diff --git a/apis/projectcontour/v1alpha1/contourconfig.go b/apis/projectcontour/v1alpha1/contourconfig.go index e967051d7dc..0768f77040b 100644 --- a/apis/projectcontour/v1alpha1/contourconfig.go +++ b/apis/projectcontour/v1alpha1/contourconfig.go @@ -316,6 +316,13 @@ type EnvoyConfig struct { // Network holds various configurable Envoy network values. // +optional Network *NetworkParameters `json:"network,omitempty"` + + // OMEnforcedHealth defines the endpoint Envoy uses to serve health checks with + // the envoy overload manager actions, such as global connection limits, enforced. + // + // This is disbled by default + // +optional + OMEnforcedHealth *HealthConfig `json:"om_enforced_health,omitempty"` } // DebugConfig contains Contour specific troubleshooting options. diff --git a/apis/projectcontour/v1alpha1/contourconfig_helpers.go b/apis/projectcontour/v1alpha1/contourconfig_helpers.go index babadc5bc09..c3711b4717b 100644 --- a/apis/projectcontour/v1alpha1/contourconfig_helpers.go +++ b/apis/projectcontour/v1alpha1/contourconfig_helpers.go @@ -126,6 +126,10 @@ func (e *EnvoyConfig) Validate() error { return fmt.Errorf("invalid envoy configuration: %v", err) } + if err := healthEndpointsInConflict(e.Metrics, e.Health, e.OMEnforcedHealth); err != nil { + return fmt.Errorf("invalid envoy configuration: %v", err) + } + if err := e.Logging.Validate(); err != nil { return err } @@ -313,3 +317,17 @@ func endpointsInConfict(health *HealthConfig, metrics *MetricsConfig) error { } return nil } + +// healthEndpointsInConflict returns an error if the same address and port are used between the overload manager enforced health listener and metrics +// _or_ the stats listener. Since the metrics would be validated against the stats listener already we only need to check that the overload manager +// health listener is not in conflict with either metrics or stats +func healthEndpointsInConflict(metrics *MetricsConfig, stats *HealthConfig, omEnforcedHealth *HealthConfig) error { + switch { + case omEnforcedHealth != nil && stats != nil && omEnforcedHealth.Address == stats.Address && omEnforcedHealth.Port == stats.Port: + return fmt.Errorf("cannot use the same port for health checks and overload-manager enforced health checks") + case omEnforcedHealth != nil && metrics != nil && omEnforcedHealth.Address == metrics.Address && omEnforcedHealth.Port == metrics.Port: + return fmt.Errorf("cannot use the same port for metrics and overload-manager enforced health checks") + default: + return nil + } +} diff --git a/changelogs/unreleased/6308-sethepps-minor.md b/changelogs/unreleased/6308-sethepps-minor.md new file mode 100644 index 00000000000..58063f79988 --- /dev/null +++ b/changelogs/unreleased/6308-sethepps-minor.md @@ -0,0 +1,47 @@ +## Overload Manager - Max Global Connections + +Introduces an envoy bootstrap flag to enable the [global downstream connection limit overload manager resource monitors](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/resource_monitors/downstream_connections/v3/downstream_connections.proto#envoy-v3-api-msg-extensions-resource-monitors-downstream-connections-v3-downstreamconnectionsconfig). + +The new flag can be passed as an integer flag to the contour bootstrap subcommand, `overload-dowstream-max-conn`. + +```sh +contour bootstrap --help +INFO[0000] maxprocs: Leaving GOMAXPROCS=10: CPU quota undefined +usage: contour bootstrap [] + +Generate bootstrap configuration. + + +Flags: + -h, --[no-]help Show context-sensitive help (also try --help-long and --help-man). + --log-format=text Log output format for Contour. Either text or json. + --admin-address="/admin/admin.sock" + Path to Envoy admin unix domain socket. + --admin-port=ADMIN-PORT DEPRECATED: Envoy admin interface port. + --dns-lookup-family=DNS-LOOKUP-FAMILY + Defines what DNS Resolution Policy to use for Envoy -> Contour cluster name lookup. Either v4, v6, auto, or all. + --envoy-cafile=ENVOY-CAFILE + CA Filename for Envoy secure xDS gRPC communication. ($ENVOY_CAFILE) + --envoy-cert-file=ENVOY-CERT-FILE + Client certificate filename for Envoy secure xDS gRPC communication. ($ENVOY_CERT_FILE) + --envoy-key-file=ENVOY-KEY-FILE + Client key filename for Envoy secure xDS gRPC communication. ($ENVOY_KEY_FILE) + --namespace="projectcontour" + The namespace the Envoy container will run in. ($CONTOUR_NAMESPACE) + --overload-dowstream-max-conn=OVERLOAD-DOWSTREAM-MAX-CONN + Defines the Envoy global downstream connection limit + --overload-max-heap=OVERLOAD-MAX-HEAP + Defines the maximum heap size in bytes until overload manager stops accepting new connections. + --resources-dir=RESOURCES-DIR + Directory where configuration files will be written to. + --xds-address=XDS-ADDRESS xDS gRPC API address. + --xds-port=XDS-PORT xDS gRPC API port. + --xds-resource-version="v3" + The versions of the xDS resources to request from Contour. + +Args: + Configuration file ('-' for standard output). +``` + +As part of this change, we also set the `ignore_global_conn_limit` flag to `true` on the existing admin listeners such that envoy remains live, ready, and serving stats even though it is rejecting downstream connections. +To add some flexibility for health checks, in addition to adding a new bootstrap flag there is a new configuration option for the envoy health config to enforce the envoy overload manager actions, namely rejecting requests. This "advanced" configuration gives the operator the ability to configure readiness and liveness to handle taking pods out of the pool of pods that can service k8s service traffic. diff --git a/cmd/contour/bootstrap.go b/cmd/contour/bootstrap.go index dfa365f90a1..39595f54136 100644 --- a/cmd/contour/bootstrap.go +++ b/cmd/contour/bootstrap.go @@ -34,6 +34,7 @@ func registerBootstrap(app *kingpin.Application) (*kingpin.CmdClause, *envoy.Boo bootstrap.Flag("envoy-cert-file", "Client certificate filename for Envoy secure xDS gRPC communication.").Envar("ENVOY_CERT_FILE").StringVar(&config.GrpcClientCert) bootstrap.Flag("envoy-key-file", "Client key filename for Envoy secure xDS gRPC communication.").Envar("ENVOY_KEY_FILE").StringVar(&config.GrpcClientKey) bootstrap.Flag("namespace", "The namespace the Envoy container will run in.").Envar("CONTOUR_NAMESPACE").Default("projectcontour").StringVar(&config.Namespace) + bootstrap.Flag("overload-dowstream-max-conn", "Defines the Envoy global downstream connection limit").Int64Var(&config.GlobalDownstreamConnectionLimit) bootstrap.Flag("overload-max-heap", "Defines the maximum heap size in bytes until overload manager stops accepting new connections.").Uint64Var(&config.MaximumHeapSizeBytes) bootstrap.Flag("resources-dir", "Directory where configuration files will be written to.").StringVar(&config.ResourcesDir) bootstrap.Flag("xds-address", "xDS gRPC API address.").StringVar(&config.XDSAddress) diff --git a/cmd/contour/contour.go b/cmd/contour/contour.go index 48f2997d3ee..15ced502315 100644 --- a/cmd/contour/contour.go +++ b/cmd/contour/contour.go @@ -104,6 +104,9 @@ func main() { if err := envoy.ValidAdminAddress(bootstrapCtx.AdminAddress); err != nil { log.WithField("flag", "--admin-address").WithError(err).Fatal("failed to parse bootstrap args") } + if err := envoy.ValidConnectionLimit(bootstrapCtx.GlobalDownstreamConnectionLimit); err != nil { + log.WithField("flag", "--overload-dowstream-max-conn").WithError(err).Fatal("failed to parse bootstrap args") + } if err := envoy_v3.WriteBootstrap(bootstrapCtx); err != nil { log.WithError(err).Fatal("failed to write bootstrap configuration") } diff --git a/cmd/contour/serve.go b/cmd/contour/serve.go index 0697b45a2f8..f2321855dec 100644 --- a/cmd/contour/serve.go +++ b/cmd/contour/serve.go @@ -493,7 +493,7 @@ func (s *Server) doServe() error { } resources := []xdscache.ResourceCache{ - xdscache_v3.NewListenerCache(listenerConfig, *contourConfiguration.Envoy.Metrics, *contourConfiguration.Envoy.Health, *contourConfiguration.Envoy.Network.EnvoyAdminPort), + xdscache_v3.NewListenerCache(listenerConfig, *contourConfiguration.Envoy.Metrics, *contourConfiguration.Envoy.Health, *contourConfiguration.Envoy.Network.EnvoyAdminPort, contourConfiguration.Envoy.OMEnforcedHealth), xdscache_v3.NewSecretsCache(envoy_v3.StatsSecrets(contourConfiguration.Envoy.Metrics.TLS)), &xdscache_v3.RouteCache{}, &xdscache_v3.ClusterCache{}, diff --git a/cmd/contour/servecontext.go b/cmd/contour/servecontext.go index 3a1057b6479..ac83e660665 100644 --- a/cmd/contour/servecontext.go +++ b/cmd/contour/servecontext.go @@ -495,6 +495,14 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_v1alpha1.Co Port: ctx.statsPort, } + var envoyOMEnforcedHealthListenerConfig contour_v1alpha1.HealthConfig + if ctx.Config.OMEnforcedHealthListener != nil { + envoyOMEnforcedHealthListenerConfig = contour_v1alpha1.HealthConfig{ + Address: ctx.Config.OMEnforcedHealthListener.Address, + Port: ctx.Config.OMEnforcedHealthListener.Port, + } + } + // Override metrics endpoint info from config files // // Note! @@ -581,6 +589,7 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_v1alpha1.Co XffNumTrustedHops: &ctx.Config.Network.XffNumTrustedHops, EnvoyAdminPort: &ctx.Config.Network.EnvoyAdminPort, }, + OMEnforcedHealth: &envoyOMEnforcedHealthListenerConfig, }, Gateway: gatewayConfig, HTTPProxy: &contour_v1alpha1.HTTPProxyConfig{ diff --git a/examples/contour/01-crds.yaml b/examples/contour/01-crds.yaml index 0666bd83e57..e022ac3b618 100644 --- a/examples/contour/01-crds.yaml +++ b/examples/contour/01-crds.yaml @@ -516,6 +516,20 @@ spec: format: int32 type: integer type: object + om_enforced_health: + description: |- + OMEnforcedHealth defines the endpoint Envoy uses to serve health checks with + the envoy overload manager actions, such as global connection limits, enforced. + This is disbled by default + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object service: description: |- Service holds Envoy service parameters for setting Ingress status. @@ -4201,6 +4215,20 @@ spec: format: int32 type: integer type: object + om_enforced_health: + description: |- + OMEnforcedHealth defines the endpoint Envoy uses to serve health checks with + the envoy overload manager actions, such as global connection limits, enforced. + This is disbled by default + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object service: description: |- Service holds Envoy service parameters for setting Ingress status. diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml index c5fe223017e..9c013fbf8b7 100644 --- a/examples/render/contour-deployment.yaml +++ b/examples/render/contour-deployment.yaml @@ -736,6 +736,20 @@ spec: format: int32 type: integer type: object + om_enforced_health: + description: |- + OMEnforcedHealth defines the endpoint Envoy uses to serve health checks with + the envoy overload manager actions, such as global connection limits, enforced. + This is disbled by default + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object service: description: |- Service holds Envoy service parameters for setting Ingress status. @@ -4421,6 +4435,20 @@ spec: format: int32 type: integer type: object + om_enforced_health: + description: |- + OMEnforcedHealth defines the endpoint Envoy uses to serve health checks with + the envoy overload manager actions, such as global connection limits, enforced. + This is disbled by default + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object service: description: |- Service holds Envoy service parameters for setting Ingress status. diff --git a/examples/render/contour-gateway-provisioner.yaml b/examples/render/contour-gateway-provisioner.yaml index 396d8c87dc7..af219889053 100644 --- a/examples/render/contour-gateway-provisioner.yaml +++ b/examples/render/contour-gateway-provisioner.yaml @@ -527,6 +527,20 @@ spec: format: int32 type: integer type: object + om_enforced_health: + description: |- + OMEnforcedHealth defines the endpoint Envoy uses to serve health checks with + the envoy overload manager actions, such as global connection limits, enforced. + This is disbled by default + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object service: description: |- Service holds Envoy service parameters for setting Ingress status. @@ -4212,6 +4226,20 @@ spec: format: int32 type: integer type: object + om_enforced_health: + description: |- + OMEnforcedHealth defines the endpoint Envoy uses to serve health checks with + the envoy overload manager actions, such as global connection limits, enforced. + This is disbled by default + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object service: description: |- Service holds Envoy service parameters for setting Ingress status. diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml index d68bc13728d..f7340c77fa7 100644 --- a/examples/render/contour-gateway.yaml +++ b/examples/render/contour-gateway.yaml @@ -552,6 +552,20 @@ spec: format: int32 type: integer type: object + om_enforced_health: + description: |- + OMEnforcedHealth defines the endpoint Envoy uses to serve health checks with + the envoy overload manager actions, such as global connection limits, enforced. + This is disbled by default + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object service: description: |- Service holds Envoy service parameters for setting Ingress status. @@ -4237,6 +4251,20 @@ spec: format: int32 type: integer type: object + om_enforced_health: + description: |- + OMEnforcedHealth defines the endpoint Envoy uses to serve health checks with + the envoy overload manager actions, such as global connection limits, enforced. + This is disbled by default + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object service: description: |- Service holds Envoy service parameters for setting Ingress status. diff --git a/examples/render/contour.yaml b/examples/render/contour.yaml index 1246f04d59a..fe0e21b5022 100644 --- a/examples/render/contour.yaml +++ b/examples/render/contour.yaml @@ -736,6 +736,20 @@ spec: format: int32 type: integer type: object + om_enforced_health: + description: |- + OMEnforcedHealth defines the endpoint Envoy uses to serve health checks with + the envoy overload manager actions, such as global connection limits, enforced. + This is disbled by default + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object service: description: |- Service holds Envoy service parameters for setting Ingress status. @@ -4421,6 +4435,20 @@ spec: format: int32 type: integer type: object + om_enforced_health: + description: |- + OMEnforcedHealth defines the endpoint Envoy uses to serve health checks with + the envoy overload manager actions, such as global connection limits, enforced. + This is disbled by default + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + type: object service: description: |- Service holds Envoy service parameters for setting Ingress status. diff --git a/internal/envoy/bootstrap.go b/internal/envoy/bootstrap.go index c268c0fdc4f..e1b6c84eece 100644 --- a/internal/envoy/bootstrap.go +++ b/internal/envoy/bootstrap.go @@ -95,6 +95,12 @@ type BootstrapConfig struct { // MaximumHeapSizeBytes specifies the number of bytes that overload manager allows heap to grow to. // When reaching the set threshold, new connections are denied. MaximumHeapSizeBytes uint64 + + // GlobalDownstreamConnectionLimit specifies the maximum number of global open downstream connections to envoy. + // When at the limit, envoy will reject connections at L4. + // + // Although a valid limit must be >= 0, to avoid overflow we require the type be int64 + GlobalDownstreamConnectionLimit int64 } // GetXdsAddress returns the address configured or defaults to "127.0.0.1" @@ -130,6 +136,16 @@ func ValidAdminAddress(address string) error { return nil } +// ValidConnectionLimit checks if the supplied +// envoy global connection limit is an integer +// greater than or equal to 0. +func ValidConnectionLimit(limit int64) error { + if limit < 0 { + return fmt.Errorf("invalid value %d, cannot be < 0", limit) + } + return nil +} + func stringOrDefault(s, def string) string { if s == "" { return def diff --git a/internal/envoy/bootstrap_test.go b/internal/envoy/bootstrap_test.go index 987058daea6..aa932aae9e0 100644 --- a/internal/envoy/bootstrap_test.go +++ b/internal/envoy/bootstrap_test.go @@ -14,6 +14,7 @@ package envoy import ( + "errors" "fmt" "testing" @@ -39,3 +40,23 @@ func TestValidAdminAddress(t *testing.T) { }) } } + +func TestValidConnectionLimit(t *testing.T) { + + tests := []struct { + name string + connLimit int64 + want error + }{ + {name: "valid connection limit", connLimit: 10, want: nil}, + {name: "valid connection limit", connLimit: 0, want: nil}, + {name: "invalid connection limit", connLimit: -10, want: errors.New("invalid value -10, cannot be < 0")}, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + got := ValidConnectionLimit(tc.connLimit) + assert.Equal(t, tc.want, got) + }) + } +} diff --git a/internal/envoy/v3/bootstrap.go b/internal/envoy/v3/bootstrap.go index 2552dee7602..ad516e4fa98 100644 --- a/internal/envoy/v3/bootstrap.go +++ b/internal/envoy/v3/bootstrap.go @@ -32,6 +32,7 @@ import ( envoy_config_overload_v3 "github.com/envoyproxy/go-control-plane/envoy/config/overload/v3" envoy_access_logger_file_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/file/v3" envoy_regex_engines_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/regex_engines/v3" + envoy_downstream_connections_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/resource_monitors/downstream_connections/v3" envoy_fixed_heap_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/resource_monitors/fixed_heap/v3" envoy_transport_socket_tls_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" envoy_service_discovery_v3 "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3" @@ -250,50 +251,14 @@ func bootstrapConfig(c *envoy.BootstrapConfig) *envoy_config_bootstrap_v3.Bootst Address: UnixSocketAddress(c.GetAdminAddress()), }, } - if c.MaximumHeapSizeBytes > 0 { + if c.MaximumHeapSizeBytes > 0 || c.GlobalDownstreamConnectionLimit > 0 { bootstrap.OverloadManager = &envoy_config_overload_v3.OverloadManager{ RefreshInterval: durationpb.New(250 * time.Millisecond), - ResourceMonitors: []*envoy_config_overload_v3.ResourceMonitor{ - { - Name: "envoy.resource_monitors.fixed_heap", - ConfigType: &envoy_config_overload_v3.ResourceMonitor_TypedConfig{ - TypedConfig: protobuf.MustMarshalAny( - &envoy_fixed_heap_v3.FixedHeapConfig{ - MaxHeapSizeBytes: c.MaximumHeapSizeBytes, - }), - }, - }, - }, - Actions: []*envoy_config_overload_v3.OverloadAction{ - { - Name: "envoy.overload_actions.shrink_heap", - Triggers: []*envoy_config_overload_v3.Trigger{ - { - Name: "envoy.resource_monitors.fixed_heap", - TriggerOneof: &envoy_config_overload_v3.Trigger_Threshold{ - Threshold: &envoy_config_overload_v3.ThresholdTrigger{ - Value: 0.95, - }, - }, - }, - }, - }, - { - Name: "envoy.overload_actions.stop_accepting_requests", - Triggers: []*envoy_config_overload_v3.Trigger{ - { - Name: "envoy.resource_monitors.fixed_heap", - TriggerOneof: &envoy_config_overload_v3.Trigger_Threshold{ - Threshold: &envoy_config_overload_v3.ThresholdTrigger{ - Value: 0.98, - }, - }, - }, - }, - }, - }, } + includeMaxHeapMonitoring(bootstrap, c.MaximumHeapSizeBytes) + includeMaxConnectionMonitoring(bootstrap, c.GlobalDownstreamConnectionLimit) } + return bootstrap } @@ -443,3 +408,68 @@ func validationContextSdsSecretConfig(c *envoy.BootstrapConfig) *envoy_service_d Resources: []*anypb.Any{protobuf.MustMarshalAny(secret)}, } } + +// includeMaxHeapMonitoring appends the fixed heap resource monitor and corresponding +// overload actions to the overload manager +func includeMaxHeapMonitoring(bootstrap *envoy_config_bootstrap_v3.Bootstrap, maxHeapBytes uint64) { + if maxHeapBytes > 0 { + bootstrap.OverloadManager.ResourceMonitors = append(bootstrap.OverloadManager.ResourceMonitors, + &envoy_config_overload_v3.ResourceMonitor{ + Name: "envoy.resource_monitors.fixed_heap", + ConfigType: &envoy_config_overload_v3.ResourceMonitor_TypedConfig{ + TypedConfig: protobuf.MustMarshalAny( + &envoy_fixed_heap_v3.FixedHeapConfig{ + MaxHeapSizeBytes: maxHeapBytes, + }), + }, + }, + ) + + bootstrap.OverloadManager.Actions = append(bootstrap.OverloadManager.Actions, + &envoy_config_overload_v3.OverloadAction{ + Name: "envoy.overload_actions.shrink_heap", + Triggers: []*envoy_config_overload_v3.Trigger{ + { + Name: "envoy.resource_monitors.fixed_heap", + TriggerOneof: &envoy_config_overload_v3.Trigger_Threshold{ + Threshold: &envoy_config_overload_v3.ThresholdTrigger{ + Value: 0.95, + }, + }, + }, + }, + }, + &envoy_config_overload_v3.OverloadAction{ + Name: "envoy.overload_actions.stop_accepting_requests", + Triggers: []*envoy_config_overload_v3.Trigger{ + { + Name: "envoy.resource_monitors.fixed_heap", + TriggerOneof: &envoy_config_overload_v3.Trigger_Threshold{ + Threshold: &envoy_config_overload_v3.ThresholdTrigger{ + Value: 0.98, + }, + }, + }, + }, + }, + ) + } +} + +// includeMaxConnectionMonitoring appends the downstream connection resource monitor to +// the overload manager +func includeMaxConnectionMonitoring(bootstrap *envoy_config_bootstrap_v3.Bootstrap, maxConns int64) { + if maxConns > 0 { + bootstrap.OverloadManager.ResourceMonitors = append(bootstrap.OverloadManager.ResourceMonitors, + &envoy_config_overload_v3.ResourceMonitor{ + Name: "envoy.resource_monitors.global_downstream_max_connections", + ConfigType: &envoy_config_overload_v3.ResourceMonitor_TypedConfig{ + TypedConfig: protobuf.MustMarshalAny( + &envoy_downstream_connections_v3.DownstreamConnectionsConfig{ + MaxActiveDownstreamConnections: maxConns, + }), + }, + }, + ) + } +} diff --git a/internal/envoy/v3/bootstrap_test.go b/internal/envoy/v3/bootstrap_test.go index 2012179f900..0c505d8fd96 100644 --- a/internal/envoy/v3/bootstrap_test.go +++ b/internal/envoy/v3/bootstrap_test.go @@ -1770,7 +1770,7 @@ func TestBootstrap(t *testing.T) { }, wantedError: true, }, - "Enable overload manager by specifying --overload-max-heap=2147483648": { + "Enable fixed heap overload manager by specifying --overload-max-heap=2147483648": { config: envoy.BootstrapConfig{ Path: "envoy.json", Namespace: "projectcontour", @@ -1983,8 +1983,419 @@ func TestBootstrap(t *testing.T) { } ] } - }`, - }, + }`}, + "Enable max downstream connections overload manager by specifying --overload-dowstream-max-conn=54321": { + config: envoy.BootstrapConfig{ + Path: "envoy.json", + Namespace: "projectcontour", + GlobalDownstreamConnectionLimit: 54321, + }, + wantedBootstrapConfig: `{ + "static_resources": { + "clusters": [ + { + "name": "contour", + "alt_stat_name": "projectcontour_contour_8001", + "type": "STATIC", + "connect_timeout": "5s", + "load_assignment": { + "cluster_name": "contour", + "endpoints": [ + { + "lb_endpoints": [ + { + "endpoint": { + "address": { + "socket_address": { + "address": "127.0.0.1", + "port_value": 8001 + } + } + } + } + ] + } + ] + }, + "circuit_breakers": { + "thresholds": [ + { + "priority": "HIGH", + "max_connections": 100000, + "max_pending_requests": 100000, + "max_requests": 60000000, + "max_retries": 50 + }, + { + "max_connections": 100000, + "max_pending_requests": 100000, + "max_requests": 60000000, + "max_retries": 50 + } + ] + }, + "typed_extension_protocol_options": { + "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", + "explicit_http_config": { + "http2_protocol_options": {} + } + } + }, + "upstream_connection_options": { + "tcp_keepalive": { + "keepalive_probes": 3, + "keepalive_time": 30, + "keepalive_interval": 5 + } + } + }, + { + "name": "envoy-admin", + "alt_stat_name": "projectcontour_envoy-admin_9001", + "type": "STATIC", + "connect_timeout": "0.250s", + "load_assignment": { + "cluster_name": "envoy-admin", + "endpoints": [ + { + "lb_endpoints": [ + { + "endpoint": { + "address": { + "pipe": { + "path": "/admin/admin.sock", + "mode": 420 + } + } + } + } + ] + } + ] + } + } + ] + }, + "default_regex_engine": { + "name": "envoy.regex_engines.google_re2", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.regex_engines.v3.GoogleRE2" + } + }, + "dynamic_resources": { + "lds_config": { + "api_config_source": { + "api_type": "GRPC", + "transport_api_version": "V3", + "grpc_services": [ + { + "envoy_grpc": { + "cluster_name": "contour", + "authority": "contour" + } + } + ] + }, + "resource_api_version": "V3" + }, + "cds_config": { + "api_config_source": { + "api_type": "GRPC", + "transport_api_version": "V3", + "grpc_services": [ + { + "envoy_grpc": { + "cluster_name": "contour", + "authority": "contour" + } + } + ] + }, + "resource_api_version": "V3" + } + }, + "layered_runtime": { + "layers": [ + { + "name": "dynamic", + "rtds_layer": { + "name": "dynamic", + "rtds_config": { + "api_config_source": { + "api_type": "GRPC", + "transport_api_version": "V3", + "grpc_services": [ + { + "envoy_grpc": { + "cluster_name": "contour", + "authority": "contour" + } + } + ] + }, + "resource_api_version": "V3" + } + } + }, + { + "name": "admin", + "admin_layer": {} + } + ] + }, + "admin": { + "access_log": [ + { + "name": "envoy.access_loggers.file", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog", + "path": "/dev/null" + } + } + ], + "address": { + "pipe": { + "path": "/admin/admin.sock", + "mode": 420 + } + } + }, + "overload_manager": { + "refresh_interval": "0.250s", + "resource_monitors": [ + { + "name": "envoy.resource_monitors.global_downstream_max_connections", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig", + "max_active_downstream_connections": "54321" + } + } + ] + } + }`}, + "Enable max downstream connections and fixed heap overload manager": { + config: envoy.BootstrapConfig{ + Path: "envoy.json", + Namespace: "projectcontour", + MaximumHeapSizeBytes: 2147483648, // 2 GiB + GlobalDownstreamConnectionLimit: 54321, + }, + wantedBootstrapConfig: `{ + "static_resources": { + "clusters": [ + { + "name": "contour", + "alt_stat_name": "projectcontour_contour_8001", + "type": "STATIC", + "connect_timeout": "5s", + "load_assignment": { + "cluster_name": "contour", + "endpoints": [ + { + "lb_endpoints": [ + { + "endpoint": { + "address": { + "socket_address": { + "address": "127.0.0.1", + "port_value": 8001 + } + } + } + } + ] + } + ] + }, + "circuit_breakers": { + "thresholds": [ + { + "priority": "HIGH", + "max_connections": 100000, + "max_pending_requests": 100000, + "max_requests": 60000000, + "max_retries": 50 + }, + { + "max_connections": 100000, + "max_pending_requests": 100000, + "max_requests": 60000000, + "max_retries": 50 + } + ] + }, + "typed_extension_protocol_options": { + "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", + "explicit_http_config": { + "http2_protocol_options": {} + } + } + }, + "upstream_connection_options": { + "tcp_keepalive": { + "keepalive_probes": 3, + "keepalive_time": 30, + "keepalive_interval": 5 + } + } + }, + { + "name": "envoy-admin", + "alt_stat_name": "projectcontour_envoy-admin_9001", + "type": "STATIC", + "connect_timeout": "0.250s", + "load_assignment": { + "cluster_name": "envoy-admin", + "endpoints": [ + { + "lb_endpoints": [ + { + "endpoint": { + "address": { + "pipe": { + "path": "/admin/admin.sock", + "mode": 420 + } + } + } + } + ] + } + ] + } + } + ] + }, + "default_regex_engine": { + "name": "envoy.regex_engines.google_re2", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.regex_engines.v3.GoogleRE2" + } + }, + "dynamic_resources": { + "lds_config": { + "api_config_source": { + "api_type": "GRPC", + "transport_api_version": "V3", + "grpc_services": [ + { + "envoy_grpc": { + "cluster_name": "contour", + "authority": "contour" + } + } + ] + }, + "resource_api_version": "V3" + }, + "cds_config": { + "api_config_source": { + "api_type": "GRPC", + "transport_api_version": "V3", + "grpc_services": [ + { + "envoy_grpc": { + "cluster_name": "contour", + "authority": "contour" + } + } + ] + }, + "resource_api_version": "V3" + } + }, + "layered_runtime": { + "layers": [ + { + "name": "dynamic", + "rtds_layer": { + "name": "dynamic", + "rtds_config": { + "api_config_source": { + "api_type": "GRPC", + "transport_api_version": "V3", + "grpc_services": [ + { + "envoy_grpc": { + "cluster_name": "contour", + "authority": "contour" + } + } + ] + }, + "resource_api_version": "V3" + } + } + }, + { + "name": "admin", + "admin_layer": {} + } + ] + }, + "admin": { + "access_log": [ + { + "name": "envoy.access_loggers.file", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog", + "path": "/dev/null" + } + } + ], + "address": { + "pipe": { + "path": "/admin/admin.sock", + "mode": 420 + } + } + }, + "overload_manager": { + "refresh_interval": "0.250s", + "resource_monitors": [ + { + "name": "envoy.resource_monitors.fixed_heap", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.resource_monitors.fixed_heap.v3.FixedHeapConfig", + "max_heap_size_bytes": "2147483648" + } + }, + { + "name": "envoy.resource_monitors.global_downstream_max_connections", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig", + "max_active_downstream_connections": "54321" + } + } + ], + "actions": [ + { + "name": "envoy.overload_actions.shrink_heap", + "triggers": [ + { + "name": "envoy.resource_monitors.fixed_heap", + "threshold": { + "value": 0.95 + } + } + ] + }, + { + "name": "envoy.overload_actions.stop_accepting_requests", + "triggers": [ + { + "name": "envoy.resource_monitors.fixed_heap", + "threshold": { + "value": 0.98 + } + } + ] + } + ] + } + }`}, } for name, tc := range tests { diff --git a/internal/envoy/v3/stats.go b/internal/envoy/v3/stats.go index 21cc7b57c1f..35c6548e95f 100644 --- a/internal/envoy/v3/stats.go +++ b/internal/envoy/v3/stats.go @@ -37,7 +37,7 @@ const ( // The listeners are configured to serve: // - prometheus metrics on /stats (either over HTTP or HTTPS) // - readiness probe on /ready (always over HTTP) -func StatsListeners(metrics contour_v1alpha1.MetricsConfig, health contour_v1alpha1.HealthConfig) []*envoy_config_listener_v3.Listener { +func StatsListeners(metrics contour_v1alpha1.MetricsConfig, health contour_v1alpha1.HealthConfig, omEnforcedHealth *contour_v1alpha1.HealthConfig) []*envoy_config_listener_v3.Listener { var listeners []*envoy_config_listener_v3.Listener switch { @@ -50,38 +50,53 @@ func StatsListeners(metrics contour_v1alpha1.MetricsConfig, health contour_v1alp FilterChains: filterChain("stats", DownstreamTLSTransportSocket( downstreamTLSContext(metrics.TLS.CAFile != "")), routeForAdminInterface("/stats")), + IgnoreGlobalConnLimit: true, }, { - Name: "health", - Address: SocketAddress(health.Address, health.Port), - SocketOptions: NewSocketOptions().TCPKeepalive().Build(), - FilterChains: filterChain("stats", nil, routeForAdminInterface("/ready")), + Name: "health", + Address: SocketAddress(health.Address, health.Port), + SocketOptions: NewSocketOptions().TCPKeepalive().Build(), + FilterChains: filterChain("stats", nil, routeForAdminInterface("/ready")), + IgnoreGlobalConnLimit: true, }} // Create combined HTTP listener for metrics and health. case (metrics.Address == health.Address) && (metrics.Port == health.Port): listeners = []*envoy_config_listener_v3.Listener{{ - Name: "stats-health", - Address: SocketAddress(metrics.Address, metrics.Port), - SocketOptions: NewSocketOptions().TCPKeepalive().Build(), - FilterChains: filterChain("stats", nil, routeForAdminInterface("/ready", "/stats")), + Name: "stats-health", + Address: SocketAddress(metrics.Address, metrics.Port), + SocketOptions: NewSocketOptions().TCPKeepalive().Build(), + FilterChains: filterChain("stats", nil, routeForAdminInterface("/ready", "/stats")), + IgnoreGlobalConnLimit: true, }} // Create separate HTTP listeners for metrics and health. default: listeners = []*envoy_config_listener_v3.Listener{{ - Name: "stats", - Address: SocketAddress(metrics.Address, metrics.Port), - SocketOptions: NewSocketOptions().TCPKeepalive().Build(), - FilterChains: filterChain("stats", nil, routeForAdminInterface("/stats")), + Name: "stats", + Address: SocketAddress(metrics.Address, metrics.Port), + SocketOptions: NewSocketOptions().TCPKeepalive().Build(), + FilterChains: filterChain("stats", nil, routeForAdminInterface("/stats")), + IgnoreGlobalConnLimit: true, }, { - Name: "health", - Address: SocketAddress(health.Address, health.Port), - SocketOptions: NewSocketOptions().TCPKeepalive().Build(), - FilterChains: filterChain("stats", nil, routeForAdminInterface("/ready")), + Name: "health", + Address: SocketAddress(health.Address, health.Port), + SocketOptions: NewSocketOptions().TCPKeepalive().Build(), + FilterChains: filterChain("stats", nil, routeForAdminInterface("/ready")), + IgnoreGlobalConnLimit: true, }} } + if omEnforcedHealth != nil { + listeners = append(listeners, &envoy_config_listener_v3.Listener{ + Name: "health-om-enforced", + Address: SocketAddress(omEnforcedHealth.Address, omEnforcedHealth.Port), + SocketOptions: NewSocketOptions().TCPKeepalive().Build(), + FilterChains: filterChain("stats", nil, routeForAdminInterface("/ready")), + IgnoreGlobalConnLimit: false, + }) + } + return listeners } @@ -106,7 +121,8 @@ func AdminListener(port int) *envoy_config_listener_v3.Listener { "/stats/recentlookups", ), ), - SocketOptions: NewSocketOptions().TCPKeepalive().Build(), + SocketOptions: NewSocketOptions().TCPKeepalive().Build(), + IgnoreGlobalConnLimit: true, } } diff --git a/internal/envoy/v3/stats_test.go b/internal/envoy/v3/stats_test.go index dc10c34808f..0e56169f95a 100644 --- a/internal/envoy/v3/stats_test.go +++ b/internal/envoy/v3/stats_test.go @@ -61,23 +61,25 @@ func TestStatsListeners(t *testing.T) { } type testcase struct { - metrics contour_v1alpha1.MetricsConfig - health contour_v1alpha1.HealthConfig - want []*envoy_config_listener_v3.Listener + metrics contour_v1alpha1.MetricsConfig + health contour_v1alpha1.HealthConfig + omHealthConfig *contour_v1alpha1.HealthConfig + want []*envoy_config_listener_v3.Listener } run := func(t *testing.T, name string, tc testcase) { t.Helper() t.Run(name, func(t *testing.T) { t.Helper() - got := StatsListeners(tc.metrics, tc.health) + got := StatsListeners(tc.metrics, tc.health, tc.omHealthConfig) protobuf.ExpectEqual(t, tc.want, got) }) } run(t, "stats-and-health-over-http-single-listener", testcase{ - metrics: contour_v1alpha1.MetricsConfig{Address: "127.0.0.127", Port: 8123}, - health: contour_v1alpha1.HealthConfig{Address: "127.0.0.127", Port: 8123}, + metrics: contour_v1alpha1.MetricsConfig{Address: "127.0.0.127", Port: 8123}, + health: contour_v1alpha1.HealthConfig{Address: "127.0.0.127", Port: 8123}, + omHealthConfig: nil, want: []*envoy_config_listener_v3.Listener{{ Name: "stats-health", Address: SocketAddress("127.0.0.127", 8123), @@ -107,7 +109,8 @@ func TestStatsListeners(t *testing.T) { }, }, ), - SocketOptions: NewSocketOptions().TCPKeepalive().Build(), + SocketOptions: NewSocketOptions().TCPKeepalive().Build(), + IgnoreGlobalConnLimit: true, }}, }) @@ -124,6 +127,7 @@ func TestStatsListeners(t *testing.T) { Address: "127.0.0.127", Port: 8124, }, + omHealthConfig: nil, want: []*envoy_config_listener_v3.Listener{{ Name: "stats", Address: SocketAddress("127.0.0.127", 8123), @@ -167,7 +171,8 @@ func TestStatsListeners(t *testing.T) { }, ), }}, - SocketOptions: NewSocketOptions().TCPKeepalive().Build(), + SocketOptions: NewSocketOptions().TCPKeepalive().Build(), + IgnoreGlobalConnLimit: true, }, { Name: "health", Address: SocketAddress("127.0.0.127", 8124), @@ -197,7 +202,8 @@ func TestStatsListeners(t *testing.T) { }, }, ), - SocketOptions: NewSocketOptions().TCPKeepalive().Build(), + SocketOptions: NewSocketOptions().TCPKeepalive().Build(), + IgnoreGlobalConnLimit: true, }}, }) @@ -215,6 +221,7 @@ func TestStatsListeners(t *testing.T) { Address: "127.0.0.127", Port: 8124, }, + omHealthConfig: nil, want: []*envoy_config_listener_v3.Listener{{ Name: "stats", Address: SocketAddress("127.0.0.127", 8123), @@ -265,7 +272,8 @@ func TestStatsListeners(t *testing.T) { }, ), }}, - SocketOptions: NewSocketOptions().TCPKeepalive().Build(), + SocketOptions: NewSocketOptions().TCPKeepalive().Build(), + IgnoreGlobalConnLimit: true, }, { Name: "health", Address: SocketAddress("127.0.0.127", 8124), @@ -295,7 +303,8 @@ func TestStatsListeners(t *testing.T) { }, }, ), - SocketOptions: NewSocketOptions().TCPKeepalive().Build(), + SocketOptions: NewSocketOptions().TCPKeepalive().Build(), + IgnoreGlobalConnLimit: true, }}, }) @@ -308,6 +317,7 @@ func TestStatsListeners(t *testing.T) { Address: "127.0.0.128", Port: 8124, }, + omHealthConfig: nil, want: []*envoy_config_listener_v3.Listener{{ Name: "stats", Address: SocketAddress("127.0.0.127", 8123), @@ -337,7 +347,8 @@ func TestStatsListeners(t *testing.T) { }, }, ), - SocketOptions: NewSocketOptions().TCPKeepalive().Build(), + SocketOptions: NewSocketOptions().TCPKeepalive().Build(), + IgnoreGlobalConnLimit: true, }, { Name: "health", Address: SocketAddress("127.0.0.128", 8124), @@ -367,7 +378,77 @@ func TestStatsListeners(t *testing.T) { }, }, ), - SocketOptions: NewSocketOptions().TCPKeepalive().Build(), + SocketOptions: NewSocketOptions().TCPKeepalive().Build(), + IgnoreGlobalConnLimit: true, + }}, + }) + + run(t, "stats-and-health-over-http-single-listener-with-om-enforced-health-listener", testcase{ + metrics: contour_v1alpha1.MetricsConfig{Address: "127.0.0.127", Port: 8123}, + health: contour_v1alpha1.HealthConfig{Address: "127.0.0.127", Port: 8123}, + omHealthConfig: &contour_v1alpha1.HealthConfig{Address: "127.0.0.127", Port: 8124}, + want: []*envoy_config_listener_v3.Listener{{ + Name: "stats-health", + Address: SocketAddress("127.0.0.127", 8123), + FilterChains: FilterChains( + &envoy_config_listener_v3.Filter{ + Name: wellknown.HTTPConnectionManager, + ConfigType: &envoy_config_listener_v3.Filter_TypedConfig{ + TypedConfig: protobuf.MustMarshalAny(&envoy_filter_network_http_connection_manager_v3.HttpConnectionManager{ + StatPrefix: "stats", + RouteSpecifier: &envoy_filter_network_http_connection_manager_v3.HttpConnectionManager_RouteConfig{ + RouteConfig: &envoy_config_route_v3.RouteConfiguration{ + VirtualHosts: []*envoy_config_route_v3.VirtualHost{{ + Name: "backend", + Domains: []string{"*"}, + Routes: []*envoy_config_route_v3.Route{readyRoute, statsRoute}, + }}, + }, + }, + HttpFilters: []*envoy_filter_network_http_connection_manager_v3.HttpFilter{{ + Name: wellknown.Router, + ConfigType: &envoy_filter_network_http_connection_manager_v3.HttpFilter_TypedConfig{ + TypedConfig: protobuf.MustMarshalAny(&envoy_filter_http_router_v3.Router{}), + }, + }}, + NormalizePath: wrapperspb.Bool(true), + }), + }, + }, + ), + SocketOptions: NewSocketOptions().TCPKeepalive().Build(), + IgnoreGlobalConnLimit: true, + }, { + Name: "health-om-enforced", + Address: SocketAddress("127.0.0.127", 8124), + FilterChains: FilterChains( + &envoy_config_listener_v3.Filter{ + Name: wellknown.HTTPConnectionManager, + ConfigType: &envoy_config_listener_v3.Filter_TypedConfig{ + TypedConfig: protobuf.MustMarshalAny(&envoy_filter_network_http_connection_manager_v3.HttpConnectionManager{ + StatPrefix: "stats", + RouteSpecifier: &envoy_filter_network_http_connection_manager_v3.HttpConnectionManager_RouteConfig{ + RouteConfig: &envoy_config_route_v3.RouteConfiguration{ + VirtualHosts: []*envoy_config_route_v3.VirtualHost{{ + Name: "backend", + Domains: []string{"*"}, + Routes: []*envoy_config_route_v3.Route{readyRoute}, + }}, + }, + }, + HttpFilters: []*envoy_filter_network_http_connection_manager_v3.HttpFilter{{ + Name: wellknown.Router, + ConfigType: &envoy_filter_network_http_connection_manager_v3.HttpFilter_TypedConfig{ + TypedConfig: protobuf.MustMarshalAny(&envoy_filter_http_router_v3.Router{}), + }, + }}, + NormalizePath: wrapperspb.Bool(true), + }), + }, + }, + ), + SocketOptions: NewSocketOptions().TCPKeepalive().Build(), + IgnoreGlobalConnLimit: false, }}, }) } diff --git a/internal/featuretests/v3/envoy.go b/internal/featuretests/v3/envoy.go index 6d3187a66bd..cf02d04c7bf 100644 --- a/internal/featuretests/v3/envoy.go +++ b/internal/featuretests/v3/envoy.go @@ -593,7 +593,8 @@ func statsListener() *envoy_config_listener_v3.Listener { // Single listener with metrics and health endpoints. listeners := envoy_v3.StatsListeners( contour_v1alpha1.MetricsConfig{Address: "0.0.0.0", Port: 8002}, - contour_v1alpha1.HealthConfig{Address: "0.0.0.0", Port: 8002}) + contour_v1alpha1.HealthConfig{Address: "0.0.0.0", Port: 8002}, + nil) return listeners[0] } diff --git a/internal/featuretests/v3/featuretests.go b/internal/featuretests/v3/featuretests.go index 67e0f428890..da7ca6a9f56 100644 --- a/internal/featuretests/v3/featuretests.go +++ b/internal/featuretests/v3/featuretests.go @@ -97,6 +97,7 @@ func setup(t *testing.T, opts ...any) (ResourceEventHandlerWrapper, *Contour, fu contour_v1alpha1.MetricsConfig{Address: "0.0.0.0", Port: 8002}, contour_v1alpha1.HealthConfig{Address: "0.0.0.0", Port: 8002}, 0, + nil, ), &xdscache_v3.SecretCache{}, &xdscache_v3.RouteCache{}, diff --git a/internal/featuretests/v3/listeners_test.go b/internal/featuretests/v3/listeners_test.go index 55ed7208cab..da8e87cdb37 100644 --- a/internal/featuretests/v3/listeners_test.go +++ b/internal/featuretests/v3/listeners_test.go @@ -51,6 +51,7 @@ func customAdminPort(t *testing.T, port int) []xdscache.ResourceCache { contour_v1alpha1.MetricsConfig{Address: "0.0.0.0", Port: 8002}, contour_v1alpha1.HealthConfig{Address: "0.0.0.0", Port: 8002}, port, + nil, ), &xdscache_v3.SecretCache{}, &xdscache_v3.RouteCache{}, diff --git a/internal/xdscache/v3/listener.go b/internal/xdscache/v3/listener.go index 975c0654743..055621a95da 100644 --- a/internal/xdscache/v3/listener.go +++ b/internal/xdscache/v3/listener.go @@ -291,13 +291,14 @@ func NewListenerCache( metricsConfig contour_v1alpha1.MetricsConfig, healthConfig contour_v1alpha1.HealthConfig, adminPort int, + omEnforcedHealthConfig *contour_v1alpha1.HealthConfig, ) *ListenerCache { listenerCache := &ListenerCache{ Config: listenerConfig, staticValues: map[string]*envoy_config_listener_v3.Listener{}, } - for _, l := range envoy_v3.StatsListeners(metricsConfig, healthConfig) { + for _, l := range envoy_v3.StatsListeners(metricsConfig, healthConfig, omEnforcedHealthConfig) { listenerCache.staticValues[l.Name] = l } diff --git a/pkg/config/parameters.go b/pkg/config/parameters.go index e1bafe249f9..5f755639c93 100644 --- a/pkg/config/parameters.go +++ b/pkg/config/parameters.go @@ -712,6 +712,11 @@ type Parameters struct { // from k8s endpoint slices. defaults to false and reading endpoint // data from the k8s endpoints. FeatureFlags []string `yaml:"featureFlags,omitempty"` + + // OMEnforcedHealthListener holds configuration for an envoy listener + // that enforces the overload manager actions, like global downstream + // connection limits. + OMEnforcedHealthListener *OMEnforcedHealthListenerConfig `yaml:"om_enforced_health_listener,omitempty"` } // Tracing defines properties for exporting trace data to OpenTelemetry. @@ -883,6 +888,14 @@ type MetricsServerParameters struct { // to toggle new contour features. type FeatureFlags []string +type OMEnforcedHealthListenerConfig struct { + // Address that the listener will bind to + Address string `yaml:"address,omitempty"` + + // Port that the listener will bind to. + Port int `yaml:"port,omitempty"` +} + func (p *MetricsParameters) Validate() error { if err := p.Contour.Validate(); err != nil { return fmt.Errorf("metrics.contour: %v", err) diff --git a/site/content/docs/1.28/config/api-reference.html b/site/content/docs/1.28/config/api-reference.html index 522e89d16a8..1cf5da33cad 100644 --- a/site/content/docs/1.28/config/api-reference.html +++ b/site/content/docs/1.28/config/api-reference.html @@ -1,492 +1,509 @@

Packages:

projectcontour.io/v1

Package v1 holds the specification for the projectcontour.io Custom Resource Definitions (CRDs).

-

In building this CRD, we’ve inadvertently overloaded the word “Condition”, so we’ve tried to make -this spec clear as to which types of condition are which.

-

MatchConditions are used by Routes and Includes to specify rules to match requests against for either -routing or inclusion.

-

DetailedConditions are used in the Status of these objects to hold information about the relevant -state of the object and the world around it.

-

SubConditions are used underneath DetailedConditions to give more detail to errors or warnings.

+

In building this CRD, we’ve inadvertently overloaded the word “Condition”, so we’ve tried to + make + this spec clear as to which types of condition are which.

+

MatchConditions are used by Routes and Includes to specify rules to match + requests against for either + routing or inclusion.

+

DetailedConditions are used in the Status of these objects to hold information about the + relevant + state of the object and the world around it.

+

SubConditions are used underneath DetailedConditions to give more detail to errors or + warnings.

Resource Types: - +

HTTPProxy

HTTPProxy is an Ingress CRD specification.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-apiVersion
-string		 - -projectcontour.io/v1 - -
-kind
-string -		HTTPProxy
-metadata -
- - -Kubernetes meta/v1.ObjectMeta - - -		 -Refer to the Kubernetes API documentation for the fields of the -metadata field. -
-spec -
- - -HTTPProxySpec - - -		 -
-
- - - - - - - - - - - - - - - - - - - - - -
-virtualhost -
- - -VirtualHost - - -		 -(Optional) -

Virtualhost appears at most once. If it is present, the object is considered -to be a “root” HTTPProxy.

-
-routes -
- - -[]Route - - -		 -(Optional) -

Routes are the ingress routes. If TCPProxy is present, Routes is ignored.

-
-tcpproxy -
- - -TCPProxy - - -		 -(Optional) -

TCPProxy holds TCP proxy information.

-
-includes -
- - -[]Include - - -		 -(Optional) -

Includes allow for specific routing configuration to be included from another HTTPProxy, -possibly in another namespace.

-
-ingressClassName -
- -string - -		 -(Optional) -

IngressClassName optionally specifies the ingress class to use for this -HTTPProxy. This replaces the deprecated kubernetes.io/ingress.class -annotation. For backwards compatibility, when that annotation is set, it -is given precedence over this field.

-
-
-status -
- - -HTTPProxyStatus - - -		 -(Optional) -

Status is a container for computed information about the HTTPProxy.

-
FieldDescription
+ apiVersion
+ string + 		+ + projectcontour.io/v1 + +
+ kind
+ string + 		HTTPProxy
+ metadata +
+ + + Kubernetes meta/v1.ObjectMeta + + + 		+ Refer to the Kubernetes API documentation for the fields of the + metadata field. +
+ spec +
+ + + HTTPProxySpec + + + 		+
+
+ + + + + + + + + + + + + + + + + + + + + +
+ virtualhost +
+ + + VirtualHost + + + 		+ (Optional) +

Virtualhost appears at most once. If it is present, the object is considered + to be a “root” HTTPProxy.

+
+ routes +
+ + + []Route + + + 		+ (Optional) +

Routes are the ingress routes. If TCPProxy is present, Routes is ignored.

+
+ tcpproxy +
+ + + TCPProxy + + + 		+ (Optional) +

TCPProxy holds TCP proxy information.

+
+ includes +
+ + + []Include + + + 		+ (Optional) +

Includes allow for specific routing configuration to be included from another HTTPProxy, + possibly in another namespace.

+
+ ingressClassName +
+ + string + + 		+ (Optional) +

IngressClassName optionally specifies the ingress class to use for this + HTTPProxy. This replaces the deprecated kubernetes.io/ingress.class + annotation. For backwards compatibility, when that annotation is set, it + is given precedence over this field.

+
+
+ status +
+ + + HTTPProxyStatus + + + 		+ (Optional) +

Status is a container for computed information about the HTTPProxy.

+

TLSCertificateDelegation

TLSCertificateDelegation is an TLS Certificate Delegation CRD specification. -See design/tls-certificate-delegation.md for details.

+ See design/tls-certificate-delegation.md for details.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-apiVersion
-string		 - -projectcontour.io/v1 - -
-kind
-string -		TLSCertificateDelegation
-metadata -
- - -Kubernetes meta/v1.ObjectMeta - - -		 -Refer to the Kubernetes API documentation for the fields of the -metadata field. -
-spec -
- - -TLSCertificateDelegationSpec - - -		 -
-
- - - - - -
-delegations -
- - -[]CertificateDelegation - - -		 -
-
-status -
- - -TLSCertificateDelegationStatus - - -		 -(Optional) -
FieldDescription
+ apiVersion
+ string + 		+ + projectcontour.io/v1 + +
+ kind
+ string + 		TLSCertificateDelegation
+ metadata +
+ + + Kubernetes meta/v1.ObjectMeta + + + 		+ Refer to the Kubernetes API documentation for the fields of the + metadata field. +
+ spec +
+ + + TLSCertificateDelegationSpec + + + 		+
+
+ + + + + +
+ delegations +
+ + + []CertificateDelegation + + + 		+
+
+ status +
+ + + TLSCertificateDelegationStatus + + + 		+ (Optional) +

AuthorizationPolicy

-(Appears on: -AuthorizationServer, -Route) + (Appears on: + AuthorizationServer, + Route)

AuthorizationPolicy modifies how client requests are authenticated.

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-disabled -
- -bool - -		 -(Optional) -

When true, this field disables client request authentication -for the scope of the policy.

-
-context -
- -map[string]string - -		 -(Optional) -

Context is a set of key/value pairs that are sent to the -authentication server in the check request. If a context -is provided at an enclosing scope, the entries are merged -such that the inner scope overrides matching keys from the -outer scope.

-
FieldDescription
+ disabled +
+ + bool + + 		+ (Optional) +

When true, this field disables client request authentication + for the scope of the policy.

+
+ context +
+ + map[string]string + + 		+ (Optional) +

Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope.

+

AuthorizationServer

-(Appears on: -VirtualHost, -ContourConfigurationSpec) + (Appears on: + VirtualHost, + ContourConfigurationSpec)

AuthorizationServer configures an external server to authenticate -client requests. The external server must implement the v3 Envoy -external authorization GRPC protocol (https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto).

+ client requests. The external server must implement the v3 Envoy + external authorization GRPC protocol (https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto). +

- - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-extensionRef -
- - -ExtensionServiceReference - - -		 -(Optional) -

ExtensionServiceRef specifies the extension resource that will authorize client requests.

-
-authPolicy -
- - -AuthorizationPolicy - - -		 -(Optional) -

AuthPolicy sets a default authorization policy for client requests. -This policy will be used unless overridden by individual routes.

-
-responseTimeout -
- -string - -		 -(Optional) -

ResponseTimeout configures maximum time to wait for a check response from the authorization server. -Timeout durations are expressed in the Go Duration format. -Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. -The string “infinity” is also a valid input and specifies no timeout.

-
-failOpen -
- -bool - -		 -(Optional) -

If FailOpen is true, the client request is forwarded to the upstream service -even if the authorization server fails to respond. This field should not be -set in most cases. It is intended for use only while migrating applications -from internal authorization to Contour external authorization.

-
-withRequestBody -
- - -AuthorizationServerBufferSettings - - -		 -(Optional) -

WithRequestBody specifies configuration for sending the client request’s body to authorization server.

-
FieldDescription
+ extensionRef +
+ + + ExtensionServiceReference + + + 		+ (Optional) +

ExtensionServiceRef specifies the extension resource that will authorize client requests.

+
+ authPolicy +
+ + + AuthorizationPolicy + + + 		+ (Optional) +

AuthPolicy sets a default authorization policy for client requests. + This policy will be used unless overridden by individual routes.

+
+ responseTimeout +
+ + string + + 		+ (Optional) +

ResponseTimeout configures maximum time to wait for a check response from the authorization server. + Timeout durations are expressed in the Go Duration + format. + Valid time units are “ns”, “us” (or “µs”), “ms”, + “s”, “m”, “h”. + The string “infinity” is also a valid input and specifies no timeout.

+
+ failOpen +
+ + bool + + 		+ (Optional) +

If FailOpen is true, the client request is forwarded to the upstream service + even if the authorization server fails to respond. This field should not be + set in most cases. It is intended for use only while migrating applications + from internal authorization to Contour external authorization.

+
+ withRequestBody +
+ + + AuthorizationServerBufferSettings + + + 		+ (Optional) +

WithRequestBody specifies configuration for sending the client request’s body to authorization + server.

+

AuthorizationServerBufferSettings

-(Appears on: -AuthorizationServer) + (Appears on: + AuthorizationServer)

-

AuthorizationServerBufferSettings enables ExtAuthz filter to buffer client request data and send it as part of authorization request

+

AuthorizationServerBufferSettings enables ExtAuthz filter to buffer client request data and send it as part of + authorization request

- - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + +
FieldDescription
-maxRequestBytes -
- -uint32 - -		 -(Optional) -

MaxRequestBytes sets the maximum size of message body ExtAuthz filter will hold in-memory.

-
-allowPartialMessage -
- -bool - -		 -(Optional) -

If AllowPartialMessage is true, then Envoy will buffer the body until MaxRequestBytes are reached.

-
-packAsBytes -
- -bool - -		 -(Optional) -

If PackAsBytes is true, the body sent to Authorization Server is in raw bytes.

-
FieldDescription
+ maxRequestBytes +
+ + uint32 + + 		+ (Optional) +

MaxRequestBytes sets the maximum size of message body ExtAuthz filter will hold in-memory.

+
+ allowPartialMessage +
+ + bool + + 		+ (Optional) +

If AllowPartialMessage is true, then Envoy will buffer the body until MaxRequestBytes are reached. +

+
+ packAsBytes +
+ + bool + + 		+ (Optional) +

If PackAsBytes is true, the body sent to Authorization Server is in raw bytes.

+

CORSHeaderValue -(string alias)

+ (string alias)

+

-(Appears on: -CORSPolicy) + (Appears on: + CORSPolicy)

CORSHeaderValue specifies the value of the string headers returned by a cross-domain request.

@@ -494,2598 +511,2648 @@

CORSHeaderValue

CORSPolicy

-(Appears on: -VirtualHost) + (Appears on: + VirtualHost)

CORSPolicy allows setting the CORS policy

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-allowCredentials -
- -bool - -		 -(Optional) -

Specifies whether the resource allows credentials.

-
-allowOrigin -
- -[]string - -		 -

AllowOrigin specifies the origins that will be allowed to do CORS requests. -Allowed values include “*” which signifies any origin is allowed, an exact -origin of the form “scheme://host[:port]” (where port is optional), or a valid -regex pattern. -Note that regex patterns are validated and a simple “glob” pattern (e.g. *.foo.com) -will be rejected or produce unexpected matches when applied as a regex.

-
-allowMethods -
- - -[]CORSHeaderValue - - -		 -

AllowMethods specifies the content for the access-control-allow-methods header.

-
-allowHeaders -
- - -[]CORSHeaderValue - - -		 -(Optional) -

AllowHeaders specifies the content for the access-control-allow-headers header.

-
-exposeHeaders -
- - -[]CORSHeaderValue - - -		 -(Optional) -

ExposeHeaders Specifies the content for the access-control-expose-headers header.

-
-maxAge -
- -string - -		 -(Optional) -

MaxAge indicates for how long the results of a preflight request can be cached. -MaxAge durations are expressed in the Go Duration format. -Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. -Only positive values are allowed while 0 disables the cache requiring a preflight OPTIONS -check for all cross-origin requests.

-
-allowPrivateNetwork -
- -bool - -		 -

AllowPrivateNetwork specifies whether to allow private network requests. -See https://developer.chrome.com/blog/private-network-access-preflight.

-
FieldDescription
+ allowCredentials +
+ + bool + + 		+ (Optional) +

Specifies whether the resource allows credentials.

+
+ allowOrigin +
+ + []string + + 		+

AllowOrigin specifies the origins that will be allowed to do CORS requests. + Allowed values include “*” which signifies any origin is allowed, an exact + origin of the form “scheme://host[:port]” (where port is optional), or a valid + regex pattern. + Note that regex patterns are validated and a simple “glob” pattern (e.g. *.foo.com) + will be rejected or produce unexpected matches when applied as a regex.

+
+ allowMethods +
+ + + []CORSHeaderValue + + + 		+

AllowMethods specifies the content for the access-control-allow-methods header.

+
+ allowHeaders +
+ + + []CORSHeaderValue + + + 		+ (Optional) +

AllowHeaders specifies the content for the access-control-allow-headers header.

+
+ exposeHeaders +
+ + + []CORSHeaderValue + + + 		+ (Optional) +

ExposeHeaders Specifies the content for the access-control-expose-headers header.

+
+ maxAge +
+ + string + + 		+ (Optional) +

MaxAge indicates for how long the results of a preflight request can be cached. + MaxAge durations are expressed in the Go Duration + format. + Valid time units are “ns”, “us” (or “µs”), “ms”, + “s”, “m”, “h”. + Only positive values are allowed while 0 disables the cache requiring a preflight OPTIONS + check for all cross-origin requests.

+
+ allowPrivateNetwork +
+ + bool + + 		+

AllowPrivateNetwork specifies whether to allow private network requests. + See https://developer.chrome.com/blog/private-network-access-preflight. +

+

CertificateDelegation

-(Appears on: -TLSCertificateDelegationSpec) + (Appears on: + TLSCertificateDelegationSpec)

CertificateDelegation maps the authority to reference a secret -in the current namespace to a set of namespaces.

+ in the current namespace to a set of namespaces.

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-secretName -
- -string - -		 -

required, the name of a secret in the current namespace.

-
-targetNamespaces -
- -[]string - -		 -

required, the namespaces the authority to reference the -secret will be delegated to. -If TargetNamespaces is nil or empty, the CertificateDelegation’ -is ignored. If the TargetNamespace list contains the character, “*” -the secret will be delegated to all namespaces.

-
FieldDescription
+ secretName +
+ + string + + 		+

required, the name of a secret in the current namespace.

+
+ targetNamespaces +
+ + []string + + 		+

required, the namespaces the authority to reference the + secret will be delegated to. + If TargetNamespaces is nil or empty, the CertificateDelegation’ + is ignored. If the TargetNamespace list contains the character, “*” + the secret will be delegated to all namespaces.

+

ClientCertificateDetails

-(Appears on: -DownstreamValidation) + (Appears on: + DownstreamValidation)

ClientCertificateDetails defines which parts of the client certificate will be forwarded.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-subject -
- -bool - -		 -(Optional) -

Subject of the client cert.

-
-cert -
- -bool - -		 -(Optional) -

Client cert in URL encoded PEM format.

-
-chain -
- -bool - -		 -(Optional) -

Client cert chain (including the leaf cert) in URL encoded PEM format.

-
-dns -
- -bool - -		 -(Optional) -

DNS type Subject Alternative Names of the client cert.

-
-uri -
- -bool - -		 -(Optional) -

URI type Subject Alternative Name of the client cert.

-
FieldDescription
+ subject +
+ + bool + + 		+ (Optional) +

Subject of the client cert.

+
+ cert +
+ + bool + + 		+ (Optional) +

Client cert in URL encoded PEM format.

+
+ chain +
+ + bool + + 		+ (Optional) +

Client cert chain (including the leaf cert) in URL encoded PEM format.

+
+ dns +
+ + bool + + 		+ (Optional) +

DNS type Subject Alternative Names of the client cert.

+
+ uri +
+ + bool + + 		+ (Optional) +

URI type Subject Alternative Name of the client cert.

+

CookieDomainRewrite

-(Appears on: -CookieRewritePolicy) + (Appears on: + CookieRewritePolicy)

- - - - - - - - - - - - + + + + + + + + + + + +
FieldDescription
-value -
- -string - -		 -

Value is the value to rewrite the Domain attribute to. -For now this is required.

-
FieldDescription
+ value +
+ + string + + 		+

Value is the value to rewrite the Domain attribute to. + For now this is required.

+

CookiePathRewrite

-(Appears on: -CookieRewritePolicy) + (Appears on: + CookieRewritePolicy)

- - - - - - - - - - - - + + + + + + + + + + + +
FieldDescription
-value -
- -string - -		 -

Value is the value to rewrite the Path attribute to. -For now this is required.

-
FieldDescription
+ value +
+ + string + + 		+

Value is the value to rewrite the Path attribute to. + For now this is required.

+

CookieRewritePolicy

-(Appears on: -Route, -Service) + (Appears on: + Route, + Service)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-name -
- -string - -		 -

Name is the name of the cookie for which attributes will be rewritten.

-
-pathRewrite -
- - -CookiePathRewrite - - -		 -(Optional) -

PathRewrite enables rewriting the Set-Cookie Path element. -If not set, Path will not be rewritten.

-
-domainRewrite -
- - -CookieDomainRewrite - - -		 -(Optional) -

DomainRewrite enables rewriting the Set-Cookie Domain element. -If not set, Domain will not be rewritten.

-
-secure -
- -bool - -		 -(Optional) -

Secure enables rewriting the Set-Cookie Secure element. -If not set, Secure attribute will not be rewritten.

-
-sameSite -
- -string - -		 -(Optional) -

SameSite enables rewriting the Set-Cookie SameSite element. -If not set, SameSite attribute will not be rewritten.

-
FieldDescription
+ name +
+ + string + + 		+

Name is the name of the cookie for which attributes will be rewritten.

+
+ pathRewrite +
+ + + CookiePathRewrite + + + 		+ (Optional) +

PathRewrite enables rewriting the Set-Cookie Path element. + If not set, Path will not be rewritten.

+
+ domainRewrite +
+ + + CookieDomainRewrite + + + 		+ (Optional) +

DomainRewrite enables rewriting the Set-Cookie Domain element. + If not set, Domain will not be rewritten.

+
+ secure +
+ + bool + + 		+ (Optional) +

Secure enables rewriting the Set-Cookie Secure element. + If not set, Secure attribute will not be rewritten.

+
+ sameSite +
+ + string + + 		+ (Optional) +

SameSite enables rewriting the Set-Cookie SameSite element. + If not set, SameSite attribute will not be rewritten.

+

DetailedCondition

-(Appears on: -HTTPProxyStatus, -TLSCertificateDelegationStatus, -ContourConfigurationStatus, -ExtensionServiceStatus) + (Appears on: + HTTPProxyStatus, + TLSCertificateDelegationStatus, + ContourConfigurationStatus, + ExtensionServiceStatus)

DetailedCondition is an extension of the normal Kubernetes conditions, with two extra -fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) -of the condition.

-

errors holds information about sub-conditions which are fatal to that condition and render its state False.

-

warnings holds information about sub-conditions which are not fatal to that condition and do not force the state to be False.

+ fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition.

+

errors holds information about sub-conditions which are fatal to that condition and render its state + False.

+

warnings holds information about sub-conditions which are not fatal to that condition and do not force + the state to be False.

Remember that Conditions have a type, a status, and a reason.

The type is the type of the condition, the most important one in this CRD set is Valid. -Valid is a positive-polarity condition: when it is status: true there are no problems.

+ Valid is a positive-polarity condition: when it is status: true there are no problems. +

In more detail, status: true means that the object is has been ingested into Contour with no errors. -warnings may still be present, and will be indicated in the Reason field. There must be zero entries in the errors -slice in this case.

-

Valid, status: false means that the object has had one or more fatal errors during processing into Contour. -The details of the errors will be present under the errors field. There must be at least one error in the errors -slice if status is false.

+ warnings may still be present, and will be indicated in the Reason field. There must be zero entries in + the errors + slice in this case. +

+

Valid, status: false means that the object has had one or more fatal errors during + processing into Contour. + The details of the errors will be present under the errors field. There must be at least one error in + the errors + slice if status is false.

For DetailedConditions of types other than Valid, the Condition must be in the negative polarity. -When they have status true, there is an error. There must be at least one entry in the errors Subcondition slice. -When they have status false, there are no serious errors, and there must be zero entries in the errors slice. -In either case, there may be entries in the warnings slice.

-

Regardless of the polarity, the reason and message fields must be updated with either the detail of the reason -(if there is one and only one entry in total across both the errors and warnings slices), or -MultipleReasons if there is more than one entry.

+ When they have status true, there is an error. There must be at least one entry in the + errors Subcondition slice. + When they have status false, there are no serious errors, and there must be zero entries + in the errors slice. + In either case, there may be entries in the warnings slice. +

+

Regardless of the polarity, the reason and message fields must be updated with either the + detail of the reason + (if there is one and only one entry in total across both the errors and warnings slices), + or + MultipleReasons if there is more than one entry. +

- - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + +
FieldDescription
-Condition -
- - -Kubernetes meta/v1.Condition - - -		 -

-(Members of Condition are embedded into this type.) -

-
-errors -
- - -[]SubCondition - - -		 -(Optional) -

Errors contains a slice of relevant error subconditions for this object.

-

Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. -An empty slice here indicates no errors.

-
-warnings -
- - -[]SubCondition - - -		 -(Optional) -

Warnings contains a slice of relevant warning subconditions for this object.

-

Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. -An empty slice here indicates no warnings.

-
FieldDescription
+ Condition +
+ + + Kubernetes meta/v1.Condition + + + 		+

+ (Members of Condition are embedded into this type.) +

+
+ errors +
+ + + []SubCondition + + + 		+ (Optional) +

Errors contains a slice of relevant error subconditions for this object.

+

Subconditions are expected to appear when relevant (when there is a error), and disappear when not + relevant. + An empty slice here indicates no errors.

+
+ warnings +
+ + + []SubCondition + + + 		+ (Optional) +

Warnings contains a slice of relevant warning subconditions for this object.

+

Subconditions are expected to appear when relevant (when there is a warning), and disappear when not + relevant. + An empty slice here indicates no warnings.

+

DownstreamValidation

-(Appears on: -TLS) + (Appears on: + TLS)

DownstreamValidation defines how to verify the client certificate.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-caSecret -
- -string - -		 -(Optional) -

Name of a Kubernetes secret that contains a CA certificate bundle. -The secret must contain key named ca.crt. -The client certificate must validate against the certificates in the bundle. -If specified and SkipClientCertValidation is true, client certificates will -be required on requests. -The name can be optionally prefixed with namespace “namespace/name”. -When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.

-
-skipClientCertValidation -
- -bool - -		 -(Optional) -

SkipClientCertValidation disables downstream client certificate -validation. Defaults to false. This field is intended to be used in -conjunction with external authorization in order to enable the external -authorization server to validate client certificates. When this field -is set to true, client certificates are requested but not verified by -Envoy. If CACertificate is specified, client certificates are required on -requests, but not verified. If external authorization is in use, they are -presented to the external authorization server.

-
-forwardClientCertificate -
- - -ClientCertificateDetails - - -		 -(Optional) -

ForwardClientCertificate adds the selected data from the passed client TLS certificate -to the x-forwarded-client-cert header.

-
-crlSecret -
- -string - -		 -(Optional) -

Name of a Kubernetes opaque secret that contains a concatenated list of PEM encoded CRLs. -The secret must contain key named crl.pem. -This field will be used to verify that a client certificate has not been revoked. -CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert is true. -Large CRL lists are not supported since individual secrets are limited to 1MiB in size. -The name can be optionally prefixed with namespace “namespace/name”. -When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.

-
-crlOnlyVerifyLeafCert -
- -bool - -		 -(Optional) -

If this option is set to true, only the certificate at the end of the -certificate chain will be subject to validation by CRL.

-
-optionalClientCertificate -
- -bool - -		 -(Optional) -

OptionalClientCertificate when set to true will request a client certificate -but allow the connection to continue if the client does not provide one. -If a client certificate is sent, it will be verified according to the -other properties, which includes disabling validation if -SkipClientCertValidation is set. Defaults to false.

-
FieldDescription
+ caSecret +
+ + string + + 		+ (Optional) +

Name of a Kubernetes secret that contains a CA certificate bundle. + The secret must contain key named ca.crt. + The client certificate must validate against the certificates in the bundle. + If specified and SkipClientCertValidation is true, client certificates will + be required on requests. + The name can be optionally prefixed with namespace “namespace/name”. + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the + namespace to grant access to the secret.

+
+ skipClientCertValidation +
+ + bool + + 		+ (Optional) +

SkipClientCertValidation disables downstream client certificate + validation. Defaults to false. This field is intended to be used in + conjunction with external authorization in order to enable the external + authorization server to validate client certificates. When this field + is set to true, client certificates are requested but not verified by + Envoy. If CACertificate is specified, client certificates are required on + requests, but not verified. If external authorization is in use, they are + presented to the external authorization server.

+
+ forwardClientCertificate +
+ + + ClientCertificateDetails + + + 		+ (Optional) +

ForwardClientCertificate adds the selected data from the passed client TLS certificate + to the x-forwarded-client-cert header.

+
+ crlSecret +
+ + string + + 		+ (Optional) +

Name of a Kubernetes opaque secret that contains a concatenated list of PEM encoded CRLs. + The secret must contain key named crl.pem. + This field will be used to verify that a client certificate has not been revoked. + CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert is true. + Large CRL lists are not supported since individual secrets are limited to 1MiB in size. + The name can be optionally prefixed with namespace “namespace/name”. + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the + namespace to grant access to the secret.

+
+ crlOnlyVerifyLeafCert +
+ + bool + + 		+ (Optional) +

If this option is set to true, only the certificate at the end of the + certificate chain will be subject to validation by CRL.

+
+ optionalClientCertificate +
+ + bool + + 		+ (Optional) +

OptionalClientCertificate when set to true will request a client certificate + but allow the connection to continue if the client does not provide one. + If a client certificate is sent, it will be verified according to the + other properties, which includes disabling validation if + SkipClientCertValidation is set. Defaults to false.

+

ExtensionServiceReference

-(Appears on: -AuthorizationServer) + (Appears on: + AuthorizationServer)

ExtensionServiceReference names an ExtensionService resource.

- - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + +
FieldDescription
-apiVersion -
- -string - -		 -(Optional) -

API version of the referent. -If this field is not specified, the default “projectcontour.io/v1alpha1” will be used

-
-namespace -
- -string - -		 -(Optional) -

Namespace of the referent. -If this field is not specifies, the namespace of the resource that targets the referent will be used.

-

More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

-
-name -
- -string - -		 -

Name of the referent.

-

More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

-
FieldDescription
+ apiVersion +
+ + string + + 		+ (Optional) +

API version of the referent. + If this field is not specified, the default “projectcontour.io/v1alpha1” will be used +

+
+ namespace +
+ + string + + 		+ (Optional) +

Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be + used.

+

More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ +

+
+ name +
+ + string + + 		+

Name of the referent.

+

More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +

+

Feature -(string alias)

+ (string alias)

+

-(Appears on: -ContourSettings) + (Appears on: + ContourSettings)

GenericKeyDescriptor

-(Appears on: -RateLimitDescriptorEntry) + (Appears on: + RateLimitDescriptorEntry)

GenericKeyDescriptor defines a descriptor entry with a static key and -value.

+ value.

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-key -
- -string - -		 -(Optional) -

Key defines the key of the descriptor entry. If not set, the -key is set to “generic_key”.

-
-value -
- -string - -		 -

Value defines the value of the descriptor entry.

-
FieldDescription
+ key +
+ + string + + 		+ (Optional) +

Key defines the key of the descriptor entry. If not set, the + key is set to “generic_key”.

+
+ value +
+ + string + + 		+

Value defines the value of the descriptor entry.

+

GlobalRateLimitPolicy

-(Appears on: -RateLimitPolicy, -RateLimitServiceConfig) + (Appears on: + RateLimitPolicy, + RateLimitServiceConfig)

GlobalRateLimitPolicy defines global rate limiting parameters.

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-disabled -
- -bool - -		 -(Optional) -

Disabled configures the HTTPProxy to not use -the default global rate limit policy defined by the Contour configuration.

-
-descriptors -
- - -[]RateLimitDescriptor - - -		 -(Optional) -

Descriptors defines the list of descriptors that will -be generated and sent to the rate limit service. Each -descriptor contains 1+ key-value pair entries.

-
FieldDescription
+ disabled +
+ + bool + + 		+ (Optional) +

Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration.

+
+ descriptors +
+ + + []RateLimitDescriptor + + + 		+ (Optional) +

Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries.

+

HTTPDirectResponsePolicy

-(Appears on: -Route) + (Appears on: + Route)

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-statusCode -
- -int - -		 -

StatusCode is the HTTP response status to be returned.

-
-body -
- -string - -		 -(Optional) -

Body is the content of the response body. -If this setting is omitted, no body is included in the generated response.

-

Note: Body is not recommended to set too long -otherwise it can have significant resource usage impacts.

-
FieldDescription
+ statusCode +
+ + int + + 		+

StatusCode is the HTTP response status to be returned.

+
+ body +
+ + string + + 		+ (Optional) +

Body is the content of the response body. + If this setting is omitted, no body is included in the generated response.

+

Note: Body is not recommended to set too long + otherwise it can have significant resource usage impacts.

+

HTTPHealthCheckPolicy

-(Appears on: -Route) + (Appears on: + Route)

HTTPHealthCheckPolicy defines health checks on the upstream service.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-path -
- -string - -		 -

HTTP endpoint used to perform health checks on upstream service

-
-host -
- -string - -		 -

The value of the host header in the HTTP health check request. -If left empty (default value), the name “contour-envoy-healthcheck” -will be used.

-
-intervalSeconds -
- -int64 - -		 -(Optional) -

The interval (seconds) between health checks

-
-timeoutSeconds -
- -int64 - -		 -(Optional) -

The time to wait (seconds) for a health check response

-
-unhealthyThresholdCount -
- -int64 - -		 -(Optional) -

The number of unhealthy health checks required before a host is marked unhealthy

-
-healthyThresholdCount -
- -int64 - -		 -(Optional) -

The number of healthy health checks required before a host is marked healthy

-
-expectedStatuses -
- - -[]HTTPStatusRange - - -		 -(Optional) -

The ranges of HTTP response statuses considered healthy. Follow half-open -semantics, i.e. for each range the start is inclusive and the end is exclusive. -Must be within the range [100,600). If not specified, only a 200 response status -is considered healthy.

-
FieldDescription
+ path +
+ + string + + 		+

HTTP endpoint used to perform health checks on upstream service

+
+ host +
+ + string + + 		+

The value of the host header in the HTTP health check request. + If left empty (default value), the name “contour-envoy-healthcheck” + will be used.

+
+ intervalSeconds +
+ + int64 + + 		+ (Optional) +

The interval (seconds) between health checks

+
+ timeoutSeconds +
+ + int64 + + 		+ (Optional) +

The time to wait (seconds) for a health check response

+
+ unhealthyThresholdCount +
+ + int64 + + 		+ (Optional) +

The number of unhealthy health checks required before a host is marked unhealthy

+
+ healthyThresholdCount +
+ + int64 + + 		+ (Optional) +

The number of healthy health checks required before a host is marked healthy

+
+ expectedStatuses +
+ + + []HTTPStatusRange + + + 		+ (Optional) +

The ranges of HTTP response statuses considered healthy. Follow half-open + semantics, i.e. for each range the start is inclusive and the end is exclusive. + Must be within the range [100,600). If not specified, only a 200 response status + is considered healthy.

+

HTTPInternalRedirectPolicy

-(Appears on: -Route) + (Appears on: + Route)

- - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-maxInternalRedirects -
- -uint32 - -		 -(Optional) -

MaxInternalRedirects An internal redirect is not handled, unless the number of previous internal -redirects that a downstream request has encountered is lower than this value.

-
-redirectResponseCodes -
- - -[]RedirectResponseCode - - -		 -(Optional) -

RedirectResponseCodes If unspecified, only 302 will be treated as internal redirect. -Only 301, 302, 303, 307 and 308 are valid values.

-
-allowCrossSchemeRedirect -
- -string - -		 -(Optional) -

AllowCrossSchemeRedirect Allow internal redirect to follow a target URI with a different scheme -than the value of x-forwarded-proto. -SafeOnly allows same scheme redirect and safe cross scheme redirect, which means if the downstream -scheme is HTTPS, both HTTPS and HTTP redirect targets are allowed, but if the downstream scheme -is HTTP, only HTTP redirect targets are allowed.

-
-denyRepeatedRouteRedirect -
- -bool - -		 -(Optional) -

If DenyRepeatedRouteRedirect is true, rejects redirect targets that are pointing to a route that has -been followed by a previous redirect from the current route.

-
FieldDescription
+ maxInternalRedirects +
+ + uint32 + + 		+ (Optional) +

MaxInternalRedirects An internal redirect is not handled, unless the number of previous internal + redirects that a downstream request has encountered is lower than this value.

+
+ redirectResponseCodes +
+ + + []RedirectResponseCode + + + 		+ (Optional) +

RedirectResponseCodes If unspecified, only 302 will be treated as internal redirect. + Only 301, 302, 303, 307 and 308 are valid values.

+
+ allowCrossSchemeRedirect +
+ + string + + 		+ (Optional) +

AllowCrossSchemeRedirect Allow internal redirect to follow a target URI with a different scheme + than the value of x-forwarded-proto. + SafeOnly allows same scheme redirect and safe cross scheme redirect, which means if the downstream + scheme is HTTPS, both HTTPS and HTTP redirect targets are allowed, but if the downstream scheme + is HTTP, only HTTP redirect targets are allowed.

+
+ denyRepeatedRouteRedirect +
+ + bool + + 		+ (Optional) +

If DenyRepeatedRouteRedirect is true, rejects redirect targets that are pointing to a route that has + been followed by a previous redirect from the current route.

+

HTTPProxySpec

-(Appears on: -HTTPProxy) + (Appears on: + HTTPProxy)

HTTPProxySpec defines the spec of the CRD.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-virtualhost -
- - -VirtualHost - - -		 -(Optional) -

Virtualhost appears at most once. If it is present, the object is considered -to be a “root” HTTPProxy.

-
-routes -
- - -[]Route - - -		 -(Optional) -

Routes are the ingress routes. If TCPProxy is present, Routes is ignored.

-
-tcpproxy -
- - -TCPProxy - - -		 -(Optional) -

TCPProxy holds TCP proxy information.

-
-includes -
- - -[]Include - - -		 -(Optional) -

Includes allow for specific routing configuration to be included from another HTTPProxy, -possibly in another namespace.

-
-ingressClassName -
- -string - -		 -(Optional) -

IngressClassName optionally specifies the ingress class to use for this -HTTPProxy. This replaces the deprecated kubernetes.io/ingress.class -annotation. For backwards compatibility, when that annotation is set, it -is given precedence over this field.

-
FieldDescription
+ virtualhost +
+ + + VirtualHost + + + 		+ (Optional) +

Virtualhost appears at most once. If it is present, the object is considered + to be a “root” HTTPProxy.

+
+ routes +
+ + + []Route + + + 		+ (Optional) +

Routes are the ingress routes. If TCPProxy is present, Routes is ignored.

+
+ tcpproxy +
+ + + TCPProxy + + + 		+ (Optional) +

TCPProxy holds TCP proxy information.

+
+ includes +
+ + + []Include + + + 		+ (Optional) +

Includes allow for specific routing configuration to be included from another HTTPProxy, + possibly in another namespace.

+
+ ingressClassName +
+ + string + + 		+ (Optional) +

IngressClassName optionally specifies the ingress class to use for this + HTTPProxy. This replaces the deprecated kubernetes.io/ingress.class + annotation. For backwards compatibility, when that annotation is set, it + is given precedence over this field.

+

HTTPProxyStatus

-(Appears on: -HTTPProxy) + (Appears on: + HTTPProxy)

HTTPProxyStatus reports the current state of the HTTPProxy.

- - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-currentStatus -
- -string - -		 -(Optional) -
-description -
- -string - -		 -(Optional) -
-loadBalancer -
- - -Kubernetes core/v1.LoadBalancerStatus - - -		 -(Optional) -

LoadBalancer contains the current status of the load balancer.

-
-conditions -
- - -[]DetailedCondition - - -		 -(Optional) -

Conditions contains information about the current status of the HTTPProxy, -in an upstream-friendly container.

-

Contour will update a single condition, Valid, that is in normal-true polarity. -That is, when currentStatus is valid, the Valid condition will be status: true, -and vice versa.

-

Contour will leave untouched any other Conditions set in this block, -in case some other controller wants to add a Condition.

-

If you are another controller owner and wish to add a condition, you should -namespace your condition with a label, like controller.domain.com/ConditionName.

-
FieldDescription
+ currentStatus +
+ + string + + 		+ (Optional) +
+ description +
+ + string + + 		+ (Optional) +
+ loadBalancer +
+ + + Kubernetes core/v1.LoadBalancerStatus + + + 		+ (Optional) +

LoadBalancer contains the current status of the load balancer.

+
+ conditions +
+ + + []DetailedCondition + + + 		+ (Optional) +

Conditions contains information about the current status of the HTTPProxy, + in an upstream-friendly container.

+

Contour will update a single condition, Valid, that is in normal-true polarity. + That is, when currentStatus is valid, the Valid condition + will be status: true, + and vice versa.

+

Contour will leave untouched any other Conditions set in this block, + in case some other controller wants to add a Condition.

+

If you are another controller owner and wish to add a condition, you should + namespace your condition with a label, like controller.domain.com/ConditionName.

+

HTTPRequestRedirectPolicy

-(Appears on: -Route) + (Appears on: + Route)

HTTPRequestRedirectPolicy defines configuration for redirecting a request.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-scheme -
- -string - -		 -(Optional) -

Scheme is the scheme to be used in the value of the Location -header in the response. -When empty, the scheme of the request is used.

-
-hostname -
- -string - -		 -(Optional) -

Hostname is the precise hostname to be used in the value of the Location -header in the response. -When empty, the hostname of the request is used. -No wildcards are allowed.

-
-port -
- -int32 - -		 -(Optional) -

Port is the port to be used in the value of the Location -header in the response. -When empty, port (if specified) of the request is used.

-
-statusCode -
- -int - -		 -(Optional) -

StatusCode is the HTTP status code to be used in response.

-
-path -
- -string - -		 -(Optional) -

Path allows for redirection to a different path from the -original on the request. The path must start with a -leading slash.

-

Note: Only one of Path or Prefix can be defined.

-
-prefix -
- -string - -		 -(Optional) -

Prefix defines the value to swap the matched prefix or path with. -The prefix must start with a leading slash.

-

Note: Only one of Path or Prefix can be defined.

-
FieldDescription
+ scheme +
+ + string + + 		+ (Optional) +

Scheme is the scheme to be used in the value of the Location + header in the response. + When empty, the scheme of the request is used.

+
+ hostname +
+ + string + + 		+ (Optional) +

Hostname is the precise hostname to be used in the value of the Location + header in the response. + When empty, the hostname of the request is used. + No wildcards are allowed.

+
+ port +
+ + int32 + + 		+ (Optional) +

Port is the port to be used in the value of the Location + header in the response. + When empty, port (if specified) of the request is used.

+
+ statusCode +
+ + int + + 		+ (Optional) +

StatusCode is the HTTP status code to be used in response.

+
+ path +
+ + string + + 		+ (Optional) +

Path allows for redirection to a different path from the + original on the request. The path must start with a + leading slash.

+

Note: Only one of Path or Prefix can be defined.

+
+ prefix +
+ + string + + 		+ (Optional) +

Prefix defines the value to swap the matched prefix or path with. + The prefix must start with a leading slash.

+

Note: Only one of Path or Prefix can be defined.

+

HTTPStatusRange

-(Appears on: -HTTPHealthCheckPolicy) + (Appears on: + HTTPHealthCheckPolicy)

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-start -
- -int64 - -		 -

The start (inclusive) of a range of HTTP status codes.

-
-end -
- -int64 - -		 -

The end (exclusive) of a range of HTTP status codes.

-
FieldDescription
+ start +
+ + int64 + + 		+

The start (inclusive) of a range of HTTP status codes.

+
+ end +
+ + int64 + + 		+

The end (exclusive) of a range of HTTP status codes.

+

HeaderHashOptions

-(Appears on: -RequestHashPolicy) + (Appears on: + RequestHashPolicy)

HeaderHashOptions contains options to configure a HTTP request header hash -policy, used in request attribute hash based load balancing.

+ policy, used in request attribute hash based load balancing.

- - - - - - - - - - - - + + + + + + + + + + + +
FieldDescription
-headerName -
- -string - -		 -

HeaderName is the name of the HTTP request header that will be used to -calculate the hash key. If the header specified is not present on a -request, no hash will be produced.

-
FieldDescription
+ headerName +
+ + string + + 		+

HeaderName is the name of the HTTP request header that will be used to + calculate the hash key. If the header specified is not present on a + request, no hash will be produced.

+

HeaderMatchCondition

-(Appears on: -MatchCondition, -RequestHeaderValueMatchDescriptor) + (Appears on: + MatchCondition, + RequestHeaderValueMatchDescriptor)

HeaderMatchCondition specifies how to conditionally match against HTTP -headers. The Name field is required, only one of Present, NotPresent, -Contains, NotContains, Exact, NotExact and Regex can be set. -For negative matching rules only (e.g. NotContains or NotExact) you can set -TreatMissingAsEmpty. -IgnoreCase has no effect for Regex.

+ headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-name -
- -string - -		 -

Name is the name of the header to match against. Name is required. -Header names are case insensitive.

-
-present -
- -bool - -		 -(Optional) -

Present specifies that condition is true when the named header -is present, regardless of its value. Note that setting Present -to false does not make the condition true if the named header -is absent.

-
-notpresent -
- -bool - -		 -(Optional) -

NotPresent specifies that condition is true when the named header -is not present. Note that setting NotPresent to false does not -make the condition true if the named header is present.

-
-contains -
- -string - -		 -(Optional) -

Contains specifies a substring that must be present in -the header value.

-
-notcontains -
- -string - -		 -(Optional) -

NotContains specifies a substring that must not be present -in the header value.

-
-ignoreCase -
- -bool - -		 -(Optional) -

IgnoreCase specifies that string matching should be case insensitive. -Note that this has no effect on the Regex parameter.

-
-exact -
- -string - -		 -(Optional) -

Exact specifies a string that the header value must be equal to.

-
-notexact -
- -string - -		 -(Optional) -

NoExact specifies a string that the header value must not be -equal to. The condition is true if the header has any other value.

-
-regex -
- -string - -		 -(Optional) -

Regex specifies a regular expression pattern that must match the header -value.

-
-treatMissingAsEmpty -
- -bool - -		 -(Optional) -

TreatMissingAsEmpty specifies if the header match rule specified header -does not exist, this header value will be treated as empty. Defaults to false. -Unlike the underlying Envoy implementation this is only supported for -negative matches (e.g. NotContains, NotExact).

-
FieldDescription
+ name +
+ + string + + 		+

Name is the name of the header to match against. Name is required. + Header names are case insensitive.

+
+ present +
+ + bool + + 		+ (Optional) +

Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent.

+
+ notpresent +
+ + bool + + 		+ (Optional) +

NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present.

+
+ contains +
+ + string + + 		+ (Optional) +

Contains specifies a substring that must be present in + the header value.

+
+ notcontains +
+ + string + + 		+ (Optional) +

NotContains specifies a substring that must not be present + in the header value.

+
+ ignoreCase +
+ + bool + + 		+ (Optional) +

IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter.

+
+ exact +
+ + string + + 		+ (Optional) +

Exact specifies a string that the header value must be equal to.

+
+ notexact +
+ + string + + 		+ (Optional) +

NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value.

+
+ regex +
+ + string + + 		+ (Optional) +

Regex specifies a regular expression pattern that must match the header + value.

+
+ treatMissingAsEmpty +
+ + bool + + 		+ (Optional) +

TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is only supported for + negative matches (e.g. NotContains, NotExact).

+

HeaderValue

-(Appears on: -HeadersPolicy, -LocalRateLimitPolicy) + (Appears on: + HeadersPolicy, + LocalRateLimitPolicy)

HeaderValue represents a header name/value pair

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-name -
- -string - -		 -

Name represents a key of a header

-
-value -
- -string - -		 -

Value represents the value of a header specified by a key

-
FieldDescription
+ name +
+ + string + + 		+

Name represents a key of a header

+
+ value +
+ + string + + 		+

Value represents the value of a header specified by a key

+

HeadersPolicy

-(Appears on: -Route, -Service) + (Appears on: + Route, + Service)

HeadersPolicy defines how headers are managed during forwarding. -The Host header is treated specially and if set in a HTTP request -will be used as the SNI server name when forwarding over TLS. It is an -error to attempt to set the Host header in a HTTP response.

+ The Host header is treated specially and if set in a HTTP request + will be used as the SNI server name when forwarding over TLS. It is an + error to attempt to set the Host header in a HTTP response.

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-set -
- - -[]HeaderValue - - -		 -(Optional) -

Set specifies a list of HTTP header values that will be set in the HTTP header. -If the header does not exist it will be added, otherwise it will be overwritten with the new value.

-
-remove -
- -[]string - -		 -(Optional) -

Remove specifies a list of HTTP header names to remove.

-
FieldDescription
+ set +
+ + + []HeaderValue + + + 		+ (Optional) +

Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. +

+
+ remove +
+ + []string + + 		+ (Optional) +

Remove specifies a list of HTTP header names to remove.

+

IPFilterPolicy

-(Appears on: -Route, -VirtualHost) + (Appears on: + Route, + VirtualHost)

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-source -
- - -IPFilterSource - - -		 -

Source indicates how to determine the ip address to filter on, and can be -one of two values: -- Remote filters on the ip address of the client, accounting for PROXY and -X-Forwarded-For as needed. -- Peer filters on the ip of the network request, ignoring PROXY and -X-Forwarded-For.

-
-cidr -
- -string - -		 -

CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be -a bare IP address (without a mask) to filter on exactly one address.

-
FieldDescription
+ source +
+ + + IPFilterSource + + + 		+

Source indicates how to determine the ip address to filter on, and can be + one of two values: + - Remote filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - Peer filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For.

+
+ cidr +
+ + string + + 		+

CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address.

+

IPFilterSource -(string alias)

+ (string alias)

+

-(Appears on: -IPFilterPolicy) + (Appears on: + IPFilterPolicy)

IPFilterSource indicates which IP should be considered for filtering

- - - - - - - - - - - + + + + + + + + + + + + + + + +
ValueDescription

"Peer"

"Remote"

ValueDescription
+

"Peer"

+
+

"Remote"

+

Include

-(Appears on: -HTTPProxySpec) + (Appears on: + HTTPProxySpec)

Include describes a set of policies that can be applied to an HTTPProxy in a namespace.

- - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + +
FieldDescription
-name -
- -string - -		 -

Name of the HTTPProxy

-
-namespace -
- -string - -		 -(Optional) -

Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied.

-
-conditions -
- - -[]MatchCondition - - -		 -(Optional) -

Conditions are a set of rules that are applied to included HTTPProxies. -In effect, they are added onto the Conditions of included HTTPProxy Route -structs. -When applied, they are merged using AND, with one exception: -There can be only one Prefix MatchCondition per Conditions slice. -More than one Prefix, or contradictory Conditions, will make the -include invalid. Exact and Regex match conditions are not allowed -on includes.

-
FieldDescription
+ name +
+ + string + + 		+

Name of the HTTPProxy

+
+ namespace +
+ + string + + 		+ (Optional) +

Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied.

+
+ conditions +
+ + + []MatchCondition + + + 		+ (Optional) +

Conditions are a set of rules that are applied to included HTTPProxies. + In effect, they are added onto the Conditions of included HTTPProxy Route + structs. + When applied, they are merged using AND, with one exception: + There can be only one Prefix MatchCondition per Conditions slice. + More than one Prefix, or contradictory Conditions, will make the + include invalid. Exact and Regex match conditions are not allowed + on includes.

+

JWTProvider

-(Appears on: -VirtualHost) + (Appears on: + VirtualHost)

JWTProvider defines how to verify JWTs on requests.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-name -
- -string - -		 -

Unique name for the provider.

-
-default -
- -bool - -		 -(Optional) -

Whether the provider should apply to all -routes in the HTTPProxy/its includes by -default. At most one provider can be marked -as the default. If no provider is marked -as the default, individual routes must explicitly -identify the provider they require.

-
-issuer -
- -string - -		 -(Optional) -

Issuer that JWTs are required to have in the “iss” field. -If not provided, JWT issuers are not checked.

-
-audiences -
- -[]string - -		 -(Optional) -

Audiences that JWTs are allowed to have in the “aud” field. -If not provided, JWT audiences are not checked.

-
-remoteJWKS -
- - -RemoteJWKS - - -		 -

Remote JWKS to use for verifying JWT signatures.

-
-forwardJWT -
- -bool - -		 -(Optional) -

Whether the JWT should be forwarded to the backend -service after successful verification. By default, -the JWT is not forwarded.

-
FieldDescription
+ name +
+ + string + + 		+

Unique name for the provider.

+
+ default +
+ + bool + + 		+ (Optional) +

Whether the provider should apply to all + routes in the HTTPProxy/its includes by + default. At most one provider can be marked + as the default. If no provider is marked + as the default, individual routes must explicitly + identify the provider they require.

+
+ issuer +
+ + string + + 		+ (Optional) +

Issuer that JWTs are required to have in the “iss” field. + If not provided, JWT issuers are not checked.

+
+ audiences +
+ + []string + + 		+ (Optional) +

Audiences that JWTs are allowed to have in the “aud” field. + If not provided, JWT audiences are not checked.

+
+ remoteJWKS +
+ + + RemoteJWKS + + + 		+

Remote JWKS to use for verifying JWT signatures.

+
+ forwardJWT +
+ + bool + + 		+ (Optional) +

Whether the JWT should be forwarded to the backend + service after successful verification. By default, + the JWT is not forwarded.

+

JWTVerificationPolicy

-(Appears on: -Route) + (Appears on: + Route)

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-require -
- -string - -		 -(Optional) -

Require names a specific JWT provider (defined in the virtual host) -to require for the route. If specified, this field overrides the -default provider if one exists. If this field is not specified, -the default provider will be required if one exists. At most one of -this field or the “disabled” field can be specified.

-
-disabled -
- -bool - -		 -(Optional) -

Disabled defines whether to disable all JWT verification for this -route. This can be used to opt specific routes out of the default -JWT provider for the HTTPProxy. At most one of this field or the -“require” field can be specified.

-
FieldDescription
+ require +
+ + string + + 		+ (Optional) +

Require names a specific JWT provider (defined in the virtual host) + to require for the route. If specified, this field overrides the + default provider if one exists. If this field is not specified, + the default provider will be required if one exists. At most one of + this field or the “disabled” field can be specified.

+
+ disabled +
+ + bool + + 		+ (Optional) +

Disabled defines whether to disable all JWT verification for this + route. This can be used to opt specific routes out of the default + JWT provider for the HTTPProxy. At most one of this field or the + “require” field can be specified.

+

LoadBalancerPolicy

-(Appears on: -Route, -TCPProxy, -ExtensionServiceSpec) + (Appears on: + Route, + TCPProxy, + ExtensionServiceSpec)

LoadBalancerPolicy defines the load balancing policy.

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-strategy -
- -string - -		 -

Strategy specifies the policy used to balance requests -across the pool of backend pods. Valid policy names are -Random, RoundRobin, WeightedLeastRequest, Cookie, -and RequestHash. If an unknown strategy name is specified -or no policy is supplied, the default RoundRobin policy -is used.

-
-requestHashPolicies -
- - -[]RequestHashPolicy - - -		 -

RequestHashPolicies contains a list of hash policies to apply when the -RequestHash load balancing strategy is chosen. If an element of the -supplied list of hash policies is invalid, it will be ignored. If the -list of hash policies is empty after validation, the load balancing -strategy will fall back to the default RoundRobin.

-
FieldDescription
+ strategy +
+ + string + + 		+

Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are + Random, RoundRobin, WeightedLeastRequest, + Cookie, + and RequestHash. If an unknown strategy name is specified + or no policy is supplied, the default RoundRobin policy + is used. +

+
+ requestHashPolicies +
+ + + []RequestHashPolicy + + + 		+

RequestHashPolicies contains a list of hash policies to apply when the + RequestHash load balancing strategy is chosen. If an element of the + supplied list of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load balancing + strategy will fall back to the default RoundRobin. +

+

LocalRateLimitPolicy

-(Appears on: -RateLimitPolicy) + (Appears on: + RateLimitPolicy)

LocalRateLimitPolicy defines local rate limiting parameters.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-requests -
- -uint32 - -		 -

Requests defines how many requests per unit of time should -be allowed before rate limiting occurs.

-
-unit -
- -string - -		 -

Unit defines the period of time within which requests -over the limit will be rate limited. Valid values are -“second”, “minute” and “hour”.

-
-burst -
- -uint32 - -		 -(Optional) -

Burst defines the number of requests above the requests per -unit that should be allowed within a short period of time.

-
-responseStatusCode -
- -uint32 - -		 -(Optional) -

ResponseStatusCode is the HTTP status code to use for responses -to rate-limited requests. Codes must be in the 400-599 range -(inclusive). If not specified, the Envoy default of 429 (Too -Many Requests) is used.

-
-responseHeadersToAdd -
- - -[]HeaderValue - - -		 -(Optional) -

ResponseHeadersToAdd is an optional list of response headers to -set when a request is rate-limited.

-
FieldDescription
+ requests +
+ + uint32 + + 		+

Requests defines how many requests per unit of time should + be allowed before rate limiting occurs.

+
+ unit +
+ + string + + 		+

Unit defines the period of time within which requests + over the limit will be rate limited. Valid values are + “second”, “minute” and “hour”.

+
+ burst +
+ + uint32 + + 		+ (Optional) +

Burst defines the number of requests above the requests per + unit that should be allowed within a short period of time.

+
+ responseStatusCode +
+ + uint32 + + 		+ (Optional) +

ResponseStatusCode is the HTTP status code to use for responses + to rate-limited requests. Codes must be in the 400-599 range + (inclusive). If not specified, the Envoy default of 429 (Too + Many Requests) is used.

+
+ responseHeadersToAdd +
+ + + []HeaderValue + + + 		+ (Optional) +

ResponseHeadersToAdd is an optional list of response headers to + set when a request is rate-limited.

+

MatchCondition

-(Appears on: -Include, -Route) + (Appears on: + Include, + Route)

MatchCondition are a general holder for matching rules for HTTPProxies. -One of Prefix, Exact, Regex, Header or QueryParameter must be provided.

+ One of Prefix, Exact, Regex, Header or QueryParameter must be provided.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-prefix -
- -string - -		 -(Optional) -

Prefix defines a prefix match for a request.

-
-exact -
- -string - -		 -(Optional) -

Exact defines a exact match for a request. -This field is not allowed in include match conditions.

-
-regex -
- -string - -		 -(Optional) -

Regex defines a regex match for a request. -This field is not allowed in include match conditions.

-
-header -
- - -HeaderMatchCondition - - -		 -(Optional) -

Header specifies the header condition to match.

-
-queryParameter -
- - -QueryParameterMatchCondition - - -		 -(Optional) -

QueryParameter specifies the query parameter condition to match.

-
FieldDescription
+ prefix +
+ + string + + 		+ (Optional) +

Prefix defines a prefix match for a request.

+
+ exact +
+ + string + + 		+ (Optional) +

Exact defines a exact match for a request. + This field is not allowed in include match conditions.

+
+ regex +
+ + string + + 		+ (Optional) +

Regex defines a regex match for a request. + This field is not allowed in include match conditions.

+
+ header +
+ + + HeaderMatchCondition + + + 		+ (Optional) +

Header specifies the header condition to match.

+
+ queryParameter +
+ + + QueryParameterMatchCondition + + + 		+ (Optional) +

QueryParameter specifies the query parameter condition to match.

+

Namespace -(string alias)

+ (string alias)

+

-(Appears on: -ContourSettings) + (Appears on: + ContourSettings)

Namespace refers to a Kubernetes namespace. It must be a RFC 1123 label.

This validation is based off of the corresponding Kubernetes validation: -https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/util/validation/validation.go#L187

+ https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/util/validation/validation.go#L187 +

This is used for Namespace name validation here: -https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/api/validation/generic.go#L63

+ https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/api/validation/generic.go#L63 +

Valid values include:

    -
  • “example”
    • +
  • “example”

Invalid values include:

    -
  • “example.com” - “.” is an invalid character
    • +
  • “example.com” - “.” is an invalid character

PathRewritePolicy

-(Appears on: -Route) + (Appears on: + Route)

PathRewritePolicy specifies how a request URL path should be -rewritten. This rewriting takes place after a request is routed -and has no subsequent effects on the proxy’s routing decision. -No HTTP headers or body content is rewritten.

+ rewritten. This rewriting takes place after a request is routed + and has no subsequent effects on the proxy’s routing decision. + No HTTP headers or body content is rewritten.

Exactly one field in this struct may be specified.

- - - - - - - - - - - - + + + + + + + + + + + +
FieldDescription
-replacePrefix -
- - -[]ReplacePrefix - - -		 -(Optional) -

ReplacePrefix describes how the path prefix should be replaced.

-
FieldDescription
+ replacePrefix +
+ + + []ReplacePrefix + + + 		+ (Optional) +

ReplacePrefix describes how the path prefix should be replaced.

+

QueryParameterHashOptions

-(Appears on: -RequestHashPolicy) + (Appears on: + RequestHashPolicy)

QueryParameterHashOptions contains options to configure a query parameter based hash -policy, used in request attribute hash based load balancing.

+ policy, used in request attribute hash based load balancing.

- - - - - - - - - - - - + + + + + + + + + + + +
FieldDescription
-parameterName -
- -string - -		 -

ParameterName is the name of the HTTP request query parameter that will be used to -calculate the hash key. If the query parameter specified is not present on a -request, no hash will be produced.

-
FieldDescription
+ parameterName +
+ + string + + 		+

ParameterName is the name of the HTTP request query parameter that will be used to + calculate the hash key. If the query parameter specified is not present on a + request, no hash will be produced.

+

QueryParameterMatchCondition

-(Appears on: -MatchCondition) + (Appears on: + MatchCondition)

QueryParameterMatchCondition specifies how to conditionally match against HTTP -query parameters. The Name field is required, only one of Exact, Prefix, -Suffix, Regex, Contains and Present can be set. IgnoreCase has no effect -for Regex.

+ query parameters. The Name field is required, only one of Exact, Prefix, + Suffix, Regex, Contains and Present can be set. IgnoreCase has no effect + for Regex.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-name -
- -string - -		 -

Name is the name of the query parameter to match against. Name is required. -Query parameter names are case insensitive.

-
-exact -
- -string - -		 -(Optional) -

Exact specifies a string that the query parameter value must be equal to.

-
-prefix -
- -string - -		 -(Optional) -

Prefix defines a prefix match for the query parameter value.

-
-suffix -
- -string - -		 -(Optional) -

Suffix defines a suffix match for a query parameter value.

-
-regex -
- -string - -		 -(Optional) -

Regex specifies a regular expression pattern that must match the query -parameter value.

-
-contains -
- -string - -		 -(Optional) -

Contains specifies a substring that must be present in -the query parameter value.

-
-ignoreCase -
- -bool - -		 -(Optional) -

IgnoreCase specifies that string matching should be case insensitive. -Note that this has no effect on the Regex parameter.

-
-present -
- -bool - -		 -(Optional) -

Present specifies that condition is true when the named query parameter -is present, regardless of its value. Note that setting Present -to false does not make the condition true if the named query parameter -is absent.

-
FieldDescription
+ name +
+ + string + + 		+

Name is the name of the query parameter to match against. Name is required. + Query parameter names are case insensitive.

+
+ exact +
+ + string + + 		+ (Optional) +

Exact specifies a string that the query parameter value must be equal to.

+
+ prefix +
+ + string + + 		+ (Optional) +

Prefix defines a prefix match for the query parameter value.

+
+ suffix +
+ + string + + 		+ (Optional) +

Suffix defines a suffix match for a query parameter value.

+
+ regex +
+ + string + + 		+ (Optional) +

Regex specifies a regular expression pattern that must match the query + parameter value.

+
+ contains +
+ + string + + 		+ (Optional) +

Contains specifies a substring that must be present in + the query parameter value.

+
+ ignoreCase +
+ + bool + + 		+ (Optional) +

IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter.

+
+ present +
+ + bool + + 		+ (Optional) +

Present specifies that condition is true when the named query parameter + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named query parameter + is absent.

+

RateLimitDescriptor

-(Appears on: -GlobalRateLimitPolicy) + (Appears on: + GlobalRateLimitPolicy)

RateLimitDescriptor defines a list of key-value pair generators.

- - - - - - - - - - - - + + + + + + + + + + + +
FieldDescription
-entries -
- - -[]RateLimitDescriptorEntry - - -		 -

Entries is the list of key-value pair generators.

-
FieldDescription
+ entries +
+ + + []RateLimitDescriptorEntry + + + 		+

Entries is the list of key-value pair generators.

+

RateLimitDescriptorEntry

-(Appears on: -RateLimitDescriptor) + (Appears on: + RateLimitDescriptor)

RateLimitDescriptorEntry is a key-value pair generator. Exactly -one field on this struct must be non-nil.

+ one field on this struct must be non-nil.

- - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-genericKey -
- - -GenericKeyDescriptor - - -		 -(Optional) -

GenericKey defines a descriptor entry with a static key and value.

-
-requestHeader -
- - -RequestHeaderDescriptor - - -		 -(Optional) -

RequestHeader defines a descriptor entry that’s populated only if -a given header is present on the request. The descriptor key is static, -and the descriptor value is equal to the value of the header.

-
-requestHeaderValueMatch -
- - -RequestHeaderValueMatchDescriptor - - -		 -(Optional) -

RequestHeaderValueMatch defines a descriptor entry that’s populated -if the request’s headers match a set of 1+ match criteria. The -descriptor key is “header_match”, and the descriptor value is static.

-
-remoteAddress -
- - -RemoteAddressDescriptor - - -		 -(Optional) -

RemoteAddress defines a descriptor entry with a key of “remote_address” -and a value equal to the client’s IP address (from x-forwarded-for).

-
FieldDescription
+ genericKey +
+ + + GenericKeyDescriptor + + + 		+ (Optional) +

GenericKey defines a descriptor entry with a static key and value.

+
+ requestHeader +
+ + + RequestHeaderDescriptor + + + 		+ (Optional) +

RequestHeader defines a descriptor entry that’s populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header.

+
+ requestHeaderValueMatch +
+ + + RequestHeaderValueMatchDescriptor + + + 		+ (Optional) +

RequestHeaderValueMatch defines a descriptor entry that’s populated + if the request’s headers match a set of 1+ match criteria. The + descriptor key is “header_match”, and the descriptor value is static.

+
+ remoteAddress +
+ + + RemoteAddressDescriptor + + + 		+ (Optional) +

RemoteAddress defines a descriptor entry with a key of “remote_address” + and a value equal to the client’s IP address (from x-forwarded-for).

+

RateLimitPolicy

-(Appears on: -Route, -VirtualHost) + (Appears on: + Route, + VirtualHost)

RateLimitPolicy defines rate limiting parameters.

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-local -
- - -LocalRateLimitPolicy - - -		 -(Optional) -

Local defines local rate limiting parameters, i.e. parameters -for rate limiting that occurs within each Envoy pod as requests -are handled.

-
-global -
- - -GlobalRateLimitPolicy - - -		 -(Optional) -

Global defines global rate limiting parameters, i.e. parameters -defining descriptors that are sent to an external rate limit -service (RLS) for a rate limit decision on each request.

-
FieldDescription
+ local +
+ + + LocalRateLimitPolicy + + + 		+ (Optional) +

Local defines local rate limiting parameters, i.e. parameters + for rate limiting that occurs within each Envoy pod as requests + are handled.

+
+ global +
+ + + GlobalRateLimitPolicy + + + 		+ (Optional) +

Global defines global rate limiting parameters, i.e. parameters + defining descriptors that are sent to an external rate limit + service (RLS) for a rate limit decision on each request.

+

RedirectResponseCode -(uint32 alias)

+ (uint32 alias)

+

-(Appears on: -HTTPInternalRedirectPolicy) + (Appears on: + HTTPInternalRedirectPolicy)

RedirectResponseCode is a uint32 type alias with validation to ensure that the value is valid.

@@ -3093,362 +3160,364 @@

RedirectResponseCode

RemoteAddressDescriptor

-(Appears on: -RateLimitDescriptorEntry) + (Appears on: + RateLimitDescriptorEntry)

RemoteAddressDescriptor defines a descriptor entry with a key of -“remote_address” and a value equal to the client’s IP address -(from x-forwarded-for).

+ “remote_address” and a value equal to the client’s IP address + (from x-forwarded-for).

RemoteJWKS

-(Appears on: -JWTProvider) + (Appears on: + JWTProvider)

RemoteJWKS defines how to fetch a JWKS from an HTTP endpoint.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-uri -
- -string - -		 -

The URI for the JWKS.

-
-validation -
- - -UpstreamValidation - - -		 -(Optional) -

UpstreamValidation defines how to verify the JWKS’s TLS certificate.

-
-timeout -
- -string - -		 -(Optional) -

How long to wait for a response from the URI. -If not specified, a default of 1s applies.

-
-cacheDuration -
- -string - -		 -(Optional) -

How long to cache the JWKS locally. If not specified, -Envoy’s default of 5m applies.

-
-dnsLookupFamily -
- -string - -		 -(Optional) -

The DNS IP address resolution policy for the JWKS URI. -When configured as “v4”, the DNS resolver will only perform a lookup -for addresses in the IPv4 family. If “v6” is configured, the DNS resolver -will only perform a lookup for addresses in the IPv6 family. -If “all” is configured, the DNS resolver -will perform a lookup for addresses in both the IPv4 and IPv6 family. -If “auto” is configured, the DNS resolver will first perform a lookup -for addresses in the IPv6 family and fallback to a lookup for addresses -in the IPv4 family. If not specified, the Contour-wide setting defined -in the config file or ContourConfiguration applies (defaults to “auto”).

-

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily -for more information.

-
FieldDescription
+ uri +
+ + string + + 		+

The URI for the JWKS.

+
+ validation +
+ + + UpstreamValidation + + + 		+ (Optional) +

UpstreamValidation defines how to verify the JWKS’s TLS certificate.

+
+ timeout +
+ + string + + 		+ (Optional) +

How long to wait for a response from the URI. + If not specified, a default of 1s applies.

+
+ cacheDuration +
+ + string + + 		+ (Optional) +

How long to cache the JWKS locally. If not specified, + Envoy’s default of 5m applies.

+
+ dnsLookupFamily +
+ + string + + 		+ (Optional) +

The DNS IP address resolution policy for the JWKS URI. + When configured as “v4”, the DNS resolver will only perform a lookup + for addresses in the IPv4 family. If “v6” is configured, the DNS resolver + will only perform a lookup for addresses in the IPv6 family. + If “all” is configured, the DNS resolver + will perform a lookup for addresses in both the IPv4 and IPv6 family. + If “auto” is configured, the DNS resolver will first perform a lookup + for addresses in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. If not specified, the Contour-wide setting defined + in the config file or ContourConfiguration applies (defaults to “auto”).

+

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information.

+

ReplacePrefix

-(Appears on: -PathRewritePolicy) + (Appears on: + PathRewritePolicy)

ReplacePrefix describes a path prefix replacement.

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-prefix -
- -string - -		 -(Optional) -

Prefix specifies the URL path prefix to be replaced.

-

If Prefix is specified, it must exactly match the MatchCondition -prefix that is rendered by the chain of including HTTPProxies -and only that path prefix will be replaced by Replacement. -This allows HTTPProxies that are included through multiple -roots to only replace specific path prefixes, leaving others -unmodified.

-

If Prefix is not specified, all routing prefixes rendered -by the include chain will be replaced.

-
-replacement -
- -string - -		 -

Replacement is the string that the routing path prefix -will be replaced with. This must not be empty.

-
FieldDescription
+ prefix +
+ + string + + 		+ (Optional) +

Prefix specifies the URL path prefix to be replaced.

+

If Prefix is specified, it must exactly match the MatchCondition + prefix that is rendered by the chain of including HTTPProxies + and only that path prefix will be replaced by Replacement. + This allows HTTPProxies that are included through multiple + roots to only replace specific path prefixes, leaving others + unmodified.

+

If Prefix is not specified, all routing prefixes rendered + by the include chain will be replaced.

+
+ replacement +
+ + string + + 		+

Replacement is the string that the routing path prefix + will be replaced with. This must not be empty.

+

RequestHashPolicy

-(Appears on: -LoadBalancerPolicy) + (Appears on: + LoadBalancerPolicy)

RequestHashPolicy contains configuration for an individual hash policy -on a request attribute.

+ on a request attribute.

- - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-terminal -
- -bool - -		 -

Terminal is a flag that allows for short-circuiting computing of a hash -for a given request. If set to true, and the request attribute specified -in the attribute hash options is present, no further hash policies will -be used to calculate a hash for the request.

-
-headerHashOptions -
- - -HeaderHashOptions - - -		 -(Optional) -

HeaderHashOptions should be set when request header hash based load -balancing is desired. It must be the only hash option field set, -otherwise this request hash policy object will be ignored.

-
-queryParameterHashOptions -
- - -QueryParameterHashOptions - - -		 -(Optional) -

QueryParameterHashOptions should be set when request query parameter hash based load -balancing is desired. It must be the only hash option field set, -otherwise this request hash policy object will be ignored.

-
-hashSourceIP -
- -bool - -		 -(Optional) -

HashSourceIP should be set to true when request source IP hash based -load balancing is desired. It must be the only hash option field set, -otherwise this request hash policy object will be ignored.

-
FieldDescription
+ terminal +
+ + bool + + 		+

Terminal is a flag that allows for short-circuiting computing of a hash + for a given request. If set to true, and the request attribute specified + in the attribute hash options is present, no further hash policies will + be used to calculate a hash for the request.

+
+ headerHashOptions +
+ + + HeaderHashOptions + + + 		+ (Optional) +

HeaderHashOptions should be set when request header hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored.

+
+ queryParameterHashOptions +
+ + + QueryParameterHashOptions + + + 		+ (Optional) +

QueryParameterHashOptions should be set when request query parameter hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored.

+
+ hashSourceIP +
+ + bool + + 		+ (Optional) +

HashSourceIP should be set to true when request source IP hash based + load balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored.

+

RequestHeaderDescriptor

-(Appears on: -RateLimitDescriptorEntry) + (Appears on: + RateLimitDescriptorEntry)

RequestHeaderDescriptor defines a descriptor entry that’s populated only -if a given header is present on the request. The value of the descriptor -entry is equal to the value of the header (if present).

+ if a given header is present on the request. The value of the descriptor + entry is equal to the value of the header (if present).

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-headerName -
- -string - -		 -

HeaderName defines the name of the header to look for on the request.

-
-descriptorKey -
- -string - -		 -

DescriptorKey defines the key to use on the descriptor entry.

-
FieldDescription
+ headerName +
+ + string + + 		+

HeaderName defines the name of the header to look for on the request.

+
+ descriptorKey +
+ + string + + 		+

DescriptorKey defines the key to use on the descriptor entry.

+

RequestHeaderValueMatchDescriptor

-(Appears on: -RateLimitDescriptorEntry) + (Appears on: + RateLimitDescriptorEntry)

RequestHeaderValueMatchDescriptor defines a descriptor entry that’s populated -if the request’s headers match a set of 1+ match criteria. The descriptor key -is “header_match”, and the descriptor value is statically defined.

+ if the request’s headers match a set of 1+ match criteria. The descriptor key + is “header_match”, and the descriptor value is statically defined.

- - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + +
FieldDescription
-headers -
- - -[]HeaderMatchCondition - - -		 -

Headers is a list of 1+ match criteria to apply against the request -to determine whether to populate the descriptor entry or not.

-
-expectMatch -
- -bool - -		 -

ExpectMatch defines whether the request must positively match the match -criteria in order to generate a descriptor entry (i.e. true), or not -match the match criteria in order to generate a descriptor entry (i.e. false). -The default is true.

-
-value -
- -string - -		 -

Value defines the value of the descriptor entry.

-
FieldDescription
+ headers +
+ + + []HeaderMatchCondition + + + 		+

Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not.

+
+ expectMatch +
+ + bool + + 		+

ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). + The default is true.

+
+ value +
+ + string + + 		+

Value defines the value of the descriptor entry.

+

RetryOn -(string alias)

+ (string alias)

+

-(Appears on: -RetryPolicy) + (Appears on: + RetryPolicy)

RetryOn is a string type alias with validation to ensure that the value is valid.

@@ -3456,1764 +3525,1795 @@

RetryOn

RetryPolicy

-(Appears on: -Route) + (Appears on: + Route)

RetryPolicy defines the attributes associated with retrying policy.

- - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-count -
- -int64 - -		 -(Optional) -

NumRetries is maximum allowed number of retries. -If set to -1, then retries are disabled. -If set to 0 or not supplied, the value is set -to the Envoy default of 1.

-
-perTryTimeout -
- -string - -		 -(Optional) -

PerTryTimeout specifies the timeout per retry attempt. -Ignored if NumRetries is not supplied.

-
-retryOn -
- - -[]RetryOn - - -		 -(Optional) -

RetryOn specifies the conditions on which to retry a request.

-

Supported HTTP conditions:

-
    -
  • 5xx
    • -
  • gateway-error
    • -
  • reset
    • -
  • connect-failure
    • -
  • retriable-4xx
    • -
  • refused-stream
    • -
  • retriable-status-codes
    • -
  • retriable-headers
    • -
-

Supported gRPC conditions:

-
    -
  • cancelled
    • -
  • deadline-exceeded
    • -
  • internal
    • -
  • resource-exhausted
    • -
  • unavailable
    • -
-
-retriableStatusCodes -
- -[]uint32 - -		 -(Optional) -

RetriableStatusCodes specifies the HTTP status codes that should be retried.

-

This field is only respected when you include retriable-status-codes in the RetryOn field.

-
FieldDescription
+ count +
+ + int64 + + 		+ (Optional) +

NumRetries is maximum allowed number of retries. + If set to -1, then retries are disabled. + If set to 0 or not supplied, the value is set + to the Envoy default of 1.

+
+ perTryTimeout +
+ + string + + 		+ (Optional) +

PerTryTimeout specifies the timeout per retry attempt. + Ignored if NumRetries is not supplied.

+
+ retryOn +
+ + + []RetryOn + + + 		+ (Optional) +

RetryOn specifies the conditions on which to retry a request.

+

Supported HTTP + conditions:

+
    +
  • 5xx
    • +
  • gateway-error
    • +
  • reset
    • +
  • connect-failure
    • +
  • retriable-4xx
    • +
  • refused-stream
    • +
  • retriable-status-codes
    • +
  • retriable-headers
    • +
+

Supported gRPC + conditions:

+
    +
  • cancelled
    • +
  • deadline-exceeded
    • +
  • internal
    • +
  • resource-exhausted
    • +
  • unavailable
    • +
+
+ retriableStatusCodes +
+ + []uint32 + + 		+ (Optional) +

RetriableStatusCodes specifies the HTTP status codes that should be retried.

+

This field is only respected when you include retriable-status-codes in the + RetryOn field. +

+

Route

-(Appears on: -HTTPProxySpec) + (Appears on: + HTTPProxySpec)

Route contains the set of routes for a virtual host.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-conditions -
- - -[]MatchCondition - - -		 -(Optional) -

Conditions are a set of rules that are applied to a Route. -When applied, they are merged using AND, with one exception: -There can be only one Prefix, Exact or Regex MatchCondition -per Conditions slice. More than one of these condition types, -or contradictory Conditions, will make the route invalid.

-
-services -
- - -[]Service - - -		 -(Optional) -

Services are the services to proxy traffic.

-
-enableWebsockets -
- -bool - -		 -(Optional) -

Enables websocket support for the route.

-
-permitInsecure -
- -bool - -		 -(Optional) -

Allow this path to respond to insecure requests over HTTP which are normally -not permitted when a virtualhost.tls block is present.

-
-authPolicy -
- - -AuthorizationPolicy - - -		 -(Optional) -

AuthPolicy updates the authorization policy that was set -on the root HTTPProxy object for client requests that -match this route.

-
-timeoutPolicy -
- - -TimeoutPolicy - - -		 -(Optional) -

The timeout policy for this route.

-
-retryPolicy -
- - -RetryPolicy - - -		 -(Optional) -

The retry policy for this route.

-
-healthCheckPolicy -
- - -HTTPHealthCheckPolicy - - -		 -(Optional) -

The health check policy for this route.

-
-loadBalancerPolicy -
- - -LoadBalancerPolicy - - -		 -(Optional) -

The load balancing policy for this route.

-
-pathRewritePolicy -
- - -PathRewritePolicy - - -		 -(Optional) -

The policy for rewriting the path of the request URL -after the request has been routed to a Service.

-
-requestHeadersPolicy -
- - -HeadersPolicy - - -		 -(Optional) -

The policy for managing request headers during proxying.

-

You may dynamically rewrite the Host header to be forwarded -upstream to the content of a request header using -the below format “%REQ(X-Header-Name)%”. If the value of the header -is empty, it is ignored.

-

*NOTE: Pay attention to the potential security implications of using this option. -Provided header must come from trusted source.

-

**NOTE: The header rewrite is only done while forwarding and has no bearing -on the routing decision.

-
-responseHeadersPolicy -
- - -HeadersPolicy - - -		 -(Optional) -

The policy for managing response headers during proxying. -Rewriting the ‘Host’ header is not supported.

-
-cookieRewritePolicies -
- - -[]CookieRewritePolicy - - -		 -(Optional) -

The policies for rewriting Set-Cookie header attributes. Note that -rewritten cookie names must be unique in this list. Order rewrite -policies are specified in does not matter.

-
-rateLimitPolicy -
- - -RateLimitPolicy - - -		 -(Optional) -

The policy for rate limiting on the route.

-
-requestRedirectPolicy -
- - -HTTPRequestRedirectPolicy - - -		 -(Optional) -

RequestRedirectPolicy defines an HTTP redirection.

-
-directResponsePolicy -
- - -HTTPDirectResponsePolicy - - -		 -(Optional) -

DirectResponsePolicy returns an arbitrary HTTP response directly.

-
-internalRedirectPolicy -
- - -HTTPInternalRedirectPolicy - - -		 -(Optional) -

The policy to define when to handle redirects responses internally.

-
-jwtVerificationPolicy -
- - -JWTVerificationPolicy - - -		 -(Optional) -

The policy for verifying JWTs for requests to this route.

-
-ipAllowPolicy -
- - -[]IPFilterPolicy - - -		 -

IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching -requests should be allowed. All other requests will be denied. -Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. -The rules defined here override any rules set on the root HTTPProxy.

-
-ipDenyPolicy -
- - -[]IPFilterPolicy - - -		 -

IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching -requests should be denied. All other requests will be allowed. -Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. -The rules defined here override any rules set on the root HTTPProxy.

-
FieldDescription
+ conditions +
+ + + []MatchCondition + + + 		+ (Optional) +

Conditions are a set of rules that are applied to a Route. + When applied, they are merged using AND, with one exception: + There can be only one Prefix, Exact or Regex MatchCondition + per Conditions slice. More than one of these condition types, + or contradictory Conditions, will make the route invalid.

+
+ services +
+ + + []Service + + + 		+ (Optional) +

Services are the services to proxy traffic.

+
+ enableWebsockets +
+ + bool + + 		+ (Optional) +

Enables websocket support for the route.

+
+ permitInsecure +
+ + bool + + 		+ (Optional) +

Allow this path to respond to insecure requests over HTTP which are normally + not permitted when a virtualhost.tls block is present.

+
+ authPolicy +
+ + + AuthorizationPolicy + + + 		+ (Optional) +

AuthPolicy updates the authorization policy that was set + on the root HTTPProxy object for client requests that + match this route.

+
+ timeoutPolicy +
+ + + TimeoutPolicy + + + 		+ (Optional) +

The timeout policy for this route.

+
+ retryPolicy +
+ + + RetryPolicy + + + 		+ (Optional) +

The retry policy for this route.

+
+ healthCheckPolicy +
+ + + HTTPHealthCheckPolicy + + + 		+ (Optional) +

The health check policy for this route.

+
+ loadBalancerPolicy +
+ + + LoadBalancerPolicy + + + 		+ (Optional) +

The load balancing policy for this route.

+
+ pathRewritePolicy +
+ + + PathRewritePolicy + + + 		+ (Optional) +

The policy for rewriting the path of the request URL + after the request has been routed to a Service.

+
+ requestHeadersPolicy +
+ + + HeadersPolicy + + + 		+ (Optional) +

The policy for managing request headers during proxying.

+

You may dynamically rewrite the Host header to be forwarded + upstream to the content of a request header using + the below format “%REQ(X-Header-Name)%”. If the value of the header + is empty, it is ignored.

+

*NOTE: Pay attention to the potential security implications of using this option. + Provided header must come from trusted source.

+

**NOTE: The header rewrite is only done while forwarding and has no bearing + on the routing decision.

+
+ responseHeadersPolicy +
+ + + HeadersPolicy + + + 		+ (Optional) +

The policy for managing response headers during proxying. + Rewriting the ‘Host’ header is not supported.

+
+ cookieRewritePolicies +
+ + + []CookieRewritePolicy + + + 		+ (Optional) +

The policies for rewriting Set-Cookie header attributes. Note that + rewritten cookie names must be unique in this list. Order rewrite + policies are specified in does not matter.

+
+ rateLimitPolicy +
+ + + RateLimitPolicy + + + 		+ (Optional) +

The policy for rate limiting on the route.

+
+ requestRedirectPolicy +
+ + + HTTPRequestRedirectPolicy + + + 		+ (Optional) +

RequestRedirectPolicy defines an HTTP redirection.

+
+ directResponsePolicy +
+ + + HTTPDirectResponsePolicy + + + 		+ (Optional) +

DirectResponsePolicy returns an arbitrary HTTP response directly.

+
+ internalRedirectPolicy +
+ + + HTTPInternalRedirectPolicy + + + 		+ (Optional) +

The policy to define when to handle redirects responses internally.

+
+ jwtVerificationPolicy +
+ + + JWTVerificationPolicy + + + 		+ (Optional) +

The policy for verifying JWTs for requests to this route.

+
+ ipAllowPolicy +
+ + + []IPFilterPolicy + + + 		+

IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be allowed. All other requests will be denied. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here override any rules set on the root HTTPProxy.

+
+ ipDenyPolicy +
+ + + []IPFilterPolicy + + + 		+

IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be denied. All other requests will be allowed. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here override any rules set on the root HTTPProxy.

+

Service

-(Appears on: -Route, -TCPProxy) + (Appears on: + Route, + TCPProxy)

Service defines an Kubernetes Service to proxy traffic.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-name -
- -string - -		 -

Name is the name of Kubernetes service to proxy traffic. -Names defined here will be used to look up corresponding endpoints which contain the ips to route.

-
-port -
- -int - -		 -

Port (defined as Integer) to proxy traffic to since a service can have multiple defined.

-
-healthPort -
- -int - -		 -(Optional) -

HealthPort is the port for this service healthcheck. -If not specified, Port is used for service healthchecks.

-
-protocol -
- -string - -		 -(Optional) -

Protocol may be used to specify (or override) the protocol used to reach this Service. -Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations.

-
-weight -
- -int64 - -		 -(Optional) -

Weight defines percentage of traffic to balance traffic

-
-validation -
- - -UpstreamValidation - - -		 -(Optional) -

UpstreamValidation defines how to verify the backend service’s certificate

-
-mirror -
- -bool - -		 -

If Mirror is true the Service will receive a read only mirror of the traffic for this route. -If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight -field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring. -NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This -occurs since we cannot distinguish omitted fields from those explicitly set to their default -values

-
-requestHeadersPolicy -
- - -HeadersPolicy - - -		 -(Optional) -

The policy for managing request headers during proxying.

-
-responseHeadersPolicy -
- - -HeadersPolicy - - -		 -(Optional) -

The policy for managing response headers during proxying. -Rewriting the ‘Host’ header is not supported.

-
-cookieRewritePolicies -
- - -[]CookieRewritePolicy - - -		 -(Optional) -

The policies for rewriting Set-Cookie header attributes.

-
-slowStartPolicy -
- - -SlowStartPolicy - - -		 -(Optional) -

Slow start will gradually increase amount of traffic to a newly added endpoint.

-
FieldDescription
+ name +
+ + string + + 		+

Name is the name of Kubernetes service to proxy traffic. + Names defined here will be used to look up corresponding endpoints which contain the ips to route. +

+
+ port +
+ + int + + 		+

Port (defined as Integer) to proxy traffic to since a service can have multiple defined.

+
+ healthPort +
+ + int + + 		+ (Optional) +

HealthPort is the port for this service healthcheck. + If not specified, Port is used for service healthchecks.

+
+ protocol +
+ + string + + 		+ (Optional) +

Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations.

+
+ weight +
+ + int64 + + 		+ (Optional) +

Weight defines percentage of traffic to balance traffic

+
+ validation +
+ + + UpstreamValidation + + + 		+ (Optional) +

UpstreamValidation defines how to verify the backend service’s certificate

+
+ mirror +
+ + bool + + 		+

If Mirror is true the Service will receive a read only mirror of the traffic for this route. + If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight + field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring. + NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This + occurs since we cannot distinguish omitted fields from those explicitly set to their default + values

+
+ requestHeadersPolicy +
+ + + HeadersPolicy + + + 		+ (Optional) +

The policy for managing request headers during proxying.

+
+ responseHeadersPolicy +
+ + + HeadersPolicy + + + 		+ (Optional) +

The policy for managing response headers during proxying. + Rewriting the ‘Host’ header is not supported.

+
+ cookieRewritePolicies +
+ + + []CookieRewritePolicy + + + 		+ (Optional) +

The policies for rewriting Set-Cookie header attributes.

+
+ slowStartPolicy +
+ + + SlowStartPolicy + + + 		+ (Optional) +

Slow start will gradually increase amount of traffic to a newly added endpoint.

+

SlowStartPolicy

-(Appears on: -Service) + (Appears on: + Service)

SlowStartPolicy will gradually increase amount of traffic to a newly added endpoint. -It can be used only with RoundRobin and WeightedLeastRequest load balancing strategies.

+ It can be used only with RoundRobin and WeightedLeastRequest load balancing strategies.

- - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + +
FieldDescription
-window -
- -string - -		 -

The duration of slow start window. -Duration is expressed in the Go Duration format. -Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”.

-
-aggression -
- -string - -		 -(Optional) -

The speed of traffic increase over the slow start window. -Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic. -When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly. -The value of aggression parameter should be greater than 0.0.

-

More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start

-
-minWeightPercent -
- -uint32 - -		 -(Optional) -

The minimum or starting percentage of traffic to send to new endpoints. -A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window. -If not specified, the default is 10%.

-
FieldDescription
+ window +
+ + string + + 		+

The duration of slow start window. + Duration is expressed in the Go Duration format. + Valid time units are “ns”, “us” (or “µs”), “ms”, + “s”, “m”, “h”.

+
+ aggression +
+ + string + + 		+ (Optional) +

The speed of traffic increase over the slow start window. + Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic. + When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly. + The value of aggression parameter should be greater than 0.0.

+

More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start +

+
+ minWeightPercent +
+ + uint32 + + 		+ (Optional) +

The minimum or starting percentage of traffic to send to new endpoints. + A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start + mode to receive no traffic in the beginning of the slow start window. + If not specified, the default is 10%.

+

SubCondition

-(Appears on: -DetailedCondition) + (Appears on: + DetailedCondition)

SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.

It contains a subset of the Condition fields.

It is intended for warnings and errors, so type names should use abnormal-true polarity, -that is, they should be of the form “ErrorPresent: true”.

+ that is, they should be of the form “ErrorPresent: true”.

The expected lifecycle for these errors is that they should only be present when the error or warning is, -and should be removed when they are not relevant.

+ and should be removed when they are not relevant.

- - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-type -
- -string - -		 -

Type of condition in CamelCase or in foo.example.com/CamelCase.

-

This must be in abnormal-true polarity, that is, ErrorFound or controller.io/ErrorFound.

-

The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)

-
-status -
- - -Kubernetes meta/v1.ConditionStatus - - -		 -

Status of the condition, one of True, False, Unknown.

-
-reason -
- -string - -		 -

Reason contains a programmatic identifier indicating the reason for the condition’s last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API.

-

The value should be a CamelCase string.

-

This field may not be empty.

-
-message -
- -string - -		 -

Message is a human readable message indicating details about the transition.

-

This may be an empty string.

-
FieldDescription
+ type +
+ + string + + 		+

Type of condition in CamelCase or in foo.example.com/CamelCase.

+

This must be in abnormal-true polarity, that is, ErrorFound or + controller.io/ErrorFound. +

+

The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)

+
+ status +
+ + + Kubernetes meta/v1.ConditionStatus + + + 		+

Status of the condition, one of True, False, Unknown.

+
+ reason +
+ + string + + 		+

Reason contains a programmatic identifier indicating the reason for the condition’s last + transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API.

+

The value should be a CamelCase string.

+

This field may not be empty.

+
+ message +
+ + string + + 		+

Message is a human readable message indicating details about the transition.

+

This may be an empty string.

+

TCPHealthCheckPolicy

-(Appears on: -TCPProxy) + (Appears on: + TCPProxy)

TCPHealthCheckPolicy defines health checks on the upstream service.

- - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-intervalSeconds -
- -int64 - -		 -(Optional) -

The interval (seconds) between health checks

-
-timeoutSeconds -
- -int64 - -		 -(Optional) -

The time to wait (seconds) for a health check response

-
-unhealthyThresholdCount -
- -uint32 - -		 -(Optional) -

The number of unhealthy health checks required before a host is marked unhealthy

-
-healthyThresholdCount -
- -uint32 - -		 -(Optional) -

The number of healthy health checks required before a host is marked healthy

-
FieldDescription
+ intervalSeconds +
+ + int64 + + 		+ (Optional) +

The interval (seconds) between health checks

+
+ timeoutSeconds +
+ + int64 + + 		+ (Optional) +

The time to wait (seconds) for a health check response

+
+ unhealthyThresholdCount +
+ + uint32 + + 		+ (Optional) +

The number of unhealthy health checks required before a host is marked unhealthy

+
+ healthyThresholdCount +
+ + uint32 + + 		+ (Optional) +

The number of healthy health checks required before a host is marked healthy

+

TCPProxy

-(Appears on: -HTTPProxySpec) + (Appears on: + HTTPProxySpec)

TCPProxy contains the set of services to proxy TCP connections.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-loadBalancerPolicy -
- - -LoadBalancerPolicy - - -		 -(Optional) -

The load balancing policy for the backend services. Note that the -Cookie and RequestHash load balancing strategies cannot be used -here.

-
-services -
- - -[]Service - - -		 -(Optional) -

Services are the services to proxy traffic

-
-include -
- - -TCPProxyInclude - - -		 -(Optional) -

Include specifies that this tcpproxy should be delegated to another HTTPProxy.

-
-includes -
- - -TCPProxyInclude - - -		 -(Optional) -

IncludesDeprecated allow for specific routing configuration to be appended to another HTTPProxy in another namespace.

-

Exists due to a mistake when developing HTTPProxy and the field was marked plural -when it should have been singular. This field should stay to not break backwards compatibility to v1 users.

-
-healthCheckPolicy -
- - -TCPHealthCheckPolicy - - -		 -(Optional) -

The health check policy for this tcp proxy

-
FieldDescription
+ loadBalancerPolicy +
+ + + LoadBalancerPolicy + + + 		+ (Optional) +

The load balancing policy for the backend services. Note that the + Cookie and RequestHash load balancing strategies cannot be used + here. +

+
+ services +
+ + + []Service + + + 		+ (Optional) +

Services are the services to proxy traffic

+
+ include +
+ + + TCPProxyInclude + + + 		+ (Optional) +

Include specifies that this tcpproxy should be delegated to another HTTPProxy.

+
+ includes +
+ + + TCPProxyInclude + + + 		+ (Optional) +

IncludesDeprecated allow for specific routing configuration to be appended to another HTTPProxy in + another namespace.

+

Exists due to a mistake when developing HTTPProxy and the field was marked plural + when it should have been singular. This field should stay to not break backwards compatibility to v1 + users.

+
+ healthCheckPolicy +
+ + + TCPHealthCheckPolicy + + + 		+ (Optional) +

The health check policy for this tcp proxy

+

TCPProxyInclude

-(Appears on: -TCPProxy) + (Appears on: + TCPProxy)

TCPProxyInclude describes a target HTTPProxy document which contains the TCPProxy details.

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-name -
- -string - -		 -

Name of the child HTTPProxy

-
-namespace -
- -string - -		 -(Optional) -

Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied.

-
FieldDescription
+ name +
+ + string + + 		+

Name of the child HTTPProxy

+
+ namespace +
+ + string + + 		+ (Optional) +

Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied.

+

TLS

-(Appears on: -VirtualHost) + (Appears on: + VirtualHost)

TLS describes tls properties. The SNI names that will be matched on -are described in the HTTPProxy’s Spec.VirtualHost.Fqdn field.

+ are described in the HTTPProxy’s Spec.VirtualHost.Fqdn field.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-secretName -
- -string - -		 -

SecretName is the name of a TLS secret. -Either SecretName or Passthrough must be specified, but not both. -If specified, the named secret must contain a matching certificate -for the virtual host’s FQDN. -The name can be optionally prefixed with namespace “namespace/name”. -When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.

-
-minimumProtocolVersion -
- -string - -		 -(Optional) -

MinimumProtocolVersion is the minimum TLS version this vhost should -negotiate. Valid options are 1.2 (default) and 1.3. Any other value -defaults to TLS 1.2.

-
-maximumProtocolVersion -
- -string - -		 -(Optional) -

MaximumProtocolVersion is the maximum TLS version this vhost should -negotiate. Valid options are 1.2 and 1.3 (default). Any other value -defaults to TLS 1.3.

-
-passthrough -
- -bool - -		 -(Optional) -

Passthrough defines whether the encrypted TLS handshake will be -passed through to the backing cluster. Either Passthrough or -SecretName must be specified, but not both.

-
-clientValidation -
- - -DownstreamValidation - - -		 -(Optional) -

ClientValidation defines how to verify the client certificate -when an external client establishes a TLS connection to Envoy.

-

This setting:

-
    -
  1. Enables TLS client certificate validation.
    2. -
  2. Specifies how the client certificate will be validated (i.e. -validation required or skipped).
    3. -
-

Note: Setting client certificate validation to be skipped should -be only used in conjunction with an external authorization server that -performs client validation as Contour will ensure client certificates -are passed along.

-
-enableFallbackCertificate -
- -bool - -		 -

EnableFallbackCertificate defines if the vhost should allow a default certificate to -be applied which handles all requests which don’t match the SNI defined in this vhost.

-
FieldDescription
+ secretName +
+ + string + + 		+

SecretName is the name of a TLS secret. + Either SecretName or Passthrough must be specified, but not both. + If specified, the named secret must contain a matching certificate + for the virtual host’s FQDN. + The name can be optionally prefixed with namespace “namespace/name”. + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the + namespace to grant access to the secret.

+
+ minimumProtocolVersion +
+ + string + + 		+ (Optional) +

MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. Valid options are 1.2 (default) and 1.3. Any other value + defaults to TLS 1.2.

+
+ maximumProtocolVersion +
+ + string + + 		+ (Optional) +

MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. Valid options are 1.2 and 1.3 (default). Any other value + defaults to TLS 1.3.

+
+ passthrough +
+ + bool + + 		+ (Optional) +

Passthrough defines whether the encrypted TLS handshake will be + passed through to the backing cluster. Either Passthrough or + SecretName must be specified, but not both.

+
+ clientValidation +
+ + + DownstreamValidation + + + 		+ (Optional) +

ClientValidation defines how to verify the client certificate + when an external client establishes a TLS connection to Envoy.

+

This setting:

+
    +
  1. Enables TLS client certificate validation.
    2. +
  2. Specifies how the client certificate will be validated (i.e. + validation required or skipped).
    3. +
+

Note: Setting client certificate validation to be skipped should + be only used in conjunction with an external authorization server that + performs client validation as Contour will ensure client certificates + are passed along.

+
+ enableFallbackCertificate +
+ + bool + + 		+

EnableFallbackCertificate defines if the vhost should allow a default certificate to + be applied which handles all requests which don’t match the SNI defined in this vhost.

+

TLSCertificateDelegationSpec

-(Appears on: -TLSCertificateDelegation) + (Appears on: + TLSCertificateDelegation)

TLSCertificateDelegationSpec defines the spec of the CRD

- - - - - - - - - - - - + + + + + + + + + + + +
FieldDescription
-delegations -
- - -[]CertificateDelegation - - -		 -
FieldDescription
+ delegations +
+ + + []CertificateDelegation + + + 		+

TLSCertificateDelegationStatus

-(Appears on: -TLSCertificateDelegation) + (Appears on: + TLSCertificateDelegation)

TLSCertificateDelegationStatus allows for the status of the delegation -to be presented to the user.

+ to be presented to the user.

- - - - - - - - - - - - + + + + + + + + + + + +
FieldDescription
-conditions -
- - -[]DetailedCondition - - -		 -(Optional) -

Conditions contains information about the current status of the HTTPProxy, -in an upstream-friendly container.

-

Contour will update a single condition, Valid, that is in normal-true polarity. -That is, when currentStatus is valid, the Valid condition will be status: true, -and vice versa.

-

Contour will leave untouched any other Conditions set in this block, -in case some other controller wants to add a Condition.

-

If you are another controller owner and wish to add a condition, you should -namespace your condition with a label, like controller.domain.com\ConditionName.

-
FieldDescription
+ conditions +
+ + + []DetailedCondition + + + 		+ (Optional) +

Conditions contains information about the current status of the HTTPProxy, + in an upstream-friendly container.

+

Contour will update a single condition, Valid, that is in normal-true polarity. + That is, when currentStatus is valid, the Valid condition + will be status: true, + and vice versa.

+

Contour will leave untouched any other Conditions set in this block, + in case some other controller wants to add a Condition.

+

If you are another controller owner and wish to add a condition, you should + namespace your condition with a label, like controller.domain.com\ConditionName.

+

TimeoutPolicy

-(Appears on: -Route, -ExtensionServiceSpec) + (Appears on: + Route, + ExtensionServiceSpec)

TimeoutPolicy configures timeouts that are used for handling network requests.

TimeoutPolicy durations are expressed in the Go Duration format. -Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. -The string “infinity” is also a valid input and specifies no timeout. -A value of “0s” will be treated as if the field were not set, i.e. by using Envoy’s default behavior.

+ Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, + “m”, “h”. + The string “infinity” is also a valid input and specifies no timeout. + A value of “0s” will be treated as if the field were not set, i.e. by using Envoy’s default + behavior.

Example input values: “300ms”, “5s”, “1m”.

- - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + +
FieldDescription
-response -
- -string - -		 -(Optional) -

Timeout for receiving a response from the server after processing a request from client. -If not supplied, Envoy’s default value of 15s applies.

-
-idle -
- -string - -		 -(Optional) -

Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2). -Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests. -If not specified, there is no per-route idle timeout, though a connection manager-wide -stream_idle_timeout default of 5m still applies.

-
-idleConnection -
- -string - -		 -(Optional) -

Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests. -If not supplied, Envoy’s default value of 1h applies.

-
FieldDescription
+ response +
+ + string + + 		+ (Optional) +

Timeout for receiving a response from the server after processing a request from client. + If not supplied, Envoy’s default value of 15s applies.

+
+ idle +
+ + string + + 		+ (Optional) +

Timeout for how long the proxy should wait while there is no activity during single request/response + (for HTTP/1.1) or stream (for HTTP/2). + Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests. + If not specified, there is no per-route idle timeout, though a connection manager-wide + stream_idle_timeout default of 5m still applies.

+
+ idleConnection +
+ + string + + 		+ (Optional) +

Timeout for how long connection from the proxy to the upstream service is kept when there are no + active requests. + If not supplied, Envoy’s default value of 1h applies.

+

UpstreamValidation

-(Appears on: -RemoteJWKS, -Service, -ExtensionServiceSpec) + (Appears on: + RemoteJWKS, + Service, + ExtensionServiceSpec)

UpstreamValidation defines how to verify the backend service’s certificate

- - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + +
FieldDescription
-caSecret -
- -string - -		 -

Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. -The secret must contain key named ca.crt. -The name can be optionally prefixed with namespace “namespace/name”. -When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. -Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317)

-
-subjectName -
- -string - -		 -

Key which is expected to be present in the ‘subjectAltName’ of the presented certificate. -Deprecated: migrate to using the plural field subjectNames.

-
-subjectNames -
- -[]string - -		 -(Optional) -

List of keys, of which at least one is expected to be present in the ‘subjectAltName of the -presented certificate.

-
FieldDescription
+ caSecret +
+ + string + + 		+

Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the + backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace “namespace/name”. + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the + namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317)

+
+ subjectName +
+ + string + + 		+

Key which is expected to be present in the ‘subjectAltName’ of the presented certificate. + Deprecated: migrate to using the plural field subjectNames.

+
+ subjectNames +
+ + []string + + 		+ (Optional) +

List of keys, of which at least one is expected to be present in the ‘subjectAltName of the + presented certificate.

+

VirtualHost

-(Appears on: -HTTPProxySpec) + (Appears on: + HTTPProxySpec)

VirtualHost appears at most once. If it is present, the object is considered -to be a “root”.

+ to be a “root”.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-fqdn -
- -string - -		 -

The fully qualified domain name of the root of the ingress tree -all leaves of the DAG rooted at this object relate to the fqdn.

-
-tls -
- - -TLS - - -		 -(Optional) -

If present the fields describes TLS properties of the virtual -host. The SNI names that will be matched on are described in fqdn, -the tls.secretName secret must contain a certificate that itself -contains a name that matches the FQDN.

-
-authorization -
- - -AuthorizationServer - - -		 -(Optional) -

This field configures an extension service to perform -authorization for this virtual host. Authorization can -only be configured on virtual hosts that have TLS enabled. -If the TLS configuration requires client certificate -validation, the client certificate is always included in the -authentication check request.

-
-corsPolicy -
- - -CORSPolicy - - -		 -(Optional) -

Specifies the cross-origin policy to apply to the VirtualHost.

-
-rateLimitPolicy -
- - -RateLimitPolicy - - -		 -(Optional) -

The policy for rate limiting on the virtual host.

-
-jwtProviders -
- - -[]JWTProvider - - -		 -(Optional) -

Providers to use for verifying JSON Web Tokens (JWTs) on the virtual host.

-
-ipAllowPolicy -
- - -[]IPFilterPolicy - - -		 -

IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching -requests should be allowed. All other requests will be denied. -Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. -The rules defined here may be overridden in a Route.

-
-ipDenyPolicy -
- - -[]IPFilterPolicy - - -		 -

IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching -requests should be denied. All other requests will be allowed. -Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. -The rules defined here may be overridden in a Route.

-
FieldDescription
+ fqdn +
+ + string + + 		+

The fully qualified domain name of the root of the ingress tree + all leaves of the DAG rooted at this object relate to the fqdn.

+
+ tls +
+ + + TLS + + + 		+ (Optional) +

If present the fields describes TLS properties of the virtual + host. The SNI names that will be matched on are described in fqdn, + the tls.secretName secret must contain a certificate that itself + contains a name that matches the FQDN.

+
+ authorization +
+ + + AuthorizationServer + + + 		+ (Optional) +

This field configures an extension service to perform + authorization for this virtual host. Authorization can + only be configured on virtual hosts that have TLS enabled. + If the TLS configuration requires client certificate + validation, the client certificate is always included in the + authentication check request.

+
+ corsPolicy +
+ + + CORSPolicy + + + 		+ (Optional) +

Specifies the cross-origin policy to apply to the VirtualHost.

+
+ rateLimitPolicy +
+ + + RateLimitPolicy + + + 		+ (Optional) +

The policy for rate limiting on the virtual host.

+
+ jwtProviders +
+ + + []JWTProvider + + + 		+ (Optional) +

Providers to use for verifying JSON Web Tokens (JWTs) on the virtual host.

+
+ ipAllowPolicy +
+ + + []IPFilterPolicy + + + 		+

IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be allowed. All other requests will be denied. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here may be overridden in a Route.

+
+ ipDenyPolicy +
+ + + []IPFilterPolicy + + + 		+

IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be denied. All other requests will be allowed. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here may be overridden in a Route.

+
-
+

projectcontour.io/v1alpha1

Package v1alpha1 contains API Schema definitions for the projectcontour.io v1alpha1 API group

Resource Types: - +

ContourConfiguration

ContourConfiguration is the schema for a Contour instance.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-apiVersion
-string		 - -projectcontour.io/v1alpha1 - -
-kind
-string -		ContourConfiguration
-metadata -
- - -Kubernetes meta/v1.ObjectMeta - - -		 -Refer to the Kubernetes API documentation for the fields of the -metadata field. -
-spec -
- - -ContourConfigurationSpec - - -		 -
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-xdsServer -
- - -XDSServerConfig - - -		 -(Optional) -

XDSServer contains parameters for the xDS server.

-
-ingress -
- - -IngressConfig - - -		 -(Optional) -

Ingress contains parameters for ingress options.

-
-debug -
- - -DebugConfig - - -		 -(Optional) -

Debug contains parameters to enable debug logging -and debug interfaces inside Contour.

-
-health -
- - -HealthConfig - - -		 -(Optional) -

Health defines the endpoints Contour uses to serve health checks.

-

Contour’s default is { address: “0.0.0.0”, port: 8000 }.

-
-envoy -
- - -EnvoyConfig - - -		 -(Optional) -

Envoy contains parameters for Envoy as well -as how to optionally configure a managed Envoy fleet.

-
-gateway -
- - -GatewayConfig - - -		 -(Optional) -

Gateway contains parameters for the gateway-api Gateway that Contour -is configured to serve traffic.

-
-httpproxy -
- - -HTTPProxyConfig - - -		 -(Optional) -

HTTPProxy defines parameters on HTTPProxy.

-
-enableExternalNameService -
- -bool - -		 -(Optional) -

EnableExternalNameService allows processing of ExternalNameServices

-

Contour’s default is false for security reasons.

-
-globalExtAuth -
- - -AuthorizationServer - - -		 -(Optional) -

GlobalExternalAuthorization allows envoys external authorization filter -to be enabled for all virtual hosts.

-
-rateLimitService -
- - -RateLimitServiceConfig - - -		 -(Optional) -

RateLimitService optionally holds properties of the Rate Limit Service -to be used for global rate limiting.

-
-policy -
- - -PolicyConfig - - -		 -(Optional) -

Policy specifies default policy applied if not overridden by the user

-
-metrics -
- - -MetricsConfig - - -		 -(Optional) -

Metrics defines the endpoint Contour uses to serve metrics.

-

Contour’s default is { address: “0.0.0.0”, port: 8000 }.

-
-tracing -
- - -TracingConfig - - -		 -

Tracing defines properties for exporting trace data to OpenTelemetry.

-
-featureFlags -
- - -FeatureFlags - - -		 -

FeatureFlags defines toggle to enable new contour features. -Available toggles are: -useEndpointSlices - configures contour to fetch endpoint data -from k8s endpoint slices. defaults to false and reading endpoint -data from the k8s endpoints.

-
-
-status -
- - -ContourConfigurationStatus - - -		 -(Optional) -
FieldDescription
+ apiVersion
+ string + 		+ + projectcontour.io/v1alpha1 + +
+ kind
+ string + 		ContourConfiguration
+ metadata +
+ + + Kubernetes meta/v1.ObjectMeta + + + 		+ Refer to the Kubernetes API documentation for the fields of the + metadata field. +
+ spec +
+ + + ContourConfigurationSpec + + + 		+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ xdsServer +
+ + + XDSServerConfig + + + 		+ (Optional) +

XDSServer contains parameters for the xDS server.

+
+ ingress +
+ + + IngressConfig + + + 		+ (Optional) +

Ingress contains parameters for ingress options.

+
+ debug +
+ + + DebugConfig + + + 		+ (Optional) +

Debug contains parameters to enable debug logging + and debug interfaces inside Contour.

+
+ health +
+ + + HealthConfig + + + 		+ (Optional) +

Health defines the endpoints Contour uses to serve health checks.

+

Contour’s default is { address: “0.0.0.0”, port: 8000 }.

+
+ envoy +
+ + + EnvoyConfig + + + 		+ (Optional) +

Envoy contains parameters for Envoy as well + as how to optionally configure a managed Envoy fleet.

+
+ gateway +
+ + + GatewayConfig + + + 		+ (Optional) +

Gateway contains parameters for the gateway-api Gateway that Contour + is configured to serve traffic.

+
+ httpproxy +
+ + + HTTPProxyConfig + + + 		+ (Optional) +

HTTPProxy defines parameters on HTTPProxy.

+
+ enableExternalNameService +
+ + bool + + 		+ (Optional) +

EnableExternalNameService allows processing of ExternalNameServices

+

Contour’s default is false for security reasons.

+
+ globalExtAuth +
+ + + AuthorizationServer + + + 		+ (Optional) +

GlobalExternalAuthorization allows envoys external authorization filter + to be enabled for all virtual hosts.

+
+ rateLimitService +
+ + + RateLimitServiceConfig + + + 		+ (Optional) +

RateLimitService optionally holds properties of the Rate Limit Service + to be used for global rate limiting.

+
+ policy +
+ + + PolicyConfig + + + 		+ (Optional) +

Policy specifies default policy applied if not overridden by the user

+
+ metrics +
+ + + MetricsConfig + + + 		+ (Optional) +

Metrics defines the endpoint Contour uses to serve metrics.

+

Contour’s default is { address: “0.0.0.0”, port: 8000 }.

+
+ tracing +
+ + + TracingConfig + + + 		+

Tracing defines properties for exporting trace data to OpenTelemetry.

+
+ featureFlags +
+ + + FeatureFlags + + + 		+

FeatureFlags defines toggle to enable new contour features. + Available toggles are: + useEndpointSlices - configures contour to fetch endpoint data + from k8s endpoint slices. defaults to false and reading endpoint + data from the k8s endpoints.

+
+
+ status +
+ + + ContourConfigurationStatus + + + 		+ (Optional) +

ContourDeployment

@@ -5221,3802 +5321,4037 @@

ContourDeployment

ContourDeployment is the schema for a Contour Deployment.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-apiVersion
-string		 - -projectcontour.io/v1alpha1 - -
-kind
-string -		ContourDeployment
-metadata -
- - -Kubernetes meta/v1.ObjectMeta - - -		 -Refer to the Kubernetes API documentation for the fields of the -metadata field. -
-spec -
- - -ContourDeploymentSpec - - -		 -
-
- - - - - - - - - - - - - - - - - -
-contour -
- - -ContourSettings - - -		 -(Optional) -

Contour specifies deployment-time settings for the Contour -part of the installation, i.e. the xDS server/control plane -and associated resources, including things like replica count -for the Deployment, and node placement constraints for the pods.

-
-envoy -
- - -EnvoySettings - - -		 -(Optional) -

Envoy specifies deployment-time settings for the Envoy -part of the installation, i.e. the xDS client/data plane -and associated resources, including things like the workload -type to use (DaemonSet or Deployment), node placement constraints -for the pods, and various options for the Envoy service.

-
-runtimeSettings -
- - -ContourConfigurationSpec - - -		 -(Optional) -

RuntimeSettings is a ContourConfiguration spec to be used when -provisioning a Contour instance that will influence aspects of -the Contour instance’s runtime behavior.

-
-resourceLabels -
- -map[string]string - -		 -(Optional) -

ResourceLabels is a set of labels to add to the provisioned Contour resources.

-

Deprecated: use Gateway.Spec.Infrastructure.Labels instead. This field will be -removed in a future release.

-
-
-status -
- - -ContourDeploymentStatus - - -		 -
FieldDescription
+ apiVersion
+ string + 		+ + projectcontour.io/v1alpha1 + +
+ kind
+ string + 		ContourDeployment
+ metadata +
+ + + Kubernetes meta/v1.ObjectMeta + + + 		+ Refer to the Kubernetes API documentation for the fields of the + metadata field. +
+ spec +
+ + + ContourDeploymentSpec + + + 		+
+
+ + + + + + + + + + + + + + + + + +
+ contour +
+ + + ContourSettings + + + 		+ (Optional) +

Contour specifies deployment-time settings for the Contour + part of the installation, i.e. the xDS server/control plane + and associated resources, including things like replica count + for the Deployment, and node placement constraints for the pods.

+
+ envoy +
+ + + EnvoySettings + + + 		+ (Optional) +

Envoy specifies deployment-time settings for the Envoy + part of the installation, i.e. the xDS client/data plane + and associated resources, including things like the workload + type to use (DaemonSet or Deployment), node placement constraints + for the pods, and various options for the Envoy service.

+
+ runtimeSettings +
+ + + ContourConfigurationSpec + + + 		+ (Optional) +

RuntimeSettings is a ContourConfiguration spec to be used when + provisioning a Contour instance that will influence aspects of + the Contour instance’s runtime behavior.

+
+ resourceLabels +
+ + map[string]string + + 		+ (Optional) +

ResourceLabels is a set of labels to add to the provisioned Contour resources.

+

Deprecated: use Gateway.Spec.Infrastructure.Labels instead. This field will be + removed in a future release.

+
+
+ status +
+ + + ContourDeploymentStatus + + + 		+

ExtensionService

ExtensionService is the schema for the Contour extension services API. -An ExtensionService resource binds a network service to the Contour -API so that Contour API features can be implemented by collaborating -components.

+ An ExtensionService resource binds a network service to the Contour + API so that Contour API features can be implemented by collaborating + components.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-apiVersion
-string		 - -projectcontour.io/v1alpha1 - -
-kind
-string -		ExtensionService
-metadata -
- - -Kubernetes meta/v1.ObjectMeta - - -		 -Refer to the Kubernetes API documentation for the fields of the -metadata field. -
-spec -
- - -ExtensionServiceSpec - - -		 -
-
- - - - - - - - - - - - - - - - - - - - - - - - - -
-services -
- - -[]ExtensionServiceTarget - - -		 -

Services specifies the set of Kubernetes Service resources that -receive GRPC extension API requests. -If no weights are specified for any of the entries in -this array, traffic will be spread evenly across all the -services. -Otherwise, traffic is balanced proportionally to the -Weight field in each entry.

-
-validation -
- - -UpstreamValidation - - -		 -(Optional) -

UpstreamValidation defines how to verify the backend service’s certificate

-
-protocol -
- -string - -		 -(Optional) -

Protocol may be used to specify (or override) the protocol used to reach this Service. -Values may be h2 or h2c. If omitted, protocol-selection falls back on Service annotations.

-
-loadBalancerPolicy -
- - -LoadBalancerPolicy - - -		 -(Optional) -

The policy for load balancing GRPC service requests. Note that the -Cookie and RequestHash load balancing strategies cannot be used -here.

-
-timeoutPolicy -
- - -TimeoutPolicy - - -		 -(Optional) -

The timeout policy for requests to the services.

-
-protocolVersion -
- - -ExtensionProtocolVersion - - -		 -(Optional) -

This field sets the version of the GRPC protocol that Envoy uses to -send requests to the extension service. Since Contour always uses the -v3 Envoy API, this is currently fixed at “v3”. However, other -protocol options will be available in future.

-
-
-status -
- - -ExtensionServiceStatus - - -		 -
FieldDescription
+ apiVersion
+ string + 		+ + projectcontour.io/v1alpha1 + +
+ kind
+ string + 		ExtensionService
+ metadata +
+ + + Kubernetes meta/v1.ObjectMeta + + + 		+ Refer to the Kubernetes API documentation for the fields of the + metadata field. +
+ spec +
+ + + ExtensionServiceSpec + + + 		+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ services +
+ + + []ExtensionServiceTarget + + + 		+

Services specifies the set of Kubernetes Service resources that + receive GRPC extension API requests. + If no weights are specified for any of the entries in + this array, traffic will be spread evenly across all the + services. + Otherwise, traffic is balanced proportionally to the + Weight field in each entry.

+
+ validation +
+ + + UpstreamValidation + + + 		+ (Optional) +

UpstreamValidation defines how to verify the backend service’s certificate

+
+ protocol +
+ + string + + 		+ (Optional) +

Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be h2 or h2c. If omitted, protocol-selection falls back on Service + annotations.

+
+ loadBalancerPolicy +
+ + + LoadBalancerPolicy + + + 		+ (Optional) +

The policy for load balancing GRPC service requests. Note that the + Cookie and RequestHash load balancing strategies cannot be + used + here. +

+
+ timeoutPolicy +
+ + + TimeoutPolicy + + + 		+ (Optional) +

The timeout policy for requests to the services.

+
+ protocolVersion +
+ + + ExtensionProtocolVersion + + + 		+ (Optional) +

This field sets the version of the GRPC protocol that Envoy uses to + send requests to the extension service. Since Contour always uses the + v3 Envoy API, this is currently fixed at “v3”. However, other + protocol options will be available in future.

+
+
+ status +
+ + + ExtensionServiceStatus + + + 		+

AccessLogFormatString -(string alias)

+ (string alias)

+

AccessLogJSONFields -([]string alias)

+ ([]string alias)

+

-(Appears on: -EnvoyLogging) + (Appears on: + EnvoyLogging)

AccessLogLevel -(string alias)

+ (string alias)

+

-(Appears on: -EnvoyLogging) + (Appears on: + EnvoyLogging)

- - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + +
ValueDescription

"critical"

Log only requests that result in an server error (i.e. 500+) response code.

-

"disabled"

Disable the access log.

-

"error"

Log only requests that result in a non-success (i.e. 300+) response code

-

"info"

Log all requests. This is the default.

-
ValueDescription
+

"critical"

+ 		+

Log only requests that result in an server error (i.e. 500+) response code.

+
+

"disabled"

+ 		+

Disable the access log.

+
+

"error"

+ 		+

Log only requests that result in a non-success (i.e. 300+) response code

+
+

"info"

+ 		+

Log all requests. This is the default.

+

AccessLogType -(string alias)

+ (string alias)

+

-(Appears on: -EnvoyLogging) + (Appears on: + EnvoyLogging)

AccessLogType is the name of a supported access logging mechanism.

- - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + +
ValueDescription

"envoy"

DefaultAccessLogType is the default access log format.

-

"envoy"

Set the Envoy access logging to Envoy’s standard format. -Can be customized using accessLogFormatString.

-

"json"

Set the Envoy access logging to a JSON format. -Can be customized using jsonFields.

-
ValueDescription
+

"envoy"

+ 		+

DefaultAccessLogType is the default access log format.

+
+

"envoy"

+ 		+

Set the Envoy access logging to Envoy’s standard format. + Can be customized using accessLogFormatString.

+
+

"json"

+ 		+

Set the Envoy access logging to a JSON format. + Can be customized using jsonFields.

+

ClusterDNSFamilyType -(string alias)

+ (string alias)

+

-(Appears on: -ClusterParameters) + (Appears on: + ClusterParameters)

ClusterDNSFamilyType is the Ip family to use for resolving DNS -names in an Envoy cluster config.

+ names in an Envoy cluster config.

- - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + +
ValueDescription

"all"

DNS lookups will attempt both v4 and v6 queries.

-

"auto"

DNS lookups will do a v6 lookup first, followed by a v4 if that fails.

-

"v4"

DNS lookups will only attempt v4 queries.

-

"v6"

DNS lookups will only attempt v6 queries.

-
ValueDescription
+

"all"

+ 		+

DNS lookups will attempt both v4 and v6 queries.

+
+

"auto"

+ 		+

DNS lookups will do a v6 lookup first, followed by a v4 if that fails.

+
+

"v4"

+ 		+

DNS lookups will only attempt v4 queries.

+
+

"v6"

+ 		+

DNS lookups will only attempt v6 queries.

+

ClusterParameters

-(Appears on: -EnvoyConfig) + (Appears on: + EnvoyConfig)

ClusterParameters holds various configurable cluster values.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-dnsLookupFamily -
- - -ClusterDNSFamilyType - - -		 -(Optional) -

DNSLookupFamily defines how external names are looked up -When configured as V4, the DNS resolver will only perform a lookup -for addresses in the IPv4 family. If V6 is configured, the DNS resolver -will only perform a lookup for addresses in the IPv6 family. -If AUTO is configured, the DNS resolver will first perform a lookup -for addresses in the IPv6 family and fallback to a lookup for addresses -in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for -both IPv4 and IPv6 families, and return all resolved addresses. -When this is used, Happy Eyeballs will be enabled for upstream connections. -Refer to Happy Eyeballs Support for more information. -Note: This only applies to externalName clusters.

-

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily -for more information.

-

Values: auto (default), v4, v6, all.

-

Other values will produce an error.

-
-maxRequestsPerConnection -
- -uint32 - -		 -(Optional) -

Defines the maximum requests for upstream connections. If not specified, there is no limit. -see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions -for more information.

-
-per-connection-buffer-limit-bytes -
- -uint32 - -		 -(Optional) -

Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes. -If unspecified, an implementation defined default is applied (1MiB). -see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes -for more information.

-
-circuitBreakers -
- - -GlobalCircuitBreakerDefaults - - -		 -(Optional) -

GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services. -If defined, this will be used as the default for all services.

-
-upstreamTLS -
- - -EnvoyTLS - - -		 -(Optional) -

UpstreamTLS contains the TLS policy parameters for upstream connections

-
FieldDescription
+ dnsLookupFamily +
+ + + ClusterDNSFamilyType + + + 		+ (Optional) +

DNSLookupFamily defines how external names are looked up + When configured as V4, the DNS resolver will only perform a lookup + for addresses in the IPv4 family. If V6 is configured, the DNS resolver + will only perform a lookup for addresses in the IPv6 family. + If AUTO is configured, the DNS resolver will first perform a lookup + for addresses in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for + both IPv4 and IPv6 families, and return all resolved addresses. + When this is used, Happy Eyeballs will be enabled for upstream connections. + Refer to Happy Eyeballs Support for more information. + Note: This only applies to externalName clusters.

+

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information.

+

Values: auto (default), v4, v6, all.

+

Other values will produce an error.

+
+ maxRequestsPerConnection +
+ + uint32 + + 		+ (Optional) +

Defines the maximum requests for upstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + for more information.

+
+ per-connection-buffer-limit-bytes +
+ + uint32 + + 		+ (Optional) +

Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes + for more information.

+
+ circuitBreakers +
+ + + GlobalCircuitBreakerDefaults + + + 		+ (Optional) +

GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services. + If defined, this will be used as the default for all services.

+
+ upstreamTLS +
+ + + EnvoyTLS + + + 		+ (Optional) +

UpstreamTLS contains the TLS policy parameters for upstream connections

+

ContourConfigurationSpec

-(Appears on: -ContourConfiguration, -ContourDeploymentSpec) + (Appears on: + ContourConfiguration, + ContourDeploymentSpec)

ContourConfigurationSpec represents a configuration of a Contour controller. -It contains most of all the options that can be customized, the -other remaining options being command line flags.

+ It contains most of all the options that can be customized, the + other remaining options being command line flags.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-xdsServer -
- - -XDSServerConfig - - -		 -(Optional) -

XDSServer contains parameters for the xDS server.

-
-ingress -
- - -IngressConfig - - -		 -(Optional) -

Ingress contains parameters for ingress options.

-
-debug -
- - -DebugConfig - - -		 -(Optional) -

Debug contains parameters to enable debug logging -and debug interfaces inside Contour.

-
-health -
- - -HealthConfig - - -		 -(Optional) -

Health defines the endpoints Contour uses to serve health checks.

-

Contour’s default is { address: “0.0.0.0”, port: 8000 }.

-
-envoy -
- - -EnvoyConfig - - -		 -(Optional) -

Envoy contains parameters for Envoy as well -as how to optionally configure a managed Envoy fleet.

-
-gateway -
- - -GatewayConfig - - -		 -(Optional) -

Gateway contains parameters for the gateway-api Gateway that Contour -is configured to serve traffic.

-
-httpproxy -
- - -HTTPProxyConfig - - -		 -(Optional) -

HTTPProxy defines parameters on HTTPProxy.

-
-enableExternalNameService -
- -bool - -		 -(Optional) -

EnableExternalNameService allows processing of ExternalNameServices

-

Contour’s default is false for security reasons.

-
-globalExtAuth -
- - -AuthorizationServer - - -		 -(Optional) -

GlobalExternalAuthorization allows envoys external authorization filter -to be enabled for all virtual hosts.

-
-rateLimitService -
- - -RateLimitServiceConfig - - -		 -(Optional) -

RateLimitService optionally holds properties of the Rate Limit Service -to be used for global rate limiting.

-
-policy -
- - -PolicyConfig - - -		 -(Optional) -

Policy specifies default policy applied if not overridden by the user

-
-metrics -
- - -MetricsConfig - - -		 -(Optional) -

Metrics defines the endpoint Contour uses to serve metrics.

-

Contour’s default is { address: “0.0.0.0”, port: 8000 }.

-
-tracing -
- - -TracingConfig - - -		 -

Tracing defines properties for exporting trace data to OpenTelemetry.

-
-featureFlags -
- - -FeatureFlags - - -		 -

FeatureFlags defines toggle to enable new contour features. -Available toggles are: -useEndpointSlices - configures contour to fetch endpoint data -from k8s endpoint slices. defaults to false and reading endpoint -data from the k8s endpoints.

-
FieldDescription
+ xdsServer +
+ + + XDSServerConfig + + + 		+ (Optional) +

XDSServer contains parameters for the xDS server.

+
+ ingress +
+ + + IngressConfig + + + 		+ (Optional) +

Ingress contains parameters for ingress options.

+
+ debug +
+ + + DebugConfig + + + 		+ (Optional) +

Debug contains parameters to enable debug logging + and debug interfaces inside Contour.

+
+ health +
+ + + HealthConfig + + + 		+ (Optional) +

Health defines the endpoints Contour uses to serve health checks.

+

Contour’s default is { address: “0.0.0.0”, port: 8000 }.

+
+ envoy +
+ + + EnvoyConfig + + + 		+ (Optional) +

Envoy contains parameters for Envoy as well + as how to optionally configure a managed Envoy fleet.

+
+ gateway +
+ + + GatewayConfig + + + 		+ (Optional) +

Gateway contains parameters for the gateway-api Gateway that Contour + is configured to serve traffic.

+
+ httpproxy +
+ + + HTTPProxyConfig + + + 		+ (Optional) +

HTTPProxy defines parameters on HTTPProxy.

+
+ enableExternalNameService +
+ + bool + + 		+ (Optional) +

EnableExternalNameService allows processing of ExternalNameServices

+

Contour’s default is false for security reasons.

+
+ globalExtAuth +
+ + + AuthorizationServer + + + 		+ (Optional) +

GlobalExternalAuthorization allows envoys external authorization filter + to be enabled for all virtual hosts.

+
+ rateLimitService +
+ + + RateLimitServiceConfig + + + 		+ (Optional) +

RateLimitService optionally holds properties of the Rate Limit Service + to be used for global rate limiting.

+
+ policy +
+ + + PolicyConfig + + + 		+ (Optional) +

Policy specifies default policy applied if not overridden by the user

+
+ metrics +
+ + + MetricsConfig + + + 		+ (Optional) +

Metrics defines the endpoint Contour uses to serve metrics.

+

Contour’s default is { address: “0.0.0.0”, port: 8000 }.

+
+ tracing +
+ + + TracingConfig + + + 		+

Tracing defines properties for exporting trace data to OpenTelemetry.

+
+ featureFlags +
+ + + FeatureFlags + + + 		+

FeatureFlags defines toggle to enable new contour features. + Available toggles are: + useEndpointSlices - configures contour to fetch endpoint data + from k8s endpoint slices. defaults to false and reading endpoint + data from the k8s endpoints.

+

ContourConfigurationStatus

-(Appears on: -ContourConfiguration) + (Appears on: + ContourConfiguration)

ContourConfigurationStatus defines the observed state of a ContourConfiguration resource.

- - - - - - - - - - - - + + + + + + + + + + + +
FieldDescription
-conditions -
- - -[]DetailedCondition - - -		 -(Optional) -

Conditions contains the current status of the Contour resource.

-

Contour will update a single condition, Valid, that is in normal-true polarity.

-

Contour will not modify any other Conditions set in this block, -in case some other controller wants to add a Condition.

-
FieldDescription
+ conditions +
+ + + []DetailedCondition + + + 		+ (Optional) +

Conditions contains the current status of the Contour resource.

+

Contour will update a single condition, Valid, that is in normal-true polarity.

+

Contour will not modify any other Conditions set in this block, + in case some other controller wants to add a Condition.

+

ContourDeploymentSpec

-(Appears on: -ContourDeployment) + (Appears on: + ContourDeployment)

ContourDeploymentSpec specifies options for how a Contour -instance should be provisioned.

+ instance should be provisioned.

- - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-contour -
- - -ContourSettings - - -		 -(Optional) -

Contour specifies deployment-time settings for the Contour -part of the installation, i.e. the xDS server/control plane -and associated resources, including things like replica count -for the Deployment, and node placement constraints for the pods.

-
-envoy -
- - -EnvoySettings - - -		 -(Optional) -

Envoy specifies deployment-time settings for the Envoy -part of the installation, i.e. the xDS client/data plane -and associated resources, including things like the workload -type to use (DaemonSet or Deployment), node placement constraints -for the pods, and various options for the Envoy service.

-
-runtimeSettings -
- - -ContourConfigurationSpec - - -		 -(Optional) -

RuntimeSettings is a ContourConfiguration spec to be used when -provisioning a Contour instance that will influence aspects of -the Contour instance’s runtime behavior.

-
-resourceLabels -
- -map[string]string - -		 -(Optional) -

ResourceLabels is a set of labels to add to the provisioned Contour resources.

-

Deprecated: use Gateway.Spec.Infrastructure.Labels instead. This field will be -removed in a future release.

-
FieldDescription
+ contour +
+ + + ContourSettings + + + 		+ (Optional) +

Contour specifies deployment-time settings for the Contour + part of the installation, i.e. the xDS server/control plane + and associated resources, including things like replica count + for the Deployment, and node placement constraints for the pods.

+
+ envoy +
+ + + EnvoySettings + + + 		+ (Optional) +

Envoy specifies deployment-time settings for the Envoy + part of the installation, i.e. the xDS client/data plane + and associated resources, including things like the workload + type to use (DaemonSet or Deployment), node placement constraints + for the pods, and various options for the Envoy service.

+
+ runtimeSettings +
+ + + ContourConfigurationSpec + + + 		+ (Optional) +

RuntimeSettings is a ContourConfiguration spec to be used when + provisioning a Contour instance that will influence aspects of + the Contour instance’s runtime behavior.

+
+ resourceLabels +
+ + map[string]string + + 		+ (Optional) +

ResourceLabels is a set of labels to add to the provisioned Contour resources.

+

Deprecated: use Gateway.Spec.Infrastructure.Labels instead. This field will be + removed in a future release.

+

ContourDeploymentStatus

-(Appears on: -ContourDeployment) + (Appears on: + ContourDeployment)

ContourDeploymentStatus defines the observed state of a ContourDeployment resource.

- - - - - - - - - - - - + + + + + + + + + + + +
FieldDescription
-conditions -
- - -[]Kubernetes meta/v1.Condition - - -		 -(Optional) -

Conditions describe the current conditions of the ContourDeployment resource.

-
FieldDescription
+ conditions +
+ + + []Kubernetes meta/v1.Condition + + + 		+ (Optional) +

Conditions describe the current conditions of the ContourDeployment resource.

+

ContourSettings

-(Appears on: -ContourDeploymentSpec) + (Appears on: + ContourDeploymentSpec)

ContourSettings contains settings for the Contour part of the installation, -i.e. the xDS server/control plane and associated resources.

+ i.e. the xDS server/control plane and associated resources.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-replicas -
- -int32 - -		 -(Optional) -

Deprecated: Use DeploymentSettings.Replicas instead.

-

Replicas is the desired number of Contour replicas. If if unset, -defaults to 2.

-

if both DeploymentSettings.Replicas and this one is set, use DeploymentSettings.Replicas.

-
-nodePlacement -
- - -NodePlacement - - -		 -(Optional) -

NodePlacement describes node scheduling configuration of Contour pods.

-
-kubernetesLogLevel -
- -byte - -		 -(Optional) -

KubernetesLogLevel Enable Kubernetes client debug logging with log level. If unset, -defaults to 0.

-
-logLevel -
- - -LogLevel - - -		 -(Optional) -

LogLevel sets the log level for Contour -Allowed values are “info”, “debug”.

-
-resources -
- - -Kubernetes core/v1.ResourceRequirements - - -		 -(Optional) -

Compute Resources required by contour container. -Cannot be updated. -More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

-
-deployment -
- - -DeploymentSettings - - -		 -(Optional) -

Deployment describes the settings for running contour as a Deployment.

-
-podAnnotations -
- -map[string]string - -		 -(Optional) -

PodAnnotations defines annotations to add to the Contour pods. -the annotations for Prometheus will be appended or overwritten with predefined value.

-
-watchNamespaces -
- - -[]Namespace - - -		 -(Optional) -

WatchNamespaces is an array of namespaces. Setting it will instruct the contour instance -to only watch this subset of namespaces.

-
-disabledFeatures -
- - -[]Feature - - -		 -(Optional) -

DisabledFeatures defines an array of resources that will be ignored by -contour reconciler.

-
FieldDescription
+ replicas +
+ + int32 + + 		+ (Optional) +

Deprecated: Use DeploymentSettings.Replicas instead.

+

Replicas is the desired number of Contour replicas. If if unset, + defaults to 2.

+

if both DeploymentSettings.Replicas and this one is set, use + DeploymentSettings.Replicas. +

+
+ nodePlacement +
+ + + NodePlacement + + + 		+ (Optional) +

NodePlacement describes node scheduling configuration of Contour pods.

+
+ kubernetesLogLevel +
+ + byte + + 		+ (Optional) +

KubernetesLogLevel Enable Kubernetes client debug logging with log level. If unset, + defaults to 0.

+
+ logLevel +
+ + + LogLevel + + + 		+ (Optional) +

LogLevel sets the log level for Contour + Allowed values are “info”, “debug”.

+
+ resources +
+ + + Kubernetes core/v1.ResourceRequirements + + + 		+ (Optional) +

Compute Resources required by contour container. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +

+
+ deployment +
+ + + DeploymentSettings + + + 		+ (Optional) +

Deployment describes the settings for running contour as a Deployment.

+
+ podAnnotations +
+ + map[string]string + + 		+ (Optional) +

PodAnnotations defines annotations to add to the Contour pods. + the annotations for Prometheus will be appended or overwritten with predefined value.

+
+ watchNamespaces +
+ + + []Namespace + + + 		+ (Optional) +

WatchNamespaces is an array of namespaces. Setting it will instruct the contour instance + to only watch this subset of namespaces.

+
+ disabledFeatures +
+ + + []Feature + + + 		+ (Optional) +

DisabledFeatures defines an array of resources that will be ignored by + contour reconciler.

+

CustomTag

CustomTag defines custom tags with unique tag name -to create tags for the active span.

+ to create tags for the active span.

- - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + +
FieldDescription
-tagName -
- -string - -		 -

TagName is the unique name of the custom tag.

-
-literal -
- -string - -		 -(Optional) -

Literal is a static custom tag value. -Precisely one of Literal, RequestHeaderName must be set.

-
-requestHeaderName -
- -string - -		 -(Optional) -

RequestHeaderName indicates which request header -the label value is obtained from. -Precisely one of Literal, RequestHeaderName must be set.

-
FieldDescription
+ tagName +
+ + string + + 		+

TagName is the unique name of the custom tag.

+
+ literal +
+ + string + + 		+ (Optional) +

Literal is a static custom tag value. + Precisely one of Literal, RequestHeaderName must be set.

+
+ requestHeaderName +
+ + string + + 		+ (Optional) +

RequestHeaderName indicates which request header + the label value is obtained from. + Precisely one of Literal, RequestHeaderName must be set.

+

DaemonSetSettings

-(Appears on: -EnvoySettings) + (Appears on: + EnvoySettings)

DaemonSetSettings contains settings for DaemonSet resources.

- - - - - - - - - - - - + + + + + + + + + + + +
FieldDescription
-updateStrategy -
- - -Kubernetes apps/v1.DaemonSetUpdateStrategy - - -		 -(Optional) -

Strategy describes the deployment strategy to use to replace existing DaemonSet pods with new pods.

-
FieldDescription
+ updateStrategy +
+ + + Kubernetes apps/v1.DaemonSetUpdateStrategy + + + 		+ (Optional) +

Strategy describes the deployment strategy to use to replace existing DaemonSet pods with new pods. +

+

DebugConfig

-(Appears on: -ContourConfigurationSpec) + (Appears on: + ContourConfigurationSpec)

DebugConfig contains Contour specific troubleshooting options.

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-address -
- -string - -		 -(Optional) -

Defines the Contour debug address interface.

-

Contour’s default is “127.0.0.1”.

-
-port -
- -int - -		 -(Optional) -

Defines the Contour debug address port.

-

Contour’s default is 6060.

-
FieldDescription
+ address +
+ + string + + 		+ (Optional) +

Defines the Contour debug address interface.

+

Contour’s default is “127.0.0.1”.

+
+ port +
+ + int + + 		+ (Optional) +

Defines the Contour debug address port.

+

Contour’s default is 6060.

+

DeploymentSettings

-(Appears on: -ContourSettings, -EnvoySettings) + (Appears on: + ContourSettings, + EnvoySettings)

DeploymentSettings contains settings for Deployment resources.

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-replicas -
- -int32 - -		 -

Replicas is the desired number of replicas.

-
-strategy -
- - -Kubernetes apps/v1.DeploymentStrategy - - -		 -(Optional) -

Strategy describes the deployment strategy to use to replace existing pods with new pods.

-
FieldDescription
+ replicas +
+ + int32 + + 		+

Replicas is the desired number of replicas.

+
+ strategy +
+ + + Kubernetes apps/v1.DeploymentStrategy + + + 		+ (Optional) +

Strategy describes the deployment strategy to use to replace existing pods with new pods.

+

EnvoyConfig

-(Appears on: -ContourConfigurationSpec) + (Appears on: + ContourConfigurationSpec)

EnvoyConfig defines how Envoy is to be Configured from Contour.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-listener -
- - -EnvoyListenerConfig - - -		 -(Optional) -

Listener hold various configurable Envoy listener values.

-
-service -
- - -NamespacedName - - -		 -(Optional) -

Service holds Envoy service parameters for setting Ingress status.

-

Contour’s default is { namespace: “projectcontour”, name: “envoy” }.

-
-http -
- - -EnvoyListener - - -		 -(Optional) -

Defines the HTTP Listener for Envoy.

-

Contour’s default is { address: “0.0.0.0”, port: 8080, accessLog: “/dev/stdout” }.

-
-https -
- - -EnvoyListener - - -		 -(Optional) -

Defines the HTTPS Listener for Envoy.

-

Contour’s default is { address: “0.0.0.0”, port: 8443, accessLog: “/dev/stdout” }.

-
-health -
- - -HealthConfig - - -		 -(Optional) -

Health defines the endpoint Envoy uses to serve health checks.

-

Contour’s default is { address: “0.0.0.0”, port: 8002 }.

-
-metrics -
- - -MetricsConfig - - -		 -(Optional) -

Metrics defines the endpoint Envoy uses to serve metrics.

-

Contour’s default is { address: “0.0.0.0”, port: 8002 }.

-
-clientCertificate -
- - -NamespacedName - - -		 -(Optional) -

ClientCertificate defines the namespace/name of the Kubernetes -secret containing the client certificate and private key -to be used when establishing TLS connection to upstream -cluster.

-
-logging -
- - -EnvoyLogging - - -		 -(Optional) -

Logging defines how Envoy’s logs can be configured.

-
-defaultHTTPVersions -
- - -[]HTTPVersionType - - -		 -(Optional) -

DefaultHTTPVersions defines the default set of HTTPS -versions the proxy should accept. HTTP versions are -strings of the form “HTTP/xx”. Supported versions are -“HTTP/1.1” and “HTTP/2”.

-

Values: HTTP/1.1, HTTP/2 (default: both).

-

Other values will produce an error.

-
-timeouts -
- - -TimeoutParameters - - -		 -(Optional) -

Timeouts holds various configurable timeouts that can -be set in the config file.

-
-cluster -
- - -ClusterParameters - - -		 -(Optional) -

Cluster holds various configurable Envoy cluster values that can -be set in the config file.

-
-network -
- - -NetworkParameters - - -		 -(Optional) -

Network holds various configurable Envoy network values.

-
FieldDescription
+ listener +
+ + + EnvoyListenerConfig + + + 		+ (Optional) +

Listener hold various configurable Envoy listener values.

+
+ service +
+ + + NamespacedName + + + 		+ (Optional) +

Service holds Envoy service parameters for setting Ingress status.

+

Contour’s default is { namespace: “projectcontour”, name: “envoy” }. +

+
+ http +
+ + + EnvoyListener + + + 		+ (Optional) +

Defines the HTTP Listener for Envoy.

+

Contour’s default is { address: “0.0.0.0”, port: 8080, accessLog: + “/dev/stdout” }.

+
+ https +
+ + + EnvoyListener + + + 		+ (Optional) +

Defines the HTTPS Listener for Envoy.

+

Contour’s default is { address: “0.0.0.0”, port: 8443, accessLog: + “/dev/stdout” }.

+
+ health +
+ + + HealthConfig + + + 		+ (Optional) +

Health defines the endpoint Envoy uses to serve health checks.

+

Contour’s default is { address: “0.0.0.0”, port: 8002 }.

+
+ metrics +
+ + + MetricsConfig + + + 		+ (Optional) +

Metrics defines the endpoint Envoy uses to serve metrics.

+

Contour’s default is { address: “0.0.0.0”, port: 8002 }.

+
+ clientCertificate +
+ + + NamespacedName + + + 		+ (Optional) +

ClientCertificate defines the namespace/name of the Kubernetes + secret containing the client certificate and private key + to be used when establishing TLS connection to upstream + cluster.

+
+ logging +
+ + + EnvoyLogging + + + 		+ (Optional) +

Logging defines how Envoy’s logs can be configured.

+
+ defaultHTTPVersions +
+ + + []HTTPVersionType + + + 		+ (Optional) +

DefaultHTTPVersions defines the default set of HTTPS + versions the proxy should accept. HTTP versions are + strings of the form “HTTP/xx”. Supported versions are + “HTTP/1.1” and “HTTP/2”.

+

Values: HTTP/1.1, HTTP/2 (default: both).

+

Other values will produce an error.

+
+ timeouts +
+ + + TimeoutParameters + + + 		+ (Optional) +

Timeouts holds various configurable timeouts that can + be set in the config file.

+
+ cluster +
+ + + ClusterParameters + + + 		+ (Optional) +

Cluster holds various configurable Envoy cluster values that can + be set in the config file.

+
+ network +
+ + + NetworkParameters + + + 		+ (Optional) +

Network holds various configurable Envoy network values.

+

EnvoyListener

-(Appears on: -EnvoyConfig) + (Appears on: + EnvoyConfig)

EnvoyListener defines parameters for an Envoy Listener.

- - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + +
FieldDescription
-address -
- -string - -		 -(Optional) -

Defines an Envoy Listener Address.

-
-port -
- -int - -		 -(Optional) -

Defines an Envoy listener Port.

-
-accessLog -
- -string - -		 -(Optional) -

AccessLog defines where Envoy logs are outputted for this listener.

-
FieldDescription
+ address +
+ + string + + 		+ (Optional) +

Defines an Envoy Listener Address.

+
+ port +
+ + int + + 		+ (Optional) +

Defines an Envoy listener Port.

+
+ accessLog +
+ + string + + 		+ (Optional) +

AccessLog defines where Envoy logs are outputted for this listener.

+

EnvoyListenerConfig

-(Appears on: -EnvoyConfig) + (Appears on: + EnvoyConfig)

EnvoyListenerConfig hold various configurable Envoy listener values.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-useProxyProtocol -
- -bool - -		 -(Optional) -

Use PROXY protocol for all listeners.

-

Contour’s default is false.

-
-disableAllowChunkedLength -
- -bool - -		 -(Optional) -

DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to -strip the “Content-Length” header if “Transfer-Encoding: chunked” is -also set. This is an emergency off-switch to revert back to Envoy’s -default behavior in case of failures. Please file an issue if failures -are encountered. -See: https://github.com/projectcontour/contour/issues/3221

-

Contour’s default is false.

-
-disableMergeSlashes -
- -bool - -		 -(Optional) -

DisableMergeSlashes disables Envoy’s non-standard merge_slashes path transformation option -which strips duplicate slashes from request URL paths.

-

Contour’s default is false.

-
-serverHeaderTransformation -
- - -ServerHeaderTransformationType - - -		 -(Optional) -

Defines the action to be applied to the Server header on the response path. -When configured as overwrite, overwrites any Server header with “envoy”. -When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to “envoy”. -When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present.

-

Values: overwrite (default), append_if_absent, pass_through

-

Other values will produce an error. -Contour’s default is overwrite.

-
-connectionBalancer -
- -string - -		 -(Optional) -

ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer -See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig -for more information.

-

Values: (empty string): use the default ConnectionBalancer, exact: use the Exact ConnectionBalancer.

-

Other values will produce an error.

-
-maxRequestsPerConnection -
- -uint32 - -		 -(Optional) -

Defines the maximum requests for downstream connections. If not specified, there is no limit. -see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions -for more information.

-
-per-connection-buffer-limit-bytes -
- -uint32 - -		 -(Optional) -

Defines the soft limit on size of the listener’s new connection read and write buffers in bytes. -If unspecified, an implementation defined default is applied (1MiB). -see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes -for more information.

-
-tls -
- - -EnvoyTLS - - -		 -(Optional) -

TLS holds various configurable Envoy TLS listener values.

-
-socketOptions -
- - -SocketOptions - - -		 -(Optional) -

SocketOptions defines configurable socket options for the listeners. -Single set of options are applied to all listeners.

-
-maxRequestsPerIOCycle -
- -uint32 - -		 -(Optional) -

Defines the limit on number of HTTP requests that Envoy will process from a single -connection in a single I/O cycle. Requests over this limit are processed in subsequent -I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is -detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default -value when this is not set is no limit.

-
-httpMaxConcurrentStreams -
- -uint32 - -		 -(Optional) -

Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the -SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed -for a peer on a single HTTP/2 connection. It is recommended to not set this lower -than 100 but this field can be used to bound resource usage by HTTP/2 connections -and mitigate attacks like CVE-2023-44487. The default value when this is not set is -unlimited.

-
-maxConnectionsPerListener -
- -uint32 - -		 -(Optional) -

Defines the limit on number of active connections to a listener. The limit is applied -per listener. The default value when this is not set is unlimited.

-
FieldDescription
+ useProxyProtocol +
+ + bool + + 		+ (Optional) +

Use PROXY protocol for all listeners.

+

Contour’s default is false.

+
+ disableAllowChunkedLength +
+ + bool + + 		+ (Optional) +

DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to + strip the “Content-Length” header if “Transfer-Encoding: chunked” is + also set. This is an emergency off-switch to revert back to Envoy’s + default behavior in case of failures. Please file an issue if failures + are encountered. + See: https://github.com/projectcontour/contour/issues/3221 +

+

Contour’s default is false.

+
+ disableMergeSlashes +
+ + bool + + 		+ (Optional) +

DisableMergeSlashes disables Envoy’s non-standard merge_slashes path transformation option + which strips duplicate slashes from request URL paths.

+

Contour’s default is false.

+
+ serverHeaderTransformation +
+ + + ServerHeaderTransformationType + + + 		+ (Optional) +

Defines the action to be applied to the Server header on the response path. + When configured as overwrite, overwrites any Server header with “envoy”. + When configured as append_if_absent, if a Server header is present, pass it through, otherwise set + it to “envoy”. + When configured as pass_through, pass through the value of the Server header, and do not append a + header if none is present.

+

Values: overwrite (default), append_if_absent, pass_through +

+

Other values will produce an error. + Contour’s default is overwrite.

+
+ connectionBalancer +
+ + string + + 		+ (Optional) +

ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer + See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig + for more information.

+

Values: (empty string): use the default ConnectionBalancer, exact: use the Exact + ConnectionBalancer.

+

Other values will produce an error.

+
+ maxRequestsPerConnection +
+ + uint32 + + 		+ (Optional) +

Defines the maximum requests for downstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + for more information.

+
+ per-connection-buffer-limit-bytes +
+ + uint32 + + 		+ (Optional) +

Defines the soft limit on size of the listener’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes + for more information.

+
+ tls +
+ + + EnvoyTLS + + + 		+ (Optional) +

TLS holds various configurable Envoy TLS listener values.

+
+ socketOptions +
+ + + SocketOptions + + + 		+ (Optional) +

SocketOptions defines configurable socket options for the listeners. + Single set of options are applied to all listeners.

+
+ maxRequestsPerIOCycle +
+ + uint32 + + 		+ (Optional) +

Defines the limit on number of HTTP requests that Envoy will process from a single + connection in a single I/O cycle. Requests over this limit are processed in subsequent + I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is + detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default + value when this is not set is no limit.

+
+ httpMaxConcurrentStreams +
+ + uint32 + + 		+ (Optional) +

Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the + SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed + for a peer on a single HTTP/2 connection. It is recommended to not set this lower + than 100 but this field can be used to bound resource usage by HTTP/2 connections + and mitigate attacks like CVE-2023-44487. The default value when this is not set is + unlimited.

+
+ maxConnectionsPerListener +
+ + uint32 + + 		+ (Optional) +

Defines the limit on number of active connections to a listener. The limit is applied + per listener. The default value when this is not set is unlimited.

+

EnvoyLogging

-(Appears on: -EnvoyConfig) + (Appears on: + EnvoyConfig)

EnvoyLogging defines how Envoy’s logs can be configured.

- - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-accessLogFormat -
- - -AccessLogType - - -		 -(Optional) -

AccessLogFormat sets the global access log format.

-

Values: envoy (default), json.

-

Other values will produce an error.

-
-accessLogFormatString -
- -string - -		 -(Optional) -

AccessLogFormatString sets the access log format when format is set to envoy. -When empty, Envoy’s default format is used.

-
-accessLogJSONFields -
- - -AccessLogJSONFields - - -		 -(Optional) -

AccessLogJSONFields sets the fields that JSON logging will -output when AccessLogFormat is json.

-
-accessLogLevel -
- - -AccessLogLevel - - -		 -(Optional) -

AccessLogLevel sets the verbosity level of the access log.

-

Values: info (default, all requests are logged), error (all non-success requests, i.e. 300+ response code, are logged), critical (all 5xx requests are logged) and disabled.

-

Other values will produce an error.

-
FieldDescription
+ accessLogFormat +
+ + + AccessLogType + + + 		+ (Optional) +

AccessLogFormat sets the global access log format.

+

Values: envoy (default), json.

+

Other values will produce an error.

+
+ accessLogFormatString +
+ + string + + 		+ (Optional) +

AccessLogFormatString sets the access log format when format is set to envoy. + When empty, Envoy’s default format is used.

+
+ accessLogJSONFields +
+ + + AccessLogJSONFields + + + 		+ (Optional) +

AccessLogJSONFields sets the fields that JSON logging will + output when AccessLogFormat is json.

+
+ accessLogLevel +
+ + + AccessLogLevel + + + 		+ (Optional) +

AccessLogLevel sets the verbosity level of the access log.

+

Values: info (default, all requests are logged), error (all non-success + requests, i.e. 300+ response code, are logged), critical (all 5xx requests are logged) + and disabled.

+

Other values will produce an error.

+

EnvoySettings

-(Appears on: -ContourDeploymentSpec) + (Appears on: + ContourDeploymentSpec)

EnvoySettings contains settings for the Envoy part of the installation, -i.e. the xDS client/data plane and associated resources.

+ i.e. the xDS client/data plane and associated resources.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-workloadType -
- - -WorkloadType - - -		 -(Optional) -

WorkloadType is the type of workload to install Envoy -as. Choices are DaemonSet and Deployment. If unset, defaults -to DaemonSet.

-
-replicas -
- -int32 - -		 -(Optional) -

Deprecated: Use DeploymentSettings.Replicas instead.

-

Replicas is the desired number of Envoy replicas. If WorkloadType -is not “Deployment”, this field is ignored. Otherwise, if unset, -defaults to 2.

-

if both DeploymentSettings.Replicas and this one is set, use DeploymentSettings.Replicas.

-
-networkPublishing -
- - -NetworkPublishing - - -		 -

NetworkPublishing defines how to expose Envoy to a network.

-
-nodePlacement -
- - -NodePlacement - - -		 -(Optional) -

NodePlacement describes node scheduling configuration of Envoy pods.

-
-extraVolumes -
- - -[]Kubernetes core/v1.Volume - - -		 -(Optional) -

ExtraVolumes holds the extra volumes to add.

-
-extraVolumeMounts -
- - -[]Kubernetes core/v1.VolumeMount - - -		 -(Optional) -

ExtraVolumeMounts holds the extra volume mounts to add (normally used with extraVolumes).

-
-podAnnotations -
- -map[string]string - -		 -(Optional) -

PodAnnotations defines annotations to add to the Envoy pods. -the annotations for Prometheus will be appended or overwritten with predefined value.

-
-resources -
- - -Kubernetes core/v1.ResourceRequirements - - -		 -(Optional) -

Compute Resources required by envoy container. -Cannot be updated. -More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

-
-logLevel -
- - -LogLevel - - -		 -(Optional) -

LogLevel sets the log level for Envoy. -Allowed values are “trace”, “debug”, “info”, “warn”, “error”, “critical”, “off”.

-
-daemonSet -
- - -DaemonSetSettings - - -		 -(Optional) -

DaemonSet describes the settings for running envoy as a DaemonSet. -if WorkloadType is Deployment,it’s must be nil

-
-deployment -
- - -DeploymentSettings - - -		 -(Optional) -

Deployment describes the settings for running envoy as a Deployment. -if WorkloadType is DaemonSet,it’s must be nil

-
-baseID -
- -int32 - -		 -(Optional) -

The base ID to use when allocating shared memory regions. -if Envoy needs to be run multiple times on the same machine, each running Envoy will need a unique base ID -so that the shared memory regions do not conflict. -defaults to 0.

-
-overloadMaxHeapSize -
- -uint64 - -		 -(Optional) -

OverloadMaxHeapSize defines the maximum heap memory of the envoy controlled by the overload manager. -When the value is greater than 0, the overload manager is enabled, -and when envoy reaches 95% of the maximum heap size, it performs a shrink heap operation, -When it reaches 98% of the maximum heap size, Envoy Will stop accepting requests. -More info: https://projectcontour.io/docs/main/config/overload-manager/

-
FieldDescription
+ workloadType +
+ + + WorkloadType + + + 		+ (Optional) +

WorkloadType is the type of workload to install Envoy + as. Choices are DaemonSet and Deployment. If unset, defaults + to DaemonSet.

+
+ replicas +
+ + int32 + + 		+ (Optional) +

Deprecated: Use DeploymentSettings.Replicas instead.

+

Replicas is the desired number of Envoy replicas. If WorkloadType + is not “Deployment”, this field is ignored. Otherwise, if unset, + defaults to 2.

+

if both DeploymentSettings.Replicas and this one is set, use + DeploymentSettings.Replicas. +

+
+ networkPublishing +
+ + + NetworkPublishing + + + 		+

NetworkPublishing defines how to expose Envoy to a network.

+
+ nodePlacement +
+ + + NodePlacement + + + 		+ (Optional) +

NodePlacement describes node scheduling configuration of Envoy pods.

+
+ extraVolumes +
+ + + []Kubernetes core/v1.Volume + + + 		+ (Optional) +

ExtraVolumes holds the extra volumes to add.

+
+ extraVolumeMounts +
+ + + []Kubernetes core/v1.VolumeMount + + + 		+ (Optional) +

ExtraVolumeMounts holds the extra volume mounts to add (normally used with extraVolumes).

+
+ podAnnotations +
+ + map[string]string + + 		+ (Optional) +

PodAnnotations defines annotations to add to the Envoy pods. + the annotations for Prometheus will be appended or overwritten with predefined value.

+
+ resources +
+ + + Kubernetes core/v1.ResourceRequirements + + + 		+ (Optional) +

Compute Resources required by envoy container. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +

+
+ logLevel +
+ + + LogLevel + + + 		+ (Optional) +

LogLevel sets the log level for Envoy. + Allowed values are “trace”, “debug”, “info”, “warn”, + “error”, “critical”, “off”.

+
+ daemonSet +
+ + + DaemonSetSettings + + + 		+ (Optional) +

DaemonSet describes the settings for running envoy as a DaemonSet. + if WorkloadType is Deployment,it’s must be nil

+
+ deployment +
+ + + DeploymentSettings + + + 		+ (Optional) +

Deployment describes the settings for running envoy as a Deployment. + if WorkloadType is DaemonSet,it’s must be nil

+
+ baseID +
+ + int32 + + 		+ (Optional) +

The base ID to use when allocating shared memory regions. + if Envoy needs to be run multiple times on the same machine, each running Envoy will need a unique + base ID + so that the shared memory regions do not conflict. + defaults to 0.

+
+ overloadMaxHeapSize +
+ + uint64 + + 		+ (Optional) +

OverloadMaxHeapSize defines the maximum heap memory of the envoy controlled by the overload manager. + When the value is greater than 0, the overload manager is enabled, + and when envoy reaches 95% of the maximum heap size, it performs a shrink heap operation, + When it reaches 98% of the maximum heap size, Envoy Will stop accepting requests. + More info: https://projectcontour.io/docs/main/config/overload-manager/ +

+

EnvoyTLS

-(Appears on: -ClusterParameters, -EnvoyListenerConfig) + (Appears on: + ClusterParameters, + EnvoyListenerConfig)

EnvoyTLS describes tls parameters for Envoy listneners.

- - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + +
FieldDescription
-minimumProtocolVersion -
- -string - -		 -(Optional) -

MinimumProtocolVersion is the minimum TLS version this vhost should -negotiate.

-

Values: 1.2 (default), 1.3.

-

Other values will produce an error.

-
-maximumProtocolVersion -
- -string - -		 -(Optional) -

MaximumProtocolVersion is the maximum TLS version this vhost should -negotiate.

-

Values: 1.2, 1.3(default).

-

Other values will produce an error.

-
-cipherSuites -
- -[]string - -		 -(Optional) -

CipherSuites defines the TLS ciphers to be supported by Envoy TLS -listeners when negotiating TLS 1.2. Ciphers are validated against the -set that Envoy supports by default. This parameter should only be used -by advanced users. Note that these will be ignored when TLS 1.3 is in -use.

-

This field is optional; when it is undefined, a Contour-managed ciphersuite list -will be used, which may be updated to keep it secure.

-

Contour’s default list is: -- “[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]” -- “[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]” -- “ECDHE-ECDSA-AES256-GCM-SHA384” -- “ECDHE-RSA-AES256-GCM-SHA384”

-

Ciphers provided are validated against the following list: -- “[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]” -- “[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]” -- “ECDHE-ECDSA-AES128-GCM-SHA256” -- “ECDHE-RSA-AES128-GCM-SHA256” -- “ECDHE-ECDSA-AES128-SHA” -- “ECDHE-RSA-AES128-SHA” -- “AES128-GCM-SHA256” -- “AES128-SHA” -- “ECDHE-ECDSA-AES256-GCM-SHA384” -- “ECDHE-RSA-AES256-GCM-SHA384” -- “ECDHE-ECDSA-AES256-SHA” -- “ECDHE-RSA-AES256-SHA” -- “AES256-GCM-SHA384” -- “AES256-SHA”

-

Contour recommends leaving this undefined unless you are sure you must.

-

See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters -Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS.

-
FieldDescription
+ minimumProtocolVersion +
+ + string + + 		+ (Optional) +

MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate.

+

Values: 1.2 (default), 1.3.

+

Other values will produce an error.

+
+ maximumProtocolVersion +
+ + string + + 		+ (Optional) +

MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate.

+

Values: 1.2, 1.3(default).

+

Other values will produce an error.

+
+ cipherSuites +
+ + []string + + 		+ (Optional) +

CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use.

+

This field is optional; when it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure.

+

Contour’s default list is: + - “[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]” + - “[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]” + - “ECDHE-ECDSA-AES256-GCM-SHA384” + - “ECDHE-RSA-AES256-GCM-SHA384”

+

Ciphers provided are validated against the following list: + - “[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]” + - “[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]” + - “ECDHE-ECDSA-AES128-GCM-SHA256” + - “ECDHE-RSA-AES128-GCM-SHA256” + - “ECDHE-ECDSA-AES128-SHA” + - “ECDHE-RSA-AES128-SHA” + - “AES128-GCM-SHA256” + - “AES128-SHA” + - “ECDHE-ECDSA-AES256-GCM-SHA384” + - “ECDHE-RSA-AES256-GCM-SHA384” + - “ECDHE-ECDSA-AES256-SHA” + - “ECDHE-RSA-AES256-SHA” + - “AES256-GCM-SHA384” + - “AES256-SHA”

+

Contour recommends leaving this undefined unless you are sure you must.

+

See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL + FIPS.

+

ExtensionProtocolVersion -(string alias)

+ (string alias)

+

-(Appears on: -ExtensionServiceSpec) + (Appears on: + ExtensionServiceSpec)

ExtensionProtocolVersion is the version of the GRPC protocol used -to access extension services. The only version currently supported -is “v3”.

+ to access extension services. The only version currently supported + is “v3”.

- - - - - - - - - - - + + + + + + + + + + + + + + + +
ValueDescription

"v2"

SupportProtocolVersion2 requests the “v2” support protocol version.

-

Deprecated: this protocol version is no longer supported and the -constant is retained for backwards compatibility only.

-

"v3"

SupportProtocolVersion3 requests the “v3” support protocol version.

-
ValueDescription
+

"v2"

+ 		+

SupportProtocolVersion2 requests the “v2” support protocol version.

+

Deprecated: this protocol version is no longer supported and the + constant is retained for backwards compatibility only.

+
+

"v3"

+ 		+

SupportProtocolVersion3 requests the “v3” support protocol version.

+

ExtensionServiceSpec

-(Appears on: -ExtensionService) + (Appears on: + ExtensionService)

ExtensionServiceSpec defines the desired state of an ExtensionService resource.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-services -
- - -[]ExtensionServiceTarget - - -		 -

Services specifies the set of Kubernetes Service resources that -receive GRPC extension API requests. -If no weights are specified for any of the entries in -this array, traffic will be spread evenly across all the -services. -Otherwise, traffic is balanced proportionally to the -Weight field in each entry.

-
-validation -
- - -UpstreamValidation - - -		 -(Optional) -

UpstreamValidation defines how to verify the backend service’s certificate

-
-protocol -
- -string - -		 -(Optional) -

Protocol may be used to specify (or override) the protocol used to reach this Service. -Values may be h2 or h2c. If omitted, protocol-selection falls back on Service annotations.

-
-loadBalancerPolicy -
- - -LoadBalancerPolicy - - -		 -(Optional) -

The policy for load balancing GRPC service requests. Note that the -Cookie and RequestHash load balancing strategies cannot be used -here.

-
-timeoutPolicy -
- - -TimeoutPolicy - - -		 -(Optional) -

The timeout policy for requests to the services.

-
-protocolVersion -
- - -ExtensionProtocolVersion - - -		 -(Optional) -

This field sets the version of the GRPC protocol that Envoy uses to -send requests to the extension service. Since Contour always uses the -v3 Envoy API, this is currently fixed at “v3”. However, other -protocol options will be available in future.

-
FieldDescription
+ services +
+ + + []ExtensionServiceTarget + + + 		+

Services specifies the set of Kubernetes Service resources that + receive GRPC extension API requests. + If no weights are specified for any of the entries in + this array, traffic will be spread evenly across all the + services. + Otherwise, traffic is balanced proportionally to the + Weight field in each entry.

+
+ validation +
+ + + UpstreamValidation + + + 		+ (Optional) +

UpstreamValidation defines how to verify the backend service’s certificate

+
+ protocol +
+ + string + + 		+ (Optional) +

Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be h2 or h2c. If omitted, protocol-selection falls back on Service annotations.

+
+ loadBalancerPolicy +
+ + + LoadBalancerPolicy + + + 		+ (Optional) +

The policy for load balancing GRPC service requests. Note that the + Cookie and RequestHash load balancing strategies cannot be used + here. +

+
+ timeoutPolicy +
+ + + TimeoutPolicy + + + 		+ (Optional) +

The timeout policy for requests to the services.

+
+ protocolVersion +
+ + + ExtensionProtocolVersion + + + 		+ (Optional) +

This field sets the version of the GRPC protocol that Envoy uses to + send requests to the extension service. Since Contour always uses the + v3 Envoy API, this is currently fixed at “v3”. However, other + protocol options will be available in future.

+

ExtensionServiceStatus

-(Appears on: -ExtensionService) + (Appears on: + ExtensionService)

ExtensionServiceStatus defines the observed state of an -ExtensionService resource.

+ ExtensionService resource.

- - - - - - - - - - - - + + + + + + + + + + + +
FieldDescription
-conditions -
- - -[]DetailedCondition - - -		 -(Optional) -

Conditions contains the current status of the ExtensionService resource.

-

Contour will update a single condition, Valid, that is in normal-true polarity.

-

Contour will not modify any other Conditions set in this block, -in case some other controller wants to add a Condition.

-
FieldDescription
+ conditions +
+ + + []DetailedCondition + + + 		+ (Optional) +

Conditions contains the current status of the ExtensionService resource.

+

Contour will update a single condition, Valid, that is in normal-true polarity.

+

Contour will not modify any other Conditions set in this block, + in case some other controller wants to add a Condition.

+

ExtensionServiceTarget

-(Appears on: -ExtensionServiceSpec) + (Appears on: + ExtensionServiceSpec)

ExtensionServiceTarget defines an Kubernetes Service to target with -extension service traffic.

+ extension service traffic.

- - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + +
FieldDescription
-name -
- -string - -		 -

Name is the name of Kubernetes service that will accept service -traffic.

-
-port -
- -int - -		 -

Port (defined as Integer) to proxy traffic to since a service can have multiple defined.

-
-weight -
- -uint32 - -		 -(Optional) -

Weight defines proportion of traffic to balance to the Kubernetes Service.

-
FieldDescription
+ name +
+ + string + + 		+

Name is the name of Kubernetes service that will accept service + traffic.

+
+ port +
+ + int + + 		+

Port (defined as Integer) to proxy traffic to since a service can have multiple defined.

+
+ weight +
+ + uint32 + + 		+ (Optional) +

Weight defines proportion of traffic to balance to the Kubernetes Service.

+

FeatureFlags -([]string alias)

+ ([]string alias)

+

-(Appears on: -ContourConfigurationSpec) + (Appears on: + ContourConfigurationSpec)

FeatureFlags defines the set of feature flags -to toggle new contour features.

+ to toggle new contour features.

GatewayConfig

-(Appears on: -ContourConfigurationSpec) + (Appears on: + ContourConfigurationSpec)

GatewayConfig holds the config for Gateway API controllers.

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-controllerName -
- -string - -		 -(Optional) -

ControllerName is used to determine whether Contour should reconcile a -GatewayClass. The string takes the form of “projectcontour.io//contour”. -If unset, the gatewayclass controller will not be started. -Exactly one of ControllerName or GatewayRef must be set.

-

Deprecated: users should use GatewayRef, or the Gateway provisioner, -in place of this field. This field will be removed in a future release.

-
-gatewayRef -
- - -NamespacedName - - -		 -(Optional) -

GatewayRef defines a specific Gateway that this Contour -instance corresponds to. If set, Contour will reconcile -only this gateway, and will not reconcile any gateway -classes. -Exactly one of ControllerName or GatewayRef must be set.

-
FieldDescription
+ controllerName +
+ + string + + 		+ (Optional) +

ControllerName is used to determine whether Contour should reconcile a + GatewayClass. The string takes the form of “projectcontour.io//contour”. + If unset, the gatewayclass controller will not be started. + Exactly one of ControllerName or GatewayRef must be set.

+

Deprecated: users should use GatewayRef, or the Gateway provisioner, + in place of this field. This field will be removed in a future release.

+
+ gatewayRef +
+ + + NamespacedName + + + 		+ (Optional) +

GatewayRef defines a specific Gateway that this Contour + instance corresponds to. If set, Contour will reconcile + only this gateway, and will not reconcile any gateway + classes. + Exactly one of ControllerName or GatewayRef must be set.

+

GlobalCircuitBreakerDefaults

-(Appears on: -ClusterParameters) + (Appears on: + ClusterParameters)

- - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-maxConnections -
- -uint32 - -		 -(Optional) -

The maximum number of connections that a single Envoy instance allows to the Kubernetes Service; defaults to 1024.

-
-maxPendingRequests -
- -uint32 - -		 -(Optional) -

The maximum number of pending requests that a single Envoy instance allows to the Kubernetes Service; defaults to 1024.

-
-maxRequests -
- -uint32 - -		 -(Optional) -

The maximum parallel requests a single Envoy instance allows to the Kubernetes Service; defaults to 1024

-
-maxRetries -
- -uint32 - -		 -(Optional) -

The maximum number of parallel retries a single Envoy instance allows to the Kubernetes Service; defaults to 3.

-
FieldDescription
+ maxConnections +
+ + uint32 + + 		+ (Optional) +

The maximum number of connections that a single Envoy instance allows to the Kubernetes Service; + defaults to 1024.

+
+ maxPendingRequests +
+ + uint32 + + 		+ (Optional) +

The maximum number of pending requests that a single Envoy instance allows to the Kubernetes Service; + defaults to 1024.

+
+ maxRequests +
+ + uint32 + + 		+ (Optional) +

The maximum parallel requests a single Envoy instance allows to the Kubernetes Service; defaults to + 1024

+
+ maxRetries +
+ + uint32 + + 		+ (Optional) +

The maximum number of parallel retries a single Envoy instance allows to the Kubernetes Service; + defaults to 3.

+

HTTPProxyConfig

-(Appears on: -ContourConfigurationSpec) + (Appears on: + ContourConfigurationSpec)

HTTPProxyConfig defines parameters on HTTPProxy.

- - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + +
FieldDescription
-disablePermitInsecure -
- -bool - -		 -(Optional) -

DisablePermitInsecure disables the use of the -permitInsecure field in HTTPProxy.

-

Contour’s default is false.

-
-rootNamespaces -
- -[]string - -		 -(Optional) -

Restrict Contour to searching these namespaces for root ingress routes.

-
-fallbackCertificate -
- - -NamespacedName - - -		 -(Optional) -

FallbackCertificate defines the namespace/name of the Kubernetes secret to -use as fallback when a non-SNI request is received.

-
FieldDescription
+ disablePermitInsecure +
+ + bool + + 		+ (Optional) +

DisablePermitInsecure disables the use of the + permitInsecure field in HTTPProxy.

+

Contour’s default is false.

+
+ rootNamespaces +
+ + []string + + 		+ (Optional) +

Restrict Contour to searching these namespaces for root ingress routes.

+
+ fallbackCertificate +
+ + + NamespacedName + + + 		+ (Optional) +

FallbackCertificate defines the namespace/name of the Kubernetes secret to + use as fallback when a non-SNI request is received.

+

HTTPVersionType -(string alias)

+ (string alias)

+

-(Appears on: -EnvoyConfig) + (Appears on: + EnvoyConfig)

HTTPVersionType is the name of a supported HTTP version.

- - - - - - - - - - - + + + + + + + + + + + + + + + +
ValueDescription

"HTTP/1.1"

HTTPVersion1 is the name of the HTTP/1.1 version.

-

"HTTP/2"

HTTPVersion2 is the name of the HTTP/2 version.

-
ValueDescription
+

"HTTP/1.1"

+ 		+

HTTPVersion1 is the name of the HTTP/1.1 version.

+
+

"HTTP/2"

+ 		+

HTTPVersion2 is the name of the HTTP/2 version.

+

HeadersPolicy

-(Appears on: -PolicyConfig) + (Appears on: + PolicyConfig)

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-set -
- -map[string]string - -		 -(Optional) -
-remove -
- -[]string - -		 -(Optional) -
FieldDescription
+ set +
+ + map[string]string + + 		+ (Optional) +
+ remove +
+ + []string + + 		+ (Optional) +

HealthConfig

-(Appears on: -ContourConfigurationSpec, -EnvoyConfig) + (Appears on: + ContourConfigurationSpec, + EnvoyConfig)

HealthConfig defines the endpoints to enable health checks.

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-address -
- -string - -		 -(Optional) -

Defines the health address interface.

-
-port -
- -int - -		 -(Optional) -

Defines the health port.

-
FieldDescription
+ address +
+ + string + + 		+ (Optional) +

Defines the health address interface.

+
+ port +
+ + int + + 		+ (Optional) +

Defines the health port.

+

IngressConfig

-(Appears on: -ContourConfigurationSpec) + (Appears on: + ContourConfigurationSpec)

IngressConfig defines ingress specific config items.

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-classNames -
- -[]string - -		 -(Optional) -

Ingress Class Names Contour should use.

-
-statusAddress -
- -string - -		 -(Optional) -

Address to set in Ingress object status.

-
FieldDescription
+ classNames +
+ + []string + + 		+ (Optional) +

Ingress Class Names Contour should use.

+
+ statusAddress +
+ + string + + 		+ (Optional) +

Address to set in Ingress object status.

+

LogLevel -(string alias)

+ (string alias)

+

-(Appears on: -ContourSettings, -EnvoySettings) + (Appears on: + ContourSettings, + EnvoySettings)

LogLevel is the logging levels available.

- - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ValueDescription

"critical"

CriticalLog sets the log level for Envoy to critical.

-

"debug"

DebugLog sets the log level for Contour/Envoy to debug.

-

"error"

ErrorLog sets the log level for Envoy to error.

-

"info"

InfoLog sets the log level for Contour/Envoy to info.

-

"off"

OffLog disable logging for Envoy.

-

"trace"

TraceLog sets the log level for Envoy to trace.

-

"warn"

WarnLog sets the log level for Envoy to warn.

-
ValueDescription
+

"critical"

+ 		+

CriticalLog sets the log level for Envoy to critical.

+
+

"debug"

+ 		+

DebugLog sets the log level for Contour/Envoy to debug.

+
+

"error"

+ 		+

ErrorLog sets the log level for Envoy to error.

+
+

"info"

+ 		+

InfoLog sets the log level for Contour/Envoy to info.

+
+

"off"

+ 		+

OffLog disable logging for Envoy.

+
+

"trace"

+ 		+

TraceLog sets the log level for Envoy to trace.

+
+

"warn"

+ 		+

WarnLog sets the log level for Envoy to warn.

+

MetricsConfig

-(Appears on: -ContourConfigurationSpec, -EnvoyConfig) + (Appears on: + ContourConfigurationSpec, + EnvoyConfig)

MetricsConfig defines the metrics endpoint.

- - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + +
FieldDescription
-address -
- -string - -		 -(Optional) -

Defines the metrics address interface.

-
-port -
- -int - -		 -(Optional) -

Defines the metrics port.

-
-tls -
- - -MetricsTLS - - -		 -(Optional) -

TLS holds TLS file config details. -Metrics and health endpoints cannot have same port number when metrics is served over HTTPS.

-
FieldDescription
+ address +
+ + string + + 		+ (Optional) +

Defines the metrics address interface.

+
+ port +
+ + int + + 		+ (Optional) +

Defines the metrics port.

+
+ tls +
+ + + MetricsTLS + + + 		+ (Optional) +

TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS.

+

MetricsTLS

-(Appears on: -MetricsConfig) + (Appears on: + MetricsConfig)

TLS holds TLS file config details.

- - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + +
FieldDescription
-caFile -
- -string - -		 -(Optional) -

CA filename.

-
-certFile -
- -string - -		 -(Optional) -

Client certificate filename.

-
-keyFile -
- -string - -		 -(Optional) -

Client key filename.

-
FieldDescription
+ caFile +
+ + string + + 		+ (Optional) +

CA filename.

+
+ certFile +
+ + string + + 		+ (Optional) +

Client certificate filename.

+
+ keyFile +
+ + string + + 		+ (Optional) +

Client key filename.

+

NamespacedName

-(Appears on: -EnvoyConfig, -GatewayConfig, -HTTPProxyConfig, -RateLimitServiceConfig, -TracingConfig) + (Appears on: + EnvoyConfig, + GatewayConfig, + HTTPProxyConfig, + RateLimitServiceConfig, + TracingConfig)

NamespacedName defines the namespace/name of the Kubernetes resource referred from the config file. -Used for Contour config YAML file parsing, otherwise we could use K8s types.NamespacedName.

+ Used for Contour config YAML file parsing, otherwise we could use K8s types.NamespacedName.

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-name -
- -string - -		 -
-namespace -
- -string - -		 -
FieldDescription
+ name +
+ + string + + 		+
+ namespace +
+ + string + + 		+

NetworkParameters

-(Appears on: -EnvoyConfig) + (Appears on: + EnvoyConfig)

NetworkParameters hold various configurable network values.

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-numTrustedHops -
- -uint32 - -		 -(Optional) -

XffNumTrustedHops defines the number of additional ingress proxy hops from the -right side of the x-forwarded-for HTTP header to trust when determining the origin -client’s IP address.

-

See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops -for more information.

-

Contour’s default is 0.

-
-adminPort -
- -int - -		 -(Optional) -

Configure the port used to access the Envoy Admin interface. -If configured to port “0” then the admin interface is disabled.

-

Contour’s default is 9001.

-
FieldDescription
+ numTrustedHops +
+ + uint32 + + 		+ (Optional) +

XffNumTrustedHops defines the number of additional ingress proxy hops from the + right side of the x-forwarded-for HTTP header to trust when determining the origin + client’s IP address.

+

See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops + for more information.

+

Contour’s default is 0.

+
+ adminPort +
+ + int + + 		+ (Optional) +

Configure the port used to access the Envoy Admin interface. + If configured to port “0” then the admin interface is disabled.

+

Contour’s default is 9001.

+

NetworkPublishing

-(Appears on: -EnvoySettings) + (Appears on: + EnvoySettings)

NetworkPublishing defines the schema for publishing to a network.

- - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-type -
- - -NetworkPublishingType - - -		 -(Optional) -

NetworkPublishingType is the type of publishing strategy to use. Valid values are:

-
    -
  • LoadBalancerService
    • -
-

In this configuration, network endpoints for Envoy use container networking. -A Kubernetes LoadBalancer Service is created to publish Envoy network -endpoints.

-

See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer

-
    -
  • NodePortService
    • -
-

Publishes Envoy network endpoints using a Kubernetes NodePort Service.

-

In this configuration, Envoy network endpoints use container networking. A Kubernetes -NodePort Service is created to publish the network endpoints.

-

See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport

-

NOTE: -When provisioning an Envoy NodePortService, use Gateway Listeners’ port numbers to populate -the Service’s node port values, there’s no way to auto-allocate them.

-

See: https://github.com/projectcontour/contour/issues/4499

-
    -
  • ClusterIPService
    • -
-

Publishes Envoy network endpoints using a Kubernetes ClusterIP Service.

-

In this configuration, Envoy network endpoints use container networking. A Kubernetes -ClusterIP Service is created to publish the network endpoints.

-

See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types

-

If unset, defaults to LoadBalancerService.

-
-externalTrafficPolicy -
- - -Kubernetes core/v1.ServiceExternalTrafficPolicy - - -		 -(Optional) -

ExternalTrafficPolicy describes how nodes distribute service traffic they -receive on one of the Service’s “externally-facing” addresses (NodePorts, ExternalIPs, -and LoadBalancer IPs).

-

If unset, defaults to “Local”.

-
-ipFamilyPolicy -
- - -Kubernetes core/v1.IPFamilyPolicy - - -		 -(Optional) -

IPFamilyPolicy represents the dual-stack-ness requested or required by -this Service. If there is no value provided, then this field will be set -to SingleStack. Services can be “SingleStack” (a single IP family), -“PreferDualStack” (two IP families on dual-stack configured clusters or -a single IP family on single-stack clusters), or “RequireDualStack” -(two IP families on dual-stack configured clusters, otherwise fail).

-
-serviceAnnotations -
- -map[string]string - -		 -(Optional) -

ServiceAnnotations is the annotations to add to -the provisioned Envoy service.

-
FieldDescription
+ type +
+ + + NetworkPublishingType + + + 		+ (Optional) +

NetworkPublishingType is the type of publishing strategy to use. Valid values are:

+
    +
  • LoadBalancerService
    • +
+

In this configuration, network endpoints for Envoy use container networking. + A Kubernetes LoadBalancer Service is created to publish Envoy network + endpoints.

+

See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer +

+
    +
  • NodePortService
    • +
+

Publishes Envoy network endpoints using a Kubernetes NodePort Service.

+

In this configuration, Envoy network endpoints use container networking. A Kubernetes + NodePort Service is created to publish the network endpoints.

+

See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport +

+

NOTE: + When provisioning an Envoy NodePortService, use Gateway Listeners’ port numbers + to populate + the Service’s node port values, there’s no way to auto-allocate them.

+

See: https://github.com/projectcontour/contour/issues/4499 +

+
    +
  • ClusterIPService
    • +
+

Publishes Envoy network endpoints using a Kubernetes ClusterIP Service.

+

In this configuration, Envoy network endpoints use container networking. A Kubernetes + ClusterIP Service is created to publish the network endpoints.

+

See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types +

+

If unset, defaults to LoadBalancerService.

+
+ externalTrafficPolicy +
+ + + Kubernetes core/v1.ServiceExternalTrafficPolicy + + + 		+ (Optional) +

ExternalTrafficPolicy describes how nodes distribute service traffic they + receive on one of the Service’s “externally-facing” addresses (NodePorts, + ExternalIPs, + and LoadBalancer IPs).

+

If unset, defaults to “Local”.

+
+ ipFamilyPolicy +
+ + + Kubernetes core/v1.IPFamilyPolicy + + + 		+ (Optional) +

IPFamilyPolicy represents the dual-stack-ness requested or required by + this Service. If there is no value provided, then this field will be set + to SingleStack. Services can be “SingleStack” (a single IP family), + “PreferDualStack” (two IP families on dual-stack configured clusters or + a single IP family on single-stack clusters), or “RequireDualStack” + (two IP families on dual-stack configured clusters, otherwise fail).

+
+ serviceAnnotations +
+ + map[string]string + + 		+ (Optional) +

ServiceAnnotations is the annotations to add to + the provisioned Envoy service.

+

NetworkPublishingType -(string alias)

+ (string alias)

+

-(Appears on: -NetworkPublishing) + (Appears on: + NetworkPublishing)

NetworkPublishingType is a way to publish network endpoints.

- - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + +
ValueDescription

"ClusterIPService"

ClusterIPServicePublishingType publishes a network endpoint using a Kubernetes -ClusterIP Service.

-

"LoadBalancerService"

LoadBalancerServicePublishingType publishes a network endpoint using a Kubernetes -LoadBalancer Service.

-

"NodePortService"

NodePortServicePublishingType publishes a network endpoint using a Kubernetes -NodePort Service.

-
ValueDescription
+

"ClusterIPService"

+ 		+

ClusterIPServicePublishingType publishes a network endpoint using a Kubernetes + ClusterIP Service.

+
+

"LoadBalancerService"

+ 		+

LoadBalancerServicePublishingType publishes a network endpoint using a Kubernetes + LoadBalancer Service.

+
+

"NodePortService"

+ 		+

NodePortServicePublishingType publishes a network endpoint using a Kubernetes + NodePort Service.

+

NodePlacement

-(Appears on: -ContourSettings, -EnvoySettings) + (Appears on: + ContourSettings, + EnvoySettings)

NodePlacement describes node scheduling configuration for pods. -If nodeSelector and tolerations are specified, the scheduler will use both to -determine where to place the pod(s).

+ If nodeSelector and tolerations are specified, the scheduler will use both to + determine where to place the pod(s).

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-nodeSelector -
- -map[string]string - -		 -(Optional) -

NodeSelector is the simplest recommended form of node selection constraint -and specifies a map of key-value pairs. For the pod to be eligible -to run on a node, the node must have each of the indicated key-value pairs -as labels (it can have additional labels as well).

-

If unset, the pod(s) will be scheduled to any available node.

-
-tolerations -
- - -[]Kubernetes core/v1.Toleration - - -		 -(Optional) -

Tolerations work with taints to ensure that pods are not scheduled -onto inappropriate nodes. One or more taints are applied to a node; this -marks that the node should not accept any pods that do not tolerate the -taints.

-

The default is an empty list.

-

See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -for additional details.

-
FieldDescription
+ nodeSelector +
+ + map[string]string + + 		+ (Optional) +

NodeSelector is the simplest recommended form of node selection constraint + and specifies a map of key-value pairs. For the pod to be eligible + to run on a node, the node must have each of the indicated key-value pairs + as labels (it can have additional labels as well).

+

If unset, the pod(s) will be scheduled to any available node.

+
+ tolerations +
+ + + []Kubernetes core/v1.Toleration + + + 		+ (Optional) +

Tolerations work with taints to ensure that pods are not scheduled + onto inappropriate nodes. One or more taints are applied to a node; this + marks that the node should not accept any pods that do not tolerate the + taints.

+

The default is an empty list.

+

See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for additional details.

+

PolicyConfig

-(Appears on: -ContourConfigurationSpec) + (Appears on: + ContourConfigurationSpec)

PolicyConfig holds default policy used if not explicitly set by the user

- - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + +
FieldDescription
-requestHeaders -
- - -HeadersPolicy - - -		 -(Optional) -

RequestHeadersPolicy defines the request headers set/removed on all routes

-
-responseHeaders -
- - -HeadersPolicy - - -		 -(Optional) -

ResponseHeadersPolicy defines the response headers set/removed on all routes

-
-applyToIngress -
- -bool - -		 -(Optional) -

ApplyToIngress determines if the Policies will apply to ingress objects

-

Contour’s default is false.

-
FieldDescription
+ requestHeaders +
+ + + HeadersPolicy + + + 		+ (Optional) +

RequestHeadersPolicy defines the request headers set/removed on all routes

+
+ responseHeaders +
+ + + HeadersPolicy + + + 		+ (Optional) +

ResponseHeadersPolicy defines the response headers set/removed on all routes

+
+ applyToIngress +
+ + bool + + 		+ (Optional) +

ApplyToIngress determines if the Policies will apply to ingress objects

+

Contour’s default is false.

+

RateLimitServiceConfig

-(Appears on: -ContourConfigurationSpec) + (Appears on: + ContourConfigurationSpec)

RateLimitServiceConfig defines properties of a global Rate Limit Service.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-extensionService -
- - -NamespacedName - - -		 -

ExtensionService identifies the extension service defining the RLS.

-
-domain -
- -string - -		 -(Optional) -

Domain is passed to the Rate Limit Service.

-
-failOpen -
- -bool - -		 -(Optional) -

FailOpen defines whether to allow requests to proceed when the -Rate Limit Service fails to respond with a valid rate limit -decision within the timeout defined on the extension service.

-
-enableXRateLimitHeaders -
- -bool - -		 -(Optional) -

EnableXRateLimitHeaders defines whether to include the X-RateLimit -headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset -(as defined by the IETF Internet-Draft linked below), on responses -to clients when the Rate Limit Service is consulted for a request.

-

ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html

-
-enableResourceExhaustedCode -
- -bool - -		 -(Optional) -

EnableResourceExhaustedCode enables translating error code 429 to -grpc code RESOURCE_EXHAUSTED. When disabled it’s translated to UNAVAILABLE

-
-defaultGlobalRateLimitPolicy -
- - -GlobalRateLimitPolicy - - -		 -(Optional) -

DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. -HTTPProxy can overwrite this configuration.

-
FieldDescription
+ extensionService +
+ + + NamespacedName + + + 		+

ExtensionService identifies the extension service defining the RLS.

+
+ domain +
+ + string + + 		+ (Optional) +

Domain is passed to the Rate Limit Service.

+
+ failOpen +
+ + bool + + 		+ (Optional) +

FailOpen defines whether to allow requests to proceed when the + Rate Limit Service fails to respond with a valid rate limit + decision within the timeout defined on the extension service.

+
+ enableXRateLimitHeaders +
+ + bool + + 		+ (Optional) +

EnableXRateLimitHeaders defines whether to include the X-RateLimit + headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset + (as defined by the IETF Internet-Draft linked below), on responses + to clients when the Rate Limit Service is consulted for a request.

+

ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html +

+
+ enableResourceExhaustedCode +
+ + bool + + 		+ (Optional) +

EnableResourceExhaustedCode enables translating error code 429 to + grpc code RESOURCE_EXHAUSTED. When disabled it’s translated to UNAVAILABLE

+
+ defaultGlobalRateLimitPolicy +
+ + + GlobalRateLimitPolicy + + + 		+ (Optional) +

DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. + HTTPProxy can overwrite this configuration.

+

ServerHeaderTransformationType -(string alias)

+ (string alias)

+

-(Appears on: -EnvoyListenerConfig) + (Appears on: + EnvoyListenerConfig)

ServerHeaderTransformation defines the action to be applied to the Server header on the response path

- - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + +
ValueDescription

"append_if_absent"

If no Server header is present, set it to “envoy”. -If a Server header is present, pass it through.

-

"overwrite"

Overwrite any Server header with “envoy”. -This is the default value.

-

"pass_through"

Pass through the value of the Server header, and do not append a header -if none is present.

-
ValueDescription
+

"append_if_absent"

+ 		+

If no Server header is present, set it to “envoy”. + If a Server header is present, pass it through.

+
+

"overwrite"

+ 		+

Overwrite any Server header with “envoy”. + This is the default value.

+
+

"pass_through"

+ 		+

Pass through the value of the Server header, and do not append a header + if none is present.

+

SocketOptions

-(Appears on: -EnvoyListenerConfig) + (Appears on: + EnvoyListenerConfig)

SocketOptions defines configurable socket options for Envoy listeners.

- - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
FieldDescription
-tos -
- -int32 - -		 -(Optional) -

Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners. -Single value is applied to all listeners. -If listeners are bound to IPv6-only addresses, setting this option will cause an error.

-
-trafficClass -
- -int32 - -		 -(Optional) -

Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners. -Single value is applied to all listeners. -If listeners are bound to IPv4-only addresses, setting this option will cause an error.

-
FieldDescription
+ tos +
+ + int32 + + 		+ (Optional) +

Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from + Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv6-only addresses, setting this option will cause an error.

+
+ trafficClass +
+ + int32 + + 		+ (Optional) +

Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets + originating from the Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv4-only addresses, setting this option will cause an error.

+

TLS

-(Appears on: -XDSServerConfig) + (Appears on: + XDSServerConfig)

TLS holds TLS file config details.

- - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-caFile -
- -string - -		 -(Optional) -

CA filename.

-
-certFile -
- -string - -		 -(Optional) -

Client certificate filename.

-
-keyFile -
- -string - -		 -(Optional) -

Client key filename.

-
-insecure -
- -bool - -		 -(Optional) -

Allow serving the xDS gRPC API without TLS.

-
FieldDescription
+ caFile +
+ + string + + 		+ (Optional) +

CA filename.

+
+ certFile +
+ + string + + 		+ (Optional) +

Client certificate filename.

+
+ keyFile +
+ + string + + 		+ (Optional) +

Client key filename.

+
+ insecure +
+ + bool + + 		+ (Optional) +

Allow serving the xDS gRPC API without TLS.

+

TimeoutParameters

-(Appears on: -EnvoyConfig) + (Appears on: + EnvoyConfig)

TimeoutParameters holds various configurable proxy timeout values.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-requestTimeout -
- -string - -		 -(Optional) -

RequestTimeout sets the client request timeout globally for Contour. Note that -this is a timeout for the entire request, not an idle timeout. Omit or set to -“infinity” to disable the timeout entirely.

-

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout -for more information.

-
-connectionIdleTimeout -
- -string - -		 -(Optional) -

ConnectionIdleTimeout defines how long the proxy should wait while there are -no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating -an HTTP connection. Set to “infinity” to disable the timeout entirely.

-

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout -for more information.

-
-streamIdleTimeout -
- -string - -		 -(Optional) -

StreamIdleTimeout defines how long the proxy should wait while there is no -request activity (for HTTP/1.1) or stream activity (for HTTP/2) before -terminating the HTTP request or stream. Set to “infinity” to disable the -timeout entirely.

-

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout -for more information.

-
-maxConnectionDuration -
- -string - -		 -(Optional) -

MaxConnectionDuration defines the maximum period of time after an HTTP connection -has been established from the client to the proxy before it is closed by the proxy, -regardless of whether there has been activity or not. Omit or set to “infinity” for -no max duration.

-

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration -for more information.

-
-delayedCloseTimeout -
- -string - -		 -(Optional) -

DelayedCloseTimeout defines how long envoy will wait, once connection -close processing has been initiated, for the downstream peer to close -the connection before Envoy closes the socket associated with the connection.

-

Setting this timeout to ‘infinity’ will disable it, equivalent to setting it to ‘0’ -in Envoy. Leaving it unset will result in the Envoy default value being used.

-

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout -for more information.

-
-connectionShutdownGracePeriod -
- -string - -		 -(Optional) -

ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an -initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection. -During this grace period, the proxy will continue to respond to new streams. After the final -GOAWAY frame has been sent, the proxy will refuse new streams.

-

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout -for more information.

-
-connectTimeout -
- -string - -		 -(Optional) -

ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. -If not set, a default value of 2 seconds will be used.

-

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout -for more information.

-
FieldDescription
+ requestTimeout +
+ + string + + 		+ (Optional) +

RequestTimeout sets the client request timeout globally for Contour. Note that + this is a timeout for the entire request, not an idle timeout. Omit or set to + “infinity” to disable the timeout entirely.

+

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout + for more information.

+
+ connectionIdleTimeout +
+ + string + + 		+ (Optional) +

ConnectionIdleTimeout defines how long the proxy should wait while there are + no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating + an HTTP connection. Set to “infinity” to disable the timeout entirely.

+

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout + for more information.

+
+ streamIdleTimeout +
+ + string + + 		+ (Optional) +

StreamIdleTimeout defines how long the proxy should wait while there is no + request activity (for HTTP/1.1) or stream activity (for HTTP/2) before + terminating the HTTP request or stream. Set to “infinity” to disable the + timeout entirely.

+

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout + for more information.

+
+ maxConnectionDuration +
+ + string + + 		+ (Optional) +

MaxConnectionDuration defines the maximum period of time after an HTTP connection + has been established from the client to the proxy before it is closed by the proxy, + regardless of whether there has been activity or not. Omit or set to “infinity” for + no max duration.

+

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration + for more information.

+
+ delayedCloseTimeout +
+ + string + + 		+ (Optional) +

DelayedCloseTimeout defines how long envoy will wait, once connection + close processing has been initiated, for the downstream peer to close + the connection before Envoy closes the socket associated with the connection.

+

Setting this timeout to ‘infinity’ will disable it, equivalent to setting it to + ‘0’ + in Envoy. Leaving it unset will result in the Envoy default value being used.

+

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout + for more information.

+
+ connectionShutdownGracePeriod +
+ + string + + 		+ (Optional) +

ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an + initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection. + During this grace period, the proxy will continue to respond to new streams. After the final + GOAWAY frame has been sent, the proxy will refuse new streams.

+

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout + for more information.

+
+ connectTimeout +
+ + string + + 		+ (Optional) +

ConnectTimeout defines how long the proxy should wait when establishing connection to upstream + service. + If not set, a default value of 2 seconds will be used.

+

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout + for more information.

+

TracingConfig

-(Appears on: -ContourConfigurationSpec) + (Appears on: + ContourConfigurationSpec)

TracingConfig defines properties for exporting trace data to OpenTelemetry.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-includePodDetail -
- -bool - -		 -(Optional) -

IncludePodDetail defines a flag. -If it is true, contour will add the pod name and namespace to the span of the trace. -the default is true. -Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly.

-
-serviceName -
- -string - -		 -

ServiceName defines the name for the service. -contour’s default is contour.

-
-overallSampling -
- -string - -		 -(Optional) -

OverallSampling defines the sampling rate of trace data. -contour’s default is 100.

-
-maxPathTagLength -
- -uint32 - -		 -(Optional) -

MaxPathTagLength defines maximum length of the request path -to extract and include in the HttpUrl tag. -contour’s default is 256.

-
-customTags -
- - -[]*github.com/projectcontour/contour/apis/projectcontour/v1alpha1.CustomTag - - -		 -(Optional) -

CustomTags defines a list of custom tags with unique tag name.

-
-extensionService -
- - -NamespacedName - - -		 -

ExtensionService identifies the extension service defining the otel-collector.

-
FieldDescription
+ includePodDetail +
+ + bool + + 		+ (Optional) +

IncludePodDetail defines a flag. + If it is true, contour will add the pod name and namespace to the span of the trace. + the default is true. + Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this + to work properly.

+
+ serviceName +
+ + string + + 		+

ServiceName defines the name for the service. + contour’s default is contour.

+
+ overallSampling +
+ + string + + 		+ (Optional) +

OverallSampling defines the sampling rate of trace data. + contour’s default is 100.

+
+ maxPathTagLength +
+ + uint32 + + 		+ (Optional) +

MaxPathTagLength defines maximum length of the request path + to extract and include in the HttpUrl tag. + contour’s default is 256.

+
+ customTags +
+ + + []*github.com/projectcontour/contour/apis/projectcontour/v1alpha1.CustomTag + + + 		+ (Optional) +

CustomTags defines a list of custom tags with unique tag name.

+
+ extensionService +
+ + + NamespacedName + + + 		+

ExtensionService identifies the extension service defining the otel-collector.

+

WorkloadType -(string alias)

+ (string alias)

+

-(Appears on: -EnvoySettings) + (Appears on: + EnvoySettings)

WorkloadType is the type of Kubernetes workload to use for a component.

@@ -9024,108 +9359,121 @@

WorkloadType

XDSServerConfig

-(Appears on: -ContourConfigurationSpec) + (Appears on: + ContourConfigurationSpec)

XDSServerConfig holds the config for the Contour xDS server.

- - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
-type -
- - -XDSServerType - - -		 -(Optional) -

Defines the XDSServer to use for contour serve.

-

Values: contour (default), envoy.

-

Other values will produce an error.

-
-address -
- -string - -		 -(Optional) -

Defines the xDS gRPC API address which Contour will serve.

-

Contour’s default is “0.0.0.0”.

-
-port -
- -int - -		 -(Optional) -

Defines the xDS gRPC API port which Contour will serve.

-

Contour’s default is 8001.

-
-tls -
- - -TLS - - -		 -(Optional) -

TLS holds TLS file config details.

-

Contour’s default is { caFile: “/certs/ca.crt”, certFile: “/certs/tls.cert”, keyFile: “/certs/tls.key”, insecure: false }.

-
FieldDescription
+ type +
+ + + XDSServerType + + + 		+ (Optional) +

Defines the XDSServer to use for contour serve.

+

Values: contour (default), envoy.

+

Other values will produce an error.

+
+ address +
+ + string + + 		+ (Optional) +

Defines the xDS gRPC API address which Contour will serve.

+

Contour’s default is “0.0.0.0”.

+
+ port +
+ + int + + 		+ (Optional) +

Defines the xDS gRPC API port which Contour will serve.

+

Contour’s default is 8001.

+
+ tls +
+ + + TLS + + + 		+ (Optional) +

TLS holds TLS file config details.

+

Contour’s default is { caFile: “/certs/ca.crt”, certFile: + “/certs/tls.cert”, keyFile: “/certs/tls.key”, insecure: false }.

+

XDSServerType -(string alias)

+ (string alias)

+

-(Appears on: -XDSServerConfig) + (Appears on: + XDSServerConfig)

XDSServerType is the type of xDS server implementation.

- - - - - - - - - - - + + + + + + + + + + + + + + + +
ValueDescription

"contour"

Use Contour’s xDS server.

-

"envoy"

Use the upstream go-control-plane-based xDS server.

-
ValueDescription
+

"contour"

+ 		+

Use Contour’s xDS server.

+
+

"envoy"

+ 		+

Use the upstream go-control-plane-based xDS server.

+
-
+

-Generated with gen-crd-api-reference-docs. -

+ Generated with gen-crd-api-reference-docs. +

diff --git a/site/content/docs/main/config/api-reference.html b/site/content/docs/main/config/api-reference.html index e2f957d50b4..0d12d4073d4 100644 --- a/site/content/docs/main/config/api-reference.html +++ b/site/content/docs/main/config/api-reference.html @@ -6707,6 +6707,23 @@

EnvoyConfig

Network holds various configurable Envoy network values.

+ + +om_enforced_health +
+ + +HealthConfig + + + + +(Optional) +

OMEnforcedHealth defines the endpoint Envoy uses to serve health checks with +the envoy overload manager actions, such as global connection limits, enforced.

+

This is disbled by default

+ +

EnvoyListener diff --git a/test/e2e/bootstrap/bootstrap_test.go b/test/e2e/bootstrap/bootstrap_test.go new file mode 100644 index 00000000000..5fa94cb3ce1 --- /dev/null +++ b/test/e2e/bootstrap/bootstrap_test.go @@ -0,0 +1,106 @@ +// Copyright Project Contour Authors +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +//go:build e2e + +package bootstrap + +import ( + "testing" + + contour_api_v1alpha1 "github.com/projectcontour/contour/apis/projectcontour/v1alpha1" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + "github.com/onsi/gomega/gexec" + "github.com/projectcontour/contour/pkg/config" + "github.com/projectcontour/contour/test/e2e" + "github.com/stretchr/testify/require" +) + +var ( + f = e2e.NewFramework(false) + + // Functions called after suite to clean up resources. + cleanup []func() +) + +func TestBootstrap(t *testing.T) { + RegisterFailHandler(Fail) + RunSpecs(t, "Bootstrap tests") +} + +var _ = BeforeSuite(func() { + // add overload manager arguments to envoy bootstrap + f.Deployment.ContourBootstrapExtraArgs = []string{ + "--overload-max-heap=987654321", + "--overload-dowstream-max-conn=1000", + } + + require.NoError(f.T(), f.Deployment.EnsureResourcesForLocalContour()) + +}) + +var _ = AfterSuite(func() { + for _, c := range cleanup { + c() + } + require.NoError(f.T(), f.Deployment.DeleteResourcesForLocalContour()) + gexec.CleanupBuildArtifacts() +}) + +var _ = Describe("Bootstrap", func() { + var ( + contourCmd *gexec.Session + kubectlCmd *gexec.Session + contourConfig *config.Parameters + contourConfiguration *contour_api_v1alpha1.ContourConfiguration + contourConfigFile string + ) + + BeforeEach(func() { + contourConfig = e2e.DefaultContourConfigFileParams() + contourConfiguration = e2e.DefaultContourConfiguration() + }) + + JustBeforeEach(func() { + var err error + contourCmd, contourConfigFile, err = f.Deployment.StartLocalContour(contourConfig, contourConfiguration) + require.NoError(f.T(), err) + + // Wait for Envoy to be healthy. + require.NoError(f.T(), f.Deployment.WaitForEnvoyUpdated()) + + kubectlCmd, err = f.Kubectl.StartKubectlPortForward(19001, 9001, "projectcontour", f.Deployment.EnvoyResourceAndName()) + require.NoError(f.T(), err) + }) + + AfterEach(func() { + f.Kubectl.StopKubectlPortForward(kubectlCmd) + require.NoError(f.T(), f.Deployment.StopLocalContour(contourCmd, contourConfigFile)) + }) + + f.Test(func() { + Specify("requests to default ready listener are served", func() { + t := f.T() + + res, ok := f.HTTP.MetricsRequestUntil(&e2e.HTTPRequestOpts{ + Path: "/ready", + Condition: e2e.HasStatusCode(200), + }) + require.NotNil(t, res, "request never succeeded") + require.Truef(t, ok, "expected 200 response code, got %d", res.StatusCode) + }) + }) + +}) diff --git a/test/e2e/deployment.go b/test/e2e/deployment.go index 6383c78e8f9..379e2cfa5a3 100644 --- a/test/e2e/deployment.go +++ b/test/e2e/deployment.go @@ -104,6 +104,9 @@ type Deployment struct { EnvoyExtraVolumes []core_v1.Volume EnvoyExtraVolumeMounts []core_v1.VolumeMount + // Optional additional args to pass to the bootstrap subcommand + ContourBootstrapExtraArgs []string + // Ratelimit deployment. RateLimitDeployment *apps_v1.Deployment RateLimitService *core_v1.Service @@ -475,14 +478,20 @@ func (d *Deployment) EnsureResourcesForLocalContour() error { // Generate bootstrap config with Contour local address and plaintext // client config. - bootstrapCmd := exec.Command( // nolint:gosec - d.contourBin, + bootstrapCmdArgs := []string{ "bootstrap", bFile.Name(), - "--xds-address="+d.localContourHost, - "--xds-port="+d.localContourPort, + "--xds-address=" + d.localContourHost, + "--xds-port=" + d.localContourPort, "--xds-resource-version=v3", "--admin-address=/admin/admin.sock", + } + + bootstrapCmdArgs = append(bootstrapCmdArgs, d.ContourBootstrapExtraArgs...) + + bootstrapCmd := exec.Command( // nolint:gosec + d.contourBin, + bootstrapCmdArgs..., ) session, err := gexec.Start(bootstrapCmd, d.cmdOutputWriter, d.cmdOutputWriter)