr and SubPath are mutually exclusive.
|
||
type: string
|
||
required:
|
||
- mountPath
|
||
- name
|
||
type: object
|
||
type: array
|
||
extraVolumes:
|
||
description: ExtraVolumes holds the extra volumes to add.
|
||
items:
|
||
description: Volume represents a named volume in a pod that
|
||
may be accessed by any container in the pod.
|
||
properties:
|
||
awsElasticBlockStore:
|
||
description: |-
|
||
awsElasticBlockStore represents an AWS Disk resource that is attached to a
|
||
kubelet's host machine and then exposed to the pod.
|
||
More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
|
||
properties:
|
||
fsType:
|
||
description: |-
|
||
fsType is the filesystem type of the volume that you want to mount.
|
||
Tip: Ensure that the filesystem type is supported by the host operating system.
|
||
Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
|
||
More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
|
||
TODO: how do we prevent errors in the filesystem from compromising the machine
|
||
type: string
|
||
partition:
|
||
description: |-
|
||
partition is the partition in the volume that you want to mount.
|
||
If omitted, the default is to mount by volume name.
|
||
Examples: For volume /dev/sda1, you specify the partition as "1".
|
||
Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
|
||
format: int32
|
||
type: integer
|
||
readOnly:
|
||
description: |-
|
||
readOnly value true will force the readOnly setting in VolumeMounts.
|
||
More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
|
||
type: boolean
|
||
volumeID:
|
||
description: |-
|
||
volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume).
|
||
More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
|
||
type: string
|
||
required:
|
||
- volumeID
|
||
type: object
|
||
azureDisk:
|
||
description: azureDisk represents an Azure Data Disk mount
|
||
on the host and bind mount to the pod.
|
||
properties:
|
||
cachingMode:
|
||
description: 'cachingMode is the Host Caching mode:
|
||
None, Read Only, Read Write.'
|
||
type: string
|
||
diskName:
|
||
description: diskName is the Name of the data disk in
|
||
the blob storage
|
||
type: string
|
||
diskURI:
|
||
description: diskURI is the URI of data disk in the
|
||
blob storage
|
||
type: string
|
||
fsType:
|
||
description: |-
|
||
fsType is Filesystem type to mount.
|
||
Must be a filesystem type supported by the host operating system.
|
||
Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
|
||
type: string
|
||
kind:
|
||
description: 'kind expected values are Shared: multiple
|
||
blob disks per storage account Dedicated: single
|
||
blob disk per storage account Managed: azure managed
|
||
data disk (only in managed availability set). defaults
|
||
to shared'
|
||
type: string
|
||
readOnly:
|
||
description: |-
|
||
readOnly Defaults to false (read/write). ReadOnly here will force
|
||
the ReadOnly setting in VolumeMounts.
|
||
type: boolean
|
||
required:
|
||
- diskName
|
||
- diskURI
|
||
type: object
|
||
azureFile:
|
||
description: azureFile represents an Azure File Service
|
||
mount on the host and bind mount to the pod.
|
||
properties:
|
||
readOnly:
|
||
description: |-
|
||
readOnly defaults to false (read/write). ReadOnly here will force
|
||
the ReadOnly setting in VolumeMounts.
|
||
type: boolean
|
||
secretName:
|
||
description: secretName is the name of secret that
|
||
contains Azure Storage Account Name and Key
|
||
type: string
|
||
shareName:
|
||
description: shareName is the azure share Name
|
||
type: string
|
||
required:
|
||
- secretName
|
||
- shareName
|
||
type: object
|
||
cephfs:
|
||
description: cephFS represents a Ceph FS mount on the host
|
||
that shares a pod's lifetime
|
||
properties:
|
||
monitors:
|
||
description: |-
|
||
monitors is Required: Monitors is a collection of Ceph monitors
|
||
More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
|
||
items:
|
||
type: string
|
||
type: array
|
||
path:
|
||
description: 'path is Optional: Used as the mounted
|
||
root, rather than the full Ceph tree, default is /'
|
||
type: string
|
||
readOnly:
|
||
description: |-
|
||
readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
|
||
the ReadOnly setting in VolumeMounts.
|
||
More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
|
||
type: boolean
|
||
secretFile:
|
||
description: |-
|
||
secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
|
||
More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
|
||
type: string
|
||
secretRef:
|
||
description: |-
|
||
secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty.
|
||
More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
|
||
properties:
|
||
name:
|
||
description: |-
|
||
Name of the referent.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||
TODO: Add other useful fields. apiVersion, kind, uid?
|
||
type: string
|
||
type: object
|
||
x-kubernetes-map-type: atomic
|
||
user:
|
||
description: |-
|
||
user is optional: User is the rados user name, default is admin
|
||
More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
|
||
type: string
|
||
required:
|
||
- monitors
|
||
type: object
|
||
cinder:
|
||
description: |-
|
||
cinder represents a cinder volume attached and mounted on kubelets host machine.
|
||
More info: https://examples.k8s.io/mysql-cinder-pd/README.md
|
||
properties:
|
||
fsType:
|
||
description: |-
|
||
fsType is the filesystem type to mount.
|
||
Must be a filesystem type supported by the host operating system.
|
||
Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
|
||
More info: https://examples.k8s.io/mysql-cinder-pd/README.md
|
||
type: string
|
||
readOnly:
|
||
description: |-
|
||
readOnly defaults to false (read/write). ReadOnly here will force
|
||
the ReadOnly setting in VolumeMounts.
|
||
More info: https://examples.k8s.io/mysql-cinder-pd/README.md
|
||
type: boolean
|
||
secretRef:
|
||
description: |-
|
||
secretRef is optional: points to a secret object containing parameters used to connect
|
||
to OpenStack.
|
||
properties:
|
||
name:
|
||
description: |-
|
||
Name of the referent.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||
TODO: Add other useful fields. apiVersion, kind, uid?
|
||
type: string
|
||
type: object
|
||
x-kubernetes-map-type: atomic
|
||
volumeID:
|
||
description: |-
|
||
volumeID used to identify the volume in cinder.
|
||
More info: https://examples.k8s.io/mysql-cinder-pd/README.md
|
||
type: string
|
||
required:
|
||
- volumeID
|
||
type: object
|
||
configMap:
|
||
description: configMap represents a configMap that should
|
||
populate this volume
|
||
properties:
|
||
defaultMode:
|
||
description: |-
|
||
defaultMode is optional: mode bits used to set permissions on created files by default.
|
||
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
|
||
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
|
||
Defaults to 0644.
|
||
Directories within the path are not affected by this setting.
|
||
This might be in conflict with other options that affect the file
|
||
mode, like fsGroup, and the result can be other mode bits set.
|
||
format: int32
|
||
type: integer
|
||
items:
|
||
description: |-
|
||
items if unspecified, each key-value pair in the Data field of the referenced
|
||
ConfigMap will be projected into the volume as a file whose name is the
|
||
key and content is the value. If specified, the listed keys will be
|
||
projected into the specified paths, and unlisted keys will not be
|
||
present. If a key is specified which is not present in the ConfigMap,
|
||
the volume setup will error unless it is marked optional. Paths must be
|
||
relative and may not contain the '..' path or start with '..'.
|
||
items:
|
||
description: Maps a string key to a path within a
|
||
volume.
|
||
properties:
|
||
key:
|
||
description: key is the key to project.
|
||
type: string
|
||
mode:
|
||
description: |-
|
||
mode is Optional: mode bits used to set permissions on this file.
|
||
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
|
||
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
|
||
If not specified, the volume defaultMode will be used.
|
||
This might be in conflict with other options that affect the file
|
||
mode, like fsGroup, and the result can be other mode bits set.
|
||
format: int32
|
||
type: integer
|
||
path:
|
||
description: |-
|
||
path is the relative path of the file to map the key to.
|
||
May not be an absolute path.
|
||
May not contain the path element '..'.
|
||
May not start with the string '..'.
|
||
type: string
|
||
required:
|
||
- key
|
||
- path
|
||
type: object
|
||
type: array
|
||
name:
|
||
description: |-
|
||
Name of the referent.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||
TODO: Add other useful fields. apiVersion, kind, uid?
|
||
type: string
|
||
optional:
|
||
description: optional specify whether the ConfigMap
|
||
or its keys must be defined
|
||
type: boolean
|
||
type: object
|
||
x-kubernetes-map-type: atomic
|
||
csi:
|
||
description: csi (Container Storage Interface) represents
|
||
ephemeral storage that is handled by certain external
|
||
CSI drivers (Beta feature).
|
||
properties:
|
||
driver:
|
||
description: |-
|
||
driver is the name of the CSI driver that handles this volume.
|
||
Consult with your admin for the correct name as registered in the cluster.
|
||
type: string
|
||
fsType:
|
||
description: |-
|
||
fsType to mount. Ex. "ext4", "xfs", "ntfs".
|
||
If not provided, the empty value is passed to the associated CSI driver
|
||
which will determine the default filesystem to apply.
|
||
type: string
|
||
nodePublishSecretRef:
|
||
description: |-
|
||
nodePublishSecretRef is a reference to the secret object containing
|
||
sensitive information to pass to the CSI driver to complete the CSI
|
||
NodePublishVolume and NodeUnpublishVolume calls.
|
||
This field is optional, and may be empty if no secret is required. If the
|
||
secret object contains more than one secret, all secret references are passed.
|
||
properties:
|
||
name:
|
||
description: |-
|
||
Name of the referent.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||
TODO: Add other useful fields. apiVersion, kind, uid?
|
||
type: string
|
||
type: object
|
||
x-kubernetes-map-type: atomic
|
||
readOnly:
|
||
description: |-
|
||
readOnly specifies a read-only configuration for the volume.
|
||
Defaults to false (read/write).
|
||
type: boolean
|
||
volumeAttributes:
|
||
additionalProperties:
|
||
type: string
|
||
description: |-
|
||
volumeAttributes stores driver-specific properties that are passed to the CSI
|
||
driver. Consult your driver's documentation for supported values.
|
||
type: object
|
||
required:
|
||
- driver
|
||
type: object
|
||
downwardAPI:
|
||
description: downwardAPI represents downward API about the
|
||
pod that should populate this volume
|
||
properties:
|
||
defaultMode:
|
||
description: |-
|
||
Optional: mode bits to use on created files by default. Must be a
|
||
Optional: mode bits used to set permissions on created files by default.
|
||
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
|
||
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
|
||
Defaults to 0644.
|
||
Directories within the path are not affected by this setting.
|
||
This might be in conflict with other options that affect the file
|
||
mode, like fsGroup, and the result can be other mode bits set.
|
||
format: int32
|
||
type: integer
|
||
items:
|
||
description: Items is a list of downward API volume
|
||
file
|
||
items:
|
||
description: DownwardAPIVolumeFile represents information
|
||
to create the file containing the pod field
|
||
properties:
|
||
fieldRef:
|
||
description: 'Required: Selects a field of the
|
||
pod: only annotations, labels, name and namespace
|
||
are supported.'
|
||
properties:
|
||
apiVersion:
|
||
description: Version of the schema the FieldPath
|
||
is written in terms of, defaults to "v1".
|
||
type: string
|
||
fieldPath:
|
||
description: Path of the field to select in
|
||
the specified API version.
|
||
type: string
|
||
required:
|
||
- fieldPath
|
||
type: object
|
||
x-kubernetes-map-type: atomic
|
||
mode:
|
||
description: |-
|
||
Optional: mode bits used to set permissions on this file, must be an octal value
|
||
between 0000 and 0777 or a decimal value between 0 and 511.
|
||
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
|
||
If not specified, the volume defaultMode will be used.
|
||
This might be in conflict with other options that affect the file
|
||
mode, like fsGroup, and the result can be other mode bits set.
|
||
format: int32
|
||
type: integer
|
||
path:
|
||
description: 'Required: Path is the relative
|
||
path name of the file to be created. Must not
|
||
be absolute or contain the ''..'' path. Must
|
||
be utf-8 encoded. The first item of the relative
|
||
path must not start with ''..'''
|
||
type: string
|
||
resourceFieldRef:
|
||
description: |-
|
||
Selects a resource of the container: only resources limits and requests
|
||
(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
|
||
properties:
|
||
containerName:
|
||
description: 'Container name: required for
|
||
volumes, optional for env vars'
|
||
type: string
|
||
divisor:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
description: Specifies the output format of
|
||
the exposed resources, defaults to "1"
|
||
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
||
x-kubernetes-int-or-string: true
|
||
resource:
|
||
description: 'Required: resource to select'
|
||
type: string
|
||
required:
|
||
- resource
|
||
type: object
|
||
x-kubernetes-map-type: atomic
|
||
required:
|
||
- path
|
||
type: object
|
||
type: array
|
||
type: object
|
||
emptyDir:
|
||
description: |-
|
||
emptyDir represents a temporary directory that shares a pod's lifetime.
|
||
More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
|
||
properties:
|
||
medium:
|
||
description: |-
|
||
medium represents what type of storage medium should back this directory.
|
||
The default is "" which means to use the node's default medium.
|
||
Must be an empty string (default) or Memory.
|
||
More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
|
||
type: string
|
||
sizeLimit:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
description: |-
|
||
sizeLimit is the total amount of local storage required for this EmptyDir volume.
|
||
The size limit is also applicable for memory medium.
|
||
The maximum usage on memory medium EmptyDir would be the minimum value between
|
||
the SizeLimit specified here and the sum of memory limits of all containers in a pod.
|
||
The default is nil which means that the limit is undefined.
|
||
More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
|
||
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
||
x-kubernetes-int-or-string: true
|
||
type: object
|
||
ephemeral:
|
||
description: |-
|
||
ephemeral represents a volume that is handled by a cluster storage driver.
|
||
The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
|
||
and deleted when the pod is removed.
|
||
Use this if:
|
||
a) the volume is only needed while the pod runs,
|
||
b) features of normal volumes like restoring from snapshot or capacity
|
||
tracking are needed,
|
||
c) the storage driver is specified through a storage class, and
|
||
d) the storage driver supports dynamic volume provisioning through
|
||
a PersistentVolumeClaim (see EphemeralVolumeSource for more
|
||
information on the connection between this volume type
|
||
and PersistentVolumeClaim).
|
||
Use PersistentVolumeClaim or one of the vendor-specific
|
||
APIs for volumes that persist for longer than the lifecycle
|
||
of an individual pod.
|
||
Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
|
||
be used that way - see the documentation of the driver for
|
||
more information.
|
||
A pod can use both types of ephemeral volumes and
|
||
persistent volumes at the same time.
|
||
properties:
|
||
volumeClaimTemplate:
|
||
description: |-
|
||
Will be used to create a stand-alone PVC to provision the volume.
|
||
The pod in which this EphemeralVolumeSource is embedded will be the
|
||
owner of the PVC, i.e. the PVC will be deleted together with the
|
||
pod. The name of the PVC will be `<pod name>-<volume name>` where
|
||
`<volume name>` is the name from the `PodSpec.Volumes` array
|
||
entry. Pod validation will reject the pod if the concatenated name
|
||
is not valid for a PVC (for example, too long).
|
||
An existing PVC with that name that is not owned by the pod
|
||
will *not* be used for the pod to avoid using an unrelated
|
||
volume by mistake. Starting the pod is then blocked until
|
||
the unrelated PVC is removed. If such a pre-created PVC is
|
||
meant to be used by the pod, the PVC has to updated with an
|
||
owner reference to the pod once the pod exists. Normally
|
||
this should not be necessary, but it may be useful when
|
||
manually reconstructing a broken cluster.
|
||
This field is read-only and no changes will be made by Kubernetes
|
||
to the PVC after it has been created.
|
||
Required, must not be nil.
|
||
properties:
|
||
metadata:
|
||
description: |-
|
||
May contain labels and annotations that will be copied into the PVC
|
||
when creating it. No other fields are allowed and will be rejected during
|
||
validation.
|
||
type: object
|
||
spec:
|
||
description: |-
|
||
The specification for the PersistentVolumeClaim. The entire content is
|
||
copied unchanged into the PVC that gets created from this
|
||
template. The same fields as in a PersistentVolumeClaim
|
||
are also valid here.
|
||
properties:
|
||
accessModes:
|
||
description: |-
|
||
accessModes contains the desired access modes the volume should have.
|
||
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
|
||
items:
|
||
type: string
|
||
type: array
|
||
dataSource:
|
||
description: |-
|
||
dataSource field can be used to specify either:
|
||
* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
|
||
* An existing PVC (PersistentVolumeClaim)
|
||
If the provisioner or an external controller can support the specified data source,
|
||
it will create a new volume based on the contents of the specified data source.
|
||
When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,
|
||
and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.
|
||
If the namespace is specified, then dataSourceRef will not be copied to dataSource.
|
||
properties:
|
||
apiGroup:
|
||
description: |-
|
||
APIGroup is the group for the resource being referenced.
|
||
If APIGroup is not specified, the specified Kind must be in the core API group.
|
||
For any other third-party types, APIGroup is required.
|
||
type: string
|
||
kind:
|
||
description: Kind is the type of resource
|
||
being referenced
|
||
type: string
|
||
name:
|
||
description: Name is the name of resource
|
||
being referenced
|
||
type: string
|
||
required:
|
||
- kind
|
||
- name
|
||
type: object
|
||
x-kubernetes-map-type: atomic
|
||
dataSourceRef:
|
||
description: |-
|
||
dataSourceRef specifies the object from which to populate the volume with data, if a non-empty
|
||
volume is desired. This may be any object from a non-empty API group (non
|
||
core object) or a PersistentVolumeClaim object.
|
||
When this field is specified, volume binding will only succeed if the type of
|
||
the specified object matches some installed volume populator or dynamic
|
||
provisioner.
|
||
This field will replace the functionality of the dataSource field and as such
|
||
if both fields are non-empty, they must have the same value. For backwards
|
||
compatibility, when namespace isn't specified in dataSourceRef,
|
||
both fields (dataSource and dataSourceRef) will be set to the same
|
||
value automatically if one of them is empty and the other is non-empty.
|
||
When namespace is specified in dataSourceRef,
|
||
dataSource isn't set to the same value and must be empty.
|
||
There are three important differences between dataSource and dataSourceRef:
|
||
* While dataSource only allows two specific types of objects, dataSourceRef
|
||
allows any non-core object, as well as PersistentVolumeClaim objects.
|
||
* While dataSource ignores disallowed values (dropping them), dataSourceRef
|
||
preserves all values, and generates an error if a disallowed value is
|
||
specified.
|
||
* While dataSource only allows local objects, dataSourceRef allows objects
|
||
in any namespaces.
|
||
(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.
|
||
(Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
|
||
properties:
|
||
apiGroup:
|
||
description: |-
|
||
APIGroup is the group for the resource being referenced.
|
||
If APIGroup is not specified, the specified Kind must be in the core API group.
|
||
For any other third-party types, APIGroup is required.
|
||
type: string
|
||
kind:
|
||
description: Kind is the type of resource
|
||
being referenced
|
||
type: string
|
||
name:
|
||
description: Name is the name of resource
|
||
being referenced
|
||
type: string
|
||
namespace:
|
||
description: |-
|
||
Namespace is the namespace of resource being referenced
|
||
Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.
|
||
(Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
|
||
type: string
|
||
required:
|
||
- kind
|
||
- name
|
||
type: object
|
||
resources:
|
||
description: |-
|
||
resources represents the minimum resources the volume should have.
|
||
If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
|
||
that are lower than previous value but must still be higher than capacity recorded in the
|
||
status field of the claim.
|
||
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
|
||
properties:
|
||
limits:
|
||
additionalProperties:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
||
x-kubernetes-int-or-string: true
|
||
description: |-
|
||
Limits describes the maximum amount of compute resources allowed.
|
||
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
|
||
type: object
|
||
requests:
|
||
additionalProperties:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
||
x-kubernetes-int-or-string: true
|
||
description: |-
|
||
Requests describes the minimum amount of compute resources required.
|
||
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
|
||
otherwise to an implementation-defined value. Requests cannot exceed Limits.
|
||
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
|
||
type: object
|
||
type: object
|
||
selector:
|
||
description: selector is a label query over
|
||
volumes to consider for binding.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions is a list
|
||
of label selector requirements. The requirements
|
||
are ANDed.
|
||
items:
|
||
description: |-
|
||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: key is the label key
|
||
that the selector applies to.
|
||
type: string
|
||
operator:
|
||
description: |-
|
||
operator represents a key's relationship to a set of values.
|
||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: |-
|
||
values is an array of string values. If the operator is In or NotIn,
|
||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||
the values array must be empty. This array is replaced during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: |-
|
||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||
type: object
|
||
type: object
|
||
x-kubernetes-map-type: atomic
|
||
storageClassName:
|
||
description: |-
|
||
storageClassName is the name of the StorageClass required by the claim.
|
||
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
|
||
type: string
|
||
volumeAttributesClassName:
|
||
description: |-
|
||
volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
|
||
If specified, the CSI driver will create or update the volume with the attributes defined
|
||
in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
|
||
it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
|
||
will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
|
||
If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
|
||
will be set by the persistentvolume controller if it exists.
|
||
If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
|
||
set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
|
||
exists.
|
||
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass
|
||
(Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled.
|
||
type: string
|
||
volumeMode:
|
||
description: |-
|
||
volumeMode defines what type of volume is required by the claim.
|
||
Value of Filesystem is implied when not included in claim spec.
|
||
type: string
|
||
volumeName:
|
||
description: volumeName is the binding reference
|
||
to the PersistentVolume backing this claim.
|
||
type: string
|
||
type: object
|
||
required:
|
||
- spec
|
||
type: object
|
||
type: object
|
||
fc:
|
||
description: fc represents a Fibre Channel resource that
|
||
is attached to a kubelet's host machine and then exposed
|
||
to the pod.
|
||
properties:
|
||
fsType:
|
||
description: |-
|
||
fsType is the filesystem type to mount.
|
||
Must be a filesystem type supported by the host operating system.
|
||
Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
|
||
TODO: how do we prevent errors in the filesystem from compromising the machine
|
||
type: string
|
||
lun:
|
||
description: 'lun is Optional: FC target lun number'
|
||
format: int32
|
||
type: integer
|
||
readOnly:
|
||
description: |-
|
||
readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
|
||
the ReadOnly setting in VolumeMounts.
|
||
type: boolean
|
||
targetWWNs:
|
||
description: 'targetWWNs is Optional: FC target worldwide
|
||
names (WWNs)'
|
||
items:
|
||
type: string
|
||
type: array
|
||
wwids:
|
||
description: |-
|
||
wwids Optional: FC volume world wide identifiers (wwids)
|
||
Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.
|
||
items:
|
||
type: string
|
||
type: array
|
||
type: object
|
||
flexVolume:
|
||
description: |-
|
||
flexVolume represents a generic volume resource that is
|
||
provisioned/attached using an exec based plugin.
|
||
properties:
|
||
driver:
|
||
description: driver is the name of the driver to use
|
||
for this volume.
|
||
type: string
|
||
fsType:
|
||
description: |-
|
||
fsType is the filesystem type to mount.
|
||
Must be a filesystem type supported by the host operating system.
|
||
Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
|
||
type: string
|
||
options:
|
||
additionalProperties:
|
||
type: string
|
||
description: 'options is Optional: this field holds
|
||
extra command options if any.'
|
||
type: object
|
||
readOnly:
|
||
description: |-
|
||
readOnly is Optional: defaults to false (read/write). ReadOnly here will force
|
||
the ReadOnly setting in VolumeMounts.
|
||
type: boolean
|
||
secretRef:
|
||
description: |-
|
||
secretRef is Optional: secretRef is reference to the secret object containing
|
||
sensitive information to pass to the plugin scripts. This may be
|
||
empty if no secret object is specified. If the secret object
|
||
contains more than one secret, all secrets are passed to the plugin
|
||
scripts.
|
||
properties:
|
||
name:
|
||
description: |-
|
||
Name of the referent.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||
TODO: Add other useful fields. apiVersion, kind, uid?
|
||
type: string
|
||
type: object
|
||
x-kubernetes-map-type: atomic
|
||
required:
|
||
- driver
|
||
type: object
|
||
flocker:
|
||
description: flocker represents a Flocker volume attached
|
||
to a kubelet's host machine. This depends on the Flocker
|
||
control service being running
|
||
properties:
|
||
datasetName:
|
||
description: |-
|
||
datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker
|
||
should be considered as deprecated
|
||
type: string
|
||
datasetUUID:
|
||
description: datasetUUID is the UUID of the dataset.
|
||
This is unique identifier of a Flocker dataset
|
||
type: string
|
||
type: object
|
||
gcePersistentDisk:
|
||
description: |-
|
||
gcePersistentDisk represents a GCE Disk resource that is attached to a
|
||
kubelet's host machine and then exposed to the pod.
|
||
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
|
||
properties:
|
||
fsType:
|
||
description: |-
|
||
fsType is filesystem type of the volume that you want to mount.
|
||
Tip: Ensure that the filesystem type is supported by the host operating system.
|
||
Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
|
||
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
|
||
TODO: how do we prevent errors in the filesystem from compromising the machine
|
||
type: string
|
||
partition:
|
||
description: |-
|
||
partition is the partition in the volume that you want to mount.
|
||
If omitted, the default is to mount by volume name.
|
||
Examples: For volume /dev/sda1, you specify the partition as "1".
|
||
Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
|
||
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
|
||
format: int32
|
||
type: integer
|
||
pdName:
|
||
description: |-
|
||
pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE.
|
||
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
|
||
type: string
|
||
readOnly:
|
||
description: |-
|
||
readOnly here will force the ReadOnly setting in VolumeMounts.
|
||
Defaults to false.
|
||
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
|
||
type: boolean
|
||
required:
|
||
- pdName
|
||
type: object
|
||
gitRepo:
|
||
description: |-
|
||
gitRepo represents a git repository at a particular revision.
|
||
DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
|
||
EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
|
||
into the Pod's container.
|
||
properties:
|
||
directory:
|
||
description: |-
|
||
directory is the target directory name.
|
||
Must not contain or start with '..'. If '.' is supplied, the volume directory will be the
|
||
git repository. Otherwise, if specified, the volume will contain the git repository in
|
||
the subdirectory with the given name.
|
||
type: string
|
||
repository:
|
||
description: repository is the URL
|
||
type: string
|
||
revision:
|
||
description: revision is the commit hash for the specified
|
||
revision.
|
||
type: string
|
||
required:
|
||
- repository
|
||
type: object
|
||
glusterfs:
|
||
description: |-
|
||
glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
|
||
More info: https://examples.k8s.io/volumes/glusterfs/README.md
|
||
properties:
|
||
endpoints:
|
||
description: |-
|
||
endpoints is the endpoint name that details Glusterfs topology.
|
||
More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
|
||
type: string
|
||
path:
|
||
description: |-
|
||
path is the Glusterfs volume path.
|
||
More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
|
||
type: string
|
||
readOnly:
|
||
description: |-
|
||
readOnly here will force the Glusterfs volume to be mounted with read-only permissions.
|
||
Defaults to false.
|
||
More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
|
||
type: boolean
|
||
required:
|
||
- endpoints
|
||
- path
|
||
type: object
|
||
hostPath:
|
||
description: |-
|
||
hostPath represents a pre-existing file or directory on the host
|
||
machine that is directly exposed to the container. This is generally
|
||
used for system agents or other privileged things that are allowed
|
||
to see the host machine. Most containers will NOT need this.
|
||
More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
|
||
---
|
||
TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
|
||
mount host directories as read/write.
|
||
properties:
|
||
path:
|
||
description: |-
|
||
path of the directory on the host.
|
||
If the path is a symlink, it will follow the link to the real path.
|
||
More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
|
||
type: string
|
||
type:
|
||
description: |-
|
||
type for HostPath Volume
|
||
Defaults to ""
|
||
More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
|
||
type: string
|
||
required:
|
||
- path
|
||
type: object
|
||
iscsi:
|
||
description: |-
|
||
iscsi represents an ISCSI Disk resource that is attached to a
|
||
kubelet's host machine and then exposed to the pod.
|
||
More info: https://examples.k8s.io/volumes/iscsi/README.md
|
||
properties:
|
||
chapAuthDiscovery:
|
||
description: chapAuthDiscovery defines whether support
|
||
iSCSI Discovery CHAP authentication
|
||
type: boolean
|
||
chapAuthSession:
|
||
description: chapAuthSession defines whether support
|
||
iSCSI Session CHAP authentication
|
||
type: boolean
|
||
fsType:
|
||
description: |-
|
||
fsType is the filesystem type of the volume that you want to mount.
|
||
Tip: Ensure that the filesystem type is supported by the host operating system.
|
||
Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
|
||
More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
|
||
TODO: how do we prevent errors in the filesystem from compromising the machine
|
||
type: string
|
||
initiatorName:
|
||
description: |-
|
||
initiatorName is the custom iSCSI Initiator Name.
|
||
If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface
|
||
<target portal>:<volume name> will be created for the connection.
|
||
type: string
|
||
iqn:
|
||
description: iqn is the target iSCSI Qualified Name.
|
||
type: string
|
||
iscsiInterface:
|
||
description: |-
|
||
iscsiInterface is the interface Name that uses an iSCSI transport.
|
||
Defaults to 'default' (tcp).
|
||
type: string
|
||
lun:
|
||
description: lun represents iSCSI Target Lun number.
|
||
format: int32
|
||
type: integer
|
||
portals:
|
||
description: |-
|
||
portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port
|
||
is other than default (typically TCP ports 860 and 3260).
|
||
items:
|
||
type: string
|
||
type: array
|
||
readOnly:
|
||
description: |-
|
||
readOnly here will force the ReadOnly setting in VolumeMounts.
|
||
Defaults to false.
|
||
type: boolean
|
||
secretRef:
|
||
description: secretRef is the CHAP Secret for iSCSI
|
||
target and initiator authentication
|
||
properties:
|
||
name:
|
||
description: |-
|
||
Name of the referent.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||
TODO: Add other useful fields. apiVersion, kind, uid?
|
||
type: string
|
||
type: object
|
||
x-kubernetes-map-type: atomic
|
||
targetPortal:
|
||
description: |-
|
||
targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port
|
||
is other than default (typically TCP ports 860 and 3260).
|
||
type: string
|
||
required:
|
||
- iqn
|
||
- lun
|
||
- targetPortal
|
||
type: object
|
||
name:
|
||
description: |-
|
||
name of the volume.
|
||
Must be a DNS_LABEL and unique within the pod.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||
type: string
|
||
nfs:
|
||
description: |-
|
||
nfs represents an NFS mount on the host that shares a pod's lifetime
|
||
More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
|
||
properties:
|
||
path:
|
||
description: |-
|
||
path that is exported by the NFS server.
|
||
More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
|
||
type: string
|
||
readOnly:
|
||
description: |-
|
||
readOnly here will force the NFS export to be mounted with read-only permissions.
|
||
Defaults to false.
|
||
More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
|
||
type: boolean
|
||
server:
|
||
description: |-
|
||
server is the hostname or IP address of the NFS server.
|
||
More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
|
||
type: string
|
||
required:
|
||
- path
|
||
- server
|
||
type: object
|
||
persistentVolumeClaim:
|
||
description: |-
|
||
persistentVolumeClaimVolumeSource represents a reference to a
|
||
PersistentVolumeClaim in the same namespace.
|
||
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
|
||
properties:
|
||
claimName:
|
||
description: |-
|
||
claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.
|
||
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
|
||
type: string
|
||
readOnly:
|
||
description: |-
|
||
readOnly Will force the ReadOnly setting in VolumeMounts.
|
||
Default false.
|
||
type: boolean
|
||
required:
|
||
- claimName
|
||
type: object
|
||
photonPersistentDisk:
|
||
description: photonPersistentDisk represents a PhotonController
|
||
persistent disk attached and mounted on kubelets host
|
||
machine
|
||
properties:
|
||
fsType:
|
||
description: |-
|
||
fsType is the filesystem type to mount.
|
||
Must be a filesystem type supported by the host operating system.
|
||
Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
|
||
type: string
|
||
pdID:
|
||
description: pdID is the ID that identifies Photon Controller
|
||
persistent disk
|
||
type: string
|
||
required:
|
||
- pdID
|
||
type: object
|
||
portworxVolume:
|
||
description: portworxVolume represents a portworx volume
|
||
attached and mounted on kubelets host machine
|
||
properties:
|
||
fsType:
|
||
description: |-
|
||
fSType represents the filesystem type to mount
|
||
Must be a filesystem type supported by the host operating system.
|
||
Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.
|
||
type: string
|
||
readOnly:
|
||
description: |-
|
||
readOnly defaults to false (read/write). ReadOnly here will force
|
||
the ReadOnly setting in VolumeMounts.
|
||
type: boolean
|
||
volumeID:
|
||
description: volumeID uniquely identifies a Portworx
|
||
volume
|
||
type: string
|
||
required:
|
||
- volumeID
|
||
type: object
|
||
projected:
|
||
description: projected items for all in one resources secrets,
|
||
configmaps, and downward API
|
||
properties:
|
||
defaultMode:
|
||
description: |-
|
||
defaultMode are the mode bits used to set permissions on created files by default.
|
||
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
|
||
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
|
||
Directories within the path are not affected by this setting.
|
||
This might be in conflict with other options that affect the file
|
||
mode, like fsGroup, and the result can be other mode bits set.
|
||
format: int32
|
||
type: integer
|
||
sources:
|
||
description: sources is the list of volume projections
|
||
items:
|
||
description: Projection that may be projected along
|
||
with other supported volume types
|
||
properties:
|
||
clusterTrustBundle:
|
||
description: |-
|
||
ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
|
||
of ClusterTrustBundle objects in an auto-updating file.
|
||
Alpha, gated by the ClusterTrustBundleProjection feature gate.
|
||
ClusterTrustBundle objects can either be selected by name, or by the
|
||
combination of signer name and a label selector.
|
||
Kubelet performs aggressive normalization of the PEM contents written
|
||
into the pod filesystem. Esoteric PEM features such as inter-block
|
||
comments and block headers are stripped. Certificates are deduplicated.
|
||
The ordering of certificates within the file is arbitrary, and Kubelet
|
||
may change the order over time.
|
||
properties:
|
||
labelSelector:
|
||
description: |-
|
||
Select all ClusterTrustBundles that match this label selector. Only has
|
||
effect if signerName is set. Mutually-exclusive with name. If unset,
|
||
interpreted as "match nothing". If set but empty, interpreted as "match
|
||
everything".
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions is a list
|
||
of label selector requirements. The
|
||
requirements are ANDed.
|
||
items:
|
||
description: |-
|
||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: key is the label key
|
||
that the selector applies to.
|
||
type: string
|
||
operator:
|
||
description: |-
|
||
operator represents a key's relationship to a set of values.
|
||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: |-
|
||
values is an array of string values. If the operator is In or NotIn,
|
||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||
the values array must be empty. This array is replaced during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: |-
|
||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||
type: object
|
||
type: object
|
||
x-kubernetes-map-type: atomic
|
||
name:
|
||
description: |-
|
||
Select a single ClusterTrustBundle by object name. Mutually-exclusive
|
||
with signerName and labelSelector.
|
||
type: string
|
||
optional:
|
||
description: |-
|
||
If true, don't block pod startup if the referenced ClusterTrustBundle(s)
|
||
aren't available. If using name, then the named ClusterTrustBundle is
|
||
allowed not to exist. If using signerName, then the combination of
|
||
signerName and labelSelector is allowed to match zero
|
||
ClusterTrustBundles.
|
||
type: boolean
|
||
path:
|
||
description: Relative path from the volume
|
||
root to write the bundle.
|
||
type: string
|
||
signerName:
|
||
description: |-
|
||
Select all ClusterTrustBundles that match this signer name.
|
||
Mutually-exclusive with name. The contents of all selected
|
||
ClusterTrustBundles will be unified and deduplicated.
|
||
type: string
|
||
required:
|
||
- path
|
||
type: object
|
||
configMap:
|
||
description: configMap information about the configMap
|
||
data to project
|
||
properties:
|
||
items:
|
||
description: |-
|
||
items if unspecified, each key-value pair in the Data field of the referenced
|
||
ConfigMap will be projected into the volume as a file whose name is the
|
||
key and content is the value. If specified, the listed keys will be
|
||
projected into the specified paths, and unlisted keys will not be
|
||
present. If a key is specified which is not present in the ConfigMap,
|
||
the volume setup will error unless it is marked optional. Paths must be
|
||
relative and may not contain the '..' path or start with '..'.
|
||
items:
|
||
description: Maps a string key to a path
|
||
within a volume.
|
||
properties:
|
||
key:
|
||
description: key is the key to project.
|
||
type: string
|
||
mode:
|
||
description: |-
|
||
mode is Optional: mode bits used to set permissions on this file.
|
||
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
|
||
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
|
||
If not specified, the volume defaultMode will be used.
|
||
This might be in conflict with other options that affect the file
|
||
mode, like fsGroup, and the result can be other mode bits set.
|
||
format: int32
|
||
type: integer
|
||
path:
|
||
description: |-
|
||
path is the relative path of the file to map the key to.
|
||
May not be an absolute path.
|
||
May not contain the path element '..'.
|
||
May not start with the string '..'.
|
||
type: string
|
||
required:
|
||
- key
|
||
- path
|
||
type: object
|
||
type: array
|
||
name:
|
||
description: |-
|
||
Name of the referent.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||
TODO: Add other useful fields. apiVersion, kind, uid?
|
||
type: string
|
||
optional:
|
||
description: optional specify whether the
|
||
ConfigMap or its keys must be defined
|
||
type: boolean
|
||
type: object
|
||
x-kubernetes-map-type: atomic
|
||
downwardAPI:
|
||
description: downwardAPI information about the
|
||
downwardAPI data to project
|
||
properties:
|
||
items:
|
||
description: Items is a list of DownwardAPIVolume
|
||
file
|
||
items:
|
||
description: DownwardAPIVolumeFile represents
|
||
information to create the file containing
|
||
the pod field
|
||
properties:
|
||
fieldRef:
|
||
description: 'Required: Selects a field
|
||
of the pod: only annotations, labels,
|
||
name and namespace are supported.'
|
||
properties:
|
||
apiVersion:
|
||
description: Version of the schema
|
||
the FieldPath is written in terms
|
||
of, defaults to "v1".
|
||
type: string
|
||
fieldPath:
|
||
description: Path of the field to
|
||
select in the specified API version.
|
||
type: string
|
||
required:
|
||
- fieldPath
|
||
type: object
|
||
x-kubernetes-map-type: atomic
|
||
mode:
|
||
description: |-
|
||
Optional: mode bits used to set permissions on this file, must be an octal value
|
||
between 0000 and 0777 or a decimal value between 0 and 511.
|
||
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
|
||
If not specified, the volume defaultMode will be used.
|
||
This might be in conflict with other options that affect the file
|
||
mode, like fsGroup, and the result can be other mode bits set.
|
||
format: int32
|
||
type: integer
|
||
path:
|
||
description: 'Required: Path is the
|
||
relative path name of the file to
|
||
be created. Must not be absolute or
|
||
contain the ''..'' path. Must be utf-8
|
||
encoded. The first item of the relative
|
||
path must not start with ''..'''
|
||
type: string
|
||
resourceFieldRef:
|
||
description: |-
|
||
Selects a resource of the container: only resources limits and requests
|
||
(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
|
||
properties:
|
||
containerName:
|
||
description: 'Container name: required
|
||
for volumes, optional for env
|
||
vars'
|
||
type: string
|
||
divisor:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
description: Specifies the output
|
||
format of the exposed resources,
|
||
defaults to "1"
|
||
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
||
x-kubernetes-int-or-string: true
|
||
resource:
|
||
description: 'Required: resource
|
||
to select'
|
||
type: string
|
||
required:
|
||
- resource
|
||
type: object
|
||
x-kubernetes-map-type: atomic
|
||
required:
|
||
- path
|
||
type: object
|
||
type: array
|
||
type: object
|
||
secret:
|
||
description: secret information about the secret
|
||
data to project
|
||
properties:
|
||
items:
|
||
description: |-
|
||
items if unspecified, each key-value pair in the Data field of the referenced
|
||
Secret will be projected into the volume as a file whose name is the
|
||
key and content is the value. If specified, the listed keys will be
|
||
projected into the specified paths, and unlisted keys will not be
|
||
present. If a key is specified which is not present in the Secret,
|
||
the volume setup will error unless it is marked optional. Paths must be
|
||
relative and may not contain the '..' path or start with '..'.
|
||
items:
|
||
description: Maps a string key to a path
|
||
within a volume.
|
||
properties:
|
||
key:
|
||
description: key is the key to project.
|
||
type: string
|
||
mode:
|
||
description: |-
|
||
mode is Optional: mode bits used to set permissions on this file.
|
||
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
|
||
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
|
||
If not specified, the volume defaultMode will be used.
|
||
This might be in conflict with other options that affect the file
|
||
mode, like fsGroup, and the result can be other mode bits set.
|
||
format: int32
|
||
type: integer
|
||
path:
|
||
description: |-
|
||
path is the relative path of the file to map the key to.
|
||
May not be an absolute path.
|
||
May not contain the path element '..'.
|
||
May not start with the string '..'.
|
||
type: string
|
||
required:
|
||
- key
|
||
- path
|
||
type: object
|
||
type: array
|
||
name:
|
||
description: |-
|
||
Name of the referent.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||
TODO: Add other useful fields. apiVersion, kind, uid?
|
||
type: string
|
||
optional:
|
||
description: optional field specify whether
|
||
the Secret or its key must be defined
|
||
type: boolean
|
||
type: object
|
||
x-kubernetes-map-type: atomic
|
||
serviceAccountToken:
|
||
description: serviceAccountToken is information
|
||
about the serviceAccountToken data to project
|
||
properties:
|
||
audience:
|
||
description: |-
|
||
audience is the intended audience of the token. A recipient of a token
|
||
must identify itself with an identifier specified in the audience of the
|
||
token, and otherwise should reject the token. The audience defaults to the
|
||
identifier of the apiserver.
|
||
type: string
|
||
expirationSeconds:
|
||
description: |-
|
||
expirationSeconds is the requested duration of validity of the service
|
||
account token. As the token approaches expiration, the kubelet volume
|
||
plugin will proactively rotate the service account token. The kubelet will
|
||
start trying to rotate the token if the token is older than 80 percent of
|
||
its time to live or if the token is older than 24 hours.Defaults to 1 hour
|
||
and must be at least 10 minutes.
|
||
format: int64
|
||
type: integer
|
||
path:
|
||
description: |-
|
||
path is the path relative to the mount point of the file to project the
|
||
token into.
|
||
type: string
|
||
required:
|
||
- path
|
||
type: object
|
||
type: object
|
||
type: array
|
||
type: object
|
||
quobyte:
|
||
description: quobyte represents a Quobyte mount on the host
|
||
that shares a pod's lifetime
|
||
properties:
|
||
group:
|
||
description: |-
|
||
group to map volume access to
|
||
Default is no group
|
||
type: string
|
||
readOnly:
|
||
description: |-
|
||
readOnly here will force the Quobyte volume to be mounted with read-only permissions.
|
||
Defaults to false.
|
||
type: boolean
|
||
registry:
|
||
description: |-
|
||
registry represents a single or multiple Quobyte Registry services
|
||
specified as a string as host:port pair (multiple entries are separated with commas)
|
||
which acts as the central registry for volumes
|
||
type: string
|
||
tenant:
|
||
description: |-
|
||
tenant owning the given Quobyte volume in the Backend
|
||
Used with dynamically provisioned Quobyte volumes, value is set by the plugin
|
||
type: string
|
||
user:
|
||
description: |-
|
||
user to map volume access to
|
||
Defaults to serivceaccount user
|
||
type: string
|
||
volume:
|
||
description: volume is a string that references an already
|
||
created Quobyte volume by name.
|
||
type: string
|
||
required:
|
||
- registry
|
||
- volume
|
||
type: object
|
||
rbd:
|
||
description: |-
|
||
rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
|
||
More info: https://examples.k8s.io/volumes/rbd/README.md
|
||
properties:
|
||
fsType:
|
||
description: |-
|
||
fsType is the filesystem type of the volume that you want to mount.
|
||
Tip: Ensure that the filesystem type is supported by the host operating system.
|
||
Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
|
||
More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
|
||
TODO: how do we prevent errors in the filesystem from compromising the machine
|
||
type: string
|
||
image:
|
||
description: |-
|
||
image is the rados image name.
|
||
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
|
||
type: string
|
||
keyring:
|
||
description: |-
|
||
keyring is the path to key ring for RBDUser.
|
||
Default is /etc/ceph/keyring.
|
||
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
|
||
type: string
|
||
monitors:
|
||
description: |-
|
||
monitors is a collection of Ceph monitors.
|
||
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
|
||
items:
|
||
type: string
|
||
type: array
|
||
pool:
|
||
description: |-
|
||
pool is the rados pool name.
|
||
Default is rbd.
|
||
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
|
||
type: string
|
||
readOnly:
|
||
description: |-
|
||
readOnly here will force the ReadOnly setting in VolumeMounts.
|
||
Defaults to false.
|
||
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
|
||
type: boolean
|
||
secretRef:
|
||
description: |-
|
||
secretRef is name of the authentication secret for RBDUser. If provided
|
||
overrides keyring.
|
||
Default is nil.
|
||
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
|
||
properties:
|
||
name:
|
||
description: |-
|
||
Name of the referent.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||
TODO: Add other useful fields. apiVersion, kind, uid?
|
||
type: string
|
||
type: object
|
||
x-kubernetes-map-type: atomic
|
||
user:
|
||
description: |-
|
||
user is the rados user name.
|
||
Default is admin.
|
||
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
|
||
type: string
|
||
required:
|
||
- image
|
||
- monitors
|
||
type: object
|
||
scaleIO:
|
||
description: scaleIO represents a ScaleIO persistent volume
|
||
attached and mounted on Kubernetes nodes.
|
||
properties:
|
||
fsType:
|
||
description: |-
|
||
fsType is the filesystem type to mount.
|
||
Must be a filesystem type supported by the host operating system.
|
||
Ex. "ext4", "xfs", "ntfs".
|
||
Default is "xfs".
|
||
type: string
|
||
gateway:
|
||
description: gateway is the host address of the ScaleIO
|
||
API Gateway.
|
||
type: string
|
||
protectionDomain:
|
||
description: protectionDomain is the name of the ScaleIO
|
||
Protection Domain for the configured storage.
|
||
type: string
|
||
readOnly:
|
||
description: |-
|
||
readOnly Defaults to false (read/write). ReadOnly here will force
|
||
the ReadOnly setting in VolumeMounts.
|
||
type: boolean
|
||
secretRef:
|
||
description: |-
|
||
secretRef references to the secret for ScaleIO user and other
|
||
sensitive information. If this is not provided, Login operation will fail.
|
||
properties:
|
||
name:
|
||
description: |-
|
||
Name of the referent.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||
TODO: Add other useful fields. apiVersion, kind, uid?
|
||
type: string
|
||
type: object
|
||
x-kubernetes-map-type: atomic
|
||
sslEnabled:
|
||
description: sslEnabled Flag enable/disable SSL communication
|
||
with Gateway, default false
|
||
type: boolean
|
||
storageMode:
|
||
description: |-
|
||
storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
|
||
Default is ThinProvisioned.
|
||
type: string
|
||
storagePool:
|
||
description: storagePool is the ScaleIO Storage Pool
|
||
associated with the protection domain.
|
||
type: string
|
||
system:
|
||
description: system is the name of the storage system
|
||
as configured in ScaleIO.
|
||
type: string
|
||
volumeName:
|
||
description: |-
|
||
volumeName is the name of a volume already created in the ScaleIO system
|
||
that is associated with this volume source.
|
||
type: string
|
||
required:
|
||
- gateway
|
||
- secretRef
|
||
- system
|
||
type: object
|
||
secret:
|
||
description: |-
|
||
secret represents a secret that should populate this volume.
|
||
More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
|
||
properties:
|
||
defaultMode:
|
||
description: |-
|
||
defaultMode is Optional: mode bits used to set permissions on created files by default.
|
||
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
|
||
YAML accepts both octal and decimal values, JSON requires decimal values
|
||
for mode bits. Defaults to 0644.
|
||
Directories within the path are not affected by this setting.
|
||
This might be in conflict with other options that affect the file
|
||
mode, like fsGroup, and the result can be other mode bits set.
|
||
format: int32
|
||
type: integer
|
||
items:
|
||
description: |-
|
||
items If unspecified, each key-value pair in the Data field of the referenced
|
||
Secret will be projected into the volume as a file whose name is the
|
||
key and content is the value. If specified, the listed keys will be
|
||
projected into the specified paths, and unlisted keys will not be
|
||
present. If a key is specified which is not present in the Secret,
|
||
the volume setup will error unless it is marked optional. Paths must be
|
||
relative and may not contain the '..' path or start with '..'.
|
||
items:
|
||
description: Maps a string key to a path within a
|
||
volume.
|
||
properties:
|
||
key:
|
||
description: key is the key to project.
|
||
type: string
|
||
mode:
|
||
description: |-
|
||
mode is Optional: mode bits used to set permissions on this file.
|
||
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
|
||
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
|
||
If not specified, the volume defaultMode will be used.
|
||
This might be in conflict with other options that affect the file
|
||
mode, like fsGroup, and the result can be other mode bits set.
|
||
format: int32
|
||
type: integer
|
||
path:
|
||
description: |-
|
||
path is the relative path of the file to map the key to.
|
||
May not be an absolute path.
|
||
May not contain the path element '..'.
|
||
May not start with the string '..'.
|
||
type: string
|
||
required:
|
||
- key
|
||
- path
|
||
type: object
|
||
type: array
|
||
optional:
|
||
description: optional field specify whether the Secret
|
||
or its keys must be defined
|
||
type: boolean
|
||
secretName:
|
||
description: |-
|
||
secretName is the name of the secret in the pod's namespace to use.
|
||
More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
|
||
type: string
|
||
type: object
|
||
storageos:
|
||
description: storageOS represents a StorageOS volume attached
|
||
and mounted on Kubernetes nodes.
|
||
properties:
|
||
fsType:
|
||
description: |-
|
||
fsType is the filesystem type to mount.
|
||
Must be a filesystem type supported by the host operating system.
|
||
Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
|
||
type: string
|
||
readOnly:
|
||
description: |-
|
||
readOnly defaults to false (read/write). ReadOnly here will force
|
||
the ReadOnly setting in VolumeMounts.
|
||
type: boolean
|
||
secretRef:
|
||
description: |-
|
||
secretRef specifies the secret to use for obtaining the StorageOS API
|
||
credentials. If not specified, default values will be attempted.
|
||
properties:
|
||
name:
|
||
description: |-
|
||
Name of the referent.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||
TODO: Add other useful fields. apiVersion, kind, uid?
|
||
type: string
|
||
type: object
|
||
x-kubernetes-map-type: atomic
|
||
volumeName:
|
||
description: |-
|
||
volumeName is the human-readable name of the StorageOS volume. Volume
|
||
names are only unique within a namespace.
|
||
type: string
|
||
volumeNamespace:
|
||
description: |-
|
||
volumeNamespace specifies the scope of the volume within StorageOS. If no
|
||
namespace is specified then the Pod's namespace will be used. This allows the
|
||
Kubernetes name scoping to be mirrored within StorageOS for tighter integration.
|
||
Set VolumeName to any name to override the default behaviour.
|
||
Set to "default" if you are not using namespaces within StorageOS.
|
||
Namespaces that do not pre-exist within StorageOS will be created.
|
||
type: string
|
||
type: object
|
||
vsphereVolume:
|
||
description: vsphereVolume represents a vSphere volume attached
|
||
and mounted on kubelets host machine
|
||
properties:
|
||
fsType:
|
||
description: |-
|
||
fsType is filesystem type to mount.
|
||
Must be a filesystem type supported by the host operating system.
|
||
Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
|
||
type: string
|
||
storagePolicyID:
|
||
description: storagePolicyID is the storage Policy Based
|
||
Management (SPBM) profile ID associated with the StoragePolicyName.
|
||
type: string
|
||
storagePolicyName:
|
||
description: storagePolicyName is the storage Policy
|
||
Based Management (SPBM) profile name.
|
||
type: string
|
||
volumePath:
|
||
description: volumePath is the path that identifies
|
||
vSphere volume vmdk
|
||
type: string
|
||
required:
|
||
- volumePath
|
||
type: object
|
||
required:
|
||
- name
|
||
type: object
|
||
type: array
|
||
logLevel:
|
||
description: |-
|
||
LogLevel sets the log level for Envoy.
|
||
Allowed values are "trace", "debug", "info", "warn", "error", "critical", "off".
|
||
type: string
|
||
networkPublishing:
|
||
description: NetworkPublishing defines how to expose Envoy to
|
||
a network.
|
||
properties:
|
||
externalTrafficPolicy:
|
||
description: |-
|
||
ExternalTrafficPolicy describes how nodes distribute service traffic they
|
||
receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs,
|
||
and LoadBalancer IPs).
|
||
If unset, defaults to "Local".
|
||
type: string
|
||
ipFamilyPolicy:
|
||
description: |-
|
||
IPFamilyPolicy represents the dual-stack-ness requested or required by
|
||
this Service. If there is no value provided, then this field will be set
|
||
to SingleStack. Services can be "SingleStack" (a single IP family),
|
||
"PreferDualStack" (two IP families on dual-stack configured clusters or
|
||
a single IP family on single-stack clusters), or "RequireDualStack"
|
||
(two IP families on dual-stack configured clusters, otherwise fail).
|
||
type: string
|
||
serviceAnnotations:
|
||
additionalProperties:
|
||
type: string
|
||
description: |-
|
||
ServiceAnnotations is the annotations to add to
|
||
the provisioned Envoy service.
|
||
type: object
|
||
type:
|
||
description: |-
|
||
NetworkPublishingType is the type of publishing strategy to use. Valid values are:
|
||
* LoadBalancerService
|
||
In this configuration, network endpoints for Envoy use container networking.
|
||
A Kubernetes LoadBalancer Service is created to publish Envoy network
|
||
endpoints.
|
||
See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
|
||
* NodePortService
|
||
Publishes Envoy network endpoints using a Kubernetes NodePort Service.
|
||
In this configuration, Envoy network endpoints use container networking. A Kubernetes
|
||
NodePort Service is created to publish the network endpoints.
|
||
See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
|
||
NOTE:
|
||
When provisioning an Envoy `NodePortService`, use Gateway Listeners' port numbers to populate
|
||
the Service's node port values, there's no way to auto-allocate them.
|
||
See: https://github.com/projectcontour/contour/issues/4499
|
||
* ClusterIPService
|
||
Publishes Envoy network endpoints using a Kubernetes ClusterIP Service.
|
||
In this configuration, Envoy network endpoints use container networking. A Kubernetes
|
||
ClusterIP Service is created to publish the network endpoints.
|
||
See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
|
||
If unset, defaults to LoadBalancerService.
|
||
type: string
|
||
type: object
|
||
nodePlacement:
|
||
description: NodePlacement describes node scheduling configuration
|
||
of Envoy pods.
|
||
properties:
|
||
nodeSelector:
|
||
additionalProperties:
|
||
type: string
|
||
description: |-
|
||
NodeSelector is the simplest recommended form of node selection constraint
|
||
and specifies a map of key-value pairs. For the pod to be eligible
|
||
to run on a node, the node must have each of the indicated key-value pairs
|
||
as labels (it can have additional labels as well).
|
||
If unset, the pod(s) will be scheduled to any available node.
|
||
type: object
|
||
tolerations:
|
||
description: |-
|
||
Tolerations work with taints to ensure that pods are not scheduled
|
||
onto inappropriate nodes. One or more taints are applied to a node; this
|
||
marks that the node should not accept any pods that do not tolerate the
|
||
taints.
|
||
The default is an empty list.
|
||
See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
||
for additional details.
|
||
items:
|
||
description: |-
|
||
The pod this Toleration is attached to tolerates any taint that matches
|
||
the triple <key,value,effect> using the matching operator <operator>.
|
||
properties:
|
||
effect:
|
||
description: |-
|
||
Effect indicates the taint effect to match. Empty means match all taint effects.
|
||
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
|
||
type: string
|
||
key:
|
||
description: |-
|
||
Key is the taint key that the toleration applies to. Empty means match all taint keys.
|
||
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
|
||
type: string
|
||
operator:
|
||
description: |-
|
||
Operator represents a key's relationship to the value.
|
||
Valid operators are Exists and Equal. Defaults to Equal.
|
||
Exists is equivalent to wildcard for value, so that a pod can
|
||
tolerate all taints of a particular category.
|
||
type: string
|
||
tolerationSeconds:
|
||
description: |-
|
||
TolerationSeconds represents the period of time the toleration (which must be
|
||
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
|
||
it is not set, which means tolerate the taint forever (do not evict). Zero and
|
||
negative values will be treated as 0 (evict immediately) by the system.
|
||
format: int64
|
||
type: integer
|
||
value:
|
||
description: |-
|
||
Value is the taint value the toleration matches to.
|
||
If the operator is Exists, the value should be empty, otherwise just a regular string.
|
||
type: string
|
||
type: object
|
||
type: array
|
||
type: object
|
||
overloadMaxHeapSize:
|
||
description: |-
|
||
OverloadMaxHeapSize defines the maximum heap memory of the envoy controlled by the overload manager.
|
||
When the value is greater than 0, the overload manager is enabled,
|
||
and when envoy reaches 95% of the maximum heap size, it performs a shrink heap operation,
|
||
When it reaches 98% of the maximum heap size, Envoy Will stop accepting requests.
|
||
More info: https://projectcontour.io/docs/main/config/overload-manager/
|
||
format: int64
|
||
type: integer
|
||
podAnnotations:
|
||
additionalProperties:
|
||
type: string
|
||
description: |-
|
||
PodAnnotations defines annotations to add to the Envoy pods.
|
||
the annotations for Prometheus will be appended or overwritten with predefined value.
|
||
type: object
|
||
replicas:
|
||
description: |-
|
||
Deprecated: Use `DeploymentSettings.Replicas` instead.
|
||
Replicas is the desired number of Envoy replicas. If WorkloadType
|
||
is not "Deployment", this field is ignored. Otherwise, if unset,
|
||
defaults to 2.
|
||
if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`.
|
||
format: int32
|
||
minimum: 0
|
||
type: integer
|
||
resources:
|
||
description: |-
|
||
Compute Resources required by envoy container.
|
||
Cannot be updated.
|
||
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
|
||
properties:
|
||
claims:
|
||
description: |-
|
||
Claims lists the names of resources, defined in spec.resourceClaims,
|
||
that are used by this container.
|
||
This is an alpha field and requires enabling the
|
||
DynamicResourceAllocation feature gate.
|
||
This field is immutable. It can only be set for containers.
|
||
items:
|
||
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
|
||
properties:
|
||
name:
|
||
description: |-
|
||
Name must match the name of one entry in pod.spec.resourceClaims of
|
||
the Pod where this field is used. It makes that resource available
|
||
inside a container.
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
type: array
|
||
x-kubernetes-list-map-keys:
|
||
- name
|
||
x-kubernetes-list-type: map
|
||
limits:
|
||
additionalProperties:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
||
x-kubernetes-int-or-string: true
|
||
description: |-
|
||
Limits describes the maximum amount of compute resources allowed.
|
||
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
|
||
type: object
|
||
requests:
|
||
additionalProperties:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
||
x-kubernetes-int-or-string: true
|
||
description: |-
|
||
Requests describes the minimum amount of compute resources required.
|
||
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
|
||
otherwise to an implementation-defined value. Requests cannot exceed Limits.
|
||
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
|
||
type: object
|
||
type: object
|
||
workloadType:
|
||
description: |-
|
||
WorkloadType is the type of workload to install Envoy
|
||
as. Choices are DaemonSet and Deployment. If unset, defaults
|
||
to DaemonSet.
|
||
type: string
|
||
type: object
|
||
resourceLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: |-
|
||
ResourceLabels is a set of labels to add to the provisioned Contour resources.
|
||
Deprecated: use Gateway.Spec.Infrastructure.Labels instead. This field will be
|
||
removed in a future release.
|
||
type: object
|
||
runtimeSettings:
|
||
description: |-
|
||
RuntimeSettings is a ContourConfiguration spec to be used when
|
||
provisioning a Contour instance that will influence aspects of
|
||
the Contour instance's runtime behavior.
|
||
properties:
|
||
debug:
|
||
description: |-
|
||
Debug contains parameters to enable debug logging
|
||
and debug interfaces inside Contour.
|
||
properties:
|
||
address:
|
||
description: |-
|
||
Defines the Contour debug address interface.
|
||
Contour's default is "127.0.0.1".
|
||
type: string
|
||
port:
|
||
description: |-
|
||
Defines the Contour debug address port.
|
||
Contour's default is 6060.
|
||
type: integer
|
||
type: object
|
||
enableExternalNameService:
|
||
description: |-
|
||
EnableExternalNameService allows processing of ExternalNameServices
|
||
Contour's default is false for security reasons.
|
||
type: boolean
|
||
envoy:
|
||
description: |-
|
||
Envoy contains parameters for Envoy as well
|
||
as how to optionally configure a managed Envoy fleet.
|
||
properties:
|
||
clientCertificate:
|
||
description: |-
|
||
ClientCertificate defines the namespace/name of the Kubernetes
|
||
secret containing the client certificate and private key
|
||
to be used when establishing TLS connection to upstream
|
||
cluster.
|
||
properties:
|
||
name:
|
||
type: string
|
||
namespace:
|
||
type: string
|
||
required:
|
||
- name
|
||
- namespace
|
||
type: object
|
||
cluster:
|
||
description: |-
|
||
Cluster holds various configurable Envoy cluster values that can
|
||
be set in the config file.
|
||
properties:
|
||
circuitBreakers:
|
||
description: |-
|
||
GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services.
|
||
If defined, this will be used as the default for all services.
|
||
properties:
|
||
maxConnections:
|
||
description: The maximum number of connections that
|
||
a single Envoy instance allows to the Kubernetes
|
||
Service; defaults to 1024.
|
||
format: int32
|
||
type: integer
|
||
maxPendingRequests:
|
||
description: The maximum number of pending requests
|
||
that a single Envoy instance allows to the Kubernetes
|
||
Service; defaults to 1024.
|
||
format: int32
|
||
type: integer
|
||
maxRequests:
|
||
description: The maximum parallel requests a single
|
||
Envoy instance allows to the Kubernetes Service;
|
||
defaults to 1024
|
||
format: int32
|
||
type: integer
|
||
maxRetries:
|
||
description: The maximum number of parallel retries
|
||
a single Envoy instance allows to the Kubernetes
|
||
Service; defaults to 3.
|
||
format: int32
|
||
type: integer
|
||
type: object
|
||
dnsLookupFamily:
|
||
description: |-
|
||
DNSLookupFamily defines how external names are looked up
|
||
When configured as V4, the DNS resolver will only perform a lookup
|
||
for addresses in the IPv4 family. If V6 is configured, the DNS resolver
|
||
will only perform a lookup for addresses in the IPv6 family.
|
||
If AUTO is configured, the DNS resolver will first perform a lookup
|
||
for addresses in the IPv6 family and fallback to a lookup for addresses
|
||
in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for
|
||
both IPv4 and IPv6 families, and return all resolved addresses.
|
||
When this is used, Happy Eyeballs will be enabled for upstream connections.
|
||
Refer to Happy Eyeballs Support for more information.
|
||
Note: This only applies to externalName clusters.
|
||
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily
|
||
for more information.
|
||
Values: `auto` (default), `v4`, `v6`, `all`.
|
||
Other values will produce an error.
|
||
type: string
|
||
maxRequestsPerConnection:
|
||
description: |-
|
||
Defines the maximum requests for upstream connections. If not specified, there is no limit.
|
||
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions
|
||
for more information.
|
||
format: int32
|
||
minimum: 1
|
||
type: integer
|
||
per-connection-buffer-limit-bytes:
|
||
description: |-
|
||
Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes.
|
||
If unspecified, an implementation defined default is applied (1MiB).
|
||
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes
|
||
for more information.
|
||
format: int32
|
||
minimum: 1
|
||
type: integer
|
||
upstreamTLS:
|
||
description: UpstreamTLS contains the TLS policy parameters
|
||
for upstream connections
|
||
properties:
|
||
cipherSuites:
|
||
description: |-
|
||
CipherSuites defines the TLS ciphers to be supported by Envoy TLS
|
||
listeners when negotiating TLS 1.2. Ciphers are validated against the
|
||
set that Envoy supports by default. This parameter should only be used
|
||
by advanced users. Note that these will be ignored when TLS 1.3 is in
|
||
use.
|
||
This field is optional; when it is undefined, a Contour-managed ciphersuite list
|
||
will be used, which may be updated to keep it secure.
|
||
Contour's default list is:
|
||
- "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
|
||
- "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
|
||
- "ECDHE-ECDSA-AES256-GCM-SHA384"
|
||
- "ECDHE-RSA-AES256-GCM-SHA384"
|
||
Ciphers provided are validated against the following list:
|
||
- "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
|
||
- "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
|
||
- "ECDHE-ECDSA-AES128-GCM-SHA256"
|
||
- "ECDHE-RSA-AES128-GCM-SHA256"
|
||
- "ECDHE-ECDSA-AES128-SHA"
|
||
- "ECDHE-RSA-AES128-SHA"
|
||
- "AES128-GCM-SHA256"
|
||
- "AES128-SHA"
|
||
- "ECDHE-ECDSA-AES256-GCM-SHA384"
|
||
- "ECDHE-RSA-AES256-GCM-SHA384"
|
||
- "ECDHE-ECDSA-AES256-SHA"
|
||
- "ECDHE-RSA-AES256-SHA"
|
||
- "AES256-GCM-SHA384"
|
||
- "AES256-SHA"
|
||
Contour recommends leaving this undefined unless you are sure you must.
|
||
See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
|
||
Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS.
|
||
items:
|
||
type: string
|
||
type: array
|
||
maximumProtocolVersion:
|
||
description: |-
|
||
MaximumProtocolVersion is the maximum TLS version this vhost should
|
||
negotiate.
|
||
Values: `1.2`, `1.3`(default).
|
||
Other values will produce an error.
|
||
type: string
|
||
minimumProtocolVersion:
|
||
description: |-
|
||
MinimumProtocolVersion is the minimum TLS version this vhost should
|
||
negotiate.
|
||
Values: `1.2` (default), `1.3`.
|
||
Other values will produce an error.
|
||
type: string
|
||
type: object
|
||
type: object
|
||
defaultHTTPVersions:
|
||
description: |-
|
||
DefaultHTTPVersions defines the default set of HTTPS
|
||
versions the proxy should accept. HTTP versions are
|
||
strings of the form "HTTP/xx". Supported versions are
|
||
"HTTP/1.1" and "HTTP/2".
|
||
Values: `HTTP/1.1`, `HTTP/2` (default: both).
|
||
Other values will produce an error.
|
||
items:
|
||
description: HTTPVersionType is the name of a supported
|
||
HTTP version.
|
||
type: string
|
||
type: array
|
||
health:
|
||
description: |-
|
||
Health defines the endpoint Envoy uses to serve health checks.
|
||
Contour's default is { address: "0.0.0.0", port: 8002 }.
|
||
properties:
|
||
address:
|
||
description: Defines the health address interface.
|
||
minLength: 1
|
||
type: string
|
||
port:
|
||
description: Defines the health port.
|
||
type: integer
|
||
type: object
|
||
http:
|
||
description: |-
|
||
Defines the HTTP Listener for Envoy.
|
||
Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }.
|
||
properties:
|
||
accessLog:
|
||
description: AccessLog defines where Envoy logs are outputted
|
||
for this listener.
|
||
type: string
|
||
address:
|
||
description: Defines an Envoy Listener Address.
|
||
minLength: 1
|
||
type: string
|
||
port:
|
||
description: Defines an Envoy listener Port.
|
||
type: integer
|
||
type: object
|
||
https:
|
||
description: |-
|
||
Defines the HTTPS Listener for Envoy.
|
||
Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }.
|
||
properties:
|
||
accessLog:
|
||
description: AccessLog defines where Envoy logs are outputted
|
||
for this listener.
|
||
type: string
|
||
address:
|
||
description: Defines an Envoy Listener Address.
|
||
minLength: 1
|
||
type: string
|
||
port:
|
||
description: Defines an Envoy listener Port.
|
||
type: integer
|
||
type: object
|
||
listener:
|
||
description: Listener hold various configurable Envoy listener
|
||
values.
|
||
properties:
|
||
connectionBalancer:
|
||
description: |-
|
||
ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer
|
||
See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig
|
||
for more information.
|
||
Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer.
|
||
Other values will produce an error.
|
||
type: string
|
||
disableAllowChunkedLength:
|
||
description: |-
|
||
DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to
|
||
strip the "Content-Length" header if "Transfer-Encoding: chunked" is
|
||
also set. This is an emergency off-switch to revert back to Envoy's
|
||
default behavior in case of failures. Please file an issue if failures
|
||
are encountered.
|
||
See: https://github.com/projectcontour/contour/issues/3221
|
||
Contour's default is false.
|
||
type: boolean
|
||
disableMergeSlashes:
|
||
description: |-
|
||
DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option
|
||
which strips duplicate slashes from request URL paths.
|
||
Contour's default is false.
|
||
type: boolean
|
||
httpMaxConcurrentStreams:
|
||
description: |-
|
||
Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the
|
||
SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed
|
||
for a peer on a single HTTP/2 connection. It is recommended to not set this lower
|
||
than 100 but this field can be used to bound resource usage by HTTP/2 connections
|
||
and mitigate attacks like CVE-2023-44487. The default value when this is not set is
|
||
unlimited.
|
||
format: int32
|
||
minimum: 1
|
||
type: integer
|
||
maxConnectionsPerListener:
|
||
description: |-
|
||
Defines the limit on number of active connections to a listener. The limit is applied
|
||
per listener. The default value when this is not set is unlimited.
|
||
format: int32
|
||
minimum: 1
|
||
type: integer
|
||
maxRequestsPerConnection:
|
||
description: |-
|
||
Defines the maximum requests for downstream connections. If not specified, there is no limit.
|
||
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions
|
||
for more information.
|
||
format: int32
|
||
minimum: 1
|
||
type: integer
|
||
maxRequestsPerIOCycle:
|
||
description: |-
|
||
Defines the limit on number of HTTP requests that Envoy will process from a single
|
||
connection in a single I/O cycle. Requests over this limit are processed in subsequent
|
||
I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is
|
||
detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default
|
||
value when this is not set is no limit.
|
||
format: int32
|
||
minimum: 1
|
||
type: integer
|
||
per-connection-buffer-limit-bytes:
|
||
description: |-
|
||
Defines the soft limit on size of the listener’s new connection read and write buffers in bytes.
|
||
If unspecified, an implementation defined default is applied (1MiB).
|
||
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes
|
||
for more information.
|
||
format: int32
|
||
minimum: 1
|
||
type: integer
|
||
serverHeaderTransformation:
|
||
description: |-
|
||
Defines the action to be applied to the Server header on the response path.
|
||
When configured as overwrite, overwrites any Server header with "envoy".
|
||
When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy".
|
||
When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present.
|
||
Values: `overwrite` (default), `append_if_absent`, `pass_through`
|
||
Other values will produce an error.
|
||
Contour's default is overwrite.
|
||
type: string
|
||
socketOptions:
|
||
description: |-
|
||
SocketOptions defines configurable socket options for the listeners.
|
||
Single set of options are applied to all listeners.
|
||
properties:
|
||
tos:
|
||
description: |-
|
||
Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners.
|
||
Single value is applied to all listeners.
|
||
If listeners are bound to IPv6-only addresses, setting this option will cause an error.
|
||
format: int32
|
||
maximum: 255
|
||
minimum: 0
|
||
type: integer
|
||
trafficClass:
|
||
description: |-
|
||
Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners.
|
||
Single value is applied to all listeners.
|
||
If listeners are bound to IPv4-only addresses, setting this option will cause an error.
|
||
format: int32
|
||
maximum: 255
|
||
minimum: 0
|
||
type: integer
|
||
type: object
|
||
tls:
|
||
description: TLS holds various configurable Envoy TLS
|
||
listener values.
|
||
properties:
|
||
cipherSuites:
|
||
description: |-
|
||
CipherSuites defines the TLS ciphers to be supported by Envoy TLS
|
||
listeners when negotiating TLS 1.2. Ciphers are validated against the
|
||
set that Envoy supports by default. This parameter should only be used
|
||
by advanced users. Note that these will be ignored when TLS 1.3 is in
|
||
use.
|
||
This field is optional; when it is undefined, a Contour-managed ciphersuite list
|
||
will be used, which may be updated to keep it secure.
|
||
Contour's default list is:
|
||
- "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
|
||
- "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
|
||
- "ECDHE-ECDSA-AES256-GCM-SHA384"
|
||
- "ECDHE-RSA-AES256-GCM-SHA384"
|
||
Ciphers provided are validated against the following list:
|
||
- "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
|
||
- "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
|
||
- "ECDHE-ECDSA-AES128-GCM-SHA256"
|
||
- "ECDHE-RSA-AES128-GCM-SHA256"
|
||
- "ECDHE-ECDSA-AES128-SHA"
|
||
- "ECDHE-RSA-AES128-SHA"
|
||
- "AES128-GCM-SHA256"
|
||
- "AES128-SHA"
|
||
- "ECDHE-ECDSA-AES256-GCM-SHA384"
|
||
- "ECDHE-RSA-AES256-GCM-SHA384"
|
||
- "ECDHE-ECDSA-AES256-SHA"
|
||
- "ECDHE-RSA-AES256-SHA"
|
||
- "AES256-GCM-SHA384"
|
||
- "AES256-SHA"
|
||
Contour recommends leaving this undefined unless you are sure you must.
|
||
See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
|
||
Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS.
|
||
items:
|
||
type: string
|
||
type: array
|
||
maximumProtocolVersion:
|
||
description: |-
|
||
MaximumProtocolVersion is the maximum TLS version this vhost should
|
||
negotiate.
|
||
Values: `1.2`, `1.3`(default).
|
||
Other values will produce an error.
|
||
type: string
|
||
minimumProtocolVersion:
|
||
description: |-
|
||
MinimumProtocolVersion is the minimum TLS version this vhost should
|
||
negotiate.
|
||
Values: `1.2` (default), `1.3`.
|
||
Other values will produce an error.
|
||
type: string
|
||
type: object
|
||
useProxyProtocol:
|
||
description: |-
|
||
Use PROXY protocol for all listeners.
|
||
Contour's default is false.
|
||
type: boolean
|
||
type: object
|
||
logging:
|
||
description: Logging defines how Envoy's logs can be configured.
|
||
properties:
|
||
accessLogFormat:
|
||
description: |-
|
||
AccessLogFormat sets the global access log format.
|
||
Values: `envoy` (default), `json`.
|
||
Other values will produce an error.
|
||
type: string
|
||
accessLogFormatString:
|
||
description: |-
|
||
AccessLogFormatString sets the access log format when format is set to `envoy`.
|
||
When empty, Envoy's default format is used.
|
||
type: string
|
||
accessLogJSONFields:
|
||
description: |-
|
||
AccessLogJSONFields sets the fields that JSON logging will
|
||
output when AccessLogFormat is json.
|
||
items:
|
||
type: string
|
||
type: array
|
||
accessLogLevel:
|
||
description: |-
|
||
AccessLogLevel sets the verbosity level of the access log.
|
||
Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`.
|
||
Other values will produce an error.
|
||
type: string
|
||
type: object
|
||
metrics:
|
||
description: |-
|
||
Metrics defines the endpoint Envoy uses to serve metrics.
|
||
Contour's default is { address: "0.0.0.0", port: 8002 }.
|
||
properties:
|
||
address:
|
||
description: Defines the metrics address interface.
|
||
maxLength: 253
|
||
minLength: 1
|
||
type: string
|
||
port:
|
||
description: Defines the metrics port.
|
||
type: integer
|
||
tls:
|
||
description: |-
|
||
TLS holds TLS file config details.
|
||
Metrics and health endpoints cannot have same port number when metrics is served over HTTPS.
|
||
properties:
|
||
caFile:
|
||
description: CA filename.
|
||
type: string
|
||
certFile:
|
||
description: Client certificate filename.
|
||
type: string
|
||
keyFile:
|
||
description: Client key filename.
|
||
type: string
|
||
type: object
|
||
type: object
|
||
network:
|
||
description: Network holds various configurable Envoy network
|
||
values.
|
||
properties:
|
||
adminPort:
|
||
description: |-
|
||
Configure the port used to access the Envoy Admin interface.
|
||
If configured to port "0" then the admin interface is disabled.
|
||
Contour's default is 9001.
|
||
type: integer
|
||
numTrustedHops:
|
||
description: |-
|
||
XffNumTrustedHops defines the number of additional ingress proxy hops from the
|
||
right side of the x-forwarded-for HTTP header to trust when determining the origin
|
||
client’s IP address.
|
||
See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops
|
||
for more information.
|
||
Contour's default is 0.
|
||
format: int32
|
||
type: integer
|
||
type: object
|
||
service:
|
||
description: |-
|
||
Service holds Envoy service parameters for setting Ingress status.
|
||
Contour's default is { namespace: "projectcontour", name: "envoy" }.
|
||
properties:
|
||
name:
|
||
type: string
|
||
namespace:
|
||
type: string
|
||
required:
|
||
- name
|
||
- namespace
|
||
type: object
|
||
timeouts:
|
||
description: |-
|
||
Timeouts holds various configurable timeouts that can
|
||
be set in the config file.
|
||
properties:
|
||
connectTimeout:
|
||
description: |-
|
||
ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service.
|
||
If not set, a default value of 2 seconds will be used.
|
||
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout
|
||
for more information.
|
||
type: string
|
||
connectionIdleTimeout:
|
||
description: |-
|
||
ConnectionIdleTimeout defines how long the proxy should wait while there are
|
||
no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating
|
||
an HTTP connection. Set to "infinity" to disable the timeout entirely.
|
||
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout
|
||
for more information.
|
||
type: string
|
||
connectionShutdownGracePeriod:
|
||
description: |-
|
||
ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an
|
||
initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection.
|
||
During this grace period, the proxy will continue to respond to new streams. After the final
|
||
GOAWAY frame has been sent, the proxy will refuse new streams.
|
||
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout
|
||
for more information.
|
||
type: string
|
||
delayedCloseTimeout:
|
||
description: |-
|
||
DelayedCloseTimeout defines how long envoy will wait, once connection
|
||
close processing has been initiated, for the downstream peer to close
|
||
the connection before Envoy closes the socket associated with the connection.
|
||
Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0'
|
||
in Envoy. Leaving it unset will result in the Envoy default value being used.
|
||
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout
|
||
for more information.
|
||
type: string
|
||
maxConnectionDuration:
|
||
description: |-
|
||
MaxConnectionDuration defines the maximum period of time after an HTTP connection
|
||
has been established from the client to the proxy before it is closed by the proxy,
|
||
regardless of whether there has been activity or not. Omit or set to "infinity" for
|
||
no max duration.
|
||
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration
|
||
for more information.
|
||
type: string
|
||
requestTimeout:
|
||
description: |-
|
||
RequestTimeout sets the client request timeout globally for Contour. Note that
|
||
this is a timeout for the entire request, not an idle timeout. Omit or set to
|
||
"infinity" to disable the timeout entirely.
|
||
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout
|
||
for more information.
|
||
type: string
|
||
streamIdleTimeout:
|
||
description: |-
|
||
StreamIdleTimeout defines how long the proxy should wait while there is no
|
||
request activity (for HTTP/1.1) or stream activity (for HTTP/2) before
|
||
terminating the HTTP request or stream. Set to "infinity" to disable the
|
||
timeout entirely.
|
||
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout
|
||
for more information.
|
||
type: string
|
||
type: object
|
||
type: object
|
||
featureFlags:
|
||
description: |-
|
||
FeatureFlags defines toggle to enable new contour features.
|
||
Available toggles are:
|
||
useEndpointSlices - configures contour to fetch endpoint data
|
||
from k8s endpoint slices. defaults to false and reading endpoint
|
||
data from the k8s endpoints.
|
||
items:
|
||
type: string
|
||
type: array
|
||
gateway:
|
||
description: |-
|
||
Gateway contains parameters for the gateway-api Gateway that Contour
|
||
is configured to serve traffic.
|
||
properties:
|
||
controllerName:
|
||
description: |-
|
||
ControllerName is used to determine whether Contour should reconcile a
|
||
GatewayClass. The string takes the form of "projectcontour.io/<namespace>/contour".
|
||
If unset, the gatewayclass controller will not be started.
|
||
Exactly one of ControllerName or GatewayRef must be set.
|
||
Deprecated: users should use GatewayRef, or the Gateway provisioner,
|
||
in place of this field. This field will be removed in a future release.
|
||
type: string
|
||
gatewayRef:
|
||
description: |-
|
||
GatewayRef defines a specific Gateway that this Contour
|
||
instance corresponds to. If set, Contour will reconcile
|
||
only this gateway, and will not reconcile any gateway
|
||
classes.
|
||
Exactly one of ControllerName or GatewayRef must be set.
|
||
properties:
|
||
name:
|
||
type: string
|
||
namespace:
|
||
type: string
|
||
required:
|
||
- name
|
||
- namespace
|
||
type: object
|
||
type: object
|
||
globalExtAuth:
|
||
description: |-
|
||
GlobalExternalAuthorization allows envoys external authorization filter
|
||
to be enabled for all virtual hosts.
|
||
properties:
|
||
authPolicy:
|
||
description: |-
|
||
AuthPolicy sets a default authorization policy for client requests.
|
||
This policy will be used unless overridden by individual routes.
|
||
properties:
|
||
context:
|
||
additionalProperties:
|
||
type: string
|
||
description: |-
|
||
Context is a set of key/value pairs that are sent to the
|
||
authentication server in the check request. If a context
|
||
is provided at an enclosing scope, the entries are merged
|
||
such that the inner scope overrides matching keys from the
|
||
outer scope.
|
||
type: object
|
||
disabled:
|
||
description: |-
|
||
When true, this field disables client request authentication
|
||
for the scope of the policy.
|
||
type: boolean
|
||
type: object
|
||
extensionRef:
|
||
description: ExtensionServiceRef specifies the extension resource
|
||
that will authorize client requests.
|
||
properties:
|
||
apiVersion:
|
||
description: |-
|
||
API version of the referent.
|
||
If this field is not specified, the default "projectcontour.io/v1alpha1" will be used
|
||
minLength: 1
|
||
type: string
|
||
name:
|
||
description: |-
|
||
Name of the referent.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||
minLength: 1
|
||
type: string
|
||
namespace:
|
||
description: |-
|
||
Namespace of the referent.
|
||
If this field is not specifies, the namespace of the resource that targets the referent will be used.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
|
||
minLength: 1
|
||
type: string
|
||
type: object
|
||
failOpen:
|
||
description: |-
|
||
If FailOpen is true, the client request is forwarded to the upstream service
|
||
even if the authorization server fails to respond. This field should not be
|
||
set in most cases. It is intended for use only while migrating applications
|
||
from internal authorization to Contour external authorization.
|
||
type: boolean
|
||
responseTimeout:
|
||
description: |-
|
||
ResponseTimeout configures maximum time to wait for a check response from the authorization server.
|
||
Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
|
||
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
|
||
The string "infinity" is also a valid input and specifies no timeout.
|
||
pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
|
||
type: string
|
||
withRequestBody:
|
||
description: WithRequestBody specifies configuration for sending
|
||
the client request's body to authorization server.
|
||
properties:
|
||
allowPartialMessage:
|
||
description: If AllowPartialMessage is true, then Envoy
|
||
will buffer the body until MaxRequestBytes are reached.
|
||
type: boolean
|
||
maxRequestBytes:
|
||
default: 1024
|
||
description: MaxRequestBytes sets the maximum size of
|
||
message body ExtAuthz filter will hold in-memory.
|
||
format: int32
|
||
minimum: 1
|
||
type: integer
|
||
packAsBytes:
|
||
description: If PackAsBytes is true, the body sent to
|
||
Authorization Server is in raw bytes.
|
||
type: boolean
|
||
type: object
|
||
type: object
|
||
health:
|
||
description: |-
|
||
Health defines the endpoints Contour uses to serve health checks.
|
||
Contour's default is { address: "0.0.0.0", port: 8000 }.
|
||
properties:
|
||
address:
|
||
description: Defines the health address interface.
|
||
minLength: 1
|
||
type: string
|
||
port:
|
||
description: Defines the health port.
|
||
type: integer
|
||
type: object
|
||
httpproxy:
|
||
description: HTTPProxy defines parameters on HTTPProxy.
|
||
properties:
|
||
disablePermitInsecure:
|
||
description: |-
|
||
DisablePermitInsecure disables the use of the
|
||
permitInsecure field in HTTPProxy.
|
||
Contour's default is false.
|
||
type: boolean
|
||
fallbackCertificate:
|
||
description: |-
|
||
FallbackCertificate defines the namespace/name of the Kubernetes secret to
|
||
use as fallback when a non-SNI request is received.
|
||
properties:
|
||
name:
|
||
type: string
|
||
namespace:
|
||
type: string
|
||
required:
|
||
- name
|
||
- namespace
|
||
type: object
|
||
rootNamespaces:
|
||
description: Restrict Contour to searching these namespaces
|
||
for root ingress routes.
|
||
items:
|
||
type: string
|
||
type: array
|
||
type: object
|
||
ingress:
|
||
description: Ingress contains parameters for ingress options.
|
||
properties:
|
||
classNames:
|
||
description: Ingress Class Names Contour should use.
|
||
items:
|
||
type: string
|
||
type: array
|
||
statusAddress:
|
||
description: Address to set in Ingress object status.
|
||
type: string
|
||
type: object
|
||
metrics:
|
||
description: |-
|
||
Metrics defines the endpoint Contour uses to serve metrics.
|
||
Contour's default is { address: "0.0.0.0", port: 8000 }.
|
||
properties:
|
||
address:
|
||
description: Defines the metrics address interface.
|
||
maxLength: 253
|
||
minLength: 1
|
||
type: string
|
||
port:
|
||
description: Defines the metrics port.
|
||
type: integer
|
||
tls:
|
||
description: |-
|
||
TLS holds TLS file config details.
|
||
Metrics and health endpoints cannot have same port number when metrics is served over HTTPS.
|
||
properties:
|
||
caFile:
|
||
description: CA filename.
|
||
type: string
|
||
certFile:
|
||
description: Client certificate filename.
|
||
type: string
|
||
keyFile:
|
||
description: Client key filename.
|
||
type: string
|
||
type: object
|
||
type: object
|
||
policy:
|
||
description: Policy specifies default policy applied if not overridden
|
||
by the user
|
||
properties:
|
||
applyToIngress:
|
||
description: |-
|
||
ApplyToIngress determines if the Policies will apply to ingress objects
|
||
Contour's default is false.
|
||
type: boolean
|
||
requestHeaders:
|
||
description: RequestHeadersPolicy defines the request headers
|
||
set/removed on all routes
|
||
properties:
|
||
remove:
|
||
items:
|
||
type: string
|
||
type: array
|
||
set:
|
||
additionalProperties:
|
||
type: string
|
||
type: object
|
||
type: object
|
||
responseHeaders:
|
||
description: ResponseHeadersPolicy defines the response headers
|
||
set/removed on all routes
|
||
properties:
|
||
remove:
|
||
items:
|
||
type: string
|
||
type: array
|
||
set:
|
||
additionalProperties:
|
||
type: string
|
||
type: object
|
||
type: object
|
||
type: object
|
||
rateLimitService:
|
||
description: |-
|
||
RateLimitService optionally holds properties of the Rate Limit Service
|
||
to be used for global rate limiting.
|
||
properties:
|
||
defaultGlobalRateLimitPolicy:
|
||
description: |-
|
||
DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy.
|
||
HTTPProxy can overwrite this configuration.
|
||
properties:
|
||
descriptors:
|
||
description: |-
|
||
Descriptors defines the list of descriptors that will
|
||
be generated and sent to the rate limit service. Each
|
||
descriptor contains 1+ key-value pair entries.
|
||
items:
|
||
description: RateLimitDescriptor defines a list of key-value
|
||
pair generators.
|
||
properties:
|
||
entries:
|
||
description: Entries is the list of key-value pair
|
||
generators.
|
||
items:
|
||
description: |-
|
||
RateLimitDescriptorEntry is a key-value pair generator. Exactly
|
||
one field on this struct must be non-nil.
|
||
properties:
|
||
genericKey:
|
||
description: GenericKey defines a descriptor
|
||
entry with a static key and value.
|
||
properties:
|
||
key:
|
||
description: |-
|
||
Key defines the key of the descriptor entry. If not set, the
|
||
key is set to "generic_key".
|
||
type: string
|
||
value:
|
||
description: Value defines the value of
|
||
the descriptor entry.
|
||
minLength: 1
|
||
type: string
|
||
type: object
|
||
remoteAddress:
|
||
description: |-
|
||
RemoteAddress defines a descriptor entry with a key of "remote_address"
|
||
and a value equal to the client's IP address (from x-forwarded-for).
|
||
type: object
|
||
requestHeader:
|
||
description: |-
|
||
RequestHeader defines a descriptor entry that's populated only if
|
||
a given header is present on the request. The descriptor key is static,
|
||
and the descriptor value is equal to the value of the header.
|
||
properties:
|
||
descriptorKey:
|
||
description: DescriptorKey defines the
|
||
key to use on the descriptor entry.
|
||
minLength: 1
|
||
type: string
|
||
headerName:
|
||
description: HeaderName defines the name
|
||
of the header to look for on the request.
|
||
minLength: 1
|
||
type: string
|
||
type: object
|
||
requestHeaderValueMatch:
|
||
description: |-
|
||
RequestHeaderValueMatch defines a descriptor entry that's populated
|
||
if the request's headers match a set of 1+ match criteria. The
|
||
descriptor key is "header_match", and the descriptor value is static.
|
||
properties:
|
||
expectMatch:
|
||
default: true
|
||
description: |-
|
||
ExpectMatch defines whether the request must positively match the match
|
||
criteria in order to generate a descriptor entry (i.e. true), or not
|
||
match the match criteria in order to generate a descriptor entry (i.e. false).
|
||
The default is true.
|
||
type: boolean
|
||
headers:
|
||
description: |-
|
||
Headers is a list of 1+ match criteria to apply against the request
|
||
to determine whether to populate the descriptor entry or not.
|
||
items:
|
||
description: |-
|
||
HeaderMatchCondition specifies how to conditionally match against HTTP
|
||
headers. The Name field is required, only one of Present, NotPresent,
|
||
Contains, NotContains, Exact, NotExact and Regex can be set.
|
||
For negative matching rules only (e.g. NotContains or NotExact) you can set
|
||
TreatMissingAsEmpty.
|
||
IgnoreCase has no effect for Regex.
|
||
properties:
|
||
contains:
|
||
description: |-
|
||
Contains specifies a substring that must be present in
|
||
the header value.
|
||
type: string
|
||
exact:
|
||
description: Exact specifies a string
|
||
that the header value must be
|
||
equal to.
|
||
type: string
|
||
ignoreCase:
|
||
description: |-
|
||
IgnoreCase specifies that string matching should be case insensitive.
|
||
Note that this has no effect on the Regex parameter.
|
||
type: boolean
|
||
name:
|
||
description: |-
|
||
Name is the name of the header to match against. Name is required.
|
||
Header names are case insensitive.
|
||
type: string
|
||
notcontains:
|
||
description: |-
|
||
NotContains specifies a substring that must not be present
|
||
in the header value.
|
||
type: string
|
||
notexact:
|
||
description: |-
|
||
NoExact specifies a string that the header value must not be
|
||
equal to. The condition is true if the header has any other value.
|
||
type: string
|
||
notpresent:
|
||
description: |-
|
||
NotPresent specifies that condition is true when the named header
|
||
is not present. Note that setting NotPresent to false does not
|
||
make the condition true if the named header is present.
|
||
type: boolean
|
||
present:
|
||
description: |-
|
||
Present specifies that condition is true when the named header
|
||
is present, regardless of its value. Note that setting Present
|
||
to false does not make the condition true if the named header
|
||
is absent.
|
||
type: boolean
|
||
regex:
|
||
description: |-
|
||
Regex specifies a regular expression pattern that must match the header
|
||
value.
|
||
type: string
|
||
treatMissingAsEmpty:
|
||
description: |-
|
||
TreatMissingAsEmpty specifies if the header match rule specified header
|
||
does not exist, this header value will be treated as empty. Defaults to false.
|
||
Unlike the underlying Envoy implementation this is **only** supported for
|
||
negative matches (e.g. NotContains, NotExact).
|
||
type: boolean
|
||
required:
|
||
- name
|
||
type: object
|
||
minItems: 1
|
||
type: array
|
||
value:
|
||
description: Value defines the value of
|
||
the descriptor entry.
|
||
minLength: 1
|
||
type: string
|
||
type: object
|
||
type: object
|
||
minItems: 1
|
||
type: array
|
||
type: object
|
||
minItems: 1
|
||
type: array
|
||
disabled:
|
||
description: |-
|
||
Disabled configures the HTTPProxy to not use
|
||
the default global rate limit policy defined by the Contour configuration.
|
||
type: boolean
|
||
type: object
|
||
domain:
|
||
description: Domain is passed to the Rate Limit Service.
|
||
type: string
|
||
enableResourceExhaustedCode:
|
||
description: |-
|
||
EnableResourceExhaustedCode enables translating error code 429 to
|
||
grpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE
|
||
type: boolean
|
||
enableXRateLimitHeaders:
|
||
description: |-
|
||
EnableXRateLimitHeaders defines whether to include the X-RateLimit
|
||
headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset
|
||
(as defined by the IETF Internet-Draft linked below), on responses
|
||
to clients when the Rate Limit Service is consulted for a request.
|
||
ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html
|
||
type: boolean
|
||
extensionService:
|
||
description: ExtensionService identifies the extension service
|
||
defining the RLS.
|
||
properties:
|
||
name:
|
||
type: string
|
||
namespace:
|
||
type: string
|
||
required:
|
||
- name
|
||
- namespace
|
||
type: object
|
||
failOpen:
|
||
description: |-
|
||
FailOpen defines whether to allow requests to proceed when the
|
||
Rate Limit Service fails to respond with a valid rate limit
|
||
decision within the timeout defined on the extension service.
|
||
type: boolean
|
||
required:
|
||
- extensionService
|
||
type: object
|
||
tracing:
|
||
description: Tracing defines properties for exporting trace data
|
||
to OpenTelemetry.
|
||
properties:
|
||
customTags:
|
||
description: CustomTags defines a list of custom tags with
|
||
unique tag name.
|
||
items:
|
||
description: |-
|
||
CustomTag defines custom tags with unique tag name
|
||
to create tags for the active span.
|
||
properties:
|
||
literal:
|
||
description: |-
|
||
Literal is a static custom tag value.
|
||
Precisely one of Literal, RequestHeaderName must be set.
|
||
type: string
|
||
requestHeaderName:
|
||
description: |-
|
||
RequestHeaderName indicates which request header
|
||
the label value is obtained from.
|
||
Precisely one of Literal, RequestHeaderName must be set.
|
||
type: string
|
||
tagName:
|
||
description: TagName is the unique name of the custom
|
||
tag.
|
||
type: string
|
||
required:
|
||
- tagName
|
||
type: object
|
||
type: array
|
||
extensionService:
|
||
description: ExtensionService identifies the extension service
|
||
defining the otel-collector.
|
||
properties:
|
||
name:
|
||
type: string
|
||
namespace:
|
||
type: string
|
||
required:
|
||
- name
|
||
- namespace
|
||
type: object
|
||
includePodDetail:
|
||
description: |-
|
||
IncludePodDetail defines a flag.
|
||
If it is true, contour will add the pod name and namespace to the span of the trace.
|
||
the default is true.
|
||
Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly.
|
||
type: boolean
|
||
maxPathTagLength:
|
||
description: |-
|
||
MaxPathTagLength defines maximum length of the request path
|
||
to extract and include in the HttpUrl tag.
|
||
contour's default is 256.
|
||
format: int32
|
||
type: integer
|
||
overallSampling:
|
||
description: |-
|
||
OverallSampling defines the sampling rate of trace data.
|
||
contour's default is 100.
|
||
type: string
|
||
serviceName:
|
||
description: |-
|
||
ServiceName defines the name for the service.
|
||
contour's default is contour.
|
||
type: string
|
||
required:
|
||
- extensionService
|
||
type: object
|
||
xdsServer:
|
||
description: XDSServer contains parameters for the xDS server.
|
||
properties:
|
||
address:
|
||
description: |-
|
||
Defines the xDS gRPC API address which Contour will serve.
|
||
Contour's default is "0.0.0.0".
|
||
minLength: 1
|
||
type: string
|
||
port:
|
||
description: |-
|
||
Defines the xDS gRPC API port which Contour will serve.
|
||
Contour's default is 8001.
|
||
type: integer
|
||
tls:
|
||
description: |-
|
||
TLS holds TLS file config details.
|
||
Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }.
|
||
properties:
|
||
caFile:
|
||
description: CA filename.
|
||
type: string
|
||
certFile:
|
||
description: Client certificate filename.
|
||
type: string
|
||
insecure:
|
||
description: Allow serving the xDS gRPC API without TLS.
|
||
type: boolean
|
||
keyFile:
|
||
description: Client key filename.
|
||
type: string
|
||
type: object
|
||
type:
|
||
description: |-
|
||
Defines the XDSServer to use for `contour serve`.
|
||
Values: `contour` (default), `envoy`.
|
||
Other values will produce an error.
|
||
type: string
|
||
type: object
|
||
type: object
|
||
type: object
|
||
status:
|
||
description: ContourDeploymentStatus defines the observed state of a ContourDeployment
|
||
resource.
|
||
properties:
|
||
conditions:
|
||
description: Conditions describe the current conditions of the ContourDeployment
|
||
resource.
|
||
items:
|
||
description: "Condition contains details for one aspect of the current
|
||
state of this API Resource.\n---\nThis struct is intended for
|
||
direct use as an array at the field path .status.conditions. For
|
||
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
|
||
observations of a foo's current state.\n\t // Known .status.conditions.type
|
||
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
|
||
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
|
||
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
|
||
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
|
||
\ // other fields\n\t}"
|
||
properties:
|
||
lastTransitionTime:
|
||
description: |-
|
||
lastTransitionTime is the last time the condition transitioned from one status to another.
|
||
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
|
||
format: date-time
|
||
type: string
|
||
message:
|
||
description: |-
|
||
message is a human readable message indicating details about the transition.
|
||
This may be an empty string.
|
||
maxLength: 32768
|
||
type: string
|
||
observedGeneration:
|
||
description: |-
|
||
observedGeneration represents the .metadata.generation that the condition was set based upon.
|
||
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
||
with respect to the current state of the instance.
|
||
format: int64
|
||
minimum: 0
|
||
type: integer
|
||
reason:
|
||
description: |-
|
||
reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
||
Producers of specific condition types may define expected values and meanings for this field,
|
||
and whether the values are considered a guaranteed API.
|
||
The value should be a CamelCase string.
|
||
This field may not be empty.
|
||
maxLength: 1024
|
||
minLength: 1
|
||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||
type: string
|
||
status:
|
||
description: status of the condition, one of True, False, Unknown.
|
||
enum:
|
||
- "True"
|
||
- "False"
|
||
- Unknown
|
||
type: string
|
||
type:
|
||
description: |-
|
||
type of condition in CamelCase or in foo.example.com/CamelCase.
|
||
---
|
||
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
|
||
useful (see .node.status.conditions), the ability to deconflict is important.
|
||
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||
maxLength: 316
|
||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||
type: string
|
||
required:
|
||
- lastTransitionTime
|
||
- message
|
||
- reason
|
||
- status
|
||
- type
|
||
type: object
|
||
type: array
|
||
x-kubernetes-list-map-keys:
|
||
- type
|
||
x-kubernetes-list-type: map
|
||
type: object
|
||
type: object
|
||
served: true
|
||
storage: true
|
||
subresources:
|
||
status: {}
|
||
---
|
||
apiVersion: apiextensions.k8s.io/v1
|
||
kind: CustomResourceDefinition
|
||
metadata:
|
||
annotations:
|
||
controller-gen.kubebuilder.io/version: v0.14.0
|
||
name: extensionservices.projectcontour.io
|
||
spec:
|
||
preserveUnknownFields: false
|
||
group: projectcontour.io
|
||
names:
|
||
kind: ExtensionService
|
||
listKind: ExtensionServiceList
|
||
plural: extensionservices
|
||
shortNames:
|
||
- extensionservice
|
||
- extensionservices
|
||
singular: extensionservice
|
||
scope: Namespaced
|
||
versions:
|
||
- name: v1alpha1
|
||
schema:
|
||
openAPIV3Schema:
|
||
description: |-
|
||
ExtensionService is the schema for the Contour extension services API.
|
||
An ExtensionService resource binds a network service to the Contour
|
||
API so that Contour API features can be implemented by collaborating
|
||
components.
|
||
properties:
|
||
apiVersion:
|
||
description: |-
|
||
APIVersion defines the versioned schema of this representation of an object.
|
||
Servers should convert recognized schemas to the latest internal value, and
|
||
may reject unrecognized values.
|
||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||
type: string
|
||
kind:
|
||
description: |-
|
||
Kind is a string value representing the REST resource this object represents.
|
||
Servers may infer this from the endpoint the client submits requests to.
|
||
Cannot be updated.
|
||
In CamelCase.
|
||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||
type: string
|
||
metadata:
|
||
type: object
|
||
spec:
|
||
description: ExtensionServiceSpec defines the desired state of an ExtensionService
|
||
resource.
|
||
properties:
|
||
loadBalancerPolicy:
|
||
description: |-
|
||
The policy for load balancing GRPC service requests. Note that the
|
||
`Cookie` and `RequestHash` load balancing strategies cannot be used
|
||
here.
|
||
properties:
|
||
requestHashPolicies:
|
||
description: |-
|
||
RequestHashPolicies contains a list of hash policies to apply when the
|
||
`RequestHash` load balancing strategy is chosen. If an element of the
|
||
supplied list of hash policies is invalid, it will be ignored. If the
|
||
list of hash policies is empty after validation, the load balancing
|
||
strategy will fall back to the default `RoundRobin`.
|
||
items:
|
||
description: |-
|
||
RequestHashPolicy contains configuration for an individual hash policy
|
||
on a request attribute.
|
||
properties:
|
||
hashSourceIP:
|
||
description: |-
|
||
HashSourceIP should be set to true when request source IP hash based
|
||
load balancing is desired. It must be the only hash option field set,
|
||
otherwise this request hash policy object will be ignored.
|
||
type: boolean
|
||
headerHashOptions:
|
||
description: |-
|
||
HeaderHashOptions should be set when request header hash based load
|
||
balancing is desired. It must be the only hash option field set,
|
||
otherwise this request hash policy object will be ignored.
|
||
properties:
|
||
headerName:
|
||
description: |-
|
||
HeaderName is the name of the HTTP request header that will be used to
|
||
calculate the hash key. If the header specified is not present on a
|
||
request, no hash will be produced.
|
||
minLength: 1
|
||
type: string
|
||
type: object
|
||
queryParameterHashOptions:
|
||
description: |-
|
||
QueryParameterHashOptions should be set when request query parameter hash based load
|
||
balancing is desired. It must be the only hash option field set,
|
||
otherwise this request hash policy object will be ignored.
|
||
properties:
|
||
parameterName:
|
||
description: |-
|
||
ParameterName is the name of the HTTP request query parameter that will be used to
|
||
calculate the hash key. If the query parameter specified is not present on a
|
||
request, no hash will be produced.
|
||
minLength: 1
|
||
type: string
|
||
type: object
|
||
terminal:
|
||
description: |-
|
||
Terminal is a flag that allows for short-circuiting computing of a hash
|
||
for a given request. If set to true, and the request attribute specified
|
||
in the attribute hash options is present, no further hash policies will
|
||
be used to calculate a hash for the request.
|
||
type: boolean
|
||
type: object
|
||
type: array
|
||
strategy:
|
||
description: |-
|
||
Strategy specifies the policy used to balance requests
|
||
across the pool of backend pods. Valid policy names are
|
||
`Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`,
|
||
and `RequestHash`. If an unknown strategy name is specified
|
||
or no policy is supplied, the default `RoundRobin` policy
|
||
is used.
|
||
type: string
|
||
type: object
|
||
protocol:
|
||
description: |-
|
||
Protocol may be used to specify (or override) the protocol used to reach this Service.
|
||
Values may be h2 or h2c. If omitted, protocol-selection falls back on Service annotations.
|
||
enum:
|
||
- h2
|
||
- h2c
|
||
type: string
|
||
protocolVersion:
|
||
description: |-
|
||
This field sets the version of the GRPC protocol that Envoy uses to
|
||
send requests to the extension service. Since Contour always uses the
|
||
v3 Envoy API, this is currently fixed at "v3". However, other
|
||
protocol options will be available in future.
|
||
enum:
|
||
- v3
|
||
type: string
|
||
services:
|
||
description: |-
|
||
Services specifies the set of Kubernetes Service resources that
|
||
receive GRPC extension API requests.
|
||
If no weights are specified for any of the entries in
|
||
this array, traffic will be spread evenly across all the
|
||
services.
|
||
Otherwise, traffic is balanced proportionally to the
|
||
Weight field in each entry.
|
||
items:
|
||
description: |-
|
||
ExtensionServiceTarget defines an Kubernetes Service to target with
|
||
extension service traffic.
|
||
properties:
|
||
name:
|
||
description: |-
|
||
Name is the name of Kubernetes service that will accept service
|
||
traffic.
|
||
type: string
|
||
port:
|
||
description: Port (defined as Integer) to proxy traffic to since
|
||
a service can have multiple defined.
|
||
exclusiveMaximum: true
|
||
maximum: 65536
|
||
minimum: 1
|
||
type: integer
|
||
weight:
|
||
description: Weight defines proportion of traffic to balance
|
||
to the Kubernetes Service.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- name
|
||
- port
|
||
type: object
|
||
minItems: 1
|
||
type: array
|
||
timeoutPolicy:
|
||
description: The timeout policy for requests to the services.
|
||
properties:
|
||
idle:
|
||
description: |-
|
||
Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2).
|
||
Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests.
|
||
If not specified, there is no per-route idle timeout, though a connection manager-wide
|
||
stream_idle_timeout default of 5m still applies.
|
||
pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
|
||
type: string
|
||
idleConnection:
|
||
description: |-
|
||
Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests.
|
||
If not supplied, Envoy's default value of 1h applies.
|
||
pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
|
||
type: string
|
||
response:
|
||
description: |-
|
||
Timeout for receiving a response from the server after processing a request from client.
|
||
If not supplied, Envoy's default value of 15s applies.
|
||
pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
|
||
type: string
|
||
type: object
|
||
validation:
|
||
description: UpstreamValidation defines how to verify the backend
|
||
service's certificate
|
||
properties:
|
||
caSecret:
|
||
description: |-
|
||
Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend.
|
||
The secret must contain key named ca.crt.
|
||
The name can be optionally prefixed with namespace "namespace/name".
|
||
When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
|
||
Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317)
|
||
maxLength: 317
|
||
minLength: 1
|
||
type: string
|
||
subjectName:
|
||
description: |-
|
||
Key which is expected to be present in the 'subjectAltName' of the presented certificate.
|
||
Deprecated: migrate to using the plural field subjectNames.
|
||
maxLength: 250
|
||
minLength: 1
|
||
type: string
|
||
subjectNames:
|
||
description: |-
|
||
List of keys, of which at least one is expected to be present in the 'subjectAltName of the
|
||
presented certificate.
|
||
items:
|
||
type: string
|
||
maxItems: 8
|
||
minItems: 1
|
||
type: array
|
||
required:
|
||
- caSecret
|
||
- subjectName
|
||
type: object
|
||
x-kubernetes-validations:
|
||
- message: subjectNames[0] must equal subjectName if set
|
||
rule: 'has(self.subjectNames) ? self.subjectNames[0] == self.subjectName
|
||
: true'
|
||
required:
|
||
- services
|
||
type: object
|
||
status:
|
||
description: |-
|
||
ExtensionServiceStatus defines the observed state of an
|
||
ExtensionService resource.
|
||
properties:
|
||
conditions:
|
||
description: |-
|
||
Conditions contains the current status of the ExtensionService resource.
|
||
Contour will update a single condition, `Valid`, that is in normal-true polarity.
|
||
Contour will not modify any other Conditions set in this block,
|
||
in case some other controller wants to add a Condition.
|
||
items:
|
||
description: |-
|
||
DetailedCondition is an extension of the normal Kubernetes conditions, with two extra
|
||
fields to hold sub-conditions, which provide more detailed reasons for the state (True or False)
|
||
of the condition.
|
||
`errors` holds information about sub-conditions which are fatal to that condition and render its state False.
|
||
`warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False.
|
||
Remember that Conditions have a type, a status, and a reason.
|
||
The type is the type of the condition, the most important one in this CRD set is `Valid`.
|
||
`Valid` is a positive-polarity condition: when it is `status: true` there are no problems.
|
||
In more detail, `status: true` means that the object is has been ingested into Contour with no errors.
|
||
`warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors`
|
||
slice in this case.
|
||
`Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour.
|
||
The details of the errors will be present under the `errors` field. There must be at least one error in the `errors`
|
||
slice if `status` is `false`.
|
||
For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity.
|
||
When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice.
|
||
When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice.
|
||
In either case, there may be entries in the `warnings` slice.
|
||
Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason
|
||
(if there is one and only one entry in total across both the `errors` and `warnings` slices), or
|
||
`MultipleReasons` if there is more than one entry.
|
||
properties:
|
||
errors:
|
||
description: |-
|
||
Errors contains a slice of relevant error subconditions for this object.
|
||
Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant.
|
||
An empty slice here indicates no errors.
|
||
items:
|
||
description: |-
|
||
SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
|
||
It contains a subset of the Condition fields.
|
||
It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
|
||
that is, they should be of the form "ErrorPresent: true".
|
||
The expected lifecycle for these errors is that they should only be present when the error or warning is,
|
||
and should be removed when they are not relevant.
|
||
properties:
|
||
message:
|
||
description: |-
|
||
Message is a human readable message indicating details about the transition.
|
||
This may be an empty string.
|
||
maxLength: 32768
|
||
type: string
|
||
reason:
|
||
description: |-
|
||
Reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
||
Producers of specific condition types may define expected values and meanings for this field,
|
||
and whether the values are considered a guaranteed API.
|
||
The value should be a CamelCase string.
|
||
This field may not be empty.
|
||
maxLength: 1024
|
||
minLength: 1
|
||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||
type: string
|
||
status:
|
||
description: Status of the condition, one of True, False,
|
||
Unknown.
|
||
enum:
|
||
- "True"
|
||
- "False"
|
||
- Unknown
|
||
type: string
|
||
type:
|
||
description: |-
|
||
Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
|
||
This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
|
||
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||
maxLength: 316
|
||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||
type: string
|
||
required:
|
||
- message
|
||
- reason
|
||
- status
|
||
- type
|
||
type: object
|
||
type: array
|
||
lastTransitionTime:
|
||
description: |-
|
||
lastTransitionTime is the last time the condition transitioned from one status to another.
|
||
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
|
||
format: date-time
|
||
type: string
|
||
message:
|
||
description: |-
|
||
message is a human readable message indicating details about the transition.
|
||
This may be an empty string.
|
||
maxLength: 32768
|
||
type: string
|
||
observedGeneration:
|
||
description: |-
|
||
observedGeneration represents the .metadata.generation that the condition was set based upon.
|
||
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
||
with respect to the current state of the instance.
|
||
format: int64
|
||
minimum: 0
|
||
type: integer
|
||
reason:
|
||
description: |-
|
||
reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
||
Producers of specific condition types may define expected values and meanings for this field,
|
||
and whether the values are considered a guaranteed API.
|
||
The value should be a CamelCase string.
|
||
This field may not be empty.
|
||
maxLength: 1024
|
||
minLength: 1
|
||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||
type: string
|
||
status:
|
||
description: status of the condition, one of True, False, Unknown.
|
||
enum:
|
||
- "True"
|
||
- "False"
|
||
- Unknown
|
||
type: string
|
||
type:
|
||
description: |-
|
||
type of condition in CamelCase or in foo.example.com/CamelCase.
|
||
---
|
||
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
|
||
useful (see .node.status.conditions), the ability to deconflict is important.
|
||
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||
maxLength: 316
|
||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||
type: string
|
||
warnings:
|
||
description: |-
|
||
Warnings contains a slice of relevant warning subconditions for this object.
|
||
Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant.
|
||
An empty slice here indicates no warnings.
|
||
items:
|
||
description: |-
|
||
SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
|
||
It contains a subset of the Condition fields.
|
||
It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
|
||
that is, they should be of the form "ErrorPresent: true".
|
||
The expected lifecycle for these errors is that they should only be present when the error or warning is,
|
||
and should be removed when they are not relevant.
|
||
properties:
|
||
message:
|
||
description: |-
|
||
Message is a human readable message indicating details about the transition.
|
||
This may be an empty string.
|
||
maxLength: 32768
|
||
type: string
|
||
reason:
|
||
description: |-
|
||
Reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
||
Producers of specific condition types may define expected values and meanings for this field,
|
||
and whether the values are considered a guaranteed API.
|
||
The value should be a CamelCase string.
|
||
This field may not be empty.
|
||
maxLength: 1024
|
||
minLength: 1
|
||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||
type: string
|
||
status:
|
||
description: Status of the condition, one of True, False,
|
||
Unknown.
|
||
enum:
|
||
- "True"
|
||
- "False"
|
||
- Unknown
|
||
type: string
|
||
type:
|
||
description: |-
|
||
Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
|
||
This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
|
||
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||
maxLength: 316
|
||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||
type: string
|
||
required:
|
||
- message
|
||
- reason
|
||
- status
|
||
- type
|
||
type: object
|
||
type: array
|
||
required:
|
||
- lastTransitionTime
|
||
- message
|
||
- reason
|
||
- status
|
||
- type
|
||
type: object
|
||
type: array
|
||
x-kubernetes-list-map-keys:
|
||
- type
|
||
x-kubernetes-list-type: map
|
||
type: object
|
||
type: object
|
||
served: true
|
||
storage: true
|
||
subresources:
|
||
status: {}
|
||
---
|
||
apiVersion: apiextensions.k8s.io/v1
|
||
kind: CustomResourceDefinition
|
||
metadata:
|
||
annotations:
|
||
controller-gen.kubebuilder.io/version: v0.14.0
|
||
name: httpproxies.projectcontour.io
|
||
spec:
|
||
preserveUnknownFields: false
|
||
group: projectcontour.io
|
||
names:
|
||
kind: HTTPProxy
|
||
listKind: HTTPProxyList
|
||
plural: httpproxies
|
||
shortNames:
|
||
- proxy
|
||
- proxies
|
||
singular: httpproxy
|
||
scope: Namespaced
|
||
versions:
|
||
- additionalPrinterColumns:
|
||
- description: Fully qualified domain name
|
||
jsonPath: .spec.virtualhost.fqdn
|
||
name: FQDN
|
||
type: string
|
||
- description: Secret with TLS credentials
|
||
jsonPath: .spec.virtualhost.tls.secretName
|
||
name: TLS Secret
|
||
type: string
|
||
- description: The current status of the HTTPProxy
|
||
jsonPath: .status.currentStatus
|
||
name: Status
|
||
type: string
|
||
- description: Description of the current status
|
||
jsonPath: .status.description
|
||
name: Status Description
|
||
type: string
|
||
name: v1
|
||
schema:
|
||
openAPIV3Schema:
|
||
description: HTTPProxy is an Ingress CRD specification.
|
||
properties:
|
||
apiVersion:
|
||
description: |-
|
||
APIVersion defines the versioned schema of this representation of an object.
|
||
Servers should convert recognized schemas to the latest internal value, and
|
||
may reject unrecognized values.
|
||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||
type: string
|
||
kind:
|
||
description: |-
|
||
Kind is a string value representing the REST resource this object represents.
|
||
Servers may infer this from the endpoint the client submits requests to.
|
||
Cannot be updated.
|
||
In CamelCase.
|
||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||
type: string
|
||
metadata:
|
||
type: object
|
||
spec:
|
||
description: HTTPProxySpec defines the spec of the CRD.
|
||
properties:
|
||
includes:
|
||
description: |-
|
||
Includes allow for specific routing configuration to be included from another HTTPProxy,
|
||
possibly in another namespace.
|
||
items:
|
||
description: Include describes a set of policies that can be applied
|
||
to an HTTPProxy in a namespace.
|
||
properties:
|
||
conditions:
|
||
description: |-
|
||
Conditions are a set of rules that are applied to included HTTPProxies.
|
||
In effect, they are added onto the Conditions of included HTTPProxy Route
|
||
structs.
|
||
When applied, they are merged using AND, with one exception:
|
||
There can be only one Prefix MatchCondition per Conditions slice.
|
||
More than one Prefix, or contradictory Conditions, will make the
|
||
include invalid. Exact and Regex match conditions are not allowed
|
||
on includes.
|
||
items:
|
||
description: |-
|
||
MatchCondition are a general holder for matching rules for HTTPProxies.
|
||
One of Prefix, Exact, Regex, Header or QueryParameter must be provided.
|
||
properties:
|
||
exact:
|
||
description: |-
|
||
Exact defines a exact match for a request.
|
||
This field is not allowed in include match conditions.
|
||
type: string
|
||
header:
|
||
description: Header specifies the header condition to
|
||
match.
|
||
properties:
|
||
contains:
|
||
description: |-
|
||
Contains specifies a substring that must be present in
|
||
the header value.
|
||
type: string
|
||
exact:
|
||
description: Exact specifies a string that the header
|
||
value must be equal to.
|
||
type: string
|
||
ignoreCase:
|
||
description: |-
|
||
IgnoreCase specifies that string matching should be case insensitive.
|
||
Note that this has no effect on the Regex parameter.
|
||
type: boolean
|
||
name:
|
||
description: |-
|
||
Name is the name of the header to match against. Name is required.
|
||
Header names are case insensitive.
|
||
type: string
|
||
notcontains:
|
||
description: |-
|
||
NotContains specifies a substring that must not be present
|
||
in the header value.
|
||
type: string
|
||
notexact:
|
||
description: |-
|
||
NoExact specifies a string that the header value must not be
|
||
equal to. The condition is true if the header has any other value.
|
||
type: string
|
||
notpresent:
|
||
description: |-
|
||
NotPresent specifies that condition is true when the named header
|
||
is not present. Note that setting NotPresent to false does not
|
||
make the condition true if the named header is present.
|
||
type: boolean
|
||
present:
|
||
description: |-
|
||
Present specifies that condition is true when the named header
|
||
is present, regardless of its value. Note that setting Present
|
||
to false does not make the condition true if the named header
|
||
is absent.
|
||
type: boolean
|
||
regex:
|
||
description: |-
|
||
Regex specifies a regular expression pattern that must match the header
|
||
value.
|
||
type: string
|
||
treatMissingAsEmpty:
|
||
description: |-
|
||
TreatMissingAsEmpty specifies if the header match rule specified header
|
||
does not exist, this header value will be treated as empty. Defaults to false.
|
||
Unlike the underlying Envoy implementation this is **only** supported for
|
||
negative matches (e.g. NotContains, NotExact).
|
||
type: boolean
|
||
required:
|
||
- name
|
||
type: object
|
||
prefix:
|
||
description: Prefix defines a prefix match for a request.
|
||
type: string
|
||
queryParameter:
|
||
description: QueryParameter specifies the query parameter
|
||
condition to match.
|
||
properties:
|
||
contains:
|
||
description: |-
|
||
Contains specifies a substring that must be present in
|
||
the query parameter value.
|
||
type: string
|
||
exact:
|
||
description: Exact specifies a string that the query
|
||
parameter value must be equal to.
|
||
type: string
|
||
ignoreCase:
|
||
description: |-
|
||
IgnoreCase specifies that string matching should be case insensitive.
|
||
Note that this has no effect on the Regex parameter.
|
||
type: boolean
|
||
name:
|
||
description: |-
|
||
Name is the name of the query parameter to match against. Name is required.
|
||
Query parameter names are case insensitive.
|
||
type: string
|
||
prefix:
|
||
description: Prefix defines a prefix match for the
|
||
query parameter value.
|
||
type: string
|
||
present:
|
||
description: |-
|
||
Present specifies that condition is true when the named query parameter
|
||
is present, regardless of its value. Note that setting Present
|
||
to false does not make the condition true if the named query parameter
|
||
is absent.
|
||
type: boolean
|
||
regex:
|
||
description: |-
|
||
Regex specifies a regular expression pattern that must match the query
|
||
parameter value.
|
||
type: string
|
||
suffix:
|
||
description: Suffix defines a suffix match for a query
|
||
parameter value.
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
regex:
|
||
description: |-
|
||
Regex defines a regex match for a request.
|
||
This field is not allowed in include match conditions.
|
||
type: string
|
||
type: object
|
||
type: array
|
||
name:
|
||
description: Name of the HTTPProxy
|
||
type: string
|
||
namespace:
|
||
description: Namespace of the HTTPProxy to include. Defaults
|
||
to the current namespace if not supplied.
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
type: array
|
||
ingressClassName:
|
||
description: |-
|
||
IngressClassName optionally specifies the ingress class to use for this
|
||
HTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class`
|
||
annotation. For backwards compatibility, when that annotation is set, it
|
||
is given precedence over this field.
|
||
type: string
|
||
routes:
|
||
description: Routes are the ingress routes. If TCPProxy is present,
|
||
Routes is ignored.
|
||
items:
|
||
description: Route contains the set of routes for a virtual host.
|
||
properties:
|
||
authPolicy:
|
||
description: |-
|
||
AuthPolicy updates the authorization policy that was set
|
||
on the root HTTPProxy object for client requests that
|
||
match this route.
|
||
properties:
|
||
context:
|
||
additionalProperties:
|
||
type: string
|
||
description: |-
|
||
Context is a set of key/value pairs that are sent to the
|
||
authentication server in the check request. If a context
|
||
is provided at an enclosing scope, the entries are merged
|
||
such that the inner scope overrides matching keys from the
|
||
outer scope.
|
||
type: object
|
||
disabled:
|
||
description: |-
|
||
When true, this field disables client request authentication
|
||
for the scope of the policy.
|
||
type: boolean
|
||
type: object
|
||
conditions:
|
||
description: |-
|
||
Conditions are a set of rules that are applied to a Route.
|
||
When applied, they are merged using AND, with one exception:
|
||
There can be only one Prefix, Exact or Regex MatchCondition
|
||
per Conditions slice. More than one of these condition types,
|
||
or contradictory Conditions, will make the route invalid.
|
||
items:
|
||
description: |-
|
||
MatchCondition are a general holder for matching rules for HTTPProxies.
|
||
One of Prefix, Exact, Regex, Header or QueryParameter must be provided.
|
||
properties:
|
||
exact:
|
||
description: |-
|
||
Exact defines a exact match for a request.
|
||
This field is not allowed in include match conditions.
|
||
type: string
|
||
header:
|
||
description: Header specifies the header condition to
|
||
match.
|
||
properties:
|
||
contains:
|
||
description: |-
|
||
Contains specifies a substring that must be present in
|
||
the header value.
|
||
type: string
|
||
exact:
|
||
description: Exact specifies a string that the header
|
||
value must be equal to.
|
||
type: string
|
||
ignoreCase:
|
||
description: |-
|
||
IgnoreCase specifies that string matching should be case insensitive.
|
||
Note that this has no effect on the Regex parameter.
|
||
type: boolean
|
||
name:
|
||
description: |-
|
||
Name is the name of the header to match against. Name is required.
|
||
Header names are case insensitive.
|
||
type: string
|
||
notcontains:
|
||
description: |-
|
||
NotContains specifies a substring that must not be present
|
||
in the header value.
|
||
type: string
|
||
notexact:
|
||
description: |-
|
||
NoExact specifies a string that the header value must not be
|
||
equal to. The condition is true if the header has any other value.
|
||
type: string
|
||
notpresent:
|
||
description: |-
|
||
NotPresent specifies that condition is true when the named header
|
||
is not present. Note that setting NotPresent to false does not
|
||
make the condition true if the named header is present.
|
||
type: boolean
|
||
present:
|
||
description: |-
|
||
Present specifies that condition is true when the named header
|
||
is present, regardless of its value. Note that setting Present
|
||
to false does not make the condition true if the named header
|
||
is absent.
|
||
type: boolean
|
||
regex:
|
||
description: |-
|
||
Regex specifies a regular expression pattern that must match the header
|
||
value.
|
||
type: string
|
||
treatMissingAsEmpty:
|
||
description: |-
|
||
TreatMissingAsEmpty specifies if the header match rule specified header
|
||
does not exist, this header value will be treated as empty. Defaults to false.
|
||
Unlike the underlying Envoy implementation this is **only** supported for
|
||
negative matches (e.g. NotContains, NotExact).
|
||
type: boolean
|
||
required:
|
||
- name
|
||
type: object
|
||
prefix:
|
||
description: Prefix defines a prefix match for a request.
|
||
type: string
|
||
queryParameter:
|
||
description: QueryParameter specifies the query parameter
|
||
condition to match.
|
||
properties:
|
||
contains:
|
||
description: |-
|
||
Contains specifies a substring that must be present in
|
||
the query parameter value.
|
||
type: string
|
||
exact:
|
||
description: Exact specifies a string that the query
|
||
parameter value must be equal to.
|
||
type: string
|
||
ignoreCase:
|
||
description: |-
|
||
IgnoreCase specifies that string matching should be case insensitive.
|
||
Note that this has no effect on the Regex parameter.
|
||
type: boolean
|
||
name:
|
||
description: |-
|
||
Name is the name of the query parameter to match against. Name is required.
|
||
Query parameter names are case insensitive.
|
||
type: string
|
||
prefix:
|
||
description: Prefix defines a prefix match for the
|
||
query parameter value.
|
||
type: string
|
||
present:
|
||
description: |-
|
||
Present specifies that condition is true when the named query parameter
|
||
is present, regardless of its value. Note that setting Present
|
||
to false does not make the condition true if the named query parameter
|
||
is absent.
|
||
type: boolean
|
||
regex:
|
||
description: |-
|
||
Regex specifies a regular expression pattern that must match the query
|
||
parameter value.
|
||
type: string
|
||
suffix:
|
||
description: Suffix defines a suffix match for a query
|
||
parameter value.
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
regex:
|
||
description: |-
|
||
Regex defines a regex match for a request.
|
||
This field is not allowed in include match conditions.
|
||
type: string
|
||
type: object
|
||
type: array
|
||
cookieRewritePolicies:
|
||
description: |-
|
||
The policies for rewriting Set-Cookie header attributes. Note that
|
||
rewritten cookie names must be unique in this list. Order rewrite
|
||
policies are specified in does not matter.
|
||
items:
|
||
properties:
|
||
domainRewrite:
|
||
description: |-
|
||
DomainRewrite enables rewriting the Set-Cookie Domain element.
|
||
If not set, Domain will not be rewritten.
|
||
properties:
|
||
value:
|
||
description: |-
|
||
Value is the value to rewrite the Domain attribute to.
|
||
For now this is required.
|
||
maxLength: 4096
|
||
minLength: 1
|
||
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
||
type: string
|
||
required:
|
||
- value
|
||
type: object
|
||
name:
|
||
description: Name is the name of the cookie for which
|
||
attributes will be rewritten.
|
||
maxLength: 4096
|
||
minLength: 1
|
||
pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
|
||
type: string
|
||
pathRewrite:
|
||
description: |-
|
||
PathRewrite enables rewriting the Set-Cookie Path element.
|
||
If not set, Path will not be rewritten.
|
||
properties:
|
||
value:
|
||
description: |-
|
||
Value is the value to rewrite the Path attribute to.
|
||
For now this is required.
|
||
maxLength: 4096
|
||
minLength: 1
|
||
pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
|
||
type: string
|
||
required:
|
||
- value
|
||
type: object
|
||
sameSite:
|
||
description: |-
|
||
SameSite enables rewriting the Set-Cookie SameSite element.
|
||
If not set, SameSite attribute will not be rewritten.
|
||
enum:
|
||
- Strict
|
||
- Lax
|
||
- None
|
||
type: string
|
||
secure:
|
||
description: |-
|
||
Secure enables rewriting the Set-Cookie Secure element.
|
||
If not set, Secure attribute will not be rewritten.
|
||
type: boolean
|
||
required:
|
||
- name
|
||
type: object
|
||
type: array
|
||
directResponsePolicy:
|
||
description: DirectResponsePolicy returns an arbitrary HTTP
|
||
response directly.
|
||
properties:
|
||
body:
|
||
description: |-
|
||
Body is the content of the response body.
|
||
If this setting is omitted, no body is included in the generated response.
|
||
Note: Body is not recommended to set too long
|
||
otherwise it can have significant resource usage impacts.
|
||
type: string
|
||
statusCode:
|
||
description: StatusCode is the HTTP response status to be
|
||
returned.
|
||
maximum: 599
|
||
minimum: 200
|
||
type: integer
|
||
required:
|
||
- statusCode
|
||
type: object
|
||
enableWebsockets:
|
||
description: Enables websocket support for the route.
|
||
type: boolean
|
||
healthCheckPolicy:
|
||
description: The health check policy for this route.
|
||
properties:
|
||
expectedStatuses:
|
||
description: |-
|
||
The ranges of HTTP response statuses considered healthy. Follow half-open
|
||
semantics, i.e. for each range the start is inclusive and the end is exclusive.
|
||
Must be within the range [100,600). If not specified, only a 200 response status
|
||
is considered healthy.
|
||
items:
|
||
properties:
|
||
end:
|
||
description: The end (exclusive) of a range of HTTP
|
||
status codes.
|
||
format: int64
|
||
maximum: 600
|
||
minimum: 101
|
||
type: integer
|
||
start:
|
||
description: The start (inclusive) of a range of HTTP
|
||
status codes.
|
||
format: int64
|
||
maximum: 599
|
||
minimum: 100
|
||
type: integer
|
||
required:
|
||
- end
|
||
- start
|
||
type: object
|
||
type: array
|
||
healthyThresholdCount:
|
||
description: The number of healthy health checks required
|
||
before a host is marked healthy
|
||
format: int64
|
||
minimum: 0
|
||
type: integer
|
||
host:
|
||
description: |-
|
||
The value of the host header in the HTTP health check request.
|
||
If left empty (default value), the name "contour-envoy-healthcheck"
|
||
will be used.
|
||
type: string
|
||
intervalSeconds:
|
||
description: The interval (seconds) between health checks
|
||
format: int64
|
||
type: integer
|
||
path:
|
||
description: HTTP endpoint used to perform health checks
|
||
on upstream service
|
||
type: string
|
||
timeoutSeconds:
|
||
description: The time to wait (seconds) for a health check
|
||
response
|
||
format: int64
|
||
type: integer
|
||
unhealthyThresholdCount:
|
||
description: The number of unhealthy health checks required
|
||
before a host is marked unhealthy
|
||
format: int64
|
||
minimum: 0
|
||
type: integer
|
||
required:
|
||
- path
|
||
type: object
|
||
internalRedirectPolicy:
|
||
description: The policy to define when to handle redirects responses
|
||
internally.
|
||
properties:
|
||
allowCrossSchemeRedirect:
|
||
default: Never
|
||
description: |-
|
||
AllowCrossSchemeRedirect Allow internal redirect to follow a target URI with a different scheme
|
||
than the value of x-forwarded-proto.
|
||
SafeOnly allows same scheme redirect and safe cross scheme redirect, which means if the downstream
|
||
scheme is HTTPS, both HTTPS and HTTP redirect targets are allowed, but if the downstream scheme
|
||
is HTTP, only HTTP redirect targets are allowed.
|
||
enum:
|
||
- Always
|
||
- Never
|
||
- SafeOnly
|
||
type: string
|
||
denyRepeatedRouteRedirect:
|
||
description: |-
|
||
If DenyRepeatedRouteRedirect is true, rejects redirect targets that are pointing to a route that has
|
||
been followed by a previous redirect from the current route.
|
||
type: boolean
|
||
maxInternalRedirects:
|
||
description: |-
|
||
MaxInternalRedirects An internal redirect is not handled, unless the number of previous internal
|
||
redirects that a downstream request has encountered is lower than this value.
|
||
format: int32
|
||
type: integer
|
||
redirectResponseCodes:
|
||
description: |-
|
||
RedirectResponseCodes If unspecified, only 302 will be treated as internal redirect.
|
||
Only 301, 302, 303, 307 and 308 are valid values.
|
||
items:
|
||
description: RedirectResponseCode is a uint32 type alias
|
||
with validation to ensure that the value is valid.
|
||
enum:
|
||
- 301
|
||
- 302
|
||
- 303
|
||
- 307
|
||
- 308
|
||
format: int32
|
||
type: integer
|
||
type: array
|
||
type: object
|
||
ipAllowPolicy:
|
||
description: |-
|
||
IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching
|
||
requests should be allowed. All other requests will be denied.
|
||
Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined.
|
||
The rules defined here override any rules set on the root HTTPProxy.
|
||
items:
|
||
properties:
|
||
cidr:
|
||
description: |-
|
||
CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be
|
||
a bare IP address (without a mask) to filter on exactly one address.
|
||
type: string
|
||
source:
|
||
description: |-
|
||
Source indicates how to determine the ip address to filter on, and can be
|
||
one of two values:
|
||
- `Remote` filters on the ip address of the client, accounting for PROXY and
|
||
X-Forwarded-For as needed.
|
||
- `Peer` filters on the ip of the network request, ignoring PROXY and
|
||
X-Forwarded-For.
|
||
enum:
|
||
- Peer
|
||
- Remote
|
||
type: string
|
||
required:
|
||
- cidr
|
||
- source
|
||
type: object
|
||
type: array
|
||
ipDenyPolicy:
|
||
description: |-
|
||
IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching
|
||
requests should be denied. All other requests will be allowed.
|
||
Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined.
|
||
The rules defined here override any rules set on the root HTTPProxy.
|
||
items:
|
||
properties:
|
||
cidr:
|
||
description: |-
|
||
CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be
|
||
a bare IP address (without a mask) to filter on exactly one address.
|
||
type: string
|
||
source:
|
||
description: |-
|
||
Source indicates how to determine the ip address to filter on, and can be
|
||
one of two values:
|
||
- `Remote` filters on the ip address of the client, accounting for PROXY and
|
||
X-Forwarded-For as needed.
|
||
- `Peer` filters on the ip of the network request, ignoring PROXY and
|
||
X-Forwarded-For.
|
||
enum:
|
||
- Peer
|
||
- Remote
|
||
type: string
|
||
required:
|
||
- cidr
|
||
- source
|
||
type: object
|
||
type: array
|
||
jwtVerificationPolicy:
|
||
description: The policy for verifying JWTs for requests to this
|
||
route.
|
||
properties:
|
||
disabled:
|
||
description: |-
|
||
Disabled defines whether to disable all JWT verification for this
|
||
route. This can be used to opt specific routes out of the default
|
||
JWT provider for the HTTPProxy. At most one of this field or the
|
||
"require" field can be specified.
|
||
type: boolean
|
||
require:
|
||
description: |-
|
||
Require names a specific JWT provider (defined in the virtual host)
|
||
to require for the route. If specified, this field overrides the
|
||
default provider if one exists. If this field is not specified,
|
||
the default provider will be required if one exists. At most one of
|
||
this field or the "disabled" field can be specified.
|
||
type: string
|
||
type: object
|
||
loadBalancerPolicy:
|
||
description: The load balancing policy for this route.
|
||
properties:
|
||
requestHashPolicies:
|
||
description: |-
|
||
RequestHashPolicies contains a list of hash policies to apply when the
|
||
`RequestHash` load balancing strategy is chosen. If an element of the
|
||
supplied list of hash policies is invalid, it will be ignored. If the
|
||
list of hash policies is empty after validation, the load balancing
|
||
strategy will fall back to the default `RoundRobin`.
|
||
items:
|
||
description: |-
|
||
RequestHashPolicy contains configuration for an individual hash policy
|
||
on a request attribute.
|
||
properties:
|
||
hashSourceIP:
|
||
description: |-
|
||
HashSourceIP should be set to true when request source IP hash based
|
||
load balancing is desired. It must be the only hash option field set,
|
||
otherwise this request hash policy object will be ignored.
|
||
type: boolean
|
||
headerHashOptions:
|
||
description: |-
|
||
HeaderHashOptions should be set when request header hash based load
|
||
balancing is desired. It must be the only hash option field set,
|
||
otherwise this request hash policy object will be ignored.
|
||
properties:
|
||
headerName:
|
||
description: |-
|
||
HeaderName is the name of the HTTP request header that will be used to
|
||
calculate the hash key. If the header specified is not present on a
|
||
request, no hash will be produced.
|
||
minLength: 1
|
||
type: string
|
||
type: object
|
||
queryParameterHashOptions:
|
||
description: |-
|
||
QueryParameterHashOptions should be set when request query parameter hash based load
|
||
balancing is desired. It must be the only hash option field set,
|
||
otherwise this request hash policy object will be ignored.
|
||
properties:
|
||
parameterName:
|
||
description: |-
|
||
ParameterName is the name of the HTTP request query parameter that will be used to
|
||
calculate the hash key. If the query parameter specified is not present on a
|
||
request, no hash will be produced.
|
||
minLength: 1
|
||
type: string
|
||
type: object
|
||
terminal:
|
||
description: |-
|
||
Terminal is a flag that allows for short-circuiting computing of a hash
|
||
for a given request. If set to true, and the request attribute specified
|
||
in the attribute hash options is present, no further hash policies will
|
||
be used to calculate a hash for the request.
|
||
type: boolean
|
||
type: object
|
||
type: array
|
||
strategy:
|
||
description: |-
|
||
Strategy specifies the policy used to balance requests
|
||
across the pool of backend pods. Valid policy names are
|
||
`Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`,
|
||
and `RequestHash`. If an unknown strategy name is specified
|
||
or no policy is supplied, the default `RoundRobin` policy
|
||
is used.
|
||
type: string
|
||
type: object
|
||
pathRewritePolicy:
|
||
description: |-
|
||
The policy for rewriting the path of the request URL
|
||
after the request has been routed to a Service.
|
||
properties:
|
||
replacePrefix:
|
||
description: ReplacePrefix describes how the path prefix
|
||
should be replaced.
|
||
items:
|
||
description: ReplacePrefix describes a path prefix replacement.
|
||
properties:
|
||
prefix:
|
||
description: |-
|
||
Prefix specifies the URL path prefix to be replaced.
|
||
If Prefix is specified, it must exactly match the MatchCondition
|
||
prefix that is rendered by the chain of including HTTPProxies
|
||
and only that path prefix will be replaced by Replacement.
|
||
This allows HTTPProxies that are included through multiple
|
||
roots to only replace specific path prefixes, leaving others
|
||
unmodified.
|
||
If Prefix is not specified, all routing prefixes rendered
|
||
by the include chain will be replaced.
|
||
minLength: 1
|
||
type: string
|
||
replacement:
|
||
description: |-
|
||
Replacement is the string that the routing path prefix
|
||
will be replaced with. This must not be empty.
|
||
minLength: 1
|
||
type: string
|
||
required:
|
||
- replacement
|
||
type: object
|
||
type: array
|
||
type: object
|
||
permitInsecure:
|
||
description: |-
|
||
Allow this path to respond to insecure requests over HTTP which are normally
|
||
not permitted when a `virtualhost.tls` block is present.
|
||
type: boolean
|
||
rateLimitPolicy:
|
||
description: The policy for rate limiting on the route.
|
||
properties:
|
||
global:
|
||
description: |-
|
||
Global defines global rate limiting parameters, i.e. parameters
|
||
defining descriptors that are sent to an external rate limit
|
||
service (RLS) for a rate limit decision on each request.
|
||
properties:
|
||
descriptors:
|
||
description: |-
|
||
Descriptors defines the list of descriptors that will
|
||
be generated and sent to the rate limit service. Each
|
||
descriptor contains 1+ key-value pair entries.
|
||
items:
|
||
description: RateLimitDescriptor defines a list of
|
||
key-value pair generators.
|
||
properties:
|
||
entries:
|
||
description: Entries is the list of key-value
|
||
pair generators.
|
||
items:
|
||
description: |-
|
||
RateLimitDescriptorEntry is a key-value pair generator. Exactly
|
||
one field on this struct must be non-nil.
|
||
properties:
|
||
genericKey:
|
||
description: GenericKey defines a descriptor
|
||
entry with a static key and value.
|
||
properties:
|
||
key:
|
||
description: |-
|
||
Key defines the key of the descriptor entry. If not set, the
|
||
key is set to "generic_key".
|
||
type: string
|
||
value:
|
||
description: Value defines the value
|
||
of the descriptor entry.
|
||
minLength: 1
|
||
type: string
|
||
type: object
|
||
remoteAddress:
|
||
description: |-
|
||
RemoteAddress defines a descriptor entry with a key of "remote_address"
|
||
and a value equal to the client's IP address (from x-forwarded-for).
|
||
type: object
|
||
requestHeader:
|
||
description: |-
|
||
RequestHeader defines a descriptor entry that's populated only if
|
||
a given header is present on the request. The descriptor key is static,
|
||
and the descriptor value is equal to the value of the header.
|
||
properties:
|
||
descriptorKey:
|
||
description: DescriptorKey defines the
|
||
key to use on the descriptor entry.
|
||
minLength: 1
|
||
type: string
|
||
headerName:
|
||
description: HeaderName defines the
|
||
name of the header to look for on
|
||
the request.
|
||
minLength: 1
|
||
type: string
|
||
type: object
|
||
requestHeaderValueMatch:
|
||
description: |-
|
||
RequestHeaderValueMatch defines a descriptor entry that's populated
|
||
if the request's headers match a set of 1+ match criteria. The
|
||
descriptor key is "header_match", and the descriptor value is static.
|
||
properties:
|
||
expectMatch:
|
||
default: true
|
||
description: |-
|
||
ExpectMatch defines whether the request must positively match the match
|
||
criteria in order to generate a descriptor entry (i.e. true), or not
|
||
match the match criteria in order to generate a descriptor entry (i.e. false).
|
||
The default is true.
|
||
type: boolean
|
||
headers:
|
||
description: |-
|
||
Headers is a list of 1+ match criteria to apply against the request
|
||
to determine whether to populate the descriptor entry or not.
|
||
items:
|
||
description: |-
|
||
HeaderMatchCondition specifies how to conditionally match against HTTP
|
||
headers. The Name field is required, only one of Present, NotPresent,
|
||
Contains, NotContains, Exact, NotExact and Regex can be set.
|
||
For negative matching rules only (e.g. NotContains or NotExact) you can set
|
||
TreatMissingAsEmpty.
|
||
IgnoreCase has no effect for Regex.
|
||
properties:
|
||
contains:
|
||
description: |-
|
||
Contains specifies a substring that must be present in
|
||
the header value.
|
||
type: string
|
||
exact:
|
||
description: Exact specifies a
|
||
string that the header value
|
||
must be equal to.
|
||
type: string
|
||
ignoreCase:
|
||
description: |-
|
||
IgnoreCase specifies that string matching should be case insensitive.
|
||
Note that this has no effect on the Regex parameter.
|
||
type: boolean
|
||
name:
|
||
description: |-
|
||
Name is the name of the header to match against. Name is required.
|
||
Header names are case insensitive.
|
||
type: string
|
||
notcontains:
|
||
description: |-
|
||
NotContains specifies a substring that must not be present
|
||
in the header value.
|
||
type: string
|
||
notexact:
|
||
description: |-
|
||
NoExact specifies a string that the header value must not be
|
||
equal to. The condition is true if the header has any other value.
|
||
type: string
|
||
notpresent:
|
||
description: |-
|
||
NotPresent specifies that condition is true when the named header
|
||
is not present. Note that setting NotPresent to false does not
|
||
make the condition true if the named header is present.
|
||
type: boolean
|
||
present:
|
||
description: |-
|
||
Present specifies that condition is true when the named header
|
||
is present, regardless of its value. Note that setting Present
|
||
to false does not make the condition true if the named header
|
||
is absent.
|
||
type: boolean
|
||
regex:
|
||
description: |-
|
||
Regex specifies a regular expression pattern that must match the header
|
||
value.
|
||
type: string
|
||
treatMissingAsEmpty:
|
||
description: |-
|
||
TreatMissingAsEmpty specifies if the header match rule specified header
|
||
does not exist, this header value will be treated as empty. Defaults to false.
|
||
Unlike the underlying Envoy implementation this is **only** supported for
|
||
negative matches (e.g. NotContains, NotExact).
|
||
type: boolean
|
||
required:
|
||
- name
|
||
type: object
|
||
minItems: 1
|
||
type: array
|
||
value:
|
||
description: Value defines the value
|
||
of the descriptor entry.
|
||
minLength: 1
|
||
type: string
|
||
type: object
|
||
type: object
|
||
minItems: 1
|
||
type: array
|
||
type: object
|
||
minItems: 1
|
||
type: array
|
||
disabled:
|
||
description: |-
|
||
Disabled configures the HTTPProxy to not use
|
||
the default global rate limit policy defined by the Contour configuration.
|
||
type: boolean
|
||
type: object
|
||
local:
|
||
description: |-
|
||
Local defines local rate limiting parameters, i.e. parameters
|
||
for rate limiting that occurs within each Envoy pod as requests
|
||
are handled.
|
||
properties:
|
||
burst:
|
||
description: |-
|
||
Burst defines the number of requests above the requests per
|
||
unit that should be allowed within a short period of time.
|
||
format: int32
|
||
type: integer
|
||
requests:
|
||
description: |-
|
||
Requests defines how many requests per unit of time should
|
||
be allowed before rate limiting occurs.
|
||
format: int32
|
||
minimum: 1
|
||
type: integer
|
||
responseHeadersToAdd:
|
||
description: |-
|
||
ResponseHeadersToAdd is an optional list of response headers to
|
||
set when a request is rate-limited.
|
||
items:
|
||
description: HeaderValue represents a header name/value
|
||
pair
|
||
properties:
|
||
name:
|
||
description: Name represents a key of a header
|
||
minLength: 1
|
||
type: string
|
||
value:
|
||
description: Value represents the value of a header
|
||
specified by a key
|
||
minLength: 1
|
||
type: string
|
||
required:
|
||
- name
|
||
- value
|
||
type: object
|
||
type: array
|
||
responseStatusCode:
|
||
description: |-
|
||
ResponseStatusCode is the HTTP status code to use for responses
|
||
to rate-limited requests. Codes must be in the 400-599 range
|
||
(inclusive). If not specified, the Envoy default of 429 (Too
|
||
Many Requests) is used.
|
||
format: int32
|
||
maximum: 599
|
||
minimum: 400
|
||
type: integer
|
||
unit:
|
||
description: |-
|
||
Unit defines the period of time within which requests
|
||
over the limit will be rate limited. Valid values are
|
||
"second", "minute" and "hour".
|
||
enum:
|
||
- second
|
||
- minute
|
||
- hour
|
||
type: string
|
||
required:
|
||
- requests
|
||
- unit
|
||
type: object
|
||
type: object
|
||
requestHeadersPolicy:
|
||
description: |-
|
||
The policy for managing request headers during proxying.
|
||
You may dynamically rewrite the Host header to be forwarded
|
||
upstream to the content of a request header using
|
||
the below format "%REQ(X-Header-Name)%". If the value of the header
|
||
is empty, it is ignored.
|
||
*NOTE: Pay attention to the potential security implications of using this option.
|
||
Provided header must come from trusted source.
|
||
**NOTE: The header rewrite is only done while forwarding and has no bearing
|
||
on the routing decision.
|
||
properties:
|
||
remove:
|
||
description: Remove specifies a list of HTTP header names
|
||
to remove.
|
||
items:
|
||
type: string
|
||
type: array
|
||
set:
|
||
description: |-
|
||
Set specifies a list of HTTP header values that will be set in the HTTP header.
|
||
If the header does not exist it will be added, otherwise it will be overwritten with the new value.
|
||
items:
|
||
description: HeaderValue represents a header name/value
|
||
pair
|
||
properties:
|
||
name:
|
||
description: Name represents a key of a header
|
||
minLength: 1
|
||
type: string
|
||
value:
|
||
description: Value represents the value of a header
|
||
specified by a key
|
||
minLength: 1
|
||
type: string
|
||
required:
|
||
- name
|
||
- value
|
||
type: object
|
||
type: array
|
||
type: object
|
||
requestRedirectPolicy:
|
||
description: RequestRedirectPolicy defines an HTTP redirection.
|
||
properties:
|
||
hostname:
|
||
description: |-
|
||
Hostname is the precise hostname to be used in the value of the `Location`
|
||
header in the response.
|
||
When empty, the hostname of the request is used.
|
||
No wildcards are allowed.
|
||
maxLength: 253
|
||
minLength: 1
|
||
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
||
type: string
|
||
path:
|
||
description: |-
|
||
Path allows for redirection to a different path from the
|
||
original on the request. The path must start with a
|
||
leading slash.
|
||
Note: Only one of Path or Prefix can be defined.
|
||
pattern: ^\/.*$
|
||
type: string
|
||
port:
|
||
description: |-
|
||
Port is the port to be used in the value of the `Location`
|
||
header in the response.
|
||
When empty, port (if specified) of the request is used.
|
||
format: int32
|
||
maximum: 65535
|
||
minimum: 1
|
||
type: integer
|
||
prefix:
|
||
description: |-
|
||
Prefix defines the value to swap the matched prefix or path with.
|
||
The prefix must start with a leading slash.
|
||
Note: Only one of Path or Prefix can be defined.
|
||
pattern: ^\/.*$
|
||
type: string
|
||
scheme:
|
||
description: |-
|
||
Scheme is the scheme to be used in the value of the `Location`
|
||
header in the response.
|
||
When empty, the scheme of the request is used.
|
||
enum:
|
||
- http
|
||
- https
|
||
type: string
|
||
statusCode:
|
||
default: 302
|
||
description: StatusCode is the HTTP status code to be used
|
||
in response.
|
||
enum:
|
||
- 301
|
||
- 302
|
||
type: integer
|
||
type: object
|
||
responseHeadersPolicy:
|
||
description: |-
|
||
The policy for managing response headers during proxying.
|
||
Rewriting the 'Host' header is not supported.
|
||
properties:
|
||
remove:
|
||
description: Remove specifies a list of HTTP header names
|
||
to remove.
|
||
items:
|
||
type: string
|
||
type: array
|
||
set:
|
||
description: |-
|
||
Set specifies a list of HTTP header values that will be set in the HTTP header.
|
||
If the header does not exist it will be added, otherwise it will be overwritten with the new value.
|
||
items:
|
||
description: HeaderValue represents a header name/value
|
||
pair
|
||
properties:
|
||
name:
|
||
description: Name represents a key of a header
|
||
minLength: 1
|
||
type: string
|
||
value:
|
||
description: Value represents the value of a header
|
||
specified by a key
|
||
minLength: 1
|
||
type: string
|
||
required:
|
||
- name
|
||
- value
|
||
type: object
|
||
type: array
|
||
type: object
|
||
retryPolicy:
|
||
description: The retry policy for this route.
|
||
properties:
|
||
count:
|
||
default: 1
|
||
description: |-
|
||
NumRetries is maximum allowed number of retries.
|
||
If set to -1, then retries are disabled.
|
||
If set to 0 or not supplied, the value is set
|
||
to the Envoy default of 1.
|
||
format: int64
|
||
minimum: -1
|
||
type: integer
|
||
perTryTimeout:
|
||
description: |-
|
||
PerTryTimeout specifies the timeout per retry attempt.
|
||
Ignored if NumRetries is not supplied.
|
||
pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
|
||
type: string
|
||
retriableStatusCodes:
|
||
description: |-
|
||
RetriableStatusCodes specifies the HTTP status codes that should be retried.
|
||
This field is only respected when you include `retriable-status-codes` in the `RetryOn` field.
|
||
items:
|
||
format: int32
|
||
type: integer
|
||
type: array
|
||
retryOn:
|
||
description: |-
|
||
RetryOn specifies the conditions on which to retry a request.
|
||
Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on):
|
||
- `5xx`
|
||
- `gateway-error`
|
||
- `reset`
|
||
- `connect-failure`
|
||
- `retriable-4xx`
|
||
- `refused-stream`
|
||
- `retriable-status-codes`
|
||
- `retriable-headers`
|
||
Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on):
|
||
- `cancelled`
|
||
- `deadline-exceeded`
|
||
- `internal`
|
||
- `resource-exhausted`
|
||
- `unavailable`
|
||
items:
|
||
description: RetryOn is a string type alias with validation
|
||
to ensure that the value is valid.
|
||
enum:
|
||
- 5xx
|
||
- gateway-error
|
||
- reset
|
||
- connect-failure
|
||
- retriable-4xx
|
||
- refused-stream
|
||
- retriable-status-codes
|
||
- retriable-headers
|
||
- cancelled
|
||
- deadline-exceeded
|
||
- internal
|
||
- resource-exhausted
|
||
- unavailable
|
||
type: string
|
||
type: array
|
||
type: object
|
||
services:
|
||
description: Services are the services to proxy traffic.
|
||
items:
|
||
description: Service defines an Kubernetes Service to proxy
|
||
traffic.
|
||
properties:
|
||
cookieRewritePolicies:
|
||
description: The policies for rewriting Set-Cookie header
|
||
attributes.
|
||
items:
|
||
properties:
|
||
domainRewrite:
|
||
description: |-
|
||
DomainRewrite enables rewriting the Set-Cookie Domain element.
|
||
If not set, Domain will not be rewritten.
|
||
properties:
|
||
value:
|
||
description: |-
|
||
Value is the value to rewrite the Domain attribute to.
|
||
For now this is required.
|
||
maxLength: 4096
|
||
minLength: 1
|
||
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
||
type: string
|
||
required:
|
||
- value
|
||
type: object
|
||
name:
|
||
description: Name is the name of the cookie for
|
||
which attributes will be rewritten.
|
||
maxLength: 4096
|
||
minLength: 1
|
||
pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
|
||
type: string
|
||
pathRewrite:
|
||
description: |-
|
||
PathRewrite enables rewriting the Set-Cookie Path element.
|
||
If not set, Path will not be rewritten.
|
||
properties:
|
||
value:
|
||
description: |-
|
||
Value is the value to rewrite the Path attribute to.
|
||
For now this is required.
|
||
maxLength: 4096
|
||
minLength: 1
|
||
pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
|
||
type: string
|
||
required:
|
||
- value
|
||
type: object
|
||
sameSite:
|
||
description: |-
|
||
SameSite enables rewriting the Set-Cookie SameSite element.
|
||
If not set, SameSite attribute will not be rewritten.
|
||
enum:
|
||
- Strict
|
||
- Lax
|
||
- None
|
||
type: string
|
||
secure:
|
||
description: |-
|
||
Secure enables rewriting the Set-Cookie Secure element.
|
||
If not set, Secure attribute will not be rewritten.
|
||
type: boolean
|
||
required:
|
||
- name
|
||
type: object
|
||
type: array
|
||
healthPort:
|
||
description: |-
|
||
HealthPort is the port for this service healthcheck.
|
||
If not specified, Port is used for service healthchecks.
|
||
maximum: 65535
|
||
minimum: 1
|
||
type: integer
|
||
mirror:
|
||
description: |-
|
||
If Mirror is true the Service will receive a read only mirror of the traffic for this route.
|
||
If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight
|
||
field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring.
|
||
NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This
|
||
occurs since we cannot distinguish omitted fields from those explicitly set to their default
|
||
values
|
||
type: boolean
|
||
name:
|
||
description: |-
|
||
Name is the name of Kubernetes service to proxy traffic.
|
||
Names defined here will be used to look up corresponding endpoints which contain the ips to route.
|
||
type: string
|
||
port:
|
||
description: Port (defined as Integer) to proxy traffic
|
||
to since a service can have multiple defined.
|
||
exclusiveMaximum: true
|
||
maximum: 65536
|
||
minimum: 1
|
||
type: integer
|
||
protocol:
|
||
description: |-
|
||
Protocol may be used to specify (or override) the protocol used to reach this Service.
|
||
Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations.
|
||
enum:
|
||
- h2
|
||
- h2c
|
||
- tls
|
||
type: string
|
||
requestHeadersPolicy:
|
||
description: The policy for managing request headers during
|
||
proxying.
|
||
properties:
|
||
remove:
|
||
description: Remove specifies a list of HTTP header
|
||
names to remove.
|
||
items:
|
||
type: string
|
||
type: array
|
||
set:
|
||
description: |-
|
||
Set specifies a list of HTTP header values that will be set in the HTTP header.
|
||
If the header does not exist it will be added, otherwise it will be overwritten with the new value.
|
||
items:
|
||
description: HeaderValue represents a header name/value
|
||
pair
|
||
properties:
|
||
name:
|
||
description: Name represents a key of a header
|
||
minLength: 1
|
||
type: string
|
||
value:
|
||
description: Value represents the value of a
|
||
header specified by a key
|
||
minLength: 1
|
||
type: string
|
||
required:
|
||
- name
|
||
- value
|
||
type: object
|
||
type: array
|
||
type: object
|
||
responseHeadersPolicy:
|
||
description: |-
|
||
The policy for managing response headers during proxying.
|
||
Rewriting the 'Host' header is not supported.
|
||
properties:
|
||
remove:
|
||
description: Remove specifies a list of HTTP header
|
||
names to remove.
|
||
items:
|
||
type: string
|
||
type: array
|
||
set:
|
||
description: |-
|
||
Set specifies a list of HTTP header values that will be set in the HTTP header.
|
||
If the header does not exist it will be added, otherwise it will be overwritten with the new value.
|
||
items:
|
||
description: HeaderValue represents a header name/value
|
||
pair
|
||
properties:
|
||
name:
|
||
description: Name represents a key of a header
|
||
minLength: 1
|
||
type: string
|
||
value:
|
||
description: Value represents the value of a
|
||
header specified by a key
|
||
minLength: 1
|
||
type: string
|
||
required:
|
||
- name
|
||
- value
|
||
type: object
|
||
type: array
|
||
type: object
|
||
slowStartPolicy:
|
||
description: Slow start will gradually increase amount
|
||
of traffic to a newly added endpoint.
|
||
properties:
|
||
aggression:
|
||
default: "1.0"
|
||
description: |-
|
||
The speed of traffic increase over the slow start window.
|
||
Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic.
|
||
When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly.
|
||
The value of aggression parameter should be greater than 0.0.
|
||
More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start
|
||
pattern: ^([0-9]+([.][0-9]+)?|[.][0-9]+)$
|
||
type: string
|
||
minWeightPercent:
|
||
default: 10
|
||
description: |-
|
||
The minimum or starting percentage of traffic to send to new endpoints.
|
||
A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window.
|
||
If not specified, the default is 10%.
|
||
format: int32
|
||
maximum: 100
|
||
minimum: 0
|
||
type: integer
|
||
window:
|
||
description: |-
|
||
The duration of slow start window.
|
||
Duration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
|
||
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
|
||
pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$
|
||
type: string
|
||
required:
|
||
- window
|
||
type: object
|
||
validation:
|
||
description: UpstreamValidation defines how to verify
|
||
the backend service's certificate
|
||
properties:
|
||
caSecret:
|
||
description: |-
|
||
Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend.
|
||
The secret must contain key named ca.crt.
|
||
The name can be optionally prefixed with namespace "namespace/name".
|
||
When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
|
||
Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317)
|
||
maxLength: 317
|
||
minLength: 1
|
||
type: string
|
||
subjectName:
|
||
description: |-
|
||
Key which is expected to be present in the 'subjectAltName' of the presented certificate.
|
||
Deprecated: migrate to using the plural field subjectNames.
|
||
maxLength: 250
|
||
minLength: 1
|
||
type: string
|
||
subjectNames:
|
||
description: |-
|
||
List of keys, of which at least one is expected to be present in the 'subjectAltName of the
|
||
presented certificate.
|
||
items:
|
||
type: string
|
||
maxItems: 8
|
||
minItems: 1
|
||
type: array
|
||
required:
|
||
- caSecret
|
||
- subjectName
|
||
type: object
|
||
x-kubernetes-validations:
|
||
- message: subjectNames[0] must equal subjectName if set
|
||
rule: 'has(self.subjectNames) ? self.subjectNames[0]
|
||
== self.subjectName : true'
|
||
weight:
|
||
description: Weight defines percentage of traffic to balance
|
||
traffic
|
||
format: int64
|
||
minimum: 0
|
||
type: integer
|
||
required:
|
||
- name
|
||
- port
|
||
type: object
|
||
type: array
|
||
timeoutPolicy:
|
||
description: The timeout policy for this route.
|
||
properties:
|
||
idle:
|
||
description: |-
|
||
Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2).
|
||
Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests.
|
||
If not specified, there is no per-route idle timeout, though a connection manager-wide
|
||
stream_idle_timeout default of 5m still applies.
|
||
pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
|
||
type: string
|
||
idleConnection:
|
||
description: |-
|
||
Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests.
|
||
If not supplied, Envoy's default value of 1h applies.
|
||
pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
|
||
type: string
|
||
response:
|
||
description: |-
|
||
Timeout for receiving a response from the server after processing a request from client.
|
||
If not supplied, Envoy's default value of 15s applies.
|
||
pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
|
||
type: string
|
||
type: object
|
||
type: object
|
||
type: array
|
||
tcpproxy:
|
||
description: TCPProxy holds TCP proxy information.
|
||
properties:
|
||
healthCheckPolicy:
|
||
description: The health check policy for this tcp proxy
|
||
properties:
|
||
healthyThresholdCount:
|
||
description: The number of healthy health checks required
|
||
before a host is marked healthy
|
||
format: int32
|
||
type: integer
|
||
intervalSeconds:
|
||
description: The interval (seconds) between health checks
|
||
format: int64
|
||
type: integer
|
||
timeoutSeconds:
|
||
description: The time to wait (seconds) for a health check
|
||
response
|
||
format: int64
|
||
type: integer
|
||
unhealthyThresholdCount:
|
||
description: The number of unhealthy health checks required
|
||
before a host is marked unhealthy
|
||
format: int32
|
||
type: integer
|
||
type: object
|
||
include:
|
||
description: Include specifies that this tcpproxy should be delegated
|
||
to another HTTPProxy.
|
||
properties:
|
||
name:
|
||
description: Name of the child HTTPProxy
|
||
type: string
|
||
namespace:
|
||
description: Namespace of the HTTPProxy to include. Defaults
|
||
to the current namespace if not supplied.
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
includes:
|
||
description: |-
|
||
IncludesDeprecated allow for specific routing configuration to be appended to another HTTPProxy in another namespace.
|
||
Exists due to a mistake when developing HTTPProxy and the field was marked plural
|
||
when it should have been singular. This field should stay to not break backwards compatibility to v1 users.
|
||
properties:
|
||
name:
|
||
description: Name of the child HTTPProxy
|
||
type: string
|
||
namespace:
|
||
description: Namespace of the HTTPProxy to include. Defaults
|
||
to the current namespace if not supplied.
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
loadBalancerPolicy:
|
||
description: |-
|
||
The load balancing policy for the backend services. Note that the
|
||
`Cookie` and `RequestHash` load balancing strategies cannot be used
|
||
here.
|
||
properties:
|
||
requestHashPolicies:
|
||
description: |-
|
||
RequestHashPolicies contains a list of hash policies to apply when the
|
||
`RequestHash` load balancing strategy is chosen. If an element of the
|
||
supplied list of hash policies is invalid, it will be ignored. If the
|
||
list of hash policies is empty after validation, the load balancing
|
||
strategy will fall back to the default `RoundRobin`.
|
||
items:
|
||
description: |-
|
||
RequestHashPolicy contains configuration for an individual hash policy
|
||
on a request attribute.
|
||
properties:
|
||
hashSourceIP:
|
||
description: |-
|
||
HashSourceIP should be set to true when request source IP hash based
|
||
load balancing is desired. It must be the only hash option field set,
|
||
otherwise this request hash policy object will be ignored.
|
||
type: boolean
|
||
headerHashOptions:
|
||
description: |-
|
||
HeaderHashOptions should be set when request header hash based load
|
||
balancing is desired. It must be the only hash option field set,
|
||
otherwise this request hash policy object will be ignored.
|
||
properties:
|
||
headerName:
|
||
description: |-
|
||
HeaderName is the name of the HTTP request header that will be used to
|
||
calculate the hash key. If the header specified is not present on a
|
||
request, no hash will be produced.
|
||
minLength: 1
|
||
type: string
|
||
type: object
|
||
queryParameterHashOptions:
|
||
description: |-
|
||
QueryParameterHashOptions should be set when request query parameter hash based load
|
||
balancing is desired. It must be the only hash option field set,
|
||
otherwise this request hash policy object will be ignored.
|
||
properties:
|
||
parameterName:
|
||
description: |-
|
||
ParameterName is the name of the HTTP request query parameter that will be used to
|
||
calculate the hash key. If the query parameter specified is not present on a
|
||
request, no hash will be produced.
|
||
minLength: 1
|
||
type: string
|
||
type: object
|
||
terminal:
|
||
description: |-
|
||
Terminal is a flag that allows for short-circuiting computing of a hash
|
||
for a given request. If set to true, and the request attribute specified
|
||
in the attribute hash options is present, no further hash policies will
|
||
be used to calculate a hash for the request.
|
||
type: boolean
|
||
type: object
|
||
type: array
|
||
strategy:
|
||
description: |-
|
||
Strategy specifies the policy used to balance requests
|
||
across the pool of backend pods. Valid policy names are
|
||
`Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`,
|
||
and `RequestHash`. If an unknown strategy name is specified
|
||
or no policy is supplied, the default `RoundRobin` policy
|
||
is used.
|
||
type: string
|
||
type: object
|
||
services:
|
||
description: Services are the services to proxy traffic
|
||
items:
|
||
description: Service defines an Kubernetes Service to proxy
|
||
traffic.
|
||
properties:
|
||
cookieRewritePolicies:
|
||
description: The policies for rewriting Set-Cookie header
|
||
attributes.
|
||
items:
|
||
properties:
|
||
domainRewrite:
|
||
description: |-
|
||
DomainRewrite enables rewriting the Set-Cookie Domain element.
|
||
If not set, Domain will not be rewritten.
|
||
properties:
|
||
value:
|
||
description: |-
|
||
Value is the value to rewrite the Domain attribute to.
|
||
For now this is required.
|
||
maxLength: 4096
|
||
minLength: 1
|
||
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
||
type: string
|
||
required:
|
||
- value
|
||
type: object
|
||
name:
|
||
description: Name is the name of the cookie for which
|
||
attributes will be rewritten.
|
||
maxLength: 4096
|
||
minLength: 1
|
||
pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
|
||
type: string
|
||
pathRewrite:
|
||
description: |-
|
||
PathRewrite enables rewriting the Set-Cookie Path element.
|
||
If not set, Path will not be rewritten.
|
||
properties:
|
||
value:
|
||
description: |-
|
||
Value is the value to rewrite the Path attribute to.
|
||
For now this is required.
|
||
maxLength: 4096
|
||
minLength: 1
|
||
pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
|
||
type: string
|
||
required:
|
||
- value
|
||
type: object
|
||
sameSite:
|
||
description: |-
|
||
SameSite enables rewriting the Set-Cookie SameSite element.
|
||
If not set, SameSite attribute will not be rewritten.
|
||
enum:
|
||
- Strict
|
||
- Lax
|
||
- None
|
||
type: string
|
||
secure:
|
||
description: |-
|
||
Secure enables rewriting the Set-Cookie Secure element.
|
||
If not set, Secure attribute will not be rewritten.
|
||
type: boolean
|
||
required:
|
||
- name
|
||
type: object
|
||
type: array
|
||
healthPort:
|
||
description: |-
|
||
HealthPort is the port for this service healthcheck.
|
||
If not specified, Port is used for service healthchecks.
|
||
maximum: 65535
|
||
minimum: 1
|
||
type: integer
|
||
mirror:
|
||
description: |-
|
||
If Mirror is true the Service will receive a read only mirror of the traffic for this route.
|
||
If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight
|
||
field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring.
|
||
NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This
|
||
occurs since we cannot distinguish omitted fields from those explicitly set to their default
|
||
values
|
||
type: boolean
|
||
name:
|
||
description: |-
|
||
Name is the name of Kubernetes service to proxy traffic.
|
||
Names defined here will be used to look up corresponding endpoints which contain the ips to route.
|
||
type: string
|
||
port:
|
||
description: Port (defined as Integer) to proxy traffic
|
||
to since a service can have multiple defined.
|
||
exclusiveMaximum: true
|
||
maximum: 65536
|
||
minimum: 1
|
||
type: integer
|
||
protocol:
|
||
description: |-
|
||
Protocol may be used to specify (or override) the protocol used to reach this Service.
|
||
Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations.
|
||
enum:
|
||
- h2
|
||
- h2c
|
||
- tls
|
||
type: string
|
||
requestHeadersPolicy:
|
||
description: The policy for managing request headers during
|
||
proxying.
|
||
properties:
|
||
remove:
|
||
description: Remove specifies a list of HTTP header
|
||
names to remove.
|
||
items:
|
||
type: string
|
||
type: array
|
||
set:
|
||
description: |-
|
||
Set specifies a list of HTTP header values that will be set in the HTTP header.
|
||
If the header does not exist it will be added, otherwise it will be overwritten with the new value.
|
||
items:
|
||
description: HeaderValue represents a header name/value
|
||
pair
|
||
properties:
|
||
name:
|
||
description: Name represents a key of a header
|
||
minLength: 1
|
||
type: string
|
||
value:
|
||
description: Value represents the value of a header
|
||
specified by a key
|
||
minLength: 1
|
||
type: string
|
||
required:
|
||
- name
|
||
- value
|
||
type: object
|
||
type: array
|
||
type: object
|
||
responseHeadersPolicy:
|
||
description: |-
|
||
The policy for managing response headers during proxying.
|
||
Rewriting the 'Host' header is not supported.
|
||
properties:
|
||
remove:
|
||
description: Remove specifies a list of HTTP header
|
||
names to remove.
|
||
items:
|
||
type: string
|
||
type: array
|
||
set:
|
||
description: |-
|
||
Set specifies a list of HTTP header values that will be set in the HTTP header.
|
||
If the header does not exist it will be added, otherwise it will be overwritten with the new value.
|
||
items:
|
||
description: HeaderValue represents a header name/value
|
||
pair
|
||
properties:
|
||
name:
|
||
description: Name represents a key of a header
|
||
minLength: 1
|
||
type: string
|
||
value:
|
||
description: Value represents the value of a header
|
||
specified by a key
|
||
minLength: 1
|
||
type: string
|
||
required:
|
||
- name
|
||
- value
|
||
type: object
|
||
type: array
|
||
type: object
|
||
slowStartPolicy:
|
||
description: Slow start will gradually increase amount of
|
||
traffic to a newly added endpoint.
|
||
properties:
|
||
aggression:
|
||
default: "1.0"
|
||
description: |-
|
||
The speed of traffic increase over the slow start window.
|
||
Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic.
|
||
When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly.
|
||
The value of aggression parameter should be greater than 0.0.
|
||
More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start
|
||
pattern: ^([0-9]+([.][0-9]+)?|[.][0-9]+)$
|
||
type: string
|
||
minWeightPercent:
|
||
default: 10
|
||
description: |-
|
||
The minimum or starting percentage of traffic to send to new endpoints.
|
||
A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window.
|
||
If not specified, the default is 10%.
|
||
format: int32
|
||
maximum: 100
|
||
minimum: 0
|
||
type: integer
|
||
window:
|
||
description: |-
|
||
The duration of slow start window.
|
||
Duration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
|
||
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
|
||
pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$
|
||
type: string
|
||
required:
|
||
- window
|
||
type: object
|
||
validation:
|
||
description: UpstreamValidation defines how to verify the
|
||
backend service's certificate
|
||
properties:
|
||
caSecret:
|
||
description: |-
|
||
Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend.
|
||
The secret must contain key named ca.crt.
|
||
The name can be optionally prefixed with namespace "namespace/name".
|
||
When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
|
||
Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317)
|
||
maxLength: 317
|
||
minLength: 1
|
||
type: string
|
||
subjectName:
|
||
description: |-
|
||
Key which is expected to be present in the 'subjectAltName' of the presented certificate.
|
||
Deprecated: migrate to using the plural field subjectNames.
|
||
maxLength: 250
|
||
minLength: 1
|
||
type: string
|
||
subjectNames:
|
||
description: |-
|
||
List of keys, of which at least one is expected to be present in the 'subjectAltName of the
|
||
presented certificate.
|
||
items:
|
||
type: string
|
||
maxItems: 8
|
||
minItems: 1
|
||
type: array
|
||
required:
|
||
- caSecret
|
||
- subjectName
|
||
type: object
|
||
x-kubernetes-validations:
|
||
- message: subjectNames[0] must equal subjectName if set
|
||
rule: 'has(self.subjectNames) ? self.subjectNames[0] ==
|
||
self.subjectName : true'
|
||
weight:
|
||
description: Weight defines percentage of traffic to balance
|
||
traffic
|
||
format: int64
|
||
minimum: 0
|
||
type: integer
|
||
required:
|
||
- name
|
||
- port
|
||
type: object
|
||
type: array
|
||
type: object
|
||
virtualhost:
|
||
description: |-
|
||
Virtualhost appears at most once. If it is present, the object is considered
|
||
to be a "root" HTTPProxy.
|
||
properties:
|
||
authorization:
|
||
description: |-
|
||
This field configures an extension service to perform
|
||
authorization for this virtual host. Authorization can
|
||
only be configured on virtual hosts that have TLS enabled.
|
||
If the TLS configuration requires client certificate
|
||
validation, the client certificate is always included in the
|
||
authentication check request.
|
||
properties:
|
||
authPolicy:
|
||
description: |-
|
||
AuthPolicy sets a default authorization policy for client requests.
|
||
This policy will be used unless overridden by individual routes.
|
||
properties:
|
||
context:
|
||
additionalProperties:
|
||
type: string
|
||
description: |-
|
||
Context is a set of key/value pairs that are sent to the
|
||
authentication server in the check request. If a context
|
||
is provided at an enclosing scope, the entries are merged
|
||
such that the inner scope overrides matching keys from the
|
||
outer scope.
|
||
type: object
|
||
disabled:
|
||
description: |-
|
||
When true, this field disables client request authentication
|
||
for the scope of the policy.
|
||
type: boolean
|
||
type: object
|
||
extensionRef:
|
||
description: ExtensionServiceRef specifies the extension resource
|
||
that will authorize client requests.
|
||
properties:
|
||
apiVersion:
|
||
description: |-
|
||
API version of the referent.
|
||
If this field is not specified, the default "projectcontour.io/v1alpha1" will be used
|
||
minLength: 1
|
||
type: string
|
||
name:
|
||
description: |-
|
||
Name of the referent.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||
minLength: 1
|
||
type: string
|
||
namespace:
|
||
description: |-
|
||
Namespace of the referent.
|
||
If this field is not specifies, the namespace of the resource that targets the referent will be used.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
|
||
minLength: 1
|
||
type: string
|
||
type: object
|
||
failOpen:
|
||
description: |-
|
||
If FailOpen is true, the client request is forwarded to the upstream service
|
||
even if the authorization server fails to respond. This field should not be
|
||
set in most cases. It is intended for use only while migrating applications
|
||
from internal authorization to Contour external authorization.
|
||
type: boolean
|
||
responseTimeout:
|
||
description: |-
|
||
ResponseTimeout configures maximum time to wait for a check response from the authorization server.
|
||
Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
|
||
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
|
||
The string "infinity" is also a valid input and specifies no timeout.
|
||
pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
|
||
type: string
|
||
withRequestBody:
|
||
description: WithRequestBody specifies configuration for sending
|
||
the client request's body to authorization server.
|
||
properties:
|
||
allowPartialMessage:
|
||
description: If AllowPartialMessage is true, then Envoy
|
||
will buffer the body until MaxRequestBytes are reached.
|
||
type: boolean
|
||
maxRequestBytes:
|
||
default: 1024
|
||
description: MaxRequestBytes sets the maximum size of
|
||
message body ExtAuthz filter will hold in-memory.
|
||
format: int32
|
||
minimum: 1
|
||
type: integer
|
||
packAsBytes:
|
||
description: If PackAsBytes is true, the body sent to
|
||
Authorization Server is in raw bytes.
|
||
type: boolean
|
||
type: object
|
||
type: object
|
||
corsPolicy:
|
||
description: Specifies the cross-origin policy to apply to the
|
||
VirtualHost.
|
||
properties:
|
||
allowCredentials:
|
||
description: Specifies whether the resource allows credentials.
|
||
type: boolean
|
||
allowHeaders:
|
||
description: AllowHeaders specifies the content for the *access-control-allow-headers*
|
||
header.
|
||
items:
|
||
description: CORSHeaderValue specifies the value of the
|
||
string headers returned by a cross-domain request.
|
||
pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$
|
||
type: string
|
||
minItems: 1
|
||
type: array
|
||
allowMethods:
|
||
description: AllowMethods specifies the content for the *access-control-allow-methods*
|
||
header.
|
||
items:
|
||
description: CORSHeaderValue specifies the value of the
|
||
string headers returned by a cross-domain request.
|
||
pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$
|
||
type: string
|
||
minItems: 1
|
||
type: array
|
||
allowOrigin:
|
||
description: |-
|
||
AllowOrigin specifies the origins that will be allowed to do CORS requests.
|
||
Allowed values include "*" which signifies any origin is allowed, an exact
|
||
origin of the form "scheme://host[:port]" (where port is optional), or a valid
|
||
regex pattern.
|
||
Note that regex patterns are validated and a simple "glob" pattern (e.g. *.foo.com)
|
||
will be rejected or produce unexpected matches when applied as a regex.
|
||
items:
|
||
type: string
|
||
minItems: 1
|
||
type: array
|
||
allowPrivateNetwork:
|
||
description: |-
|
||
AllowPrivateNetwork specifies whether to allow private network requests.
|
||
See https://developer.chrome.com/blog/private-network-access-preflight.
|
||
type: boolean
|
||
exposeHeaders:
|
||
description: ExposeHeaders Specifies the content for the *access-control-expose-headers*
|
||
header.
|
||
items:
|
||
description: CORSHeaderValue specifies the value of the
|
||
string headers returned by a cross-domain request.
|
||
pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$
|
||
type: string
|
||
minItems: 1
|
||
type: array
|
||
maxAge:
|
||
description: |-
|
||
MaxAge indicates for how long the results of a preflight request can be cached.
|
||
MaxAge durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
|
||
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
|
||
Only positive values are allowed while 0 disables the cache requiring a preflight OPTIONS
|
||
check for all cross-origin requests.
|
||
pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|0)$
|
||
type: string
|
||
required:
|
||
- allowMethods
|
||
- allowOrigin
|
||
type: object
|
||
fqdn:
|
||
description: |-
|
||
The fully qualified domain name of the root of the ingress tree
|
||
all leaves of the DAG rooted at this object relate to the fqdn.
|
||
pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
||
type: string
|
||
ipAllowPolicy:
|
||
description: |-
|
||
IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching
|
||
requests should be allowed. All other requests will be denied.
|
||
Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined.
|
||
The rules defined here may be overridden in a Route.
|
||
items:
|
||
properties:
|
||
cidr:
|
||
description: |-
|
||
CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be
|
||
a bare IP address (without a mask) to filter on exactly one address.
|
||
type: string
|
||
source:
|
||
description: |-
|
||
Source indicates how to determine the ip address to filter on, and can be
|
||
one of two values:
|
||
- `Remote` filters on the ip address of the client, accounting for PROXY and
|
||
X-Forwarded-For as needed.
|
||
- `Peer` filters on the ip of the network request, ignoring PROXY and
|
||
X-Forwarded-For.
|
||
enum:
|
||
- Peer
|
||
- Remote
|
||
type: string
|
||
required:
|
||
- cidr
|
||
- source
|
||
type: object
|
||
type: array
|
||
ipDenyPolicy:
|
||
description: |-
|
||
IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching
|
||
requests should be denied. All other requests will be allowed.
|
||
Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined.
|
||
The rules defined here may be overridden in a Route.
|
||
items:
|
||
properties:
|
||
cidr:
|
||
description: |-
|
||
CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be
|
||
a bare IP address (without a mask) to filter on exactly one address.
|
||
type: string
|
||
source:
|
||
description: |-
|
||
Source indicates how to determine the ip address to filter on, and can be
|
||
one of two values:
|
||
- `Remote` filters on the ip address of the client, accounting for PROXY and
|
||
X-Forwarded-For as needed.
|
||
- `Peer` filters on the ip of the network request, ignoring PROXY and
|
||
X-Forwarded-For.
|
||
enum:
|
||
- Peer
|
||
- Remote
|
||
type: string
|
||
required:
|
||
- cidr
|
||
- source
|
||
type: object
|
||
type: array
|
||
jwtProviders:
|
||
description: Providers to use for verifying JSON Web Tokens (JWTs)
|
||
on the virtual host.
|
||
items:
|
||
description: JWTProvider defines how to verify JWTs on requests.
|
||
properties:
|
||
audiences:
|
||
description: |-
|
||
Audiences that JWTs are allowed to have in the "aud" field.
|
||
If not provided, JWT audiences are not checked.
|
||
items:
|
||
type: string
|
||
type: array
|
||
default:
|
||
description: |-
|
||
Whether the provider should apply to all
|
||
routes in the HTTPProxy/its includes by
|
||
default. At most one provider can be marked
|
||
as the default. If no provider is marked
|
||
as the default, individual routes must explicitly
|
||
identify the provider they require.
|
||
type: boolean
|
||
forwardJWT:
|
||
description: |-
|
||
Whether the JWT should be forwarded to the backend
|
||
service after successful verification. By default,
|
||
the JWT is not forwarded.
|
||
type: boolean
|
||
issuer:
|
||
description: |-
|
||
Issuer that JWTs are required to have in the "iss" field.
|
||
If not provided, JWT issuers are not checked.
|
||
type: string
|
||
name:
|
||
description: Unique name for the provider.
|
||
minLength: 1
|
||
type: string
|
||
remoteJWKS:
|
||
description: Remote JWKS to use for verifying JWT signatures.
|
||
properties:
|
||
cacheDuration:
|
||
description: |-
|
||
How long to cache the JWKS locally. If not specified,
|
||
Envoy's default of 5m applies.
|
||
pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$
|
||
type: string
|
||
dnsLookupFamily:
|
||
description: |-
|
||
The DNS IP address resolution policy for the JWKS URI.
|
||
When configured as "v4", the DNS resolver will only perform a lookup
|
||
for addresses in the IPv4 family. If "v6" is configured, the DNS resolver
|
||
will only perform a lookup for addresses in the IPv6 family.
|
||
If "all" is configured, the DNS resolver
|
||
will perform a lookup for addresses in both the IPv4 and IPv6 family.
|
||
If "auto" is configured, the DNS resolver will first perform a lookup
|
||
for addresses in the IPv6 family and fallback to a lookup for addresses
|
||
in the IPv4 family. If not specified, the Contour-wide setting defined
|
||
in the config file or ContourConfiguration applies (defaults to "auto").
|
||
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily
|
||
for more information.
|
||
enum:
|
||
- auto
|
||
- v4
|
||
- v6
|
||
type: string
|
||
timeout:
|
||
description: |-
|
||
How long to wait for a response from the URI.
|
||
If not specified, a default of 1s applies.
|
||
pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$
|
||
type: string
|
||
uri:
|
||
description: The URI for the JWKS.
|
||
minLength: 1
|
||
type: string
|
||
validation:
|
||
description: UpstreamValidation defines how to verify
|
||
the JWKS's TLS certificate.
|
||
properties:
|
||
caSecret:
|
||
description: |-
|
||
Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend.
|
||
The secret must contain key named ca.crt.
|
||
The name can be optionally prefixed with namespace "namespace/name".
|
||
When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
|
||
Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317)
|
||
maxLength: 317
|
||
minLength: 1
|
||
type: string
|
||
subjectName:
|
||
description: |-
|
||
Key which is expected to be present in the 'subjectAltName' of the presented certificate.
|
||
Deprecated: migrate to using the plural field subjectNames.
|
||
maxLength: 250
|
||
minLength: 1
|
||
type: string
|
||
subjectNames:
|
||
description: |-
|
||
List of keys, of which at least one is expected to be present in the 'subjectAltName of the
|
||
presented certificate.
|
||
items:
|
||
type: string
|
||
maxItems: 8
|
||
minItems: 1
|
||
type: array
|
||
required:
|
||
- caSecret
|
||
- subjectName
|
||
type: object
|
||
x-kubernetes-validations:
|
||
- message: subjectNames[0] must equal subjectName if
|
||
set
|
||
rule: 'has(self.subjectNames) ? self.subjectNames[0]
|
||
== self.subjectName : true'
|
||
required:
|
||
- uri
|
||
type: object
|
||
required:
|
||
- name
|
||
- remoteJWKS
|
||
type: object
|
||
type: array
|
||
rateLimitPolicy:
|
||
description: The policy for rate limiting on the virtual host.
|
||
properties:
|
||
global:
|
||
description: |-
|
||
Global defines global rate limiting parameters, i.e. parameters
|
||
defining descriptors that are sent to an external rate limit
|
||
service (RLS) for a rate limit decision on each request.
|
||
properties:
|
||
descriptors:
|
||
description: |-
|
||
Descriptors defines the list of descriptors that will
|
||
be generated and sent to the rate limit service. Each
|
||
descriptor contains 1+ key-value pair entries.
|
||
items:
|
||
description: RateLimitDescriptor defines a list of key-value
|
||
pair generators.
|
||
properties:
|
||
entries:
|
||
description: Entries is the list of key-value pair
|
||
generators.
|
||
items:
|
||
description: |-
|
||
RateLimitDescriptorEntry is a key-value pair generator. Exactly
|
||
one field on this struct must be non-nil.
|
||
properties:
|
||
genericKey:
|
||
description: GenericKey defines a descriptor
|
||
entry with a static key and value.
|
||
properties:
|
||
key:
|
||
description: |-
|
||
Key defines the key of the descriptor entry. If not set, the
|
||
key is set to "generic_key".
|
||
type: string
|
||
value:
|
||
description: Value defines the value of
|
||
the descriptor entry.
|
||
minLength: 1
|
||
type: string
|
||
type: object
|
||
remoteAddress:
|
||
description: |-
|
||
RemoteAddress defines a descriptor entry with a key of "remote_address"
|
||
and a value equal to the client's IP address (from x-forwarded-for).
|
||
type: object
|
||
requestHeader:
|
||
description: |-
|
||
RequestHeader defines a descriptor entry that's populated only if
|
||
a given header is present on the request. The descriptor key is static,
|
||
and the descriptor value is equal to the value of the header.
|
||
properties:
|
||
descriptorKey:
|
||
description: DescriptorKey defines the
|
||
key to use on the descriptor entry.
|
||
minLength: 1
|
||
type: string
|
||
headerName:
|
||
description: HeaderName defines the name
|
||
of the header to look for on the request.
|
||
minLength: 1
|
||
type: string
|
||
type: object
|
||
requestHeaderValueMatch:
|
||
description: |-
|
||
RequestHeaderValueMatch defines a descriptor entry that's populated
|
||
if the request's headers match a set of 1+ match criteria. The
|
||
descriptor key is "header_match", and the descriptor value is static.
|
||
properties:
|
||
expectMatch:
|
||
default: true
|
||
description: |-
|
||
ExpectMatch defines whether the request must positively match the match
|
||
criteria in order to generate a descriptor entry (i.e. true), or not
|
||
match the match criteria in order to generate a descriptor entry (i.e. false).
|
||
The default is true.
|
||
type: boolean
|
||
headers:
|
||
description: |-
|
||
Headers is a list of 1+ match criteria to apply against the request
|
||
to determine whether to populate the descriptor entry or not.
|
||
items:
|
||
description: |-
|
||
HeaderMatchCondition specifies how to conditionally match against HTTP
|
||
headers. The Name field is required, only one of Present, NotPresent,
|
||
Contains, NotContains, Exact, NotExact and Regex can be set.
|
||
For negative matching rules only (e.g. NotContains or NotExact) you can set
|
||
TreatMissingAsEmpty.
|
||
IgnoreCase has no effect for Regex.
|
||
properties:
|
||
contains:
|
||
description: |-
|
||
Contains specifies a substring that must be present in
|
||
the header value.
|
||
type: string
|
||
exact:
|
||
description: Exact specifies a string
|
||
that the header value must be
|
||
equal to.
|
||
type: string
|
||
ignoreCase:
|
||
description: |-
|
||
IgnoreCase specifies that string matching should be case insensitive.
|
||
Note that this has no effect on the Regex parameter.
|
||
type: boolean
|
||
name:
|
||
description: |-
|
||
Name is the name of the header to match against. Name is required.
|
||
Header names are case insensitive.
|
||
type: string
|
||
notcontains:
|
||
description: |-
|
||
NotContains specifies a substring that must not be present
|
||
in the header value.
|
||
type: string
|
||
notexact:
|
||
description: |-
|
||
NoExact specifies a string that the header value must not be
|
||
equal to. The condition is true if the header has any other value.
|
||
type: string
|
||
notpresent:
|
||
description: |-
|
||
NotPresent specifies that condition is true when the named header
|
||
is not present. Note that setting NotPresent to false does not
|
||
make the condition true if the named header is present.
|
||
type: boolean
|
||
present:
|
||
description: |-
|
||
Present specifies that condition is true when the named header
|
||
is present, regardless of its value. Note that setting Present
|
||
to false does not make the condition true if the named header
|
||
is absent.
|
||
type: boolean
|
||
regex:
|
||
description: |-
|
||
Regex specifies a regular expression pattern that must match the header
|
||
value.
|
||
type: string
|
||
treatMissingAsEmpty:
|
||
description: |-
|
||
TreatMissingAsEmpty specifies if the header match rule specified header
|
||
does not exist, this header value will be treated as empty. Defaults to false.
|
||
Unlike the underlying Envoy implementation this is **only** supported for
|
||
negative matches (e.g. NotContains, NotExact).
|
||
type: boolean
|
||
required:
|
||
- name
|
||
type: object
|
||
minItems: 1
|
||
type: array
|
||
value:
|
||
description: Value defines the value of
|
||
the descriptor entry.
|
||
minLength: 1
|
||
type: string
|
||
type: object
|
||
type: object
|
||
minItems: 1
|
||
type: array
|
||
type: object
|
||
minItems: 1
|
||
type: array
|
||
disabled:
|
||
description: |-
|
||
Disabled configures the HTTPProxy to not use
|
||
the default global rate limit policy defined by the Contour configuration.
|
||
type: boolean
|
||
type: object
|
||
local:
|
||
description: |-
|
||
Local defines local rate limiting parameters, i.e. parameters
|
||
for rate limiting that occurs within each Envoy pod as requests
|
||
are handled.
|
||
properties:
|
||
burst:
|
||
description: |-
|
||
Burst defines the number of requests above the requests per
|
||
unit that should be allowed within a short period of time.
|
||
format: int32
|
||
type: integer
|
||
requests:
|
||
description: |-
|
||
Requests defines how many requests per unit of time should
|
||
be allowed before rate limiting occurs.
|
||
format: int32
|
||
minimum: 1
|
||
type: integer
|
||
responseHeadersToAdd:
|
||
description: |-
|
||
ResponseHeadersToAdd is an optional list of response headers to
|
||
set when a request is rate-limited.
|
||
items:
|
||
description: HeaderValue represents a header name/value
|
||
pair
|
||
properties:
|
||
name:
|
||
description: Name represents a key of a header
|
||
minLength: 1
|
||
type: string
|
||
value:
|
||
description: Value represents the value of a header
|
||
specified by a key
|
||
minLength: 1
|
||
type: string
|
||
required:
|
||
- name
|
||
- value
|
||
type: object
|
||
type: array
|
||
responseStatusCode:
|
||
description: |-
|
||
ResponseStatusCode is the HTTP status code to use for responses
|
||
to rate-limited requests. Codes must be in the 400-599 range
|
||
(inclusive). If not specified, the Envoy default of 429 (Too
|
||
Many Requests) is used.
|
||
format: int32
|
||
maximum: 599
|
||
minimum: 400
|
||
type: integer
|
||
unit:
|
||
description: |-
|
||
Unit defines the period of time within which requests
|
||
over the limit will be rate limited. Valid values are
|
||
"second", "minute" and "hour".
|
||
enum:
|
||
- second
|
||
- minute
|
||
- hour
|
||
type: string
|
||
required:
|
||
- requests
|
||
- unit
|
||
type: object
|
||
type: object
|
||
tls:
|
||
description: |-
|
||
If present the fields describes TLS properties of the virtual
|
||
host. The SNI names that will be matched on are described in fqdn,
|
||
the tls.secretName secret must contain a certificate that itself
|
||
contains a name that matches the FQDN.
|
||
properties:
|
||
clientValidation:
|
||
description: |-
|
||
ClientValidation defines how to verify the client certificate
|
||
when an external client establishes a TLS connection to Envoy.
|
||
This setting:
|
||
1. Enables TLS client certificate validation.
|
||
2. Specifies how the client certificate will be validated (i.e.
|
||
validation required or skipped).
|
||
Note: Setting client certificate validation to be skipped should
|
||
be only used in conjunction with an external authorization server that
|
||
performs client validation as Contour will ensure client certificates
|
||
are passed along.
|
||
properties:
|
||
caSecret:
|
||
description: |-
|
||
Name of a Kubernetes secret that contains a CA certificate bundle.
|
||
The secret must contain key named ca.crt.
|
||
The client certificate must validate against the certificates in the bundle.
|
||
If specified and SkipClientCertValidation is true, client certificates will
|
||
be required on requests.
|
||
The name can be optionally prefixed with namespace "namespace/name".
|
||
When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
|
||
minLength: 1
|
||
type: string
|
||
crlOnlyVerifyLeafCert:
|
||
description: |-
|
||
If this option is set to true, only the certificate at the end of the
|
||
certificate chain will be subject to validation by CRL.
|
||
type: boolean
|
||
crlSecret:
|
||
description: |-
|
||
Name of a Kubernetes opaque secret that contains a concatenated list of PEM encoded CRLs.
|
||
The secret must contain key named crl.pem.
|
||
This field will be used to verify that a client certificate has not been revoked.
|
||
CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert is true.
|
||
Large CRL lists are not supported since individual secrets are limited to 1MiB in size.
|
||
The name can be optionally prefixed with namespace "namespace/name".
|
||
When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
|
||
minLength: 1
|
||
type: string
|
||
forwardClientCertificate:
|
||
description: |-
|
||
ForwardClientCertificate adds the selected data from the passed client TLS certificate
|
||
to the x-forwarded-client-cert header.
|
||
properties:
|
||
cert:
|
||
description: Client cert in URL encoded PEM format.
|
||
type: boolean
|
||
chain:
|
||
description: Client cert chain (including the leaf
|
||
cert) in URL encoded PEM format.
|
||
type: boolean
|
||
dns:
|
||
description: DNS type Subject Alternative Names of
|
||
the client cert.
|
||
type: boolean
|
||
subject:
|
||
description: Subject of the client cert.
|
||
type: boolean
|
||
uri:
|
||
description: URI type Subject Alternative Name of
|
||
the client cert.
|
||
type: boolean
|
||
type: object
|
||
optionalClientCertificate:
|
||
description: |-
|
||
OptionalClientCertificate when set to true will request a client certificate
|
||
but allow the connection to continue if the client does not provide one.
|
||
If a client certificate is sent, it will be verified according to the
|
||
other properties, which includes disabling validation if
|
||
SkipClientCertValidation is set. Defaults to false.
|
||
type: boolean
|
||
skipClientCertValidation:
|
||
description: |-
|
||
SkipClientCertValidation disables downstream client certificate
|
||
validation. Defaults to false. This field is intended to be used in
|
||
conjunction with external authorization in order to enable the external
|
||
authorization server to validate client certificates. When this field
|
||
is set to true, client certificates are requested but not verified by
|
||
Envoy. If CACertificate is specified, client certificates are required on
|
||
requests, but not verified. If external authorization is in use, they are
|
||
presented to the external authorization server.
|
||
type: boolean
|
||
type: object
|
||
enableFallbackCertificate:
|
||
description: |-
|
||
EnableFallbackCertificate defines if the vhost should allow a default certificate to
|
||
be applied which handles all requests which don't match the SNI defined in this vhost.
|
||
type: boolean
|
||
maximumProtocolVersion:
|
||
description: |-
|
||
MaximumProtocolVersion is the maximum TLS version this vhost should
|
||
negotiate. Valid options are `1.2` and `1.3` (default). Any other value
|
||
defaults to TLS 1.3.
|
||
type: string
|
||
minimumProtocolVersion:
|
||
description: |-
|
||
MinimumProtocolVersion is the minimum TLS version this vhost should
|
||
negotiate. Valid options are `1.2` (default) and `1.3`. Any other value
|
||
defaults to TLS 1.2.
|
||
type: string
|
||
passthrough:
|
||
description: |-
|
||
Passthrough defines whether the encrypted TLS handshake will be
|
||
passed through to the backing cluster. Either Passthrough or
|
||
SecretName must be specified, but not both.
|
||
type: boolean
|
||
secretName:
|
||
description: |-
|
||
SecretName is the name of a TLS secret.
|
||
Either SecretName or Passthrough must be specified, but not both.
|
||
If specified, the named secret must contain a matching certificate
|
||
for the virtual host's FQDN.
|
||
The name can be optionally prefixed with namespace "namespace/name".
|
||
When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
|
||
type: string
|
||
type: object
|
||
required:
|
||
- fqdn
|
||
type: object
|
||
type: object
|
||
status:
|
||
default:
|
||
currentStatus: NotReconciled
|
||
description: Waiting for controller
|
||
description: Status is a container for computed information about the
|
||
HTTPProxy.
|
||
properties:
|
||
conditions:
|
||
description: |-
|
||
Conditions contains information about the current status of the HTTPProxy,
|
||
in an upstream-friendly container.
|
||
Contour will update a single condition, `Valid`, that is in normal-true polarity.
|
||
That is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`,
|
||
and vice versa.
|
||
Contour will leave untouched any other Conditions set in this block,
|
||
in case some other controller wants to add a Condition.
|
||
If you are another controller owner and wish to add a condition, you *should*
|
||
namespace your condition with a label, like `controller.domain.com/ConditionName`.
|
||
items:
|
||
description: |-
|
||
DetailedCondition is an extension of the normal Kubernetes conditions, with two extra
|
||
fields to hold sub-conditions, which provide more detailed reasons for the state (True or False)
|
||
of the condition.
|
||
`errors` holds information about sub-conditions which are fatal to that condition and render its state False.
|
||
`warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False.
|
||
Remember that Conditions have a type, a status, and a reason.
|
||
The type is the type of the condition, the most important one in this CRD set is `Valid`.
|
||
`Valid` is a positive-polarity condition: when it is `status: true` there are no problems.
|
||
In more detail, `status: true` means that the object is has been ingested into Contour with no errors.
|
||
`warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors`
|
||
slice in this case.
|
||
`Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour.
|
||
The details of the errors will be present under the `errors` field. There must be at least one error in the `errors`
|
||
slice if `status` is `false`.
|
||
For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity.
|
||
When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice.
|
||
When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice.
|
||
In either case, there may be entries in the `warnings` slice.
|
||
Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason
|
||
(if there is one and only one entry in total across both the `errors` and `warnings` slices), or
|
||
`MultipleReasons` if there is more than one entry.
|
||
properties:
|
||
errors:
|
||
description: |-
|
||
Errors contains a slice of relevant error subconditions for this object.
|
||
Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant.
|
||
An empty slice here indicates no errors.
|
||
items:
|
||
description: |-
|
||
SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
|
||
It contains a subset of the Condition fields.
|
||
It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
|
||
that is, they should be of the form "ErrorPresent: true".
|
||
The expected lifecycle for these errors is that they should only be present when the error or warning is,
|
||
and should be removed when they are not relevant.
|
||
properties:
|
||
message:
|
||
description: |-
|
||
Message is a human readable message indicating details about the transition.
|
||
This may be an empty string.
|
||
maxLength: 32768
|
||
type: string
|
||
reason:
|
||
description: |-
|
||
Reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
||
Producers of specific condition types may define expected values and meanings for this field,
|
||
and whether the values are considered a guaranteed API.
|
||
The value should be a CamelCase string.
|
||
This field may not be empty.
|
||
maxLength: 1024
|
||
minLength: 1
|
||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||
type: string
|
||
status:
|
||
description: Status of the condition, one of True, False,
|
||
Unknown.
|
||
enum:
|
||
- "True"
|
||
- "False"
|
||
- Unknown
|
||
type: string
|
||
type:
|
||
description: |-
|
||
Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
|
||
This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
|
||
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||
maxLength: 316
|
||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||
type: string
|
||
required:
|
||
- message
|
||
- reason
|
||
- status
|
||
- type
|
||
type: object
|
||
type: array
|
||
lastTransitionTime:
|
||
description: |-
|
||
lastTransitionTime is the last time the condition transitioned from one status to another.
|
||
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
|
||
format: date-time
|
||
type: string
|
||
message:
|
||
description: |-
|
||
message is a human readable message indicating details about the transition.
|
||
This may be an empty string.
|
||
maxLength: 32768
|
||
type: string
|
||
observedGeneration:
|
||
description: |-
|
||
observedGeneration represents the .metadata.generation that the condition was set based upon.
|
||
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
||
with respect to the current state of the instance.
|
||
format: int64
|
||
minimum: 0
|
||
type: integer
|
||
reason:
|
||
description: |-
|
||
reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
||
Producers of specific condition types may define expected values and meanings for this field,
|
||
and whether the values are considered a guaranteed API.
|
||
The value should be a CamelCase string.
|
||
This field may not be empty.
|
||
maxLength: 1024
|
||
minLength: 1
|
||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||
type: string
|
||
status:
|
||
description: status of the condition, one of True, False, Unknown.
|
||
enum:
|
||
- "True"
|
||
- "False"
|
||
- Unknown
|
||
type: string
|
||
type:
|
||
description: |-
|
||
type of condition in CamelCase or in foo.example.com/CamelCase.
|
||
---
|
||
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
|
||
useful (see .node.status.conditions), the ability to deconflict is important.
|
||
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||
maxLength: 316
|
||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||
type: string
|
||
warnings:
|
||
description: |-
|
||
Warnings contains a slice of relevant warning subconditions for this object.
|
||
Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant.
|
||
An empty slice here indicates no warnings.
|
||
items:
|
||
description: |-
|
||
SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
|
||
It contains a subset of the Condition fields.
|
||
It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
|
||
that is, they should be of the form "ErrorPresent: true".
|
||
The expected lifecycle for these errors is that they should only be present when the error or warning is,
|
||
and should be removed when they are not relevant.
|
||
properties:
|
||
message:
|
||
description: |-
|
||
Message is a human readable message indicating details about the transition.
|
||
This may be an empty string.
|
||
maxLength: 32768
|
||
type: string
|
||
reason:
|
||
description: |-
|
||
Reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
||
Producers of specific condition types may define expected values and meanings for this field,
|
||
and whether the values are considered a guaranteed API.
|
||
The value should be a CamelCase string.
|
||
This field may not be empty.
|
||
maxLength: 1024
|
||
minLength: 1
|
||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||
type: string
|
||
status:
|
||
description: Status of the condition, one of True, False,
|
||
Unknown.
|
||
enum:
|
||
- "True"
|
||
- "False"
|
||
- Unknown
|
||
type: string
|
||
type:
|
||
description: |-
|
||
Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
|
||
This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
|
||
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||
maxLength: 316
|
||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||
type: string
|
||
required:
|
||
- message
|
||
- reason
|
||
- status
|
||
- type
|
||
type: object
|
||
type: array
|
||
required:
|
||
- lastTransitionTime
|
||
- message
|
||
- reason
|
||
- status
|
||
- type
|
||
type: object
|
||
type: array
|
||
x-kubernetes-list-map-keys:
|
||
- type
|
||
x-kubernetes-list-type: map
|
||
currentStatus:
|
||
type: string
|
||
description:
|
||
type: string
|
||
loadBalancer:
|
||
description: LoadBalancer contains the current status of the load
|
||
balancer.
|
||
properties:
|
||
ingress:
|
||
description: |-
|
||
Ingress is a list containing ingress points for the load-balancer.
|
||
Traffic intended for the service should be sent to these ingress points.
|
||
items:
|
||
description: |-
|
||
LoadBalancerIngress represents the status of a load-balancer ingress point:
|
||
traffic intended for the service should be sent to an ingress point.
|
||
properties:
|
||
hostname:
|
||
description: |-
|
||
Hostname is set for load-balancer ingress points that are DNS based
|
||
(typically AWS load-balancers)
|
||
type: string
|
||
ip:
|
||
description: |-
|
||
IP is set for load-balancer ingress points that are IP based
|
||
(typically GCE or OpenStack load-balancers)
|
||
type: string
|
||
ipMode:
|
||
description: |-
|
||
IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified.
|
||
Setting this to "VIP" indicates that traffic is delivered to the node with
|
||
the destination set to the load-balancer's IP and port.
|
||
Setting this to "Proxy" indicates that traffic is delivered to the node or pod with
|
||
the destination set to the node's IP and node port or the pod's IP and port.
|
||
Service implementations may use this information to adjust traffic routing.
|
||
type: string
|
||
ports:
|
||
description: |-
|
||
Ports is a list of records of service ports
|
||
If used, every port defined in the service should have an entry in it
|
||
items:
|
||
properties:
|
||
error:
|
||
description: |-
|
||
Error is to record the problem with the service port
|
||
The format of the error shall comply with the following rules:
|
||
- built-in error values shall be specified in this file and those shall use
|
||
CamelCase names
|
||
- cloud provider specific error values must have names that comply with the
|
||
format foo.example.com/CamelCase.
|
||
---
|
||
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||
maxLength: 316
|
||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||
type: string
|
||
port:
|
||
description: Port is the port number of the service
|
||
port of which status is recorded here
|
||
format: int32
|
||
type: integer
|
||
protocol:
|
||
default: TCP
|
||
description: |-
|
||
Protocol is the protocol of the service port of which status is recorded here
|
||
The supported values are: "TCP", "UDP", "SCTP"
|
||
type: string
|
||
required:
|
||
- port
|
||
- protocol
|
||
type: object
|
||
type: array
|
||
x-kubernetes-list-type: atomic
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: object
|
||
required:
|
||
- metadata
|
||
- spec
|
||
type: object
|
||
served: true
|
||
storage: true
|
||
subresources:
|
||
status: {}
|
||
---
|
||
apiVersion: apiextensions.k8s.io/v1
|
||
kind: CustomResourceDefinition
|
||
metadata:
|
||
annotations:
|
||
controller-gen.kubebuilder.io/version: v0.14.0
|
||
name: tlscertificatedelegations.projectcontour.io
|
||
spec:
|
||
preserveUnknownFields: false
|
||
group: projectcontour.io
|
||
names:
|
||
kind: TLSCertificateDelegation
|
||
listKind: TLSCertificateDelegationList
|
||
plural: tlscertificatedelegations
|
||
shortNames:
|
||
- tlscerts
|
||
singular: tlscertificatedelegation
|
||
scope: Namespaced
|
||
versions:
|
||
- name: v1
|
||
schema:
|
||
openAPIV3Schema:
|
||
description: |-
|
||
TLSCertificateDelegation is an TLS Certificate Delegation CRD specification.
|
||
See design/tls-certificate-delegation.md for details.
|
||
properties:
|
||
apiVersion:
|
||
description: |-
|
||
APIVersion defines the versioned schema of this representation of an object.
|
||
Servers should convert recognized schemas to the latest internal value, and
|
||
may reject unrecognized values.
|
||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||
type: string
|
||
kind:
|
||
description: |-
|
||
Kind is a string value representing the REST resource this object represents.
|
||
Servers may infer this from the endpoint the client submits requests to.
|
||
Cannot be updated.
|
||
In CamelCase.
|
||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||
type: string
|
||
metadata:
|
||
type: object
|
||
spec:
|
||
description: TLSCertificateDelegationSpec defines the spec of the CRD
|
||
properties:
|
||
delegations:
|
||
items:
|
||
description: |-
|
||
CertificateDelegation maps the authority to reference a secret
|
||
in the current namespace to a set of namespaces.
|
||
properties:
|
||
secretName:
|
||
description: required, the name of a secret in the current namespace.
|
||
type: string
|
||
targetNamespaces:
|
||
description: |-
|
||
required, the namespaces the authority to reference the
|
||
secret will be delegated to.
|
||
If TargetNamespaces is nil or empty, the CertificateDelegation'
|
||
is ignored. If the TargetNamespace list contains the character, "*"
|
||
the secret will be delegated to all namespaces.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- secretName
|
||
- targetNamespaces
|
||
type: object
|
||
type: array
|
||
required:
|
||
- delegations
|
||
type: object
|
||
status:
|
||
description: |-
|
||
TLSCertificateDelegationStatus allows for the status of the delegation
|
||
to be presented to the user.
|
||
properties:
|
||
conditions:
|
||
description: |-
|
||
Conditions contains information about the current status of the HTTPProxy,
|
||
in an upstream-friendly container.
|
||
Contour will update a single condition, `Valid`, that is in normal-true polarity.
|
||
That is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`,
|
||
and vice versa.
|
||
Contour will leave untouched any other Conditions set in this block,
|
||
in case some other controller wants to add a Condition.
|
||
If you are another controller owner and wish to add a condition, you *should*
|
||
namespace your condition with a label, like `controller.domain.com\ConditionName`.
|
||
items:
|
||
description: |-
|
||
DetailedCondition is an extension of the normal Kubernetes conditions, with two extra
|
||
fields to hold sub-conditions, which provide more detailed reasons for the state (True or False)
|
||
of the condition.
|
||
`errors` holds information about sub-conditions which are fatal to that condition and render its state False.
|
||
`warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False.
|
||
Remember that Conditions have a type, a status, and a reason.
|
||
The type is the type of the condition, the most important one in this CRD set is `Valid`.
|
||
`Valid` is a positive-polarity condition: when it is `status: true` there are no problems.
|
||
In more detail, `status: true` means that the object is has been ingested into Contour with no errors.
|
||
`warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors`
|
||
slice in this case.
|
||
`Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour.
|
||
The details of the errors will be present under the `errors` field. There must be at least one error in the `errors`
|
||
slice if `status` is `false`.
|
||
For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity.
|
||
When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice.
|
||
When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice.
|
||
In either case, there may be entries in the `warnings` slice.
|
||
Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason
|
||
(if there is one and only one entry in total across both the `errors` and `warnings` slices), or
|
||
`MultipleReasons` if there is more than one entry.
|
||
properties:
|
||
errors:
|
||
description: |-
|
||
Errors contains a slice of relevant error subconditions for this object.
|
||
Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant.
|
||
An empty slice here indicates no errors.
|
||
items:
|
||
description: |-
|
||
SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
|
||
It contains a subset of the Condition fields.
|
||
It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
|
||
that is, they should be of the form "ErrorPresent: true".
|
||
The expected lifecycle for these errors is that they should only be present when the error or warning is,
|
||
and should be removed when they are not relevant.
|
||
properties:
|
||
message:
|
||
description: |-
|
||
Message is a human readable message indicating details about the transition.
|
||
This may be an empty string.
|
||
maxLength: 32768
|
||
type: string
|
||
reason:
|
||
description: |-
|
||
Reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
||
Producers of specific condition types may define expected values and meanings for this field,
|
||
and whether the values are considered a guaranteed API.
|
||
The value should be a CamelCase string.
|
||
This field may not be empty.
|
||
maxLength: 1024
|
||
minLength: 1
|
||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||
type: string
|
||
status:
|
||
description: Status of the condition, one of True, False,
|
||
Unknown.
|
||
enum:
|
||
- "True"
|
||
- "False"
|
||
- Unknown
|
||
type: string
|
||
type:
|
||
description: |-
|
||
Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
|
||
This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
|
||
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||
maxLength: 316
|
||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||
type: string
|
||
required:
|
||
- message
|
||
- reason
|
||
- status
|
||
- type
|
||
type: object
|
||
type: array
|
||
lastTransitionTime:
|
||
description: |-
|
||
lastTransitionTime is the last time the condition transitioned from one status to another.
|
||
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
|
||
format: date-time
|
||
type: string
|
||
message:
|
||
description: |-
|
||
message is a human readable message indicating details about the transition.
|
||
This may be an empty string.
|
||
maxLength: 32768
|
||
type: string
|
||
observedGeneration:
|
||
description: |-
|
||
observedGeneration represents the .metadata.generation that the condition was set based upon.
|
||
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
||
with respect to the current state of the instance.
|
||
format: int64
|
||
minimum: 0
|
||
type: integer
|
||
reason:
|
||
description: |-
|
||
reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
||
Producers of specific condition types may define expected values and meanings for this field,
|
||
and whether the values are considered a guaranteed API.
|
||
The value should be a CamelCase string.
|
||
This field may not be empty.
|
||
maxLength: 1024
|
||
minLength: 1
|
||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||
type: string
|
||
status:
|
||
description: status of the condition, one of True, False, Unknown.
|
||
enum:
|
||
- "True"
|
||
- "False"
|
||
- Unknown
|
||
type: string
|
||
type:
|
||
description: |-
|
||
type of condition in CamelCase or in foo.example.com/CamelCase.
|
||
---
|
||
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
|
||
useful (see .node.status.conditions), the ability to deconflict is important.
|
||
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||
maxLength: 316
|
||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||
type: string
|
||
warnings:
|
||
description: |-
|
||
Warnings contains a slice of relevant warning subconditions for this object.
|
||
Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant.
|
||
An empty slice here indicates no warnings.
|
||
items:
|
||
description: |-
|
||
SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
|
||
It contains a subset of the Condition fields.
|
||
It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
|
||
that is, they should be of the form "ErrorPresent: true".
|
||
The expected lifecycle for these errors is that they should only be present when the error or warning is,
|
||
and should be removed when they are not relevant.
|
||
properties:
|
||
message:
|
||
description: |-
|
||
Message is a human readable message indicating details about the transition.
|
||
This may be an empty string.
|
||
maxLength: 32768
|
||
type: string
|
||
reason:
|
||
description: |-
|
||
Reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
||
Producers of specific condition types may define expected values and meanings for this field,
|
||
and whether the values are considered a guaranteed API.
|
||
The value should be a CamelCase string.
|
||
This field may not be empty.
|
||
maxLength: 1024
|
||
minLength: 1
|
||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||
type: string
|
||
status:
|
||
description: Status of the condition, one of True, False,
|
||
Unknown.
|
||
enum:
|
||
- "True"
|
||
- "False"
|
||
- Unknown
|
||
type: string
|
||
type:
|
||
description: |-
|
||
Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
|
||
This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
|
||
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||
maxLength: 316
|
||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||
type: string
|
||
required:
|
||
- message
|
||
- reason
|
||
- status
|
||
- type
|
||
type: object
|
||
type: array
|
||
required:
|
||
- lastTransitionTime
|
||
- message
|
||
- reason
|
||
- status
|
||
- type
|
||
type: object
|
||
type: array
|
||
x-kubernetes-list-map-keys:
|
||
- type
|
||
x-kubernetes-list-type: map
|
||
type: object
|
||
required:
|
||
- metadata
|
||
- spec
|
||
type: object
|
||
served: true
|
||
storage: true
|
||
subresources:
|
||
status: {}
|
||
|
||
---
|
||
apiVersion: v1
|
||
kind: ServiceAccount
|
||
metadata:
|
||
name: contour-certgen
|
||
namespace: projectcontour
|
||
---
|
||
apiVersion: rbac.authorization.k8s.io/v1
|
||
kind: RoleBinding
|
||
metadata:
|
||
name: contour
|
||
namespace: projectcontour
|
||
roleRef:
|
||
apiGroup: rbac.authorization.k8s.io
|
||
kind: Role
|
||
name: contour-certgen
|
||
subjects:
|
||
- kind: ServiceAccount
|
||
name: contour-certgen
|
||
namespace: projectcontour
|
||
---
|
||
apiVersion: rbac.authorization.k8s.io/v1
|
||
kind: Role
|
||
metadata:
|
||
name: contour-certgen
|
||
namespace: projectcontour
|
||
rules:
|
||
- apiGroups:
|
||
- ""
|
||
resources:
|
||
- secrets
|
||
verbs:
|
||
- create
|
||
- update
|
||
---
|
||
apiVersion: batch/v1
|
||
kind: Job
|
||
metadata:
|
||
name: contour-certgen-v1-28-3
|
||
namespace: projectcontour
|
||
spec:
|
||
template:
|
||
metadata:
|
||
labels:
|
||
app: "contour-certgen"
|
||
spec:
|
||
containers:
|
||
- name: contour
|
||
image: ghcr.io/projectcontour/contour:v1.28.3
|
||
imagePullPolicy: IfNotPresent
|
||
command:
|
||
- contour
|
||
- certgen
|
||
- --kube
|
||
- --incluster
|
||
- --overwrite
|
||
- --secrets-format=compact
|
||
- --namespace=$(CONTOUR_NAMESPACE)
|
||
env:
|
||
- name: CONTOUR_NAMESPACE
|
||
valueFrom:
|
||
fieldRef:
|
||
fieldPath: metadata.namespace
|
||
restartPolicy: Never
|
||
serviceAccountName: contour-certgen
|
||
securityContext:
|
||
runAsNonRoot: true
|
||
runAsUser: 65534
|
||
runAsGroup: 65534
|
||
parallelism: 1
|
||
completions: 1
|
||
backoffLimit: 1
|
||
|
||
---
|
||
apiVersion: rbac.authorization.k8s.io/v1
|
||
kind: ClusterRoleBinding
|
||
metadata:
|
||
name: contour
|
||
roleRef:
|
||
apiGroup: rbac.authorization.k8s.io
|
||
kind: ClusterRole
|
||
name: contour
|
||
subjects:
|
||
- kind: ServiceAccount
|
||
name: contour
|
||
namespace: projectcontour
|
||
---
|
||
apiVersion: rbac.authorization.k8s.io/v1
|
||
kind: RoleBinding
|
||
metadata:
|
||
name: contour-rolebinding
|
||
namespace: projectcontour
|
||
roleRef:
|
||
apiGroup: rbac.authorization.k8s.io
|
||
kind: Role
|
||
name: contour
|
||
subjects:
|
||
- kind: ServiceAccount
|
||
name: contour
|
||
namespace: projectcontour
|
||
|
||
# The following ClusterRole and Role are generated from kubebuilder RBAC tags by
|
||
# generate-rbac.sh. Do not edit this file directly but instead edit the source
|
||
# files and re-render.
|
||
---
|
||
apiVersion: rbac.authorization.k8s.io/v1
|
||
kind: ClusterRole
|
||
metadata:
|
||
name: contour
|
||
rules:
|
||
- apiGroups:
|
||
- ""
|
||
resources:
|
||
- configmaps
|
||
- endpoints
|
||
- namespaces
|
||
- secrets
|
||
- services
|
||
verbs:
|
||
- get
|
||
- list
|
||
- watch
|
||
- apiGroups:
|
||
- discovery.k8s.io
|
||
resources:
|
||
- endpointslices
|
||
verbs:
|
||
- get
|
||
- list
|
||
- watch
|
||
- apiGroups:
|
||
- gateway.networking.k8s.io
|
||
resources:
|
||
- backendtlspolicies
|
||
- gatewayclasses
|
||
- gateways
|
||
- grpcroutes
|
||
- httproutes
|
||
- referencegrants
|
||
- tcproutes
|
||
- tlsroutes
|
||
verbs:
|
||
- get
|
||
- list
|
||
- watch
|
||
- apiGroups:
|
||
- gateway.networking.k8s.io
|
||
resources:
|
||
- backendtlspolicies/status
|
||
- gatewayclasses/status
|
||
- gateways/status
|
||
- grpcroutes/status
|
||
- httproutes/status
|
||
- tcproutes/status
|
||
- tlsroutes/status
|
||
verbs:
|
||
- update
|
||
- apiGroups:
|
||
- networking.k8s.io
|
||
resources:
|
||
- ingresses
|
||
verbs:
|
||
- get
|
||
- list
|
||
- watch
|
||
- apiGroups:
|
||
- networking.k8s.io
|
||
resources:
|
||
- ingresses/status
|
||
verbs:
|
||
- create
|
||
- get
|
||
- update
|
||
- apiGroups:
|
||
- projectcontour.io
|
||
resources:
|
||
- contourconfigurations
|
||
- extensionservices
|
||
- httpproxies
|
||
- tlscertificatedelegations
|
||
verbs:
|
||
- get
|
||
- list
|
||
- watch
|
||
- apiGroups:
|
||
- projectcontour.io
|
||
resources:
|
||
- contourconfigurations/status
|
||
- extensionservices/status
|
||
- httpproxies/status
|
||
verbs:
|
||
- create
|
||
- get
|
||
- update
|
||
---
|
||
apiVersion: rbac.authorization.k8s.io/v1
|
||
kind: Role
|
||
metadata:
|
||
name: contour
|
||
namespace: projectcontour
|
||
rules:
|
||
- apiGroups:
|
||
- ""
|
||
resources:
|
||
- events
|
||
verbs:
|
||
- create
|
||
- get
|
||
- update
|
||
- apiGroups:
|
||
- coordination.k8s.io
|
||
resources:
|
||
- leases
|
||
verbs:
|
||
- create
|
||
- get
|
||
- update
|
||
|
||
---
|
||
apiVersion: v1
|
||
kind: Service
|
||
metadata:
|
||
name: contour
|
||
namespace: projectcontour
|
||
spec:
|
||
ports:
|
||
- port: 8001
|
||
name: xds
|
||
protocol: TCP
|
||
targetPort: 8001
|
||
selector:
|
||
app: contour
|
||
type: ClusterIP
|
||
|
||
---
|
||
apiVersion: v1
|
||
kind: Service
|
||
metadata:
|
||
name: envoy
|
||
namespace: projectcontour
|
||
annotations:
|
||
# This annotation puts the AWS ELB into "TCP" mode so that it does not
|
||
# do HTTP negotiation for HTTPS connections at the ELB edge.
|
||
# The downside of this is the remote IP address of all connections will
|
||
# appear to be the internal address of the ELB. See docs/proxy-proto.md
|
||
# for information about enabling the PROXY protocol on the ELB to recover
|
||
# the original remote IP address.
|
||
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
|
||
spec:
|
||
externalTrafficPolicy: Local
|
||
ports:
|
||
- port: 80
|
||
name: http
|
||
protocol: TCP
|
||
targetPort: 8080
|
||
- port: 443
|
||
name: https
|
||
protocol: TCP
|
||
targetPort: 8443
|
||
selector:
|
||
app: envoy
|
||
type: LoadBalancer
|
||
|
||
---
|
||
apiVersion: apps/v1
|
||
kind: Deployment
|
||
metadata:
|
||
labels:
|
||
app: contour
|
||
name: contour
|
||
namespace: projectcontour
|
||
spec:
|
||
replicas: 2
|
||
strategy:
|
||
type: RollingUpdate
|
||
rollingUpdate:
|
||
# This value of maxSurge means that during a rolling update
|
||
# the new ReplicaSet will be created first.
|
||
maxSurge: 50%
|
||
selector:
|
||
matchLabels:
|
||
app: contour
|
||
template:
|
||
metadata:
|
||
annotations:
|
||
prometheus.io/scrape: "true"
|
||
prometheus.io/port: "8000"
|
||
labels:
|
||
app: contour
|
||
spec:
|
||
affinity:
|
||
podAntiAffinity:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
- podAffinityTerm:
|
||
labelSelector:
|
||
matchLabels:
|
||
app: contour
|
||
topologyKey: kubernetes.io/hostname
|
||
weight: 100
|
||
containers:
|
||
- args:
|
||
- serve
|
||
- --incluster
|
||
- --xds-address=0.0.0.0
|
||
- --xds-port=8001
|
||
- --contour-cafile=/certs/ca.crt
|
||
- --contour-cert-file=/certs/tls.crt
|
||
- --contour-key-file=/certs/tls.key
|
||
- --config-path=/config/contour.yaml
|
||
command: ["contour"]
|
||
image: ghcr.io/projectcontour/contour:v1.28.3
|
||
imagePullPolicy: IfNotPresent
|
||
name: contour
|
||
ports:
|
||
- containerPort: 8001
|
||
name: xds
|
||
protocol: TCP
|
||
- containerPort: 8000
|
||
name: metrics
|
||
protocol: TCP
|
||
- containerPort: 6060
|
||
name: debug
|
||
protocol: TCP
|
||
livenessProbe:
|
||
httpGet:
|
||
path: /healthz
|
||
port: 8000
|
||
readinessProbe:
|
||
tcpSocket:
|
||
port: 8001
|
||
periodSeconds: 10
|
||
volumeMounts:
|
||
- name: contourcert
|
||
mountPath: /certs
|
||
readOnly: true
|
||
- name: contour-config
|
||
mountPath: /config
|
||
readOnly: true
|
||
env:
|
||
- name: CONTOUR_NAMESPACE
|
||
valueFrom:
|
||
fieldRef:
|
||
apiVersion: v1
|
||
fieldPath: metadata.namespace
|
||
- name: POD_NAME
|
||
valueFrom:
|
||
fieldRef:
|
||
apiVersion: v1
|
||
fieldPath: metadata.name
|
||
dnsPolicy: ClusterFirst
|
||
serviceAccountName: contour
|
||
securityContext:
|
||
runAsNonRoot: true
|
||
runAsUser: 65534
|
||
runAsGroup: 65534
|
||
volumes:
|
||
- name: contourcert
|
||
secret:
|
||
secretName: contourcert
|
||
- name: contour-config
|
||
configMap:
|
||
name: contour
|
||
defaultMode: 0644
|
||
items:
|
||
- key: contour.yaml
|
||
path: contour.yaml
|
||
|
||
---
|
||
apiVersion: apps/v1
|
||
kind: DaemonSet
|
||
metadata:
|
||
labels:
|
||
app: envoy
|
||
name: envoy
|
||
namespace: projectcontour
|
||
spec:
|
||
updateStrategy:
|
||
type: RollingUpdate
|
||
rollingUpdate:
|
||
maxUnavailable: 10%
|
||
selector:
|
||
matchLabels:
|
||
app: envoy
|
||
template:
|
||
metadata:
|
||
annotations:
|
||
prometheus.io/scrape: "true"
|
||
prometheus.io/port: "8002"
|
||
prometheus.io/path: "/stats/prometheus"
|
||
labels:
|
||
app: envoy
|
||
spec:
|
||
containers:
|
||
- command:
|
||
- /bin/contour
|
||
args:
|
||
- envoy
|
||
- shutdown-manager
|
||
image: ghcr.io/projectcontour/contour:v1.28.3
|
||
imagePullPolicy: IfNotPresent
|
||
lifecycle:
|
||
preStop:
|
||
exec:
|
||
command:
|
||
- /bin/contour
|
||
- envoy
|
||
- shutdown
|
||
name: shutdown-manager
|
||
volumeMounts:
|
||
- name: envoy-admin
|
||
mountPath: /admin
|
||
- args:
|
||
- -c
|
||
- /config/envoy.json
|
||
- --service-cluster $(CONTOUR_NAMESPACE)
|
||
- --service-node $(ENVOY_POD_NAME)
|
||
- --log-level info
|
||
command:
|
||
- envoy
|
||
image: docker.io/envoyproxy/envoy:v1.29.4
|
||
imagePullPolicy: IfNotPresent
|
||
name: envoy
|
||
env:
|
||
- name: CONTOUR_NAMESPACE
|
||
valueFrom:
|
||
fieldRef:
|
||
apiVersion: v1
|
||
fieldPath: metadata.namespace
|
||
- name: ENVOY_POD_NAME
|
||
valueFrom:
|
||
fieldRef:
|
||
apiVersion: v1
|
||
fieldPath: metadata.name
|
||
ports:
|
||
- containerPort: 8080
|
||
hostPort: 80
|
||
name: http
|
||
protocol: TCP
|
||
- containerPort: 8443
|
||
hostPort: 443
|
||
name: https
|
||
protocol: TCP
|
||
readinessProbe:
|
||
httpGet:
|
||
path: /ready
|
||
port: 8002
|
||
initialDelaySeconds: 3
|
||
periodSeconds: 4
|
||
volumeMounts:
|
||
- name: envoy-config
|
||
mountPath: /config
|
||
readOnly: true
|
||
- name: envoycert
|
||
mountPath: /certs
|
||
readOnly: true
|
||
- name: envoy-admin
|
||
mountPath: /admin
|
||
lifecycle:
|
||
preStop:
|
||
httpGet:
|
||
path: /shutdown
|
||
port: 8090
|
||
scheme: HTTP
|
||
initContainers:
|
||
- args:
|
||
- bootstrap
|
||
- /config/envoy.json
|
||
- --xds-address=contour
|
||
- --xds-port=8001
|
||
- --xds-resource-version=v3
|
||
- --resources-dir=/config/resources
|
||
- --envoy-cafile=/certs/ca.crt
|
||
- --envoy-cert-file=/certs/tls.crt
|
||
- --envoy-key-file=/certs/tls.key
|
||
command:
|
||
- contour
|
||
image: ghcr.io/projectcontour/contour:v1.28.3
|
||
imagePullPolicy: IfNotPresent
|
||
name: envoy-initconfig
|
||
volumeMounts:
|
||
- name: envoy-config
|
||
mountPath: /config
|
||
- name: envoycert
|
||
mountPath: /certs
|
||
readOnly: true
|
||
env:
|
||
- name: CONTOUR_NAMESPACE
|
||
valueFrom:
|
||
fieldRef:
|
||
fieldPath: metadata.namespace
|
||
automountServiceAccountToken: false
|
||
serviceAccountName: envoy
|
||
terminationGracePeriodSeconds: 300
|
||
volumes:
|
||
- name: envoy-admin
|
||
emptyDir: {}
|
||
- name: envoy-config
|
||
emptyDir: {}
|
||
- name: envoycert
|
||
secret:
|
||
secretName: envoycert
|
||
restartPolicy: Always
|
||
securityContext:
|
||
runAsNonRoot: true
|
||
runAsUser: 65534
|
||
runAsGroup: 65534
|