marco/learning-k8s
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
learning-k8s/contour.yaml

9274 lines
532 KiB
YAML
Raw Permalink Normal View History

working configuration
2024-04-29 09:29:06 +02:00
# This file is generated from the individual YAML files by generate-deployment.sh. Do not
# edit this file directly but instead edit the source files and re-render.
#
# Generated from:
# examples/contour/00-common.yaml
# examples/contour/01-contour-config.yaml
# examples/contour/01-crds.yaml
# examples/contour/02-job-certgen.yaml
# examples/contour/02-rbac.yaml
# examples/contour/02-role-contour.yaml
# examples/contour/02-service-contour.yaml
# examples/contour/02-service-envoy.yaml
# examples/contour/03-contour.yaml
# examples/contour/03-envoy.yaml
---
apiVersion: v1
kind: Namespace
metadata:
name: projectcontour
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: contour
namespace: projectcontour
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: envoy
namespace: projectcontour
---
apiVersion: v1
kind: ConfigMap
metadata:
name: contour
namespace: projectcontour
data:
contour.yaml: |
#
# server:
# determine which XDS Server implementation to utilize in Contour.
# xds-server-type: contour
#
# Specify the Gateway API configuration.
# gateway:
# controllerName: projectcontour.io/gateway-controller
#
# should contour expect to be running inside a k8s cluster
# incluster: true
#
# path to kubeconfig (if not running inside a k8s cluster)
# kubeconfig: /path/to/.kube/config
#
# Disable RFC-compliant behavior to strip "Content-Length" header if
# "Tranfer-Encoding: chunked" is also set.
# disableAllowChunkedLength: false
#
# Disable Envoy's non-standard merge_slashes path transformation option
# that strips duplicate slashes from request URLs.
# disableMergeSlashes: false
#
# Disable HTTPProxy permitInsecure field
disablePermitInsecure: false
tls:
# minimum TLS version that Contour will negotiate
# minimum-protocol-version: "1.2"
# TLS ciphers to be supported by Envoy TLS listeners when negotiating
# TLS 1.2.
# cipher-suites:
# - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]'
# - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]'
# - 'ECDHE-ECDSA-AES256-GCM-SHA384'
# - 'ECDHE-RSA-AES256-GCM-SHA384'
# Defines the Kubernetes name/namespace matching a secret to use
# as the fallback certificate when requests which don't match the
# SNI defined for a vhost.
fallback-certificate:
# name: fallback-secret-name
# namespace: projectcontour
envoy-client-certificate:
# name: envoy-client-cert-secret-name
# namespace: projectcontour
####
# ExternalName Services are disabled by default due to CVE-2021-XXXXX
# You can re-enable them by setting this setting to `true`.
# This is not recommended without understanding the security implications.
# Please see the advisory at https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc for the details.
# enableExternalNameService: false
##
# Address to be placed in status.loadbalancer field of Ingress objects.
# May be either a literal IP address or a host name.
# The value will be placed directly into the relevant field inside the status.loadBalancer struct.
# ingress-status-address: local.projectcontour.io
### Logging options
# Default setting
accesslog-format: envoy
# The default access log format is defined by Envoy but it can be customized by setting following variable.
# accesslog-format-string: "...\n"
# To enable JSON logging in Envoy
# accesslog-format: json
# accesslog-level: info
# The default fields that will be logged are specified below.
# To customise this list, just add or remove entries.
# The canonical list is available at
# https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields
# json-fields:
# - "@timestamp"
# - "authority"
# - "bytes_received"
# - "bytes_sent"
# - "downstream_local_address"
# - "downstream_remote_address"
# - "duration"
# - "method"
# - "path"
# - "protocol"
# - "request_id"
# - "requested_server_name"
# - "response_code"
# - "response_flags"
# - "uber_trace_id"
# - "upstream_cluster"
# - "upstream_host"
# - "upstream_local_address"
# - "upstream_service_time"
# - "user_agent"
# - "x_forwarded_for"
# - "grpc_status"
# - "grpc_status_number"
#
# default-http-versions:
# - "HTTP/2"
# - "HTTP/1.1"
#
# The following shows the default proxy timeout settings.
# timeouts:
# request-timeout: infinity
# connection-idle-timeout: 60s
# stream-idle-timeout: 5m
# max-connection-duration: infinity
# delayed-close-timeout: 1s
# connection-shutdown-grace-period: 5s
# connect-timeout: 2s
#
# Envoy cluster settings.
# cluster:
# configure the cluster dns lookup family
# valid options are: auto (default), v4, v6
# dns-lookup-family: auto
#
# Envoy network settings.
# network:
# Configure the number of additional ingress proxy hops from the
# right side of the x-forwarded-for HTTP header to trust.
# num-trusted-hops: 0
# Configure the port used to access the Envoy Admin interface.
# admin-port: 9001
#
# Configure an optional global rate limit service.
# rateLimitService:
# Identifies the extension service defining the rate limit service,
# formatted as <namespace>/<name>.
# extensionService: projectcontour/ratelimit
# Defines the rate limit domain to pass to the rate limit service.
# Acts as a container for a set of rate limit definitions within
# the RLS.
# domain: contour
# Defines whether to allow requests to proceed when the rate limit
# service fails to respond with a valid rate limit decision within
# the timeout defined on the extension service.
# failOpen: false
# Defines whether to include the X-RateLimit headers X-RateLimit-Limit,
# X-RateLimit-Remaining, and X-RateLimit-Reset (as defined by the IETF
# Internet-Draft linked below), on responses to clients when the Rate
# Limit Service is consulted for a request.
# ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html
# enableXRateLimitHeaders: false
# Defines whether to translate status code 429 to grpc code RESOURCE_EXHAUSTED
# instead of the default UNAVAILABLE
# enableResourceExhaustedCode: false
#
# Global Policy settings.
# policy:
# # Default headers to set on all requests (unless set/removed on the HTTPProxy object itself)
# request-headers:
# set:
# # example: the hostname of the Envoy instance that proxied the request
# X-Envoy-Hostname: %HOSTNAME%
# # example: add a l5d-dst-override header to instruct Linkerd what service the request is destined for
# l5d-dst-override: %CONTOUR_SERVICE_NAME%.%CONTOUR_NAMESPACE%.svc.cluster.local:%CONTOUR_SERVICE_PORT%
# # default headers to set on all responses (unless set/removed on the HTTPProxy object itself)
# response-headers:
# set:
# # example: Envoy flags that provide additional details about the response or connection
# X-Envoy-Response-Flags: %RESPONSE_FLAGS%
#
# metrics:
# contour:
# address: 0.0.0.0
# port: 8000
# server-certificate-path: /path/to/server-cert.pem
# server-key-path: /path/to/server-private-key.pem
# ca-certificate-path: /path/to/root-ca-for-client-validation.pem
# envoy:
# address: 0.0.0.0
# port: 8002
# server-certificate-path: /path/to/server-cert.pem
# server-key-path: /path/to/server-private-key.pem
# ca-certificate-path: /path/to/root-ca-for-client-validation.pem
#
# listener:
# connection-balancer: exact
# socket-options:
# tos: 64
# traffic-class: 64
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: contourconfigurations.projectcontour.io
spec:
preserveUnknownFields: false
group: projectcontour.io
names:
kind: ContourConfiguration
listKind: ContourConfigurationList
plural: contourconfigurations
shortNames:
- contourconfig
singular: contourconfiguration
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: ContourConfiguration is the schema for a Contour instance.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: |-
ContourConfigurationSpec represents a configuration of a Contour controller.
It contains most of all the options that can be customized, the
other remaining options being command line flags.
properties:
debug:
description: |-
Debug contains parameters to enable debug logging
and debug interfaces inside Contour.
properties:
address:
description: |-
Defines the Contour debug address interface.
Contour's default is "127.0.0.1".
type: string
port:
description: |-
Defines the Contour debug address port.
Contour's default is 6060.
type: integer
type: object
enableExternalNameService:
description: |-
EnableExternalNameService allows processing of ExternalNameServices
Contour's default is false for security reasons.
type: boolean
envoy:
description: |-
Envoy contains parameters for Envoy as well
as how to optionally configure a managed Envoy fleet.
properties:
clientCertificate:
description: |-
ClientCertificate defines the namespace/name of the Kubernetes
secret containing the client certificate and private key
to be used when establishing TLS connection to upstream
cluster.
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
cluster:
description: |-
Cluster holds various configurable Envoy cluster values that can
be set in the config file.
properties:
circuitBreakers:
description: |-
GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services.
If defined, this will be used as the default for all services.
properties:
maxConnections:
description: The maximum number of connections that a
single Envoy instance allows to the Kubernetes Service;
defaults to 1024.
format: int32
type: integer
maxPendingRequests:
description: The maximum number of pending requests that
a single Envoy instance allows to the Kubernetes Service;
defaults to 1024.
format: int32
type: integer
maxRequests:
description: The maximum parallel requests a single Envoy
instance allows to the Kubernetes Service; defaults
to 1024
format: int32
type: integer
maxRetries:
description: The maximum number of parallel retries a
single Envoy instance allows to the Kubernetes Service;
defaults to 3.
format: int32
type: integer
type: object
dnsLookupFamily:
description: |-
DNSLookupFamily defines how external names are looked up
When configured as V4, the DNS resolver will only perform a lookup
for addresses in the IPv4 family. If V6 is configured, the DNS resolver
will only perform a lookup for addresses in the IPv6 family.
If AUTO is configured, the DNS resolver will first perform a lookup
for addresses in the IPv6 family and fallback to a lookup for addresses
in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for
both IPv4 and IPv6 families, and return all resolved addresses.
When this is used, Happy Eyeballs will be enabled for upstream connections.
Refer to Happy Eyeballs Support for more information.
Note: This only applies to externalName clusters.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily
for more information.
Values: `auto` (default), `v4`, `v6`, `all`.
Other values will produce an error.
type: string
maxRequestsPerConnection:
description: |-
Defines the maximum requests for upstream connections. If not specified, there is no limit.
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions
for more information.
format: int32
minimum: 1
type: integer
per-connection-buffer-limit-bytes:
description: |-
Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes.
If unspecified, an implementation defined default is applied (1MiB).
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes
for more information.
format: int32
minimum: 1
type: integer
upstreamTLS:
description: UpstreamTLS contains the TLS policy parameters
for upstream connections
properties:
cipherSuites:
description: |-
CipherSuites defines the TLS ciphers to be supported by Envoy TLS
listeners when negotiating TLS 1.2. Ciphers are validated against the
set that Envoy supports by default. This parameter should only be used
by advanced users. Note that these will be ignored when TLS 1.3 is in
use.
This field is optional; when it is undefined, a Contour-managed ciphersuite list
will be used, which may be updated to keep it secure.
Contour's default list is:
- "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
- "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
- "ECDHE-ECDSA-AES256-GCM-SHA384"
- "ECDHE-RSA-AES256-GCM-SHA384"
Ciphers provided are validated against the following list:
- "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
- "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
- "ECDHE-ECDSA-AES128-GCM-SHA256"
- "ECDHE-RSA-AES128-GCM-SHA256"
- "ECDHE-ECDSA-AES128-SHA"
- "ECDHE-RSA-AES128-SHA"
- "AES128-GCM-SHA256"
- "AES128-SHA"
- "ECDHE-ECDSA-AES256-GCM-SHA384"
- "ECDHE-RSA-AES256-GCM-SHA384"
- "ECDHE-ECDSA-AES256-SHA"
- "ECDHE-RSA-AES256-SHA"
- "AES256-GCM-SHA384"
- "AES256-SHA"
Contour recommends leaving this undefined unless you are sure you must.
See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS.
items:
type: string
type: array
maximumProtocolVersion:
description: |-
MaximumProtocolVersion is the maximum TLS version this vhost should
negotiate.
Values: `1.2`, `1.3`(default).
Other values will produce an error.
type: string
minimumProtocolVersion:
description: |-
MinimumProtocolVersion is the minimum TLS version this vhost should
negotiate.
Values: `1.2` (default), `1.3`.
Other values will produce an error.
type: string
type: object
type: object
defaultHTTPVersions:
description: |-
DefaultHTTPVersions defines the default set of HTTPS
versions the proxy should accept. HTTP versions are
strings of the form "HTTP/xx". Supported versions are
"HTTP/1.1" and "HTTP/2".
Values: `HTTP/1.1`, `HTTP/2` (default: both).
Other values will produce an error.
items:
description: HTTPVersionType is the name of a supported HTTP
version.
type: string
type: array
health:
description: |-
Health defines the endpoint Envoy uses to serve health checks.
Contour's default is { address: "0.0.0.0", port: 8002 }.
properties:
address:
description: Defines the health address interface.
minLength: 1
type: string
port:
description: Defines the health port.
type: integer
type: object
http:
description: |-
Defines the HTTP Listener for Envoy.
Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }.
properties:
accessLog:
description: AccessLog defines where Envoy logs are outputted
for this listener.
type: string
address:
description: Defines an Envoy Listener Address.
minLength: 1
type: string
port:
description: Defines an Envoy listener Port.
type: integer
type: object
https:
description: |-
Defines the HTTPS Listener for Envoy.
Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }.
properties:
accessLog:
description: AccessLog defines where Envoy logs are outputted
for this listener.
type: string
address:
description: Defines an Envoy Listener Address.
minLength: 1
type: string
port:
description: Defines an Envoy listener Port.
type: integer
type: object
listener:
description: Listener hold various configurable Envoy listener
values.
properties:
connectionBalancer:
description: |-
ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer
See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig
for more information.
Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer.
Other values will produce an error.
type: string
disableAllowChunkedLength:
description: |-
DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to
strip the "Content-Length" header if "Transfer-Encoding: chunked" is
also set. This is an emergency off-switch to revert back to Envoy's
default behavior in case of failures. Please file an issue if failures
are encountered.
See: https://github.com/projectcontour/contour/issues/3221
Contour's default is false.
type: boolean
disableMergeSlashes:
description: |-
DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option
which strips duplicate slashes from request URL paths.
Contour's default is false.
type: boolean
httpMaxConcurrentStreams:
description: |-
Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the
SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed
for a peer on a single HTTP/2 connection. It is recommended to not set this lower
than 100 but this field can be used to bound resource usage by HTTP/2 connections
and mitigate attacks like CVE-2023-44487. The default value when this is not set is
unlimited.
format: int32
minimum: 1
type: integer
maxConnectionsPerListener:
description: |-
Defines the limit on number of active connections to a listener. The limit is applied
per listener. The default value when this is not set is unlimited.
format: int32
minimum: 1
type: integer
maxRequestsPerConnection:
description: |-
Defines the maximum requests for downstream connections. If not specified, there is no limit.
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions
for more information.
format: int32
minimum: 1
type: integer
maxRequestsPerIOCycle:
description: |-
Defines the limit on number of HTTP requests that Envoy will process from a single
connection in a single I/O cycle. Requests over this limit are processed in subsequent
I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is
detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default
value when this is not set is no limit.
format: int32
minimum: 1
type: integer
per-connection-buffer-limit-bytes:
description: |-
Defines the soft limit on size of the listener’s new connection read and write buffers in bytes.
If unspecified, an implementation defined default is applied (1MiB).
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes
for more information.
format: int32
minimum: 1
type: integer
serverHeaderTransformation:
description: |-
Defines the action to be applied to the Server header on the response path.
When configured as overwrite, overwrites any Server header with "envoy".
When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy".
When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present.
Values: `overwrite` (default), `append_if_absent`, `pass_through`
Other values will produce an error.
Contour's default is overwrite.
type: string
socketOptions:
description: |-
SocketOptions defines configurable socket options for the listeners.
Single set of options are applied to all listeners.
properties:
tos:
description: |-
Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners.
Single value is applied to all listeners.
If listeners are bound to IPv6-only addresses, setting this option will cause an error.
format: int32
maximum: 255
minimum: 0
type: integer
trafficClass:
description: |-
Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners.
Single value is applied to all listeners.
If listeners are bound to IPv4-only addresses, setting this option will cause an error.
format: int32
maximum: 255
minimum: 0
type: integer
type: object
tls:
description: TLS holds various configurable Envoy TLS listener
values.
properties:
cipherSuites:
description: |-
CipherSuites defines the TLS ciphers to be supported by Envoy TLS
listeners when negotiating TLS 1.2. Ciphers are validated against the
set that Envoy supports by default. This parameter should only be used
by advanced users. Note that these will be ignored when TLS 1.3 is in
use.
This field is optional; when it is undefined, a Contour-managed ciphersuite list
will be used, which may be updated to keep it secure.
Contour's default list is:
- "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
- "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
- "ECDHE-ECDSA-AES256-GCM-SHA384"
- "ECDHE-RSA-AES256-GCM-SHA384"
Ciphers provided are validated against the following list:
- "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
- "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
- "ECDHE-ECDSA-AES128-GCM-SHA256"
- "ECDHE-RSA-AES128-GCM-SHA256"
- "ECDHE-ECDSA-AES128-SHA"
- "ECDHE-RSA-AES128-SHA"
- "AES128-GCM-SHA256"
- "AES128-SHA"
- "ECDHE-ECDSA-AES256-GCM-SHA384"
- "ECDHE-RSA-AES256-GCM-SHA384"
- "ECDHE-ECDSA-AES256-SHA"
- "ECDHE-RSA-AES256-SHA"
- "AES256-GCM-SHA384"
- "AES256-SHA"
Contour recommends leaving this undefined unless you are sure you must.
See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS.
items:
type: string
type: array
maximumProtocolVersion:
description: |-
MaximumProtocolVersion is the maximum TLS version this vhost should
negotiate.
Values: `1.2`, `1.3`(default).
Other values will produce an error.
type: string
minimumProtocolVersion:
description: |-
MinimumProtocolVersion is the minimum TLS version this vhost should
negotiate.
Values: `1.2` (default), `1.3`.
Other values will produce an error.
type: string
type: object
useProxyProtocol:
description: |-
Use PROXY protocol for all listeners.
Contour's default is false.
type: boolean
type: object
logging:
description: Logging defines how Envoy's logs can be configured.
properties:
accessLogFormat:
description: |-
AccessLogFormat sets the global access log format.
Values: `envoy` (default), `json`.
Other values will produce an error.
type: string
accessLogFormatString:
description: |-
AccessLogFormatString sets the access log format when format is set to `envoy`.
When empty, Envoy's default format is used.
type: string
accessLogJSONFields:
description: |-
AccessLogJSONFields sets the fields that JSON logging will
output when AccessLogFormat is json.
items:
type: string
type: array
accessLogLevel:
description: |-
AccessLogLevel sets the verbosity level of the access log.
Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`.
Other values will produce an error.
type: string
type: object
metrics:
description: |-
Metrics defines the endpoint Envoy uses to serve metrics.
Contour's default is { address: "0.0.0.0", port: 8002 }.
properties:
address:
description: Defines the metrics address interface.
maxLength: 253
minLength: 1
type: string
port:
description: Defines the metrics port.
type: integer
tls:
description: |-
TLS holds TLS file config details.
Metrics and health endpoints cannot have same port number when metrics is served over HTTPS.
properties:
caFile:
description: CA filename.
type: string
certFile:
description: Client certificate filename.
type: string
keyFile:
description: Client key filename.
type: string
type: object
type: object
network:
description: Network holds various configurable Envoy network
values.
properties:
adminPort:
description: |-
Configure the port used to access the Envoy Admin interface.
If configured to port "0" then the admin interface is disabled.
Contour's default is 9001.
type: integer
numTrustedHops:
description: |-
XffNumTrustedHops defines the number of additional ingress proxy hops from the
right side of the x-forwarded-for HTTP header to trust when determining the origin
client’s IP address.
See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops
for more information.
Contour's default is 0.
format: int32
type: integer
type: object
service:
description: |-
Service holds Envoy service parameters for setting Ingress status.
Contour's default is { namespace: "projectcontour", name: "envoy" }.
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
timeouts:
description: |-
Timeouts holds various configurable timeouts that can
be set in the config file.
properties:
connectTimeout:
description: |-
ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service.
If not set, a default value of 2 seconds will be used.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout
for more information.
type: string
connectionIdleTimeout:
description: |-
ConnectionIdleTimeout defines how long the proxy should wait while there are
no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating
an HTTP connection. Set to "infinity" to disable the timeout entirely.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout
for more information.
type: string
connectionShutdownGracePeriod:
description: |-
ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an
initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection.
During this grace period, the proxy will continue to respond to new streams. After the final
GOAWAY frame has been sent, the proxy will refuse new streams.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout
for more information.
type: string
delayedCloseTimeout:
description: |-
DelayedCloseTimeout defines how long envoy will wait, once connection
close processing has been initiated, for the downstream peer to close
the connection before Envoy closes the socket associated with the connection.
Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0'
in Envoy. Leaving it unset will result in the Envoy default value being used.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout
for more information.
type: string
maxConnectionDuration:
description: |-
MaxConnectionDuration defines the maximum period of time after an HTTP connection
has been established from the client to the proxy before it is closed by the proxy,
regardless of whether there has been activity or not. Omit or set to "infinity" for
no max duration.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration
for more information.
type: string
requestTimeout:
description: |-
RequestTimeout sets the client request timeout globally for Contour. Note that
this is a timeout for the entire request, not an idle timeout. Omit or set to
"infinity" to disable the timeout entirely.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout
for more information.
type: string
streamIdleTimeout:
description: |-
StreamIdleTimeout defines how long the proxy should wait while there is no
request activity (for HTTP/1.1) or stream activity (for HTTP/2) before
terminating the HTTP request or stream. Set to "infinity" to disable the
timeout entirely.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout
for more information.
type: string
type: object
type: object
featureFlags:
description: |-
FeatureFlags defines toggle to enable new contour features.
Available toggles are:
useEndpointSlices - configures contour to fetch endpoint data
from k8s endpoint slices. defaults to false and reading endpoint
data from the k8s endpoints.
items:
type: string
type: array
gateway:
description: |-
Gateway contains parameters for the gateway-api Gateway that Contour
is configured to serve traffic.
properties:
controllerName:
description: |-
ControllerName is used to determine whether Contour should reconcile a
GatewayClass. The string takes the form of "projectcontour.io/<namespace>/contour".
If unset, the gatewayclass controller will not be started.
Exactly one of ControllerName or GatewayRef must be set.
Deprecated: users should use GatewayRef, or the Gateway provisioner,
in place of this field. This field will be removed in a future release.
type: string
gatewayRef:
description: |-
GatewayRef defines a specific Gateway that this Contour
instance corresponds to. If set, Contour will reconcile
only this gateway, and will not reconcile any gateway
classes.
Exactly one of ControllerName or GatewayRef must be set.
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
type: object
globalExtAuth:
description: |-
GlobalExternalAuthorization allows envoys external authorization filter
to be enabled for all virtual hosts.
properties:
authPolicy:
description: |-
AuthPolicy sets a default authorization policy for client requests.
This policy will be used unless overridden by individual routes.
properties:
context:
additionalProperties:
type: string
description: |-
Context is a set of key/value pairs that are sent to the
authentication server in the check request. If a context
is provided at an enclosing scope, the entries are merged
such that the inner scope overrides matching keys from the
outer scope.
type: object
disabled:
description: |-
When true, this field disables client request authentication
for the scope of the policy.
type: boolean
type: object
extensionRef:
description: ExtensionServiceRef specifies the extension resource
that will authorize client requests.
properties:
apiVersion:
description: |-
API version of the referent.
If this field is not specified, the default "projectcontour.io/v1alpha1" will be used
minLength: 1
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
minLength: 1
type: string
namespace:
description: |-
Namespace of the referent.
If this field is not specifies, the namespace of the resource that targets the referent will be used.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
minLength: 1
type: string
type: object
failOpen:
description: |-
If FailOpen is true, the client request is forwarded to the upstream service
even if the authorization server fails to respond. This field should not be
set in most cases. It is intended for use only while migrating applications
from internal authorization to Contour external authorization.
type: boolean
responseTimeout:
description: |-
ResponseTimeout configures maximum time to wait for a check response from the authorization server.
Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
The string "infinity" is also a valid input and specifies no timeout.
pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
type: string
withRequestBody:
description: WithRequestBody specifies configuration for sending
the client request's body to authorization server.
properties:
allowPartialMessage:
description: If AllowPartialMessage is true, then Envoy will
buffer the body until MaxRequestBytes are reached.
type: boolean
maxRequestBytes:
default: 1024
description: MaxRequestBytes sets the maximum size of message
body ExtAuthz filter will hold in-memory.
format: int32
minimum: 1
type: integer
packAsBytes:
description: If PackAsBytes is true, the body sent to Authorization
Server is in raw bytes.
type: boolean
type: object
type: object
health:
description: |-
Health defines the endpoints Contour uses to serve health checks.
Contour's default is { address: "0.0.0.0", port: 8000 }.
properties:
address:
description: Defines the health address interface.
minLength: 1
type: string
port:
description: Defines the health port.
type: integer
type: object
httpproxy:
description: HTTPProxy defines parameters on HTTPProxy.
properties:
disablePermitInsecure:
description: |-
DisablePermitInsecure disables the use of the
permitInsecure field in HTTPProxy.
Contour's default is false.
type: boolean
fallbackCertificate:
description: |-
FallbackCertificate defines the namespace/name of the Kubernetes secret to
use as fallback when a non-SNI request is received.
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
rootNamespaces:
description: Restrict Contour to searching these namespaces for
root ingress routes.
items:
type: string
type: array
type: object
ingress:
description: Ingress contains parameters for ingress options.
properties:
classNames:
description: Ingress Class Names Contour should use.
items:
type: string
type: array
statusAddress:
description: Address to set in Ingress object status.
type: string
type: object
metrics:
description: |-
Metrics defines the endpoint Contour uses to serve metrics.
Contour's default is { address: "0.0.0.0", port: 8000 }.
properties:
address:
description: Defines the metrics address interface.
maxLength: 253
minLength: 1
type: string
port:
description: Defines the metrics port.
type: integer
tls:
description: |-
TLS holds TLS file config details.
Metrics and health endpoints cannot have same port number when metrics is served over HTTPS.
properties:
caFile:
description: CA filename.
type: string
certFile:
description: Client certificate filename.
type: string
keyFile:
description: Client key filename.
type: string
type: object
type: object
policy:
description: Policy specifies default policy applied if not overridden
by the user
properties:
applyToIngress:
description: |-
ApplyToIngress determines if the Policies will apply to ingress objects
Contour's default is false.
type: boolean
requestHeaders:
description: RequestHeadersPolicy defines the request headers
set/removed on all routes
properties:
remove:
items:
type: string
type: array
set:
additionalProperties:
type: string
type: object
type: object
responseHeaders:
description: ResponseHeadersPolicy defines the response headers
set/removed on all routes
properties:
remove:
items:
type: string
type: array
set:
additionalProperties:
type: string
type: object
type: object
type: object
rateLimitService:
description: |-
RateLimitService optionally holds properties of the Rate Limit Service
to be used for global rate limiting.
properties:
defaultGlobalRateLimitPolicy:
description: |-
DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy.
HTTPProxy can overwrite this configuration.
properties:
descriptors:
description: |-
Descriptors defines the list of descriptors that will
be generated and sent to the rate limit service. Each
descriptor contains 1+ key-value pair entries.
items:
description: RateLimitDescriptor defines a list of key-value
pair generators.
properties:
entries:
description: Entries is the list of key-value pair generators.
items:
description: |-
RateLimitDescriptorEntry is a key-value pair generator. Exactly
one field on this struct must be non-nil.
properties:
genericKey:
description: GenericKey defines a descriptor entry
with a static key and value.
properties:
key:
description: |-
Key defines the key of the descriptor entry. If not set, the
key is set to "generic_key".
type: string
value:
description: Value defines the value of the
descriptor entry.
minLength: 1
type: string
type: object
remoteAddress:
description: |-
RemoteAddress defines a descriptor entry with a key of "remote_address"
and a value equal to the client's IP address (from x-forwarded-for).
type: object
requestHeader:
description: |-
RequestHeader defines a descriptor entry that's populated only if
a given header is present on the request. The descriptor key is static,
and the descriptor value is equal to the value of the header.
properties:
descriptorKey:
description: DescriptorKey defines the key
to use on the descriptor entry.
minLength: 1
type: string
headerName:
description: HeaderName defines the name of
the header to look for on the request.
minLength: 1
type: string
type: object
requestHeaderValueMatch:
description: |-
RequestHeaderValueMatch defines a descriptor entry that's populated
if the request's headers match a set of 1+ match criteria. The
descriptor key is "header_match", and the descriptor value is static.
properties:
expectMatch:
default: true
description: |-
ExpectMatch defines whether the request must positively match the match
criteria in order to generate a descriptor entry (i.e. true), or not
match the match criteria in order to generate a descriptor entry (i.e. false).
The default is true.
type: boolean
headers:
description: |-
Headers is a list of 1+ match criteria to apply against the request
to determine whether to populate the descriptor entry or not.
items:
description: |-
HeaderMatchCondition specifies how to conditionally match against HTTP
headers. The Name field is required, only one of Present, NotPresent,
Contains, NotContains, Exact, NotExact and Regex can be set.
For negative matching rules only (e.g. NotContains or NotExact) you can set
TreatMissingAsEmpty.
IgnoreCase has no effect for Regex.
properties:
contains:
description: |-
Contains specifies a substring that must be present in
the header value.
type: string
exact:
description: Exact specifies a string
that the header value must be equal
to.
type: string
ignoreCase:
description: |-
IgnoreCase specifies that string matching should be case insensitive.
Note that this has no effect on the Regex parameter.
type: boolean
name:
description: |-
Name is the name of the header to match against. Name is required.
Header names are case insensitive.
type: string
notcontains:
description: |-
NotContains specifies a substring that must not be present
in the header value.
type: string
notexact:
description: |-
NoExact specifies a string that the header value must not be
equal to. The condition is true if the header has any other value.
type: string
notpresent:
description: |-
NotPresent specifies that condition is true when the named header
is not present. Note that setting NotPresent to false does not
make the condition true if the named header is present.
type: boolean
present:
description: |-
Present specifies that condition is true when the named header
is present, regardless of its value. Note that setting Present
to false does not make the condition true if the named header
is absent.
type: boolean
regex:
description: |-
Regex specifies a regular expression pattern that must match the header
value.
type: string
treatMissingAsEmpty:
description: |-
TreatMissingAsEmpty specifies if the header match rule specified header
does not exist, this header value will be treated as empty. Defaults to false.
Unlike the underlying Envoy implementation this is **only** supported for
negative matches (e.g. NotContains, NotExact).
type: boolean
required:
- name
type: object
minItems: 1
type: array
value:
description: Value defines the value of the
descriptor entry.
minLength: 1
type: string
type: object
type: object
minItems: 1
type: array
type: object
minItems: 1
type: array
disabled:
description: |-
Disabled configures the HTTPProxy to not use
the default global rate limit policy defined by the Contour configuration.
type: boolean
type: object
domain:
description: Domain is passed to the Rate Limit Service.
type: string
enableResourceExhaustedCode:
description: |-
EnableResourceExhaustedCode enables translating error code 429 to
grpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE
type: boolean
enableXRateLimitHeaders:
description: |-
EnableXRateLimitHeaders defines whether to include the X-RateLimit
headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset
(as defined by the IETF Internet-Draft linked below), on responses
to clients when the Rate Limit Service is consulted for a request.
ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html
type: boolean
extensionService:
description: ExtensionService identifies the extension service
defining the RLS.
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
failOpen:
description: |-
FailOpen defines whether to allow requests to proceed when the
Rate Limit Service fails to respond with a valid rate limit
decision within the timeout defined on the extension service.
type: boolean
required:
- extensionService
type: object
tracing:
description: Tracing defines properties for exporting trace data to
OpenTelemetry.
properties:
customTags:
description: CustomTags defines a list of custom tags with unique
tag name.
items:
description: |-
CustomTag defines custom tags with unique tag name
to create tags for the active span.
properties:
literal:
description: |-
Literal is a static custom tag value.
Precisely one of Literal, RequestHeaderName must be set.
type: string
requestHeaderName:
description: |-
RequestHeaderName indicates which request header
the label value is obtained from.
Precisely one of Literal, RequestHeaderName must be set.
type: string
tagName:
description: TagName is the unique name of the custom tag.
type: string
required:
- tagName
type: object
type: array
extensionService:
description: ExtensionService identifies the extension service
defining the otel-collector.
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
includePodDetail:
description: |-
IncludePodDetail defines a flag.
If it is true, contour will add the pod name and namespace to the span of the trace.
the default is true.
Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly.
type: boolean
maxPathTagLength:
description: |-
MaxPathTagLength defines maximum length of the request path
to extract and include in the HttpUrl tag.
contour's default is 256.
format: int32
type: integer
overallSampling:
description: |-
OverallSampling defines the sampling rate of trace data.
contour's default is 100.
type: string
serviceName:
description: |-
ServiceName defines the name for the service.
contour's default is contour.
type: string
required:
- extensionService
type: object
xdsServer:
description: XDSServer contains parameters for the xDS server.
properties:
address:
description: |-
Defines the xDS gRPC API address which Contour will serve.
Contour's default is "0.0.0.0".
minLength: 1
type: string
port:
description: |-
Defines the xDS gRPC API port which Contour will serve.
Contour's default is 8001.
type: integer
tls:
description: |-
TLS holds TLS file config details.
Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }.
properties:
caFile:
description: CA filename.
type: string
certFile:
description: Client certificate filename.
type: string
insecure:
description: Allow serving the xDS gRPC API without TLS.
type: boolean
keyFile:
description: Client key filename.
type: string
type: object
type:
description: |-
Defines the XDSServer to use for `contour serve`.
Values: `contour` (default), `envoy`.
Other values will produce an error.
type: string
type: object
type: object
status:
description: ContourConfigurationStatus defines the observed state of
a ContourConfiguration resource.
properties:
conditions:
description: |-
Conditions contains the current status of the Contour resource.
Contour will update a single condition, `Valid`, that is in normal-true polarity.
Contour will not modify any other Conditions set in this block,
in case some other controller wants to add a Condition.
items:
description: |-
DetailedCondition is an extension of the normal Kubernetes conditions, with two extra
fields to hold sub-conditions, which provide more detailed reasons for the state (True or False)
of the condition.
`errors` holds information about sub-conditions which are fatal to that condition and render its state False.
`warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False.
Remember that Conditions have a type, a status, and a reason.
The type is the type of the condition, the most important one in this CRD set is `Valid`.
`Valid` is a positive-polarity condition: when it is `status: true` there are no problems.
In more detail, `status: true` means that the object is has been ingested into Contour with no errors.
`warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors`
slice in this case.
`Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour.
The details of the errors will be present under the `errors` field. There must be at least one error in the `errors`
slice if `status` is `false`.
For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity.
When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice.
When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice.
In either case, there may be entries in the `warnings` slice.
Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason
(if there is one and only one entry in total across both the `errors` and `warnings` slices), or
`MultipleReasons` if there is more than one entry.
properties:
errors:
description: |-
Errors contains a slice of relevant error subconditions for this object.
Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant.
An empty slice here indicates no errors.
items:
description: |-
SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
It contains a subset of the Condition fields.
It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
that is, they should be of the form "ErrorPresent: true".
The expected lifecycle for these errors is that they should only be present when the error or warning is,
and should be removed when they are not relevant.
properties:
message:
description: |-
Message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
reason:
description: |-
Reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: Status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- message
- reason
- status
- type
type: object
type: array
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
warnings:
description: |-
Warnings contains a slice of relevant warning subconditions for this object.
Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant.
An empty slice here indicates no warnings.
items:
description: |-
SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
It contains a subset of the Condition fields.
It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
that is, they should be of the form "ErrorPresent: true".
The expected lifecycle for these errors is that they should only be present when the error or warning is,
and should be removed when they are not relevant.
properties:
message:
description: |-
Message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
reason:
description: |-
Reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: Status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- message
- reason
- status
- type
type: object
type: array
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: contourdeployments.projectcontour.io
spec:
preserveUnknownFields: false
group: projectcontour.io
names:
kind: ContourDeployment
listKind: ContourDeploymentList
plural: contourdeployments
shortNames:
- contourdeploy
singular: contourdeployment
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: ContourDeployment is the schema for a Contour Deployment.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: |-
ContourDeploymentSpec specifies options for how a Contour
instance should be provisioned.
properties:
contour:
description: |-
Contour specifies deployment-time settings for the Contour
part of the installation, i.e. the xDS server/control plane
and associated resources, including things like replica count
for the Deployment, and node placement constraints for the pods.
properties:
deployment:
description: Deployment describes the settings for running contour
as a `Deployment`.
properties:
replicas:
description: Replicas is the desired number of replicas.
format: int32
minimum: 0
type: integer
strategy:
description: Strategy describes the deployment strategy to
use to replace existing pods with new pods.
properties:
rollingUpdate:
description: |-
Rolling update config params. Present only if DeploymentStrategyType =
RollingUpdate.
---
TODO: Update this to follow our convention for oneOf, whatever we decide it
to be.
properties:
maxSurge:
anyOf:
- type: integer
- type: string
description: |-
The maximum number of pods that can be scheduled above the desired number of
pods.
Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
This can not be 0 if MaxUnavailable is 0.
Absolute number is calculated from percentage by rounding up.
Defaults to 25%.
Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
the rolling update starts, such that the total number of old and new pods do not exceed
130% of desired pods. Once old pods have been killed,
new ReplicaSet can be scaled up further, ensuring that total number of pods running
at any time during the update is at most 130% of desired pods.
x-kubernetes-int-or-string: true
maxUnavailable:
anyOf:
- type: integer
- type: string
description: |-
The maximum number of pods that can be unavailable during the update.
Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
Absolute number is calculated from percentage by rounding down.
This can not be 0 if MaxSurge is 0.
Defaults to 25%.
Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
that the total number of pods available at all times during the update is at
least 70% of desired pods.
x-kubernetes-int-or-string: true
type: object
type:
description: Type of deployment. Can be "Recreate" or
"RollingUpdate". Default is RollingUpdate.
type: string
type: object
type: object
disabledFeatures:
description: |-
DisabledFeatures defines an array of resources that will be ignored by
contour reconciler.
items:
enum:
- grpcroutes
- tlsroutes
- extensionservices
- backendtlspolicies
type: string
maxItems: 42
minItems: 1
type: array
kubernetesLogLevel:
description: |-
KubernetesLogLevel Enable Kubernetes client debug logging with log level. If unset,
defaults to 0.
maximum: 9
minimum: 0
type: integer
logLevel:
description: |-
LogLevel sets the log level for Contour
Allowed values are "info", "debug".
type: string
nodePlacement:
description: NodePlacement describes node scheduling configuration
of Contour pods.
properties:
nodeSelector:
additionalProperties:
type: string
description: |-
NodeSelector is the simplest recommended form of node selection constraint
and specifies a map of key-value pairs. For the pod to be eligible
to run on a node, the node must have each of the indicated key-value pairs
as labels (it can have additional labels as well).
If unset, the pod(s) will be scheduled to any available node.
type: object
tolerations:
description: |-
Tolerations work with taints to ensure that pods are not scheduled
onto inappropriate nodes. One or more taints are applied to a node; this
marks that the node should not accept any pods that do not tolerate the
taints.
The default is an empty list.
See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
for additional details.
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
type: object
podAnnotations:
additionalProperties:
type: string
description: |-
PodAnnotations defines annotations to add to the Contour pods.
the annotations for Prometheus will be appended or overwritten with predefined value.
type: object
replicas:
description: |-
Deprecated: Use `DeploymentSettings.Replicas` instead.
Replicas is the desired number of Contour replicas. If if unset,
defaults to 2.
if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`.
format: int32
minimum: 0
type: integer
resources:
description: |-
Compute Resources required by contour container.
Cannot be updated.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
properties:
claims:
description: |-
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
This is an alpha field and requires enabling the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
items:
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
properties:
name:
description: |-
Name must match the name of one entry in pod.spec.resourceClaims of
the Pod where this field is used. It makes that resource available
inside a container.
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
limits:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: |-
Limits describes the maximum amount of compute resources allowed.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
requests:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: |-
Requests describes the minimum amount of compute resources required.
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
otherwise to an implementation-defined value. Requests cannot exceed Limits.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
type: object
watchNamespaces:
description: |-
WatchNamespaces is an array of namespaces. Setting it will instruct the contour instance
to only watch this subset of namespaces.
items:
description: |-
Namespace refers to a Kubernetes namespace. It must be a RFC 1123 label.
This validation is based off of the corresponding Kubernetes validation:
https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/util/validation/validation.go#L187
This is used for Namespace name validation here:
https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/api/validation/generic.go#L63
Valid values include:
* "example"
Invalid values include:
* "example.com" - "." is an invalid character
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
maxItems: 42
minItems: 1
type: array
type: object
envoy:
description: |-
Envoy specifies deployment-time settings for the Envoy
part of the installation, i.e. the xDS client/data plane
and associated resources, including things like the workload
type to use (DaemonSet or Deployment), node placement constraints
for the pods, and various options for the Envoy service.
properties:
baseID:
description: |-
The base ID to use when allocating shared memory regions.
if Envoy needs to be run multiple times on the same machine, each running Envoy will need a unique base ID
so that the shared memory regions do not conflict.
defaults to 0.
format: int32
minimum: 0
type: integer
daemonSet:
description: |-
DaemonSet describes the settings for running envoy as a `DaemonSet`.
if `WorkloadType` is `Deployment`,it's must be nil
properties:
updateStrategy:
description: Strategy describes the deployment strategy to
use to replace existing DaemonSet pods with new pods.
properties:
rollingUpdate:
description: |-
Rolling update config params. Present only if type = "RollingUpdate".
---
TODO: Update this to follow our convention for oneOf, whatever we decide it
to be. Same as Deployment `strategy.rollingUpdate`.
See https://github.com/kubernetes/kubernetes/issues/35345
properties:
maxSurge:
anyOf:
- type: integer
- type: string
description: |-
The maximum number of nodes with an existing available DaemonSet pod that
can have an updated DaemonSet pod during during an update.
Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
This can not be 0 if MaxUnavailable is 0.
Absolute number is calculated from percentage by rounding up to a minimum of 1.
Default value is 0.
Example: when this is set to 30%, at most 30% of the total number of nodes
that should be running the daemon pod (i.e. status.desiredNumberScheduled)
can have their a new pod created before the old pod is marked as deleted.
The update starts by launching new pods on 30% of nodes. Once an updated
pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
on that node is marked deleted. If the old pod becomes unavailable for any
reason (Ready transitions to false, is evicted, or is drained) an updated
pod is immediatedly created on that node without considering surge limits.
Allowing surge implies the possibility that the resources consumed by the
daemonset on any given node can double if the readiness check fails, and
so resource intensive daemonsets should take into account that they may
cause evictions during disruption.
x-kubernetes-int-or-string: true
maxUnavailable:
anyOf:
- type: integer
- type: string
description: |-
The maximum number of DaemonSet pods that can be unavailable during the
update. Value can be an absolute number (ex: 5) or a percentage of total
number of DaemonSet pods at the start of the update (ex: 10%). Absolute
number is calculated from percentage by rounding up.
This cannot be 0 if MaxSurge is 0
Default value is 1.
Example: when this is set to 30%, at most 30% of the total number of nodes
that should be running the daemon pod (i.e. status.desiredNumberScheduled)
can have their pods stopped for an update at any given time. The update
starts by stopping at most 30% of those DaemonSet pods and then brings
up new DaemonSet pods in their place. Once the new pods are available,
it then proceeds onto other DaemonSet pods, thus ensuring that at least
70% of original number of DaemonSet pods are available at all times during
the update.
x-kubernetes-int-or-string: true
type: object
type:
description: Type of daemon set update. Can be "RollingUpdate"
or "OnDelete". Default is RollingUpdate.
type: string
type: object
type: object
deployment:
description: |-
Deployment describes the settings for running envoy as a `Deployment`.
if `WorkloadType` is `DaemonSet`,it's must be nil
properties:
replicas:
description: Replicas is the desired number of replicas.
format: int32
minimum: 0
type: integer
strategy:
description: Strategy describes the deployment strategy to
use to replace existing pods with new pods.
properties:
rollingUpdate:
description: |-
Rolling update config params. Present only if DeploymentStrategyType =
RollingUpdate.
---
TODO: Update this to follow our convention for oneOf, whatever we decide it
to be.
properties:
maxSurge:
anyOf:
- type: integer
- type: string
description: |-
The maximum number of pods that can be scheduled above the desired number of
pods.
Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
This can not be 0 if MaxUnavailable is 0.
Absolute number is calculated from percentage by rounding up.
Defaults to 25%.
Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
the rolling update starts, such that the total number of old and new pods do not exceed
130% of desired pods. Once old pods have been killed,
new ReplicaSet can be scaled up further, ensuring that total number of pods running
at any time during the update is at most 130% of desired pods.
x-kubernetes-int-or-string: true
maxUnavailable:
anyOf:
- type: integer
- type: string
description: |-
The maximum number of pods that can be unavailable during the update.
Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
Absolute number is calculated from percentage by rounding down.
This can not be 0 if MaxSurge is 0.
Defaults to 25%.
Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
that the total number of pods available at all times during the update is at
least 70% of desired pods.
x-kubernetes-int-or-string: true
type: object
type:
description: Type of deployment. Can be "Recreate" or
"RollingUpdate". Default is RollingUpdate.
type: string
type: object
type: object
extraVolumeMounts:
description: ExtraVolumeMounts holds the extra volume mounts to
add (normally used with extraVolumes).
items:
description: VolumeMount describes a mounting of a Volume within
a container.
properties:
mountPath:
description: |-
Path within the container at which the volume should be mounted. Must
not contain ':'.
type: string
mountPropagation:
description: |-
mountPropagation determines how mounts are propagated from the host
to container and the other way around.
When not set, MountPropagationNone is used.
This field is beta in 1.10.
type: string
name:
description: This must match the Name of a Volume.
type: string
readOnly:
description: |-
Mounted read-only if true, read-write otherwise (false or unspecified).
Defaults to false.
type: boolean
subPath:
description: |-
Path within the volume from which the container's volume should be mounted.
Defaults to "" (volume's root).
type: string
subPathExpr:
description: |-
Expanded path within the volume from which the container's volume should be mounted.
Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
Defaults to "" (volume's root).
SubPathExpr and SubPath are mutually exclusive.
type: string
required:
- mountPath
- name
type: object
type: array
extraVolumes:
description: ExtraVolumes holds the extra volumes to add.
items:
description: Volume represents a named volume in a pod that
may be accessed by any container in the pod.
properties:
awsElasticBlockStore:
description: |-
awsElasticBlockStore represents an AWS Disk resource that is attached to a
kubelet's host machine and then exposed to the pod.
More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
properties:
fsType:
description: |-
fsType is the filesystem type of the volume that you want to mount.
Tip: Ensure that the filesystem type is supported by the host operating system.
Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
TODO: how do we prevent errors in the filesystem from compromising the machine
type: string
partition:
description: |-
partition is the partition in the volume that you want to mount.
If omitted, the default is to mount by volume name.
Examples: For volume /dev/sda1, you specify the partition as "1".
Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
format: int32
type: integer
readOnly:
description: |-
readOnly value true will force the readOnly setting in VolumeMounts.
More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
type: boolean
volumeID:
description: |-
volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume).
More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
type: string
required:
- volumeID
type: object
azureDisk:
description: azureDisk represents an Azure Data Disk mount
on the host and bind mount to the pod.
properties:
cachingMode:
description: 'cachingMode is the Host Caching mode:
None, Read Only, Read Write.'
type: string
diskName:
description: diskName is the Name of the data disk in
the blob storage
type: string
diskURI:
description: diskURI is the URI of data disk in the
blob storage
type: string
fsType:
description: |-
fsType is Filesystem type to mount.
Must be a filesystem type supported by the host operating system.
Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
type: string
kind:
description: 'kind expected values are Shared: multiple
blob disks per storage account Dedicated: single
blob disk per storage account Managed: azure managed
data disk (only in managed availability set). defaults
to shared'
type: string
readOnly:
description: |-
readOnly Defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
required:
- diskName
- diskURI
type: object
azureFile:
description: azureFile represents an Azure File Service
mount on the host and bind mount to the pod.
properties:
readOnly:
description: |-
readOnly defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
secretName:
description: secretName is the name of secret that
contains Azure Storage Account Name and Key
type: string
shareName:
description: shareName is the azure share Name
type: string
required:
- secretName
- shareName
type: object
cephfs:
description: cephFS represents a Ceph FS mount on the host
that shares a pod's lifetime
properties:
monitors:
description: |-
monitors is Required: Monitors is a collection of Ceph monitors
More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
items:
type: string
type: array
path:
description: 'path is Optional: Used as the mounted
root, rather than the full Ceph tree, default is /'
type: string
readOnly:
description: |-
readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
type: boolean
secretFile:
description: |-
secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
type: string
secretRef:
description: |-
secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty.
More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
user:
description: |-
user is optional: User is the rados user name, default is admin
More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
type: string
required:
- monitors
type: object
cinder:
description: |-
cinder represents a cinder volume attached and mounted on kubelets host machine.
More info: https://examples.k8s.io/mysql-cinder-pd/README.md
properties:
fsType:
description: |-
fsType is the filesystem type to mount.
Must be a filesystem type supported by the host operating system.
Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
More info: https://examples.k8s.io/mysql-cinder-pd/README.md
type: string
readOnly:
description: |-
readOnly defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
More info: https://examples.k8s.io/mysql-cinder-pd/README.md
type: boolean
secretRef:
description: |-
secretRef is optional: points to a secret object containing parameters used to connect
to OpenStack.
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
volumeID:
description: |-
volumeID used to identify the volume in cinder.
More info: https://examples.k8s.io/mysql-cinder-pd/README.md
type: string
required:
- volumeID
type: object
configMap:
description: configMap represents a configMap that should
populate this volume
properties:
defaultMode:
description: |-
defaultMode is optional: mode bits used to set permissions on created files by default.
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
Defaults to 0644.
Directories within the path are not affected by this setting.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
items:
description: |-
items if unspecified, each key-value pair in the Data field of the referenced
ConfigMap will be projected into the volume as a file whose name is the
key and content is the value. If specified, the listed keys will be
projected into the specified paths, and unlisted keys will not be
present. If a key is specified which is not present in the ConfigMap,
the volume setup will error unless it is marked optional. Paths must be
relative and may not contain the '..' path or start with '..'.
items:
description: Maps a string key to a path within a
volume.
properties:
key:
description: key is the key to project.
type: string
mode:
description: |-
mode is Optional: mode bits used to set permissions on this file.
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
If not specified, the volume defaultMode will be used.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
description: |-
path is the relative path of the file to map the key to.
May not be an absolute path.
May not contain the path element '..'.
May not start with the string '..'.
type: string
required:
- key
- path
type: object
type: array
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: optional specify whether the ConfigMap
or its keys must be defined
type: boolean
type: object
x-kubernetes-map-type: atomic
csi:
description: csi (Container Storage Interface) represents
ephemeral storage that is handled by certain external
CSI drivers (Beta feature).
properties:
driver:
description: |-
driver is the name of the CSI driver that handles this volume.
Consult with your admin for the correct name as registered in the cluster.
type: string
fsType:
description: |-
fsType to mount. Ex. "ext4", "xfs", "ntfs".
If not provided, the empty value is passed to the associated CSI driver
which will determine the default filesystem to apply.
type: string
nodePublishSecretRef:
description: |-
nodePublishSecretRef is a reference to the secret object containing
sensitive information to pass to the CSI driver to complete the CSI
NodePublishVolume and NodeUnpublishVolume calls.
This field is optional, and may be empty if no secret is required. If the
secret object contains more than one secret, all secret references are passed.
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
readOnly:
description: |-
readOnly specifies a read-only configuration for the volume.
Defaults to false (read/write).
type: boolean
volumeAttributes:
additionalProperties:
type: string
description: |-
volumeAttributes stores driver-specific properties that are passed to the CSI
driver. Consult your driver's documentation for supported values.
type: object
required:
- driver
type: object
downwardAPI:
description: downwardAPI represents downward API about the
pod that should populate this volume
properties:
defaultMode:
description: |-
Optional: mode bits to use on created files by default. Must be a
Optional: mode bits used to set permissions on created files by default.
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
Defaults to 0644.
Directories within the path are not affected by this setting.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
items:
description: Items is a list of downward API volume
file
items:
description: DownwardAPIVolumeFile represents information
to create the file containing the pod field
properties:
fieldRef:
description: 'Required: Selects a field of the
pod: only annotations, labels, name and namespace
are supported.'
properties:
apiVersion:
description: Version of the schema the FieldPath
is written in terms of, defaults to "v1".
type: string
fieldPath:
description: Path of the field to select in
the specified API version.
type: string
required:
- fieldPath
type: object
x-kubernetes-map-type: atomic
mode:
description: |-
Optional: mode bits used to set permissions on this file, must be an octal value
between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
If not specified, the volume defaultMode will be used.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
description: 'Required: Path is the relative
path name of the file to be created. Must not
be absolute or contain the ''..'' path. Must
be utf-8 encoded. The first item of the relative
path must not start with ''..'''
type: string
resourceFieldRef:
description: |-
Selects a resource of the container: only resources limits and requests
(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
properties:
containerName:
description: 'Container name: required for
volumes, optional for env vars'
type: string
divisor:
anyOf:
- type: integer
- type: string
description: Specifies the output format of
the exposed resources, defaults to "1"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
resource:
description: 'Required: resource to select'
type: string
required:
- resource
type: object
x-kubernetes-map-type: atomic
required:
- path
type: object
type: array
type: object
emptyDir:
description: |-
emptyDir represents a temporary directory that shares a pod's lifetime.
More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
properties:
medium:
description: |-
medium represents what type of storage medium should back this directory.
The default is "" which means to use the node's default medium.
Must be an empty string (default) or Memory.
More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
type: string
sizeLimit:
anyOf:
- type: integer
- type: string
description: |-
sizeLimit is the total amount of local storage required for this EmptyDir volume.
The size limit is also applicable for memory medium.
The maximum usage on memory medium EmptyDir would be the minimum value between
the SizeLimit specified here and the sum of memory limits of all containers in a pod.
The default is nil which means that the limit is undefined.
More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
ephemeral:
description: |-
ephemeral represents a volume that is handled by a cluster storage driver.
The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
and deleted when the pod is removed.
Use this if:
a) the volume is only needed while the pod runs,
b) features of normal volumes like restoring from snapshot or capacity
tracking are needed,
c) the storage driver is specified through a storage class, and
d) the storage driver supports dynamic volume provisioning through
a PersistentVolumeClaim (see EphemeralVolumeSource for more
information on the connection between this volume type
and PersistentVolumeClaim).
Use PersistentVolumeClaim or one of the vendor-specific
APIs for volumes that persist for longer than the lifecycle
of an individual pod.
Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
be used that way - see the documentation of the driver for
more information.
A pod can use both types of ephemeral volumes and
persistent volumes at the same time.
properties:
volumeClaimTemplate:
description: |-
Will be used to create a stand-alone PVC to provision the volume.
The pod in which this EphemeralVolumeSource is embedded will be the
owner of the PVC, i.e. the PVC will be deleted together with the
pod. The name of the PVC will be `<pod name>-<volume name>` where
`<volume name>` is the name from the `PodSpec.Volumes` array
entry. Pod validation will reject the pod if the concatenated name
is not valid for a PVC (for example, too long).
An existing PVC with that name that is not owned by the pod
will *not* be used for the pod to avoid using an unrelated
volume by mistake. Starting the pod is then blocked until
the unrelated PVC is removed. If such a pre-created PVC is
meant to be used by the pod, the PVC has to updated with an
owner reference to the pod once the pod exists. Normally
this should not be necessary, but it may be useful when
manually reconstructing a broken cluster.
This field is read-only and no changes will be made by Kubernetes
to the PVC after it has been created.
Required, must not be nil.
properties:
metadata:
description: |-
May contain labels and annotations that will be copied into the PVC
when creating it. No other fields are allowed and will be rejected during
validation.
type: object
spec:
description: |-
The specification for the PersistentVolumeClaim. The entire content is
copied unchanged into the PVC that gets created from this
template. The same fields as in a PersistentVolumeClaim
are also valid here.
properties:
accessModes:
description: |-
accessModes contains the desired access modes the volume should have.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
items:
type: string
type: array
dataSource:
description: |-
dataSource field can be used to specify either:
* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
* An existing PVC (PersistentVolumeClaim)
If the provisioner or an external controller can support the specified data source,
it will create a new volume based on the contents of the specified data source.
When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,
and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.
If the namespace is specified, then dataSourceRef will not be copied to dataSource.
properties:
apiGroup:
description: |-
APIGroup is the group for the resource being referenced.
If APIGroup is not specified, the specified Kind must be in the core API group.
For any other third-party types, APIGroup is required.
type: string
kind:
description: Kind is the type of resource
being referenced
type: string
name:
description: Name is the name of resource
being referenced
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
dataSourceRef:
description: |-
dataSourceRef specifies the object from which to populate the volume with data, if a non-empty
volume is desired. This may be any object from a non-empty API group (non
core object) or a PersistentVolumeClaim object.
When this field is specified, volume binding will only succeed if the type of
the specified object matches some installed volume populator or dynamic
provisioner.
This field will replace the functionality of the dataSource field and as such
if both fields are non-empty, they must have the same value. For backwards
compatibility, when namespace isn't specified in dataSourceRef,
both fields (dataSource and dataSourceRef) will be set to the same
value automatically if one of them is empty and the other is non-empty.
When namespace is specified in dataSourceRef,
dataSource isn't set to the same value and must be empty.
There are three important differences between dataSource and dataSourceRef:
* While dataSource only allows two specific types of objects, dataSourceRef
allows any non-core object, as well as PersistentVolumeClaim objects.
* While dataSource ignores disallowed values (dropping them), dataSourceRef
preserves all values, and generates an error if a disallowed value is
specified.
* While dataSource only allows local objects, dataSourceRef allows objects
in any namespaces.
(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.
(Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
properties:
apiGroup:
description: |-
APIGroup is the group for the resource being referenced.
If APIGroup is not specified, the specified Kind must be in the core API group.
For any other third-party types, APIGroup is required.
type: string
kind:
description: Kind is the type of resource
being referenced
type: string
name:
description: Name is the name of resource
being referenced
type: string
namespace:
description: |-
Namespace is the namespace of resource being referenced
Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.
(Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
type: string
required:
- kind
- name
type: object
resources:
description: |-
resources represents the minimum resources the volume should have.
If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
that are lower than previous value but must still be higher than capacity recorded in the
status field of the claim.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
properties:
limits:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: |-
Limits describes the maximum amount of compute resources allowed.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
requests:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: |-
Requests describes the minimum amount of compute resources required.
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
otherwise to an implementation-defined value. Requests cannot exceed Limits.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
type: object
selector:
description: selector is a label query over
volumes to consider for binding.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
storageClassName:
description: |-
storageClassName is the name of the StorageClass required by the claim.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
type: string
volumeAttributesClassName:
description: |-
volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
If specified, the CSI driver will create or update the volume with the attributes defined
in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
will be set by the persistentvolume controller if it exists.
If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
exists.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass
(Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled.
type: string
volumeMode:
description: |-
volumeMode defines what type of volume is required by the claim.
Value of Filesystem is implied when not included in claim spec.
type: string
volumeName:
description: volumeName is the binding reference
to the PersistentVolume backing this claim.
type: string
type: object
required:
- spec
type: object
type: object
fc:
description: fc represents a Fibre Channel resource that
is attached to a kubelet's host machine and then exposed
to the pod.
properties:
fsType:
description: |-
fsType is the filesystem type to mount.
Must be a filesystem type supported by the host operating system.
Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
TODO: how do we prevent errors in the filesystem from compromising the machine
type: string
lun:
description: 'lun is Optional: FC target lun number'
format: int32
type: integer
readOnly:
description: |-
readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
targetWWNs:
description: 'targetWWNs is Optional: FC target worldwide
names (WWNs)'
items:
type: string
type: array
wwids:
description: |-
wwids Optional: FC volume world wide identifiers (wwids)
Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.
items:
type: string
type: array
type: object
flexVolume:
description: |-
flexVolume represents a generic volume resource that is
provisioned/attached using an exec based plugin.
properties:
driver:
description: driver is the name of the driver to use
for this volume.
type: string
fsType:
description: |-
fsType is the filesystem type to mount.
Must be a filesystem type supported by the host operating system.
Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
type: string
options:
additionalProperties:
type: string
description: 'options is Optional: this field holds
extra command options if any.'
type: object
readOnly:
description: |-
readOnly is Optional: defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
secretRef:
description: |-
secretRef is Optional: secretRef is reference to the secret object containing
sensitive information to pass to the plugin scripts. This may be
empty if no secret object is specified. If the secret object
contains more than one secret, all secrets are passed to the plugin
scripts.
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
required:
- driver
type: object
flocker:
description: flocker represents a Flocker volume attached
to a kubelet's host machine. This depends on the Flocker
control service being running
properties:
datasetName:
description: |-
datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker
should be considered as deprecated
type: string
datasetUUID:
description: datasetUUID is the UUID of the dataset.
This is unique identifier of a Flocker dataset
type: string
type: object
gcePersistentDisk:
description: |-
gcePersistentDisk represents a GCE Disk resource that is attached to a
kubelet's host machine and then exposed to the pod.
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
properties:
fsType:
description: |-
fsType is filesystem type of the volume that you want to mount.
Tip: Ensure that the filesystem type is supported by the host operating system.
Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
TODO: how do we prevent errors in the filesystem from compromising the machine
type: string
partition:
description: |-
partition is the partition in the volume that you want to mount.
If omitted, the default is to mount by volume name.
Examples: For volume /dev/sda1, you specify the partition as "1".
Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
format: int32
type: integer
pdName:
description: |-
pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE.
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
type: string
readOnly:
description: |-
readOnly here will force the ReadOnly setting in VolumeMounts.
Defaults to false.
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
type: boolean
required:
- pdName
type: object
gitRepo:
description: |-
gitRepo represents a git repository at a particular revision.
DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
into the Pod's container.
properties:
directory:
description: |-
directory is the target directory name.
Must not contain or start with '..'. If '.' is supplied, the volume directory will be the
git repository. Otherwise, if specified, the volume will contain the git repository in
the subdirectory with the given name.
type: string
repository:
description: repository is the URL
type: string
revision:
description: revision is the commit hash for the specified
revision.
type: string
required:
- repository
type: object
glusterfs:
description: |-
glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
More info: https://examples.k8s.io/volumes/glusterfs/README.md
properties:
endpoints:
description: |-
endpoints is the endpoint name that details Glusterfs topology.
More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
type: string
path:
description: |-
path is the Glusterfs volume path.
More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
type: string
readOnly:
description: |-
readOnly here will force the Glusterfs volume to be mounted with read-only permissions.
Defaults to false.
More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
type: boolean
required:
- endpoints
- path
type: object
hostPath:
description: |-
hostPath represents a pre-existing file or directory on the host
machine that is directly exposed to the container. This is generally
used for system agents or other privileged things that are allowed
to see the host machine. Most containers will NOT need this.
More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
---
TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
mount host directories as read/write.
properties:
path:
description: |-
path of the directory on the host.
If the path is a symlink, it will follow the link to the real path.
More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
type: string
type:
description: |-
type for HostPath Volume
Defaults to ""
More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
type: string
required:
- path
type: object
iscsi:
description: |-
iscsi represents an ISCSI Disk resource that is attached to a
kubelet's host machine and then exposed to the pod.
More info: https://examples.k8s.io/volumes/iscsi/README.md
properties:
chapAuthDiscovery:
description: chapAuthDiscovery defines whether support
iSCSI Discovery CHAP authentication
type: boolean
chapAuthSession:
description: chapAuthSession defines whether support
iSCSI Session CHAP authentication
type: boolean
fsType:
description: |-
fsType is the filesystem type of the volume that you want to mount.
Tip: Ensure that the filesystem type is supported by the host operating system.
Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
TODO: how do we prevent errors in the filesystem from compromising the machine
type: string
initiatorName:
description: |-
initiatorName is the custom iSCSI Initiator Name.
If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface
<target portal>:<volume name> will be created for the connection.
type: string
iqn:
description: iqn is the target iSCSI Qualified Name.
type: string
iscsiInterface:
description: |-
iscsiInterface is the interface Name that uses an iSCSI transport.
Defaults to 'default' (tcp).
type: string
lun:
description: lun represents iSCSI Target Lun number.
format: int32
type: integer
portals:
description: |-
portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port
is other than default (typically TCP ports 860 and 3260).
items:
type: string
type: array
readOnly:
description: |-
readOnly here will force the ReadOnly setting in VolumeMounts.
Defaults to false.
type: boolean
secretRef:
description: secretRef is the CHAP Secret for iSCSI
target and initiator authentication
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
targetPortal:
description: |-
targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port
is other than default (typically TCP ports 860 and 3260).
type: string
required:
- iqn
- lun
- targetPortal
type: object
name:
description: |-
name of the volume.
Must be a DNS_LABEL and unique within the pod.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
nfs:
description: |-
nfs represents an NFS mount on the host that shares a pod's lifetime
More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
properties:
path:
description: |-
path that is exported by the NFS server.
More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
type: string
readOnly:
description: |-
readOnly here will force the NFS export to be mounted with read-only permissions.
Defaults to false.
More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
type: boolean
server:
description: |-
server is the hostname or IP address of the NFS server.
More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
type: string
required:
- path
- server
type: object
persistentVolumeClaim:
description: |-
persistentVolumeClaimVolumeSource represents a reference to a
PersistentVolumeClaim in the same namespace.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
properties:
claimName:
description: |-
claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
type: string
readOnly:
description: |-
readOnly Will force the ReadOnly setting in VolumeMounts.
Default false.
type: boolean
required:
- claimName
type: object
photonPersistentDisk:
description: photonPersistentDisk represents a PhotonController
persistent disk attached and mounted on kubelets host
machine
properties:
fsType:
description: |-
fsType is the filesystem type to mount.
Must be a filesystem type supported by the host operating system.
Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
type: string
pdID:
description: pdID is the ID that identifies Photon Controller
persistent disk
type: string
required:
- pdID
type: object
portworxVolume:
description: portworxVolume represents a portworx volume
attached and mounted on kubelets host machine
properties:
fsType:
description: |-
fSType represents the filesystem type to mount
Must be a filesystem type supported by the host operating system.
Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.
type: string
readOnly:
description: |-
readOnly defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
volumeID:
description: volumeID uniquely identifies a Portworx
volume
type: string
required:
- volumeID
type: object
projected:
description: projected items for all in one resources secrets,
configmaps, and downward API
properties:
defaultMode:
description: |-
defaultMode are the mode bits used to set permissions on created files by default.
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
Directories within the path are not affected by this setting.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
sources:
description: sources is the list of volume projections
items:
description: Projection that may be projected along
with other supported volume types
properties:
clusterTrustBundle:
description: |-
ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
of ClusterTrustBundle objects in an auto-updating file.
Alpha, gated by the ClusterTrustBundleProjection feature gate.
ClusterTrustBundle objects can either be selected by name, or by the
combination of signer name and a label selector.
Kubelet performs aggressive normalization of the PEM contents written
into the pod filesystem. Esoteric PEM features such as inter-block
comments and block headers are stripped. Certificates are deduplicated.
The ordering of certificates within the file is arbitrary, and Kubelet
may change the order over time.
properties:
labelSelector:
description: |-
Select all ClusterTrustBundles that match this label selector. Only has
effect if signerName is set. Mutually-exclusive with name. If unset,
interpreted as "match nothing". If set but empty, interpreted as "match
everything".
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
name:
description: |-
Select a single ClusterTrustBundle by object name. Mutually-exclusive
with signerName and labelSelector.
type: string
optional:
description: |-
If true, don't block pod startup if the referenced ClusterTrustBundle(s)
aren't available. If using name, then the named ClusterTrustBundle is
allowed not to exist. If using signerName, then the combination of
signerName and labelSelector is allowed to match zero
ClusterTrustBundles.
type: boolean
path:
description: Relative path from the volume
root to write the bundle.
type: string
signerName:
description: |-
Select all ClusterTrustBundles that match this signer name.
Mutually-exclusive with name. The contents of all selected
ClusterTrustBundles will be unified and deduplicated.
type: string
required:
- path
type: object
configMap:
description: configMap information about the configMap
data to project
properties:
items:
description: |-
items if unspecified, each key-value pair in the Data field of the referenced
ConfigMap will be projected into the volume as a file whose name is the
key and content is the value. If specified, the listed keys will be
projected into the specified paths, and unlisted keys will not be
present. If a key is specified which is not present in the ConfigMap,
the volume setup will error unless it is marked optional. Paths must be
relative and may not contain the '..' path or start with '..'.
items:
description: Maps a string key to a path
within a volume.
properties:
key:
description: key is the key to project.
type: string
mode:
description: |-
mode is Optional: mode bits used to set permissions on this file.
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
If not specified, the volume defaultMode will be used.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
description: |-
path is the relative path of the file to map the key to.
May not be an absolute path.
May not contain the path element '..'.
May not start with the string '..'.
type: string
required:
- key
- path
type: object
type: array
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: optional specify whether the
ConfigMap or its keys must be defined
type: boolean
type: object
x-kubernetes-map-type: atomic
downwardAPI:
description: downwardAPI information about the
downwardAPI data to project
properties:
items:
description: Items is a list of DownwardAPIVolume
file
items:
description: DownwardAPIVolumeFile represents
information to create the file containing
the pod field
properties:
fieldRef:
description: 'Required: Selects a field
of the pod: only annotations, labels,
name and namespace are supported.'
properties:
apiVersion:
description: Version of the schema
the FieldPath is written in terms
of, defaults to "v1".
type: string
fieldPath:
description: Path of the field to
select in the specified API version.
type: string
required:
- fieldPath
type: object
x-kubernetes-map-type: atomic
mode:
description: |-
Optional: mode bits used to set permissions on this file, must be an octal value
between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
If not specified, the volume defaultMode will be used.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
description: 'Required: Path is the
relative path name of the file to
be created. Must not be absolute or
contain the ''..'' path. Must be utf-8
encoded. The first item of the relative
path must not start with ''..'''
type: string
resourceFieldRef:
description: |-
Selects a resource of the container: only resources limits and requests
(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
properties:
containerName:
description: 'Container name: required
for volumes, optional for env
vars'
type: string
divisor:
anyOf:
- type: integer
- type: string
description: Specifies the output
format of the exposed resources,
defaults to "1"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
resource:
description: 'Required: resource
to select'
type: string
required:
- resource
type: object
x-kubernetes-map-type: atomic
required:
- path
type: object
type: array
type: object
secret:
description: secret information about the secret
data to project
properties:
items:
description: |-
items if unspecified, each key-value pair in the Data field of the referenced
Secret will be projected into the volume as a file whose name is the
key and content is the value. If specified, the listed keys will be
projected into the specified paths, and unlisted keys will not be
present. If a key is specified which is not present in the Secret,
the volume setup will error unless it is marked optional. Paths must be
relative and may not contain the '..' path or start with '..'.
items:
description: Maps a string key to a path
within a volume.
properties:
key:
description: key is the key to project.
type: string
mode:
description: |-
mode is Optional: mode bits used to set permissions on this file.
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
If not specified, the volume defaultMode will be used.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
description: |-
path is the relative path of the file to map the key to.
May not be an absolute path.
May not contain the path element '..'.
May not start with the string '..'.
type: string
required:
- key
- path
type: object
type: array
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: optional field specify whether
the Secret or its key must be defined
type: boolean
type: object
x-kubernetes-map-type: atomic
serviceAccountToken:
description: serviceAccountToken is information
about the serviceAccountToken data to project
properties:
audience:
description: |-
audience is the intended audience of the token. A recipient of a token
must identify itself with an identifier specified in the audience of the
token, and otherwise should reject the token. The audience defaults to the
identifier of the apiserver.
type: string
expirationSeconds:
description: |-
expirationSeconds is the requested duration of validity of the service
account token. As the token approaches expiration, the kubelet volume
plugin will proactively rotate the service account token. The kubelet will
start trying to rotate the token if the token is older than 80 percent of
its time to live or if the token is older than 24 hours.Defaults to 1 hour
and must be at least 10 minutes.
format: int64
type: integer
path:
description: |-
path is the path relative to the mount point of the file to project the
token into.
type: string
required:
- path
type: object
type: object
type: array
type: object
quobyte:
description: quobyte represents a Quobyte mount on the host
that shares a pod's lifetime
properties:
group:
description: |-
group to map volume access to
Default is no group
type: string
readOnly:
description: |-
readOnly here will force the Quobyte volume to be mounted with read-only permissions.
Defaults to false.
type: boolean
registry:
description: |-
registry represents a single or multiple Quobyte Registry services
specified as a string as host:port pair (multiple entries are separated with commas)
which acts as the central registry for volumes
type: string
tenant:
description: |-
tenant owning the given Quobyte volume in the Backend
Used with dynamically provisioned Quobyte volumes, value is set by the plugin
type: string
user:
description: |-
user to map volume access to
Defaults to serivceaccount user
type: string
volume:
description: volume is a string that references an already
created Quobyte volume by name.
type: string
required:
- registry
- volume
type: object
rbd:
description: |-
rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
More info: https://examples.k8s.io/volumes/rbd/README.md
properties:
fsType:
description: |-
fsType is the filesystem type of the volume that you want to mount.
Tip: Ensure that the filesystem type is supported by the host operating system.
Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
TODO: how do we prevent errors in the filesystem from compromising the machine
type: string
image:
description: |-
image is the rados image name.
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
type: string
keyring:
description: |-
keyring is the path to key ring for RBDUser.
Default is /etc/ceph/keyring.
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
type: string
monitors:
description: |-
monitors is a collection of Ceph monitors.
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
items:
type: string
type: array
pool:
description: |-
pool is the rados pool name.
Default is rbd.
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
type: string
readOnly:
description: |-
readOnly here will force the ReadOnly setting in VolumeMounts.
Defaults to false.
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
type: boolean
secretRef:
description: |-
secretRef is name of the authentication secret for RBDUser. If provided
overrides keyring.
Default is nil.
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
user:
description: |-
user is the rados user name.
Default is admin.
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
type: string
required:
- image
- monitors
type: object
scaleIO:
description: scaleIO represents a ScaleIO persistent volume
attached and mounted on Kubernetes nodes.
properties:
fsType:
description: |-
fsType is the filesystem type to mount.
Must be a filesystem type supported by the host operating system.
Ex. "ext4", "xfs", "ntfs".
Default is "xfs".
type: string
gateway:
description: gateway is the host address of the ScaleIO
API Gateway.
type: string
protectionDomain:
description: protectionDomain is the name of the ScaleIO
Protection Domain for the configured storage.
type: string
readOnly:
description: |-
readOnly Defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
secretRef:
description: |-
secretRef references to the secret for ScaleIO user and other
sensitive information. If this is not provided, Login operation will fail.
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
sslEnabled:
description: sslEnabled Flag enable/disable SSL communication
with Gateway, default false
type: boolean
storageMode:
description: |-
storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
Default is ThinProvisioned.
type: string
storagePool:
description: storagePool is the ScaleIO Storage Pool
associated with the protection domain.
type: string
system:
description: system is the name of the storage system
as configured in ScaleIO.
type: string
volumeName:
description: |-
volumeName is the name of a volume already created in the ScaleIO system
that is associated with this volume source.
type: string
required:
- gateway
- secretRef
- system
type: object
secret:
description: |-
secret represents a secret that should populate this volume.
More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
properties:
defaultMode:
description: |-
defaultMode is Optional: mode bits used to set permissions on created files by default.
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values
for mode bits. Defaults to 0644.
Directories within the path are not affected by this setting.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
items:
description: |-
items If unspecified, each key-value pair in the Data field of the referenced
Secret will be projected into the volume as a file whose name is the
key and content is the value. If specified, the listed keys will be
projected into the specified paths, and unlisted keys will not be
present. If a key is specified which is not present in the Secret,
the volume setup will error unless it is marked optional. Paths must be
relative and may not contain the '..' path or start with '..'.
items:
description: Maps a string key to a path within a
volume.
properties:
key:
description: key is the key to project.
type: string
mode:
description: |-
mode is Optional: mode bits used to set permissions on this file.
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
If not specified, the volume defaultMode will be used.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
description: |-
path is the relative path of the file to map the key to.
May not be an absolute path.
May not contain the path element '..'.
May not start with the string '..'.
type: string
required:
- key
- path
type: object
type: array
optional:
description: optional field specify whether the Secret
or its keys must be defined
type: boolean
secretName:
description: |-
secretName is the name of the secret in the pod's namespace to use.
More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
type: string
type: object
storageos:
description: storageOS represents a StorageOS volume attached
and mounted on Kubernetes nodes.
properties:
fsType:
description: |-
fsType is the filesystem type to mount.
Must be a filesystem type supported by the host operating system.
Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
type: string
readOnly:
description: |-
readOnly defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
secretRef:
description: |-
secretRef specifies the secret to use for obtaining the StorageOS API
credentials. If not specified, default values will be attempted.
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
volumeName:
description: |-
volumeName is the human-readable name of the StorageOS volume. Volume
names are only unique within a namespace.
type: string
volumeNamespace:
description: |-
volumeNamespace specifies the scope of the volume within StorageOS. If no
namespace is specified then the Pod's namespace will be used. This allows the
Kubernetes name scoping to be mirrored within StorageOS for tighter integration.
Set VolumeName to any name to override the default behaviour.
Set to "default" if you are not using namespaces within StorageOS.
Namespaces that do not pre-exist within StorageOS will be created.
type: string
type: object
vsphereVolume:
description: vsphereVolume represents a vSphere volume attached
and mounted on kubelets host machine
properties:
fsType:
description: |-
fsType is filesystem type to mount.
Must be a filesystem type supported by the host operating system.
Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
type: string
storagePolicyID:
description: storagePolicyID is the storage Policy Based
Management (SPBM) profile ID associated with the StoragePolicyName.
type: string
storagePolicyName:
description: storagePolicyName is the storage Policy
Based Management (SPBM) profile name.
type: string
volumePath:
description: volumePath is the path that identifies
vSphere volume vmdk
type: string
required:
- volumePath
type: object
required:
- name
type: object
type: array
logLevel:
description: |-
LogLevel sets the log level for Envoy.
Allowed values are "trace", "debug", "info", "warn", "error", "critical", "off".
type: string
networkPublishing:
description: NetworkPublishing defines how to expose Envoy to
a network.
properties:
externalTrafficPolicy:
description: |-
ExternalTrafficPolicy describes how nodes distribute service traffic they
receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs,
and LoadBalancer IPs).
If unset, defaults to "Local".
type: string
ipFamilyPolicy:
description: |-
IPFamilyPolicy represents the dual-stack-ness requested or required by
this Service. If there is no value provided, then this field will be set
to SingleStack. Services can be "SingleStack" (a single IP family),
"PreferDualStack" (two IP families on dual-stack configured clusters or
a single IP family on single-stack clusters), or "RequireDualStack"
(two IP families on dual-stack configured clusters, otherwise fail).
type: string
serviceAnnotations:
additionalProperties:
type: string
description: |-
ServiceAnnotations is the annotations to add to
the provisioned Envoy service.
type: object
type:
description: |-
NetworkPublishingType is the type of publishing strategy to use. Valid values are:
* LoadBalancerService
In this configuration, network endpoints for Envoy use container networking.
A Kubernetes LoadBalancer Service is created to publish Envoy network
endpoints.
See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
* NodePortService
Publishes Envoy network endpoints using a Kubernetes NodePort Service.
In this configuration, Envoy network endpoints use container networking. A Kubernetes
NodePort Service is created to publish the network endpoints.
See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
NOTE:
When provisioning an Envoy `NodePortService`, use Gateway Listeners' port numbers to populate
the Service's node port values, there's no way to auto-allocate them.
See: https://github.com/projectcontour/contour/issues/4499
* ClusterIPService
Publishes Envoy network endpoints using a Kubernetes ClusterIP Service.
In this configuration, Envoy network endpoints use container networking. A Kubernetes
ClusterIP Service is created to publish the network endpoints.
See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
If unset, defaults to LoadBalancerService.
type: string
type: object
nodePlacement:
description: NodePlacement describes node scheduling configuration
of Envoy pods.
properties:
nodeSelector:
additionalProperties:
type: string
description: |-
NodeSelector is the simplest recommended form of node selection constraint
and specifies a map of key-value pairs. For the pod to be eligible
to run on a node, the node must have each of the indicated key-value pairs
as labels (it can have additional labels as well).
If unset, the pod(s) will be scheduled to any available node.
type: object
tolerations:
description: |-
Tolerations work with taints to ensure that pods are not scheduled
onto inappropriate nodes. One or more taints are applied to a node; this
marks that the node should not accept any pods that do not tolerate the
taints.
The default is an empty list.
See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
for additional details.
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
type: object
overloadMaxHeapSize:
description: |-
OverloadMaxHeapSize defines the maximum heap memory of the envoy controlled by the overload manager.
When the value is greater than 0, the overload manager is enabled,
and when envoy reaches 95% of the maximum heap size, it performs a shrink heap operation,
When it reaches 98% of the maximum heap size, Envoy Will stop accepting requests.
More info: https://projectcontour.io/docs/main/config/overload-manager/
format: int64
type: integer
podAnnotations:
additionalProperties:
type: string
description: |-
PodAnnotations defines annotations to add to the Envoy pods.
the annotations for Prometheus will be appended or overwritten with predefined value.
type: object
replicas:
description: |-
Deprecated: Use `DeploymentSettings.Replicas` instead.
Replicas is the desired number of Envoy replicas. If WorkloadType
is not "Deployment", this field is ignored. Otherwise, if unset,
defaults to 2.
if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`.
format: int32
minimum: 0
type: integer
resources:
description: |-
Compute Resources required by envoy container.
Cannot be updated.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
properties:
claims:
description: |-
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
This is an alpha field and requires enabling the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
items:
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
properties:
name:
description: |-
Name must match the name of one entry in pod.spec.resourceClaims of
the Pod where this field is used. It makes that resource available
inside a container.
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
limits:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: |-
Limits describes the maximum amount of compute resources allowed.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
requests:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: |-
Requests describes the minimum amount of compute resources required.
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
otherwise to an implementation-defined value. Requests cannot exceed Limits.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
type: object
workloadType:
description: |-
WorkloadType is the type of workload to install Envoy
as. Choices are DaemonSet and Deployment. If unset, defaults
to DaemonSet.
type: string
type: object
resourceLabels:
additionalProperties:
type: string
description: |-
ResourceLabels is a set of labels to add to the provisioned Contour resources.
Deprecated: use Gateway.Spec.Infrastructure.Labels instead. This field will be
removed in a future release.
type: object
runtimeSettings:
description: |-
RuntimeSettings is a ContourConfiguration spec to be used when
provisioning a Contour instance that will influence aspects of
the Contour instance's runtime behavior.
properties:
debug:
description: |-
Debug contains parameters to enable debug logging
and debug interfaces inside Contour.
properties:
address:
description: |-
Defines the Contour debug address interface.
Contour's default is "127.0.0.1".
type: string
port:
description: |-
Defines the Contour debug address port.
Contour's default is 6060.
type: integer
type: object
enableExternalNameService:
description: |-
EnableExternalNameService allows processing of ExternalNameServices
Contour's default is false for security reasons.
type: boolean
envoy:
description: |-
Envoy contains parameters for Envoy as well
as how to optionally configure a managed Envoy fleet.
properties:
clientCertificate:
description: |-
ClientCertificate defines the namespace/name of the Kubernetes
secret containing the client certificate and private key
to be used when establishing TLS connection to upstream
cluster.
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
cluster:
description: |-
Cluster holds various configurable Envoy cluster values that can
be set in the config file.
properties:
circuitBreakers:
description: |-
GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services.
If defined, this will be used as the default for all services.
properties:
maxConnections:
description: The maximum number of connections that
a single Envoy instance allows to the Kubernetes
Service; defaults to 1024.
format: int32
type: integer
maxPendingRequests:
description: The maximum number of pending requests
that a single Envoy instance allows to the Kubernetes
Service; defaults to 1024.
format: int32
type: integer
maxRequests:
description: The maximum parallel requests a single
Envoy instance allows to the Kubernetes Service;
defaults to 1024
format: int32
type: integer
maxRetries:
description: The maximum number of parallel retries
a single Envoy instance allows to the Kubernetes
Service; defaults to 3.
format: int32
type: integer
type: object
dnsLookupFamily:
description: |-
DNSLookupFamily defines how external names are looked up
When configured as V4, the DNS resolver will only perform a lookup
for addresses in the IPv4 family. If V6 is configured, the DNS resolver
will only perform a lookup for addresses in the IPv6 family.
If AUTO is configured, the DNS resolver will first perform a lookup
for addresses in the IPv6 family and fallback to a lookup for addresses
in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for
both IPv4 and IPv6 families, and return all resolved addresses.
When this is used, Happy Eyeballs will be enabled for upstream connections.
Refer to Happy Eyeballs Support for more information.
Note: This only applies to externalName clusters.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily
for more information.
Values: `auto` (default), `v4`, `v6`, `all`.
Other values will produce an error.
type: string
maxRequestsPerConnection:
description: |-
Defines the maximum requests for upstream connections. If not specified, there is no limit.
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions
for more information.
format: int32
minimum: 1
type: integer
per-connection-buffer-limit-bytes:
description: |-
Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes.
If unspecified, an implementation defined default is applied (1MiB).
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes
for more information.
format: int32
minimum: 1
type: integer
upstreamTLS:
description: UpstreamTLS contains the TLS policy parameters
for upstream connections
properties:
cipherSuites:
description: |-
CipherSuites defines the TLS ciphers to be supported by Envoy TLS
listeners when negotiating TLS 1.2. Ciphers are validated against the
set that Envoy supports by default. This parameter should only be used
by advanced users. Note that these will be ignored when TLS 1.3 is in
use.
This field is optional; when it is undefined, a Contour-managed ciphersuite list
will be used, which may be updated to keep it secure.
Contour's default list is:
- "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
- "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
- "ECDHE-ECDSA-AES256-GCM-SHA384"
- "ECDHE-RSA-AES256-GCM-SHA384"
Ciphers provided are validated against the following list:
- "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
- "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
- "ECDHE-ECDSA-AES128-GCM-SHA256"
- "ECDHE-RSA-AES128-GCM-SHA256"
- "ECDHE-ECDSA-AES128-SHA"
- "ECDHE-RSA-AES128-SHA"
- "AES128-GCM-SHA256"
- "AES128-SHA"
- "ECDHE-ECDSA-AES256-GCM-SHA384"
- "ECDHE-RSA-AES256-GCM-SHA384"
- "ECDHE-ECDSA-AES256-SHA"
- "ECDHE-RSA-AES256-SHA"
- "AES256-GCM-SHA384"
- "AES256-SHA"
Contour recommends leaving this undefined unless you are sure you must.
See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS.
items:
type: string
type: array
maximumProtocolVersion:
description: |-
MaximumProtocolVersion is the maximum TLS version this vhost should
negotiate.
Values: `1.2`, `1.3`(default).
Other values will produce an error.
type: string
minimumProtocolVersion:
description: |-
MinimumProtocolVersion is the minimum TLS version this vhost should
negotiate.
Values: `1.2` (default), `1.3`.
Other values will produce an error.
type: string
type: object
type: object
defaultHTTPVersions:
description: |-
DefaultHTTPVersions defines the default set of HTTPS
versions the proxy should accept. HTTP versions are
strings of the form "HTTP/xx". Supported versions are
"HTTP/1.1" and "HTTP/2".
Values: `HTTP/1.1`, `HTTP/2` (default: both).
Other values will produce an error.
items:
description: HTTPVersionType is the name of a supported
HTTP version.
type: string
type: array
health:
description: |-
Health defines the endpoint Envoy uses to serve health checks.
Contour's default is { address: "0.0.0.0", port: 8002 }.
properties:
address:
description: Defines the health address interface.
minLength: 1
type: string
port:
description: Defines the health port.
type: integer
type: object
http:
description: |-
Defines the HTTP Listener for Envoy.
Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }.
properties:
accessLog:
description: AccessLog defines where Envoy logs are outputted
for this listener.
type: string
address:
description: Defines an Envoy Listener Address.
minLength: 1
type: string
port:
description: Defines an Envoy listener Port.
type: integer
type: object
https:
description: |-
Defines the HTTPS Listener for Envoy.
Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }.
properties:
accessLog:
description: AccessLog defines where Envoy logs are outputted
for this listener.
type: string
address:
description: Defines an Envoy Listener Address.
minLength: 1
type: string
port:
description: Defines an Envoy listener Port.
type: integer
type: object
listener:
description: Listener hold various configurable Envoy listener
values.
properties:
connectionBalancer:
description: |-
ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer
See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig
for more information.
Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer.
Other values will produce an error.
type: string
disableAllowChunkedLength:
description: |-
DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to
strip the "Content-Length" header if "Transfer-Encoding: chunked" is
also set. This is an emergency off-switch to revert back to Envoy's
default behavior in case of failures. Please file an issue if failures
are encountered.
See: https://github.com/projectcontour/contour/issues/3221
Contour's default is false.
type: boolean
disableMergeSlashes:
description: |-
DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option
which strips duplicate slashes from request URL paths.
Contour's default is false.
type: boolean
httpMaxConcurrentStreams:
description: |-
Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the
SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed
for a peer on a single HTTP/2 connection. It is recommended to not set this lower
than 100 but this field can be used to bound resource usage by HTTP/2 connections
and mitigate attacks like CVE-2023-44487. The default value when this is not set is
unlimited.
format: int32
minimum: 1
type: integer
maxConnectionsPerListener:
description: |-
Defines the limit on number of active connections to a listener. The limit is applied
per listener. The default value when this is not set is unlimited.
format: int32
minimum: 1
type: integer
maxRequestsPerConnection:
description: |-
Defines the maximum requests for downstream connections. If not specified, there is no limit.
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions
for more information.
format: int32
minimum: 1
type: integer
maxRequestsPerIOCycle:
description: |-
Defines the limit on number of HTTP requests that Envoy will process from a single
connection in a single I/O cycle. Requests over this limit are processed in subsequent
I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is
detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default
value when this is not set is no limit.
format: int32
minimum: 1
type: integer
per-connection-buffer-limit-bytes:
description: |-
Defines the soft limit on size of the listener’s new connection read and write buffers in bytes.
If unspecified, an implementation defined default is applied (1MiB).
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes
for more information.
format: int32
minimum: 1
type: integer
serverHeaderTransformation:
description: |-
Defines the action to be applied to the Server header on the response path.
When configured as overwrite, overwrites any Server header with "envoy".
When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy".
When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present.
Values: `overwrite` (default), `append_if_absent`, `pass_through`
Other values will produce an error.
Contour's default is overwrite.
type: string
socketOptions:
description: |-
SocketOptions defines configurable socket options for the listeners.
Single set of options are applied to all listeners.
properties:
tos:
description: |-
Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners.
Single value is applied to all listeners.
If listeners are bound to IPv6-only addresses, setting this option will cause an error.
format: int32
maximum: 255
minimum: 0
type: integer
trafficClass:
description: |-
Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners.
Single value is applied to all listeners.
If listeners are bound to IPv4-only addresses, setting this option will cause an error.
format: int32
maximum: 255
minimum: 0
type: integer
type: object
tls:
description: TLS holds various configurable Envoy TLS
listener values.
properties:
cipherSuites:
description: |-
CipherSuites defines the TLS ciphers to be supported by Envoy TLS
listeners when negotiating TLS 1.2. Ciphers are validated against the
set that Envoy supports by default. This parameter should only be used
by advanced users. Note that these will be ignored when TLS 1.3 is in
use.
This field is optional; when it is undefined, a Contour-managed ciphersuite list
will be used, which may be updated to keep it secure.
Contour's default list is:
- "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
- "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
- "ECDHE-ECDSA-AES256-GCM-SHA384"
- "ECDHE-RSA-AES256-GCM-SHA384"
Ciphers provided are validated against the following list:
- "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
- "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
- "ECDHE-ECDSA-AES128-GCM-SHA256"
- "ECDHE-RSA-AES128-GCM-SHA256"
- "ECDHE-ECDSA-AES128-SHA"
- "ECDHE-RSA-AES128-SHA"
- "AES128-GCM-SHA256"
- "AES128-SHA"
- "ECDHE-ECDSA-AES256-GCM-SHA384"
- "ECDHE-RSA-AES256-GCM-SHA384"
- "ECDHE-ECDSA-AES256-SHA"
- "ECDHE-RSA-AES256-SHA"
- "AES256-GCM-SHA384"
- "AES256-SHA"
Contour recommends leaving this undefined unless you are sure you must.
See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS.
items:
type: string
type: array
maximumProtocolVersion:
description: |-
MaximumProtocolVersion is the maximum TLS version this vhost should
negotiate.
Values: `1.2`, `1.3`(default).
Other values will produce an error.
type: string
minimumProtocolVersion:
description: |-
MinimumProtocolVersion is the minimum TLS version this vhost should
negotiate.
Values: `1.2` (default), `1.3`.
Other values will produce an error.
type: string
type: object
useProxyProtocol:
description: |-
Use PROXY protocol for all listeners.
Contour's default is false.
type: boolean
type: object
logging:
description: Logging defines how Envoy's logs can be configured.
properties:
accessLogFormat:
description: |-
AccessLogFormat sets the global access log format.
Values: `envoy` (default), `json`.
Other values will produce an error.
type: string
accessLogFormatString:
description: |-
AccessLogFormatString sets the access log format when format is set to `envoy`.
When empty, Envoy's default format is used.
type: string
accessLogJSONFields:
description: |-
AccessLogJSONFields sets the fields that JSON logging will
output when AccessLogFormat is json.
items:
type: string
type: array
accessLogLevel:
description: |-
AccessLogLevel sets the verbosity level of the access log.
Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`.
Other values will produce an error.
type: string
type: object
metrics:
description: |-
Metrics defines the endpoint Envoy uses to serve metrics.
Contour's default is { address: "0.0.0.0", port: 8002 }.
properties:
address:
description: Defines the metrics address interface.
maxLength: 253
minLength: 1
type: string
port:
description: Defines the metrics port.
type: integer
tls:
description: |-
TLS holds TLS file config details.
Metrics and health endpoints cannot have same port number when metrics is served over HTTPS.
properties:
caFile:
description: CA filename.
type: string
certFile:
description: Client certificate filename.
type: string
keyFile:
description: Client key filename.
type: string
type: object
type: object
network:
description: Network holds various configurable Envoy network
values.
properties:
adminPort:
description: |-
Configure the port used to access the Envoy Admin interface.
If configured to port "0" then the admin interface is disabled.
Contour's default is 9001.
type: integer
numTrustedHops:
description: |-
XffNumTrustedHops defines the number of additional ingress proxy hops from the
right side of the x-forwarded-for HTTP header to trust when determining the origin
client’s IP address.
See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops
for more information.
Contour's default is 0.
format: int32
type: integer
type: object
service:
description: |-
Service holds Envoy service parameters for setting Ingress status.
Contour's default is { namespace: "projectcontour", name: "envoy" }.
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
timeouts:
description: |-
Timeouts holds various configurable timeouts that can
be set in the config file.
properties:
connectTimeout:
description: |-
ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service.
If not set, a default value of 2 seconds will be used.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout
for more information.
type: string
connectionIdleTimeout:
description: |-
ConnectionIdleTimeout defines how long the proxy should wait while there are
no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating
an HTTP connection. Set to "infinity" to disable the timeout entirely.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout
for more information.
type: string
connectionShutdownGracePeriod:
description: |-
ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an
initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection.
During this grace period, the proxy will continue to respond to new streams. After the final
GOAWAY frame has been sent, the proxy will refuse new streams.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout
for more information.
type: string
delayedCloseTimeout:
description: |-
DelayedCloseTimeout defines how long envoy will wait, once connection
close processing has been initiated, for the downstream peer to close
the connection before Envoy closes the socket associated with the connection.
Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0'
in Envoy. Leaving it unset will result in the Envoy default value being used.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout
for more information.
type: string
maxConnectionDuration:
description: |-
MaxConnectionDuration defines the maximum period of time after an HTTP connection
has been established from the client to the proxy before it is closed by the proxy,
regardless of whether there has been activity or not. Omit or set to "infinity" for
no max duration.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration
for more information.
type: string
requestTimeout:
description: |-
RequestTimeout sets the client request timeout globally for Contour. Note that
this is a timeout for the entire request, not an idle timeout. Omit or set to
"infinity" to disable the timeout entirely.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout
for more information.
type: string
streamIdleTimeout:
description: |-
StreamIdleTimeout defines how long the proxy should wait while there is no
request activity (for HTTP/1.1) or stream activity (for HTTP/2) before
terminating the HTTP request or stream. Set to "infinity" to disable the
timeout entirely.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout
for more information.
type: string
type: object
type: object
featureFlags:
description: |-
FeatureFlags defines toggle to enable new contour features.
Available toggles are:
useEndpointSlices - configures contour to fetch endpoint data
from k8s endpoint slices. defaults to false and reading endpoint
data from the k8s endpoints.
items:
type: string
type: array
gateway:
description: |-
Gateway contains parameters for the gateway-api Gateway that Contour
is configured to serve traffic.
properties:
controllerName:
description: |-
ControllerName is used to determine whether Contour should reconcile a
GatewayClass. The string takes the form of "projectcontour.io/<namespace>/contour".
If unset, the gatewayclass controller will not be started.
Exactly one of ControllerName or GatewayRef must be set.
Deprecated: users should use GatewayRef, or the Gateway provisioner,
in place of this field. This field will be removed in a future release.
type: string
gatewayRef:
description: |-
GatewayRef defines a specific Gateway that this Contour
instance corresponds to. If set, Contour will reconcile
only this gateway, and will not reconcile any gateway
classes.
Exactly one of ControllerName or GatewayRef must be set.
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
type: object
globalExtAuth:
description: |-
GlobalExternalAuthorization allows envoys external authorization filter
to be enabled for all virtual hosts.
properties:
authPolicy:
description: |-
AuthPolicy sets a default authorization policy for client requests.
This policy will be used unless overridden by individual routes.
properties:
context:
additionalProperties:
type: string
description: |-
Context is a set of key/value pairs that are sent to the
authentication server in the check request. If a context
is provided at an enclosing scope, the entries are merged
such that the inner scope overrides matching keys from the
outer scope.
type: object
disabled:
description: |-
When true, this field disables client request authentication
for the scope of the policy.
type: boolean
type: object
extensionRef:
description: ExtensionServiceRef specifies the extension resource
that will authorize client requests.
properties:
apiVersion:
description: |-
API version of the referent.
If this field is not specified, the default "projectcontour.io/v1alpha1" will be used
minLength: 1
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
minLength: 1
type: string
namespace:
description: |-
Namespace of the referent.
If this field is not specifies, the namespace of the resource that targets the referent will be used.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
minLength: 1
type: string
type: object
failOpen:
description: |-
If FailOpen is true, the client request is forwarded to the upstream service
even if the authorization server fails to respond. This field should not be
set in most cases. It is intended for use only while migrating applications
from internal authorization to Contour external authorization.
type: boolean
responseTimeout:
description: |-
ResponseTimeout configures maximum time to wait for a check response from the authorization server.
Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
The string "infinity" is also a valid input and specifies no timeout.
pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
type: string
withRequestBody:
description: WithRequestBody specifies configuration for sending
the client request's body to authorization server.
properties:
allowPartialMessage:
description: If AllowPartialMessage is true, then Envoy
will buffer the body until MaxRequestBytes are reached.
type: boolean
maxRequestBytes:
default: 1024
description: MaxRequestBytes sets the maximum size of
message body ExtAuthz filter will hold in-memory.
format: int32
minimum: 1
type: integer
packAsBytes:
description: If PackAsBytes is true, the body sent to
Authorization Server is in raw bytes.
type: boolean
type: object
type: object
health:
description: |-
Health defines the endpoints Contour uses to serve health checks.
Contour's default is { address: "0.0.0.0", port: 8000 }.
properties:
address:
description: Defines the health address interface.
minLength: 1
type: string
port:
description: Defines the health port.
type: integer
type: object
httpproxy:
description: HTTPProxy defines parameters on HTTPProxy.
properties:
disablePermitInsecure:
description: |-
DisablePermitInsecure disables the use of the
permitInsecure field in HTTPProxy.
Contour's default is false.
type: boolean
fallbackCertificate:
description: |-
FallbackCertificate defines the namespace/name of the Kubernetes secret to
use as fallback when a non-SNI request is received.
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
rootNamespaces:
description: Restrict Contour to searching these namespaces
for root ingress routes.
items:
type: string
type: array
type: object
ingress:
description: Ingress contains parameters for ingress options.
properties:
classNames:
description: Ingress Class Names Contour should use.
items:
type: string
type: array
statusAddress:
description: Address to set in Ingress object status.
type: string
type: object
metrics:
description: |-
Metrics defines the endpoint Contour uses to serve metrics.
Contour's default is { address: "0.0.0.0", port: 8000 }.
properties:
address:
description: Defines the metrics address interface.
maxLength: 253
minLength: 1
type: string
port:
description: Defines the metrics port.
type: integer
tls:
description: |-
TLS holds TLS file config details.
Metrics and health endpoints cannot have same port number when metrics is served over HTTPS.
properties:
caFile:
description: CA filename.
type: string
certFile:
description: Client certificate filename.
type: string
keyFile:
description: Client key filename.
type: string
type: object
type: object
policy:
description: Policy specifies default policy applied if not overridden
by the user
properties:
applyToIngress:
description: |-
ApplyToIngress determines if the Policies will apply to ingress objects
Contour's default is false.
type: boolean
requestHeaders:
description: RequestHeadersPolicy defines the request headers
set/removed on all routes
properties:
remove:
items:
type: string
type: array
set:
additionalProperties:
type: string
type: object
type: object
responseHeaders:
description: ResponseHeadersPolicy defines the response headers
set/removed on all routes
properties:
remove:
items:
type: string
type: array
set:
additionalProperties:
type: string
type: object
type: object
type: object
rateLimitService:
description: |-
RateLimitService optionally holds properties of the Rate Limit Service
to be used for global rate limiting.
properties:
defaultGlobalRateLimitPolicy:
description: |-
DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy.
HTTPProxy can overwrite this configuration.
properties:
descriptors:
description: |-
Descriptors defines the list of descriptors that will
be generated and sent to the rate limit service. Each
descriptor contains 1+ key-value pair entries.
items:
description: RateLimitDescriptor defines a list of key-value
pair generators.
properties:
entries:
description: Entries is the list of key-value pair
generators.
items:
description: |-
RateLimitDescriptorEntry is a key-value pair generator. Exactly
one field on this struct must be non-nil.
properties:
genericKey:
description: GenericKey defines a descriptor
entry with a static key and value.
properties:
key:
description: |-
Key defines the key of the descriptor entry. If not set, the
key is set to "generic_key".
type: string
value:
description: Value defines the value of
the descriptor entry.
minLength: 1
type: string
type: object
remoteAddress:
description: |-
RemoteAddress defines a descriptor entry with a key of "remote_address"
and a value equal to the client's IP address (from x-forwarded-for).
type: object
requestHeader:
description: |-
RequestHeader defines a descriptor entry that's populated only if
a given header is present on the request. The descriptor key is static,
and the descriptor value is equal to the value of the header.
properties:
descriptorKey:
description: DescriptorKey defines the
key to use on the descriptor entry.
minLength: 1
type: string
headerName:
description: HeaderName defines the name
of the header to look for on the request.
minLength: 1
type: string
type: object
requestHeaderValueMatch:
description: |-
RequestHeaderValueMatch defines a descriptor entry that's populated
if the request's headers match a set of 1+ match criteria. The
descriptor key is "header_match", and the descriptor value is static.
properties:
expectMatch:
default: true
description: |-
ExpectMatch defines whether the request must positively match the match
criteria in order to generate a descriptor entry (i.e. true), or not
match the match criteria in order to generate a descriptor entry (i.e. false).
The default is true.
type: boolean
headers:
description: |-
Headers is a list of 1+ match criteria to apply against the request
to determine whether to populate the descriptor entry or not.
items:
description: |-
HeaderMatchCondition specifies how to conditionally match against HTTP
headers. The Name field is required, only one of Present, NotPresent,
Contains, NotContains, Exact, NotExact and Regex can be set.
For negative matching rules only (e.g. NotContains or NotExact) you can set
TreatMissingAsEmpty.
IgnoreCase has no effect for Regex.
properties:
contains:
description: |-
Contains specifies a substring that must be present in
the header value.
type: string
exact:
description: Exact specifies a string
that the header value must be
equal to.
type: string
ignoreCase:
description: |-
IgnoreCase specifies that string matching should be case insensitive.
Note that this has no effect on the Regex parameter.
type: boolean
name:
description: |-
Name is the name of the header to match against. Name is required.
Header names are case insensitive.
type: string
notcontains:
description: |-
NotContains specifies a substring that must not be present
in the header value.
type: string
notexact:
description: |-
NoExact specifies a string that the header value must not be
equal to. The condition is true if the header has any other value.
type: string
notpresent:
description: |-
NotPresent specifies that condition is true when the named header
is not present. Note that setting NotPresent to false does not
make the condition true if the named header is present.
type: boolean
present:
description: |-
Present specifies that condition is true when the named header
is present, regardless of its value. Note that setting Present
to false does not make the condition true if the named header
is absent.
type: boolean
regex:
description: |-
Regex specifies a regular expression pattern that must match the header
value.
type: string
treatMissingAsEmpty:
description: |-
TreatMissingAsEmpty specifies if the header match rule specified header
does not exist, this header value will be treated as empty. Defaults to false.
Unlike the underlying Envoy implementation this is **only** supported for
negative matches (e.g. NotContains, NotExact).
type: boolean
required:
- name
type: object
minItems: 1
type: array
value:
description: Value defines the value of
the descriptor entry.
minLength: 1
type: string
type: object
type: object
minItems: 1
type: array
type: object
minItems: 1
type: array
disabled:
description: |-
Disabled configures the HTTPProxy to not use
the default global rate limit policy defined by the Contour configuration.
type: boolean
type: object
domain:
description: Domain is passed to the Rate Limit Service.
type: string
enableResourceExhaustedCode:
description: |-
EnableResourceExhaustedCode enables translating error code 429 to
grpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE
type: boolean
enableXRateLimitHeaders:
description: |-
EnableXRateLimitHeaders defines whether to include the X-RateLimit
headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset
(as defined by the IETF Internet-Draft linked below), on responses
to clients when the Rate Limit Service is consulted for a request.
ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html
type: boolean
extensionService:
description: ExtensionService identifies the extension service
defining the RLS.
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
failOpen:
description: |-
FailOpen defines whether to allow requests to proceed when the
Rate Limit Service fails to respond with a valid rate limit
decision within the timeout defined on the extension service.
type: boolean
required:
- extensionService
type: object
tracing:
description: Tracing defines properties for exporting trace data
to OpenTelemetry.
properties:
customTags:
description: CustomTags defines a list of custom tags with
unique tag name.
items:
description: |-
CustomTag defines custom tags with unique tag name
to create tags for the active span.
properties:
literal:
description: |-
Literal is a static custom tag value.
Precisely one of Literal, RequestHeaderName must be set.
type: string
requestHeaderName:
description: |-
RequestHeaderName indicates which request header
the label value is obtained from.
Precisely one of Literal, RequestHeaderName must be set.
type: string
tagName:
description: TagName is the unique name of the custom
tag.
type: string
required:
- tagName
type: object
type: array
extensionService:
description: ExtensionService identifies the extension service
defining the otel-collector.
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
includePodDetail:
description: |-
IncludePodDetail defines a flag.
If it is true, contour will add the pod name and namespace to the span of the trace.
the default is true.
Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly.
type: boolean
maxPathTagLength:
description: |-
MaxPathTagLength defines maximum length of the request path
to extract and include in the HttpUrl tag.
contour's default is 256.
format: int32
type: integer
overallSampling:
description: |-
OverallSampling defines the sampling rate of trace data.
contour's default is 100.
type: string
serviceName:
description: |-
ServiceName defines the name for the service.
contour's default is contour.
type: string
required:
- extensionService
type: object
xdsServer:
description: XDSServer contains parameters for the xDS server.
properties:
address:
description: |-
Defines the xDS gRPC API address which Contour will serve.
Contour's default is "0.0.0.0".
minLength: 1
type: string
port:
description: |-
Defines the xDS gRPC API port which Contour will serve.
Contour's default is 8001.
type: integer
tls:
description: |-
TLS holds TLS file config details.
Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }.
properties:
caFile:
description: CA filename.
type: string
certFile:
description: Client certificate filename.
type: string
insecure:
description: Allow serving the xDS gRPC API without TLS.
type: boolean
keyFile:
description: Client key filename.
type: string
type: object
type:
description: |-
Defines the XDSServer to use for `contour serve`.
Values: `contour` (default), `envoy`.
Other values will produce an error.
type: string
type: object
type: object
type: object
status:
description: ContourDeploymentStatus defines the observed state of a ContourDeployment
resource.
properties:
conditions:
description: Conditions describe the current conditions of the ContourDeployment
resource.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: extensionservices.projectcontour.io
spec:
preserveUnknownFields: false
group: projectcontour.io
names:
kind: ExtensionService
listKind: ExtensionServiceList
plural: extensionservices
shortNames:
- extensionservice
- extensionservices
singular: extensionservice
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
ExtensionService is the schema for the Contour extension services API.
An ExtensionService resource binds a network service to the Contour
API so that Contour API features can be implemented by collaborating
components.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ExtensionServiceSpec defines the desired state of an ExtensionService
resource.
properties:
loadBalancerPolicy:
description: |-
The policy for load balancing GRPC service requests. Note that the
`Cookie` and `RequestHash` load balancing strategies cannot be used
here.
properties:
requestHashPolicies:
description: |-
RequestHashPolicies contains a list of hash policies to apply when the
`RequestHash` load balancing strategy is chosen. If an element of the
supplied list of hash policies is invalid, it will be ignored. If the
list of hash policies is empty after validation, the load balancing
strategy will fall back to the default `RoundRobin`.
items:
description: |-
RequestHashPolicy contains configuration for an individual hash policy
on a request attribute.
properties:
hashSourceIP:
description: |-
HashSourceIP should be set to true when request source IP hash based
load balancing is desired. It must be the only hash option field set,
otherwise this request hash policy object will be ignored.
type: boolean
headerHashOptions:
description: |-
HeaderHashOptions should be set when request header hash based load
balancing is desired. It must be the only hash option field set,
otherwise this request hash policy object will be ignored.
properties:
headerName:
description: |-
HeaderName is the name of the HTTP request header that will be used to
calculate the hash key. If the header specified is not present on a
request, no hash will be produced.
minLength: 1
type: string
type: object
queryParameterHashOptions:
description: |-
QueryParameterHashOptions should be set when request query parameter hash based load
balancing is desired. It must be the only hash option field set,
otherwise this request hash policy object will be ignored.
properties:
parameterName:
description: |-
ParameterName is the name of the HTTP request query parameter that will be used to
calculate the hash key. If the query parameter specified is not present on a
request, no hash will be produced.
minLength: 1
type: string
type: object
terminal:
description: |-
Terminal is a flag that allows for short-circuiting computing of a hash
for a given request. If set to true, and the request attribute specified
in the attribute hash options is present, no further hash policies will
be used to calculate a hash for the request.
type: boolean
type: object
type: array
strategy:
description: |-
Strategy specifies the policy used to balance requests
across the pool of backend pods. Valid policy names are
`Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`,
and `RequestHash`. If an unknown strategy name is specified
or no policy is supplied, the default `RoundRobin` policy
is used.
type: string
type: object
protocol: