From 71b786cc4bff9ea6c4b14a297b188e8c7fda4036 Mon Sep 17 00:00:00 2001 From: Steve Sloka Date: Wed, 20 Oct 2021 14:16:21 -0400 Subject: [PATCH 01/13] Update scripts to generate an Envoy deployment style deployment Signed-off-by: Steve Sloka --- Makefile | 3 +- examples/contour/03-envoy-deployment.yaml | 154 + examples/render/contour-deployment.yaml | 5226 +++++++++++++++++++++ examples/render/contour-gateway.yaml | 1 - examples/render/contour.yaml | 1 - hack/generate-deployment.sh | 38 +- hack/generate-gateway-deployment.sh | 14 +- 7 files changed, 5427 insertions(+), 10 deletions(-) create mode 100644 examples/contour/03-envoy-deployment.yaml create mode 100644 examples/render/contour-deployment.yaml diff --git a/Makefile b/Makefile index 6a6bb565d35..ade11226514 100644 --- a/Makefile +++ b/Makefile @@ -220,7 +220,8 @@ generate-crd-deepcopy: .PHONY: generate-deployment generate-deployment: @echo Generating example deployment files ... - @./hack/generate-deployment.sh + @./hack/generate-deployment.sh deployment + @./hack/generate-deployment.sh daemonset @./hack/generate-gateway-deployment.sh .PHONY: generate-crd-yaml diff --git a/examples/contour/03-envoy-deployment.yaml b/examples/contour/03-envoy-deployment.yaml new file mode 100644 index 00000000000..fcbbe9c16e0 --- /dev/null +++ b/examples/contour/03-envoy-deployment.yaml @@ -0,0 +1,154 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: envoy + name: envoy + namespace: projectcontour +spec: + replicas: 2 + strategy: + type: RollingUpdate + rollingUpdate: + # This value of maxSurge means that during a rolling update + # the new ReplicaSet will be created first. + maxSurge: 10% + selector: + matchLabels: + app: envoy + template: + metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8002" + prometheus.io/path: "/stats/prometheus" + labels: + app: envoy + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - envoy + topologyKey: "kubernetes.io/hostname" + containers: + - command: + - /bin/contour + args: + - envoy + - shutdown-manager + image: ghcr.io/projectcontour/contour:main + imagePullPolicy: Always + lifecycle: + preStop: + exec: + command: + - /bin/contour + - envoy + - shutdown + livenessProbe: + httpGet: + path: /healthz + port: 8090 + initialDelaySeconds: 3 + periodSeconds: 10 + name: shutdown-manager + volumeMounts: + - name: envoy-admin + mountPath: /admin + - args: + - -c + - /config/envoy.json + - --service-cluster $(CONTOUR_NAMESPACE) + - --service-node $(ENVOY_POD_NAME) + - --log-level info + command: + - envoy + image: docker.io/envoyproxy/envoy:v1.19.1 + imagePullPolicy: IfNotPresent + name: envoy + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: ENVOY_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + ports: + - containerPort: 8080 + hostPort: 80 + name: http + protocol: TCP + - containerPort: 8443 + hostPort: 443 + name: https + protocol: TCP + readinessProbe: + httpGet: + path: /ready + port: 8002 + initialDelaySeconds: 3 + periodSeconds: 4 + volumeMounts: + - name: envoy-config + mountPath: /config + readOnly: true + - name: envoycert + mountPath: /certs + readOnly: true + - name: envoy-admin + mountPath: /admin + lifecycle: + preStop: + httpGet: + path: /shutdown + port: 8090 + scheme: HTTP + initContainers: + - args: + - bootstrap + - /config/envoy.json + - --xds-address=contour + - --xds-port=8001 + - --xds-resource-version=v3 + - --resources-dir=/config/resources + - --envoy-cafile=/certs/ca.crt + - --envoy-cert-file=/certs/tls.crt + - --envoy-key-file=/certs/tls.key + command: + - contour + image: ghcr.io/projectcontour/contour:main + imagePullPolicy: Always + name: envoy-initconfig + volumeMounts: + - name: envoy-config + mountPath: /config + - name: envoycert + mountPath: /certs + readOnly: true + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + automountServiceAccountToken: false + serviceAccountName: envoy + terminationGracePeriodSeconds: 300 + volumes: + - name: envoy-admin + emptyDir: {} + - name: envoy-config + emptyDir: {} + - name: envoycert + secret: + secretName: envoycert + restartPolicy: Always diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml new file mode 100644 index 00000000000..d677905862a --- /dev/null +++ b/examples/render/contour-deployment.yaml @@ -0,0 +1,5226 @@ +# This file is generated from the individual YAML files by generate-deployment.sh. Do not +# edit this file directly but instead edit the source files and re-render. +# +# Generated from: +# examples/contour/00-common.yaml +# examples/contour/01-contour-config.yaml +# examples/contour/01-crds.yaml +# examples/contour/02-job-certgen.yaml +# examples/contour/02-rbac.yaml +# examples/contour/02-role-contour.yaml +# examples/contour/02-service-contour.yaml +# examples/contour/02-service-envoy.yaml +# examples/contour/03-contour.yaml +# examples/contour/03-envoy-deployment.yaml + +--- +apiVersion: v1 +kind: Namespace +metadata: + name: projectcontour +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: contour + namespace: projectcontour +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy + namespace: projectcontour + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: contour + namespace: projectcontour +data: + contour.yaml: | + # + # server: + # determine which XDS Server implementation to utilize in Contour. + # xds-server-type: contour + # + # Specify the Gateway API configuration. + # gateway: + # controllerName: projectcontour.io/projectcontour/contour + # + # should contour expect to be running inside a k8s cluster + # incluster: true + # + # path to kubeconfig (if not running inside a k8s cluster) + # kubeconfig: /path/to/.kube/config + # + # Disable RFC-compliant behavior to strip "Content-Length" header if + # "Tranfer-Encoding: chunked" is also set. + # disableAllowChunkedLength: false + # Disable HTTPProxy permitInsecure field + disablePermitInsecure: false + tls: + # minimum TLS version that Contour will negotiate + # minimum-protocol-version: "1.2" + # TLS ciphers to be supported by Envoy TLS listeners when negotiating + # TLS 1.2. + # cipher-suites: + # - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]' + # - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]' + # - 'ECDHE-ECDSA-AES256-GCM-SHA384' + # - 'ECDHE-RSA-AES256-GCM-SHA384' + # Defines the Kubernetes name/namespace matching a secret to use + # as the fallback certificate when requests which don't match the + # SNI defined for a vhost. + fallback-certificate: + # name: fallback-secret-name + # namespace: projectcontour + envoy-client-certificate: + # name: envoy-client-cert-secret-name + # namespace: projectcontour + # The following config shows the defaults for the leader election. + # leaderelection: + # configmap-name: leader-elect + # configmap-namespace: projectcontour + #### + # ExternalName Services are disabled by default due to CVE-2021-XXXXX + # You can re-enable them by setting this setting to `true`. + # This is not recommended without understanding the security implications. + # Please see the advisory at https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc for the details. + # enableExternalNameService: false + ## + # Address to be placed in status.loadbalancer field of Ingress objects. + # May be either a literal IP address or a host name. + # The value will be placed directly into the relevant field inside the status.loadBalancer struct. + # ingress-status-address: local.projectcontour.io + ### Logging options + # Default setting + accesslog-format: envoy + # The default access log format is defined by Envoy but it can be customized by setting following variable. + # accesslog-format-string: "...\n" + # To enable JSON logging in Envoy + # accesslog-format: json + # The default fields that will be logged are specified below. + # To customise this list, just add or remove entries. + # The canonical list is available at + # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields + # json-fields: + # - "@timestamp" + # - "authority" + # - "bytes_received" + # - "bytes_sent" + # - "downstream_local_address" + # - "downstream_remote_address" + # - "duration" + # - "method" + # - "path" + # - "protocol" + # - "request_id" + # - "requested_server_name" + # - "response_code" + # - "response_flags" + # - "uber_trace_id" + # - "upstream_cluster" + # - "upstream_host" + # - "upstream_local_address" + # - "upstream_service_time" + # - "user_agent" + # - "x_forwarded_for" + # + # default-http-versions: + # - "HTTP/2" + # - "HTTP/1.1" + # + # The following shows the default proxy timeout settings. + # timeouts: + # request-timeout: infinity + # connection-idle-timeout: 60s + # stream-idle-timeout: 5m + # max-connection-duration: infinity + # delayed-close-timeout: 1s + # connection-shutdown-grace-period: 5s + # + # Envoy cluster settings. + # cluster: + # configure the cluster dns lookup family + # valid options are: auto (default), v4, v6 + # dns-lookup-family: auto + # + # Envoy network settings. + # network: + # Configure the number of additional ingress proxy hops from the + # right side of the x-forwarded-for HTTP header to trust. + # num-trusted-hops: 0 + # Configure the port used to access the Envoy Admin interface. + # admin-port: 9001 + # + # Configure an optional global rate limit service. + # rateLimitService: + # Identifies the extension service defining the rate limit service, + # formatted as /. + # extensionService: projectcontour/ratelimit + # Defines the rate limit domain to pass to the rate limit service. + # Acts as a container for a set of rate limit definitions within + # the RLS. + # domain: contour + # Defines whether to allow requests to proceed when the rate limit + # service fails to respond with a valid rate limit decision within + # the timeout defined on the extension service. + # failOpen: false + # Defines whether to include the X-RateLimit headers X-RateLimit-Limit, + # X-RateLimit-Remaining, and X-RateLimit-Reset (as defined by the IETF + # Internet-Draft linked below), on responses to clients when the Rate + # Limit Service is consulted for a request. + # ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html + # enableXRateLimitHeaders: false + # + # Global Policy settings. + # policy: + # # Default headers to set on all requests (unless set/removed on the HTTPProxy object itself) + # request-headers: + # set: + # # example: the hostname of the Envoy instance that proxied the request + # X-Envoy-Hostname: %HOSTNAME% + # # example: add a l5d-dst-override header to instruct Linkerd what service the request is destined for + # l5d-dst-override: %CONTOUR_SERVICE_NAME%.%CONTOUR_NAMESPACE%.svc.cluster.local:%CONTOUR_SERVICE_PORT% + # # default headers to set on all responses (unless set/removed on the HTTPProxy object itself) + # response-headers: + # set: + # # example: Envoy flags that provide additional details about the response or connection + # X-Envoy-Response-Flags: %RESPONSE_FLAGS% + # + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: contourconfigurations.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: ContourConfiguration + listKind: ContourConfigurationList + plural: contourconfigurations + shortNames: + - contourconfig + singular: contourconfiguration + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ContourConfiguration is the schema for a Contour instance. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ContourConfigurationSpec represents a configuration of a + Contour controller. It contains most of all the options that can be + customized, the other remaining options being command line flags. + properties: + debug: + default: + kubernetesLogLevel: 0 + logLevel: info + description: Debug contains parameters to enable debug logging and + debug interfaces inside Contour. + properties: + address: + description: Defines the Contour debug address interface. + type: string + kubernetesLogLevel: + default: 0 + description: "KubernetesDebugLogLevel defines the log level which + Contour will use when outputting Kubernetes specific log information. + \n Details: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/logging.md" + maximum: 9 + minimum: 0 + type: integer + logLevel: + description: DebugLogLevel defines the log level which Contour + will use when outputting log information. + enum: + - info + - debug + type: string + port: + description: Defines the Contour debug address port. + type: integer + required: + - logLevel + type: object + enableExternalNameService: + default: false + description: EnableExternalNameService allows processing of ExternalNameServices + Defaults to disabled for security reasons. + type: boolean + envoy: + default: + cluster: + dnsLookupFamily: auto + defaultHTTPVersions: + - HTTP/1.1 + - HTTP/2 + http: + accessLog: /dev/stdout + address: 0.0.0.0 + port: 8080 + https: + accessLog: /dev/stdout + address: 0.0.0.0 + port: 8443 + listener: + connectionBalancer: "" + disableAllowChunkedLength: false + tls: + cipherSuites: + - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]' + - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]' + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + minimumProtocolVersion: "1.2" + useProxyProtocol: false + logging: + accessLogFormat: envoy + metrics: + address: 0.0.0.0 + port: 8002 + network: + adminPort: 9001 + service: + name: envoy + namespace: projectcontour + description: Envoy contains parameters for Envoy as well as how to + optionally configure a managed Envoy fleet. + properties: + clientCertificate: + description: ClientCertificate defines the namespace/name of the + Kubernetes secret containing the client certificate and private + key to be used when establishing TLS connection to upstream + cluster. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + cluster: + description: Cluster holds various configurable Envoy cluster + values that can be set in the config file. + properties: + dnsLookupFamily: + default: auto + description: "DNSLookupFamily defines how external names are + looked up When configured as V4, the DNS resolver will only + perform a lookup for addresses in the IPv4 family. If V6 + is configured, the DNS resolver will only perform a lookup + for addresses in the IPv6 family. If AUTO is configured, + the DNS resolver will first perform a lookup for addresses + in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. Note: This only applies to externalName + clusters. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information." + enum: + - auto + - v4 + - v6 + type: string + required: + - dnsLookupFamily + type: object + defaultHTTPVersions: + description: DefaultHTTPVersions defines the default set of HTTPS + versions the proxy should accept. HTTP versions are strings + of the form "HTTP/xx". Supported versions are "HTTP/1.1" and + "HTTP/2". + items: + description: HTTPVersionType is the name of a supported HTTP + version. + enum: + - HTTP/1.1 + - HTTP/2 + type: string + type: array + http: + default: + accessLog: /dev/stdout + address: 0.0.0.0 + port: 8080 + description: Defines the HTTP Listener for Envoy. + properties: + accessLog: + description: AccessLog defines where Envoy logs are outputted + for this listener. + type: string + address: + description: Defines an Envoy Listener Address. + minLength: 1 + type: string + port: + description: Defines an Envoy listener Port. + type: integer + required: + - accessLog + - address + - port + type: object + https: + default: + accessLog: /dev/stdout + address: 0.0.0.0 + port: 8443 + description: Defines the HTTP Listener for Envoy. + properties: + accessLog: + description: AccessLog defines where Envoy logs are outputted + for this listener. + type: string + address: + description: Defines an Envoy Listener Address. + minLength: 1 + type: string + port: + description: Defines an Envoy listener Port. + type: integer + required: + - accessLog + - address + - port + type: object + listener: + description: Listener hold various configurable Envoy listener + values. + properties: + connectionBalancer: + description: ConnectionBalancer. If the value is exact, the + listener will use the exact connection balancer See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig + for more information. + enum: + - "" + - exact + type: string + disableAllowChunkedLength: + description: 'DisableAllowChunkedLength disables the RFC-compliant + Envoy behavior to strip the "Content-Length" header if "Transfer-Encoding: + chunked" is also set. This is an emergency off-switch to + revert back to Envoy''s default behavior in case of failures. + Please file an issue if failures are encountered. See: https://github.com/projectcontour/contour/issues/3221' + type: boolean + tls: + description: TLS holds various configurable Envoy TLS listener + values. + properties: + cipherSuites: + description: "CipherSuites defines the TLS ciphers to + be supported by Envoy TLS listeners when negotiating + TLS 1.2. Ciphers are validated against the set that + Envoy supports by default. This parameter should only + be used by advanced users. Note that these will be ignored + when TLS 1.3 is in use. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock + Envoy builds and those using BoringSSL FIPS." + items: + enum: + - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]' + - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]' + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - AES128-GCM-SHA256 + - AES128-SHA + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - AES256-GCM-SHA384 + - AES256-SHA + type: string + type: array + minimumProtocolVersion: + description: MinimumProtocolVersion is the minimum TLS + version this vhost should negotiate. Valid options are + `1.2` (default) and `1.3`. + enum: + - "1.2" + - "1.3" + type: string + required: + - cipherSuites + - minimumProtocolVersion + type: object + useProxyProtocol: + description: Use PROXY protocol for all listeners. + type: boolean + required: + - connectionBalancer + - disableAllowChunkedLength + - tls + - useProxyProtocol + type: object + logging: + description: Logging defines how Envoy's logs can be configured. + properties: + accessLogFormat: + description: AccessLogFormat sets the global access log format. + Valid options are 'envoy' or 'json' + enum: + - envoy + - json + type: string + accessLogFormatString: + description: AccessLogFormatString sets the access log format + when format is set to `envoy`. When empty, Envoy's default + format is used. + type: string + jsonFields: + description: AccessLogFields sets the fields that JSON logging + will output when AccessLogFormat is json. + items: + type: string + type: array + required: + - accessLogFormat + type: object + metrics: + default: + address: 0.0.0.0 + port: 8002 + description: Metrics defines the endpoints Envoy use to serve + to metrics. + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + required: + - address + - port + type: object + network: + description: Network holds various configurable Envoy network + values. + properties: + adminPort: + default: 9001 + description: Configure the port used to access the Envoy Admin + interface. If configured to port "0" then the admin interface + is disabled. + type: integer + numTrustedHops: + description: "XffNumTrustedHops defines the number of additional + ingress proxy hops from the right side of the x-forwarded-for + HTTP header to trust when determining the origin client’s + IP address. \n See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops + for more information." + format: int32 + type: integer + required: + - adminPort + type: object + service: + default: + name: envoy + namespace: projectcontour + description: Service holds Envoy service parameters for setting + Ingress status. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + timeouts: + description: Timeouts holds various configurable timeouts that + can be set in the config file. + properties: + connectionIdleTimeout: + description: "ConnectionIdleTimeout defines how long the proxy + should wait while there are no active requests (for HTTP/1.1) + or streams (for HTTP/2) before terminating an HTTP connection. + Set to \"infinity\" to disable the timeout entirely. \n + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout + for more information." + type: string + connectionShutdownGracePeriod: + description: "ConnectionShutdownGracePeriod defines how long + the proxy will wait between sending an initial GOAWAY frame + and a second, final GOAWAY frame when terminating an HTTP/2 + connection. During this grace period, the proxy will continue + to respond to new streams. After the final GOAWAY frame + has been sent, the proxy will refuse new streams. \n See + https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout + for more information." + type: string + delayedCloseTimeout: + description: "DelayedCloseTimeout defines how long envoy will + wait, once connection close processing has been initiated, + for the downstream peer to close the connection before Envoy + closes the socket associated with the connection. \n Setting + this timeout to 'infinity' will disable it, equivalent to + setting it to '0' in Envoy. Leaving it unset will result + in the Envoy default value being used. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout + for more information." + type: string + maxConnectionDuration: + description: "MaxConnectionDuration defines the maximum period + of time after an HTTP connection has been established from + the client to the proxy before it is closed by the proxy, + regardless of whether there has been activity or not. Omit + or set to \"infinity\" for no max duration. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration + for more information." + type: string + requestTimeout: + description: "RequestTimeout sets the client request timeout + globally for Contour. Note that this is a timeout for the + entire request, not an idle timeout. Omit or set to \"infinity\" + to disable the timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout + for more information." + type: string + streamIdleTimeout: + description: "StreamIdleTimeout defines how long the proxy + should wait while there is no request activity (for HTTP/1.1) + or stream activity (for HTTP/2) before terminating the HTTP + request or stream. Set to \"infinity\" to disable the timeout + entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout + for more information." + type: string + type: object + required: + - cluster + - defaultHTTPVersions + - http + - https + - listener + - logging + - metrics + - network + - service + type: object + gateway: + description: Gateway contains parameters for the gateway-api Gateway + that Contour is configured to serve traffic. + properties: + controllerName: + default: projectcontour.io/projectcontour/contour + description: ControllerName is used to determine whether Contour + should reconcile a GatewayClass. The string takes the form of + "projectcontour.io//contour". If unset, the gatewayclass + controller will not be started. + type: string + required: + - controllerName + type: object + health: + default: + address: 0.0.0.0 + port: 8000 + description: Health contains parameters to configure endpoints which + Contour exposes to respond to Kubernetes health checks. + properties: + address: + description: Defines the Contour health address interface. + minLength: 1 + type: string + port: + description: Defines the Contour health port. + type: integer + required: + - address + - port + type: object + httpproxy: + default: + disablePermitInsecure: false + description: HTTPProxy defines parameters on HTTPProxy. + properties: + disablePermitInsecure: + description: DisablePermitInsecure disables the use of the permitInsecure + field in HTTPProxy. + type: boolean + fallbackCertificate: + description: FallbackCertificate defines the namespace/name of + the Kubernetes secret to use as fallback when a non-SNI request + is received. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + rootNamespaces: + description: Restrict Contour to searching these namespaces for + root ingress routes. + items: + type: string + type: array + required: + - disablePermitInsecure + type: object + ingress: + description: Ingress contains parameters for ingress options. + properties: + className: + description: Ingress Class Name Contour should use. + type: string + statusAddress: + description: Address to set in Ingress object status. + type: string + type: object + leaderElection: + default: + configmap: + name: leader-elect + namespace: projectcontour + disableLeaderElection: false + leaseDuration: 15s + renewDeadline: 10s + retryPeriod: 2s + description: LeaderElection contains leader election parameters. + properties: + configmap: + description: NamespacedName defines the namespace/name of the + Kubernetes resource referred from the config file. Used for + Contour config YAML file parsing, otherwise we could use K8s + types.NamespacedName. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + disableLeaderElection: + type: boolean + leaseDuration: + type: string + renewDeadline: + type: string + retryPeriod: + type: string + required: + - disableLeaderElection + type: object + metrics: + default: + address: 0.0.0.0 + port: 8000 + description: Metrics defines the endpoints Contour uses to serve to + metrics. + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + required: + - address + - port + type: object + policy: + description: Policy specifies default policy applied if not overridden + by the user + properties: + applyToIngress: + description: ApplyToIngress determines if the Policies will apply + to ingress objects + type: boolean + requestHeaders: + description: RequestHeadersPolicy defines the request headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + responseHeaders: + description: ResponseHeadersPolicy defines the response headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + rateLimitService: + description: RateLimitService optionally holds properties of the Rate + Limit Service to be used for global rate limiting. + properties: + domain: + description: Domain is passed to the Rate Limit Service. + type: string + enableXRateLimitHeaders: + description: "EnableXRateLimitHeaders defines whether to include + the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining, + and X-RateLimit-Reset (as defined by the IETF Internet-Draft + linked below), on responses to clients when the Rate Limit Service + is consulted for a request. \n ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html" + type: boolean + extensionService: + description: ExtensionService identifies the extension service + defining the RLS. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + failOpen: + description: FailOpen defines whether to allow requests to proceed + when the Rate Limit Service fails to respond with a valid rate + limit decision within the timeout defined on the extension service. + type: boolean + required: + - domain + - enableXRateLimitHeaders + - failOpen + type: object + xdsServer: + default: + address: 0.0.0.0 + port: 8001 + tls: + caFile: /certs/ca.crt + certFile: /certs/tls.crt + insecure: false + keyFile: /certs/tls.key + type: contour + description: XDSServer contains parameters for the xDS server. + properties: + address: + description: Defines the xDS gRPC API address which Contour will + serve. + minLength: 1 + type: string + port: + description: Defines the xDS gRPC API port which Contour will + serve. + type: integer + tls: + description: TLS holds TLS file config details. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + insecure: + description: Allow serving the xDS gRPC API without TLS. + type: boolean + keyFile: + description: Client key filename. + type: string + required: + - insecure + type: object + type: + description: Defines the XDSServer to use for `contour serve`. + enum: + - contour + - envoy + type: string + required: + - address + - port + - type + type: object + type: object + status: + description: ContourConfigurationStatus defines the observed state of + a ContourConfiguration resource. + properties: + conditions: + description: "Conditions contains the current status of the Contour + resource. \n Contour will update a single condition, `Valid`, that + is in normal-true polarity. \n Contour will not modify any other + Conditions set in this block, in case some other controller wants + to add a Condition." + items: + description: "DetailedCondition is an extension of the normal Kubernetes + conditions, with two extra fields to hold sub-conditions, which + provide more detailed reasons for the state (True or False) of + the condition. \n `errors` holds information about sub-conditions + which are fatal to that condition and render its state False. + \n `warnings` holds information about sub-conditions which are + not fatal to that condition and do not force the state to be False. + \n Remember that Conditions have a type, a status, and a reason. + \n The type is the type of the condition, the most important one + in this CRD set is `Valid`. `Valid` is a positive-polarity condition: + when it is `status: true` there are no problems. \n In more detail, + `status: true` means that the object is has been ingested into + Contour with no errors. `warnings` may still be present, and will + be indicated in the Reason field. There must be zero entries in + the `errors` slice in this case. \n `Valid`, `status: false` means + that the object has had one or more fatal errors during processing + into Contour. The details of the errors will be present under + the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. \n For DetailedConditions of types + other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must + be at least one entry in the `errors` Subcondition slice. When + they have `status` `false`, there are no serious errors, and there + must be zero entries in the `errors` slice. In either case, there + may be entries in the `warnings` slice. \n Regardless of the polarity, + the `reason` and `message` fields must be updated with either + the detail of the reason (if there is one and only one entry in + total across both the `errors` and `warnings` slices), or `MultipleReasons` + if there is more than one entry." + properties: + errors: + description: "Errors contains a slice of relevant error subconditions + for this object. \n Subconditions are expected to appear when + relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: "Warnings contains a slice of relevant warning + subconditions for this object. \n Subconditions are expected + to appear when relevant (when there is a warning), and disappear + when not relevant. An empty slice here indicates no warnings." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: contourdeployments.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: ContourDeployment + listKind: ContourDeploymentList + plural: contourdeployments + shortNames: + - contourdeploy + singular: contourdeployment + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ContourDeployment is the schema for a Contour Deployment. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ContourDeploymentSpec defines the parameters of how a Contour + instance should be configured. + properties: + config: + description: Config is the config that the instances of Contour are + to utilize. + properties: + debug: + default: + kubernetesLogLevel: 0 + logLevel: info + description: Debug contains parameters to enable debug logging + and debug interfaces inside Contour. + properties: + address: + description: Defines the Contour debug address interface. + type: string + kubernetesLogLevel: + default: 0 + description: "KubernetesDebugLogLevel defines the log level + which Contour will use when outputting Kubernetes specific + log information. \n Details: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/logging.md" + maximum: 9 + minimum: 0 + type: integer + logLevel: + description: DebugLogLevel defines the log level which Contour + will use when outputting log information. + enum: + - info + - debug + type: string + port: + description: Defines the Contour debug address port. + type: integer + required: + - logLevel + type: object + enableExternalNameService: + default: false + description: EnableExternalNameService allows processing of ExternalNameServices + Defaults to disabled for security reasons. + type: boolean + envoy: + default: + cluster: + dnsLookupFamily: auto + defaultHTTPVersions: + - HTTP/1.1 + - HTTP/2 + http: + accessLog: /dev/stdout + address: 0.0.0.0 + port: 8080 + https: + accessLog: /dev/stdout + address: 0.0.0.0 + port: 8443 + listener: + connectionBalancer: "" + disableAllowChunkedLength: false + tls: + cipherSuites: + - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]' + - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]' + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + minimumProtocolVersion: "1.2" + useProxyProtocol: false + logging: + accessLogFormat: envoy + metrics: + address: 0.0.0.0 + port: 8002 + network: + adminPort: 9001 + service: + name: envoy + namespace: projectcontour + description: Envoy contains parameters for Envoy as well as how + to optionally configure a managed Envoy fleet. + properties: + clientCertificate: + description: ClientCertificate defines the namespace/name + of the Kubernetes secret containing the client certificate + and private key to be used when establishing TLS connection + to upstream cluster. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + cluster: + description: Cluster holds various configurable Envoy cluster + values that can be set in the config file. + properties: + dnsLookupFamily: + default: auto + description: "DNSLookupFamily defines how external names + are looked up When configured as V4, the DNS resolver + will only perform a lookup for addresses in the IPv4 + family. If V6 is configured, the DNS resolver will only + perform a lookup for addresses in the IPv6 family. If + AUTO is configured, the DNS resolver will first perform + a lookup for addresses in the IPv6 family and fallback + to a lookup for addresses in the IPv4 family. Note: + This only applies to externalName clusters. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information." + enum: + - auto + - v4 + - v6 + type: string + required: + - dnsLookupFamily + type: object + defaultHTTPVersions: + description: DefaultHTTPVersions defines the default set of + HTTPS versions the proxy should accept. HTTP versions are + strings of the form "HTTP/xx". Supported versions are "HTTP/1.1" + and "HTTP/2". + items: + description: HTTPVersionType is the name of a supported + HTTP version. + enum: + - HTTP/1.1 + - HTTP/2 + type: string + type: array + http: + default: + accessLog: /dev/stdout + address: 0.0.0.0 + port: 8080 + description: Defines the HTTP Listener for Envoy. + properties: + accessLog: + description: AccessLog defines where Envoy logs are outputted + for this listener. + type: string + address: + description: Defines an Envoy Listener Address. + minLength: 1 + type: string + port: + description: Defines an Envoy listener Port. + type: integer + required: + - accessLog + - address + - port + type: object + https: + default: + accessLog: /dev/stdout + address: 0.0.0.0 + port: 8443 + description: Defines the HTTP Listener for Envoy. + properties: + accessLog: + description: AccessLog defines where Envoy logs are outputted + for this listener. + type: string + address: + description: Defines an Envoy Listener Address. + minLength: 1 + type: string + port: + description: Defines an Envoy listener Port. + type: integer + required: + - accessLog + - address + - port + type: object + listener: + description: Listener hold various configurable Envoy listener + values. + properties: + connectionBalancer: + description: ConnectionBalancer. If the value is exact, + the listener will use the exact connection balancer + See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig + for more information. + enum: + - "" + - exact + type: string + disableAllowChunkedLength: + description: 'DisableAllowChunkedLength disables the RFC-compliant + Envoy behavior to strip the "Content-Length" header + if "Transfer-Encoding: chunked" is also set. This is + an emergency off-switch to revert back to Envoy''s default + behavior in case of failures. Please file an issue if + failures are encountered. See: https://github.com/projectcontour/contour/issues/3221' + type: boolean + tls: + description: TLS holds various configurable Envoy TLS + listener values. + properties: + cipherSuites: + description: "CipherSuites defines the TLS ciphers + to be supported by Envoy TLS listeners when negotiating + TLS 1.2. Ciphers are validated against the set that + Envoy supports by default. This parameter should + only be used by advanced users. Note that these + will be ignored when TLS 1.3 is in use. \n See: + https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for + stock Envoy builds and those using BoringSSL FIPS." + items: + enum: + - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]' + - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]' + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - AES128-GCM-SHA256 + - AES128-SHA + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - AES256-GCM-SHA384 + - AES256-SHA + type: string + type: array + minimumProtocolVersion: + description: MinimumProtocolVersion is the minimum + TLS version this vhost should negotiate. Valid options + are `1.2` (default) and `1.3`. + enum: + - "1.2" + - "1.3" + type: string + required: + - cipherSuites + - minimumProtocolVersion + type: object + useProxyProtocol: + description: Use PROXY protocol for all listeners. + type: boolean + required: + - connectionBalancer + - disableAllowChunkedLength + - tls + - useProxyProtocol + type: object + logging: + description: Logging defines how Envoy's logs can be configured. + properties: + accessLogFormat: + description: AccessLogFormat sets the global access log + format. Valid options are 'envoy' or 'json' + enum: + - envoy + - json + type: string + accessLogFormatString: + description: AccessLogFormatString sets the access log + format when format is set to `envoy`. When empty, Envoy's + default format is used. + type: string + jsonFields: + description: AccessLogFields sets the fields that JSON + logging will output when AccessLogFormat is json. + items: + type: string + type: array + required: + - accessLogFormat + type: object + metrics: + default: + address: 0.0.0.0 + port: 8002 + description: Metrics defines the endpoints Envoy use to serve + to metrics. + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + required: + - address + - port + type: object + network: + description: Network holds various configurable Envoy network + values. + properties: + adminPort: + default: 9001 + description: Configure the port used to access the Envoy + Admin interface. If configured to port "0" then the + admin interface is disabled. + type: integer + numTrustedHops: + description: "XffNumTrustedHops defines the number of + additional ingress proxy hops from the right side of + the x-forwarded-for HTTP header to trust when determining + the origin client’s IP address. \n See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops + for more information." + format: int32 + type: integer + required: + - adminPort + type: object + service: + default: + name: envoy + namespace: projectcontour + description: Service holds Envoy service parameters for setting + Ingress status. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + timeouts: + description: Timeouts holds various configurable timeouts + that can be set in the config file. + properties: + connectionIdleTimeout: + description: "ConnectionIdleTimeout defines how long the + proxy should wait while there are no active requests + (for HTTP/1.1) or streams (for HTTP/2) before terminating + an HTTP connection. Set to \"infinity\" to disable the + timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout + for more information." + type: string + connectionShutdownGracePeriod: + description: "ConnectionShutdownGracePeriod defines how + long the proxy will wait between sending an initial + GOAWAY frame and a second, final GOAWAY frame when terminating + an HTTP/2 connection. During this grace period, the + proxy will continue to respond to new streams. After + the final GOAWAY frame has been sent, the proxy will + refuse new streams. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout + for more information." + type: string + delayedCloseTimeout: + description: "DelayedCloseTimeout defines how long envoy + will wait, once connection close processing has been + initiated, for the downstream peer to close the connection + before Envoy closes the socket associated with the connection. + \n Setting this timeout to 'infinity' will disable it, + equivalent to setting it to '0' in Envoy. Leaving it + unset will result in the Envoy default value being used. + \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout + for more information." + type: string + maxConnectionDuration: + description: "MaxConnectionDuration defines the maximum + period of time after an HTTP connection has been established + from the client to the proxy before it is closed by + the proxy, regardless of whether there has been activity + or not. Omit or set to \"infinity\" for no max duration. + \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration + for more information." + type: string + requestTimeout: + description: "RequestTimeout sets the client request timeout + globally for Contour. Note that this is a timeout for + the entire request, not an idle timeout. Omit or set + to \"infinity\" to disable the timeout entirely. \n + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout + for more information." + type: string + streamIdleTimeout: + description: "StreamIdleTimeout defines how long the proxy + should wait while there is no request activity (for + HTTP/1.1) or stream activity (for HTTP/2) before terminating + the HTTP request or stream. Set to \"infinity\" to disable + the timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout + for more information." + type: string + type: object + required: + - cluster + - defaultHTTPVersions + - http + - https + - listener + - logging + - metrics + - network + - service + type: object + gateway: + description: Gateway contains parameters for the gateway-api Gateway + that Contour is configured to serve traffic. + properties: + controllerName: + default: projectcontour.io/projectcontour/contour + description: ControllerName is used to determine whether Contour + should reconcile a GatewayClass. The string takes the form + of "projectcontour.io//contour". If unset, the + gatewayclass controller will not be started. + type: string + required: + - controllerName + type: object + health: + default: + address: 0.0.0.0 + port: 8000 + description: Health contains parameters to configure endpoints + which Contour exposes to respond to Kubernetes health checks. + properties: + address: + description: Defines the Contour health address interface. + minLength: 1 + type: string + port: + description: Defines the Contour health port. + type: integer + required: + - address + - port + type: object + httpproxy: + default: + disablePermitInsecure: false + description: HTTPProxy defines parameters on HTTPProxy. + properties: + disablePermitInsecure: + description: DisablePermitInsecure disables the use of the + permitInsecure field in HTTPProxy. + type: boolean + fallbackCertificate: + description: FallbackCertificate defines the namespace/name + of the Kubernetes secret to use as fallback when a non-SNI + request is received. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + rootNamespaces: + description: Restrict Contour to searching these namespaces + for root ingress routes. + items: + type: string + type: array + required: + - disablePermitInsecure + type: object + ingress: + description: Ingress contains parameters for ingress options. + properties: + className: + description: Ingress Class Name Contour should use. + type: string + statusAddress: + description: Address to set in Ingress object status. + type: string + type: object + leaderElection: + default: + configmap: + name: leader-elect + namespace: projectcontour + disableLeaderElection: false + leaseDuration: 15s + renewDeadline: 10s + retryPeriod: 2s + description: LeaderElection contains leader election parameters. + properties: + configmap: + description: NamespacedName defines the namespace/name of + the Kubernetes resource referred from the config file. Used + for Contour config YAML file parsing, otherwise we could + use K8s types.NamespacedName. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + disableLeaderElection: + type: boolean + leaseDuration: + type: string + renewDeadline: + type: string + retryPeriod: + type: string + required: + - disableLeaderElection + type: object + metrics: + default: + address: 0.0.0.0 + port: 8000 + description: Metrics defines the endpoints Contour uses to serve + to metrics. + properties: + address: + description: Defines the metrics address interface. + maxLength: 253 + minLength: 1 + type: string + port: + description: Defines the metrics port. + type: integer + required: + - address + - port + type: object + policy: + description: Policy specifies default policy applied if not overridden + by the user + properties: + applyToIngress: + description: ApplyToIngress determines if the Policies will + apply to ingress objects + type: boolean + requestHeaders: + description: RequestHeadersPolicy defines the request headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + responseHeaders: + description: ResponseHeadersPolicy defines the response headers + set/removed on all routes + properties: + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + rateLimitService: + description: RateLimitService optionally holds properties of the + Rate Limit Service to be used for global rate limiting. + properties: + domain: + description: Domain is passed to the Rate Limit Service. + type: string + enableXRateLimitHeaders: + description: "EnableXRateLimitHeaders defines whether to include + the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining, + and X-RateLimit-Reset (as defined by the IETF Internet-Draft + linked below), on responses to clients when the Rate Limit + Service is consulted for a request. \n ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html" + type: boolean + extensionService: + description: ExtensionService identifies the extension service + defining the RLS. + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + failOpen: + description: FailOpen defines whether to allow requests to + proceed when the Rate Limit Service fails to respond with + a valid rate limit decision within the timeout defined on + the extension service. + type: boolean + required: + - domain + - enableXRateLimitHeaders + - failOpen + type: object + xdsServer: + default: + address: 0.0.0.0 + port: 8001 + tls: + caFile: /certs/ca.crt + certFile: /certs/tls.crt + insecure: false + keyFile: /certs/tls.key + type: contour + description: XDSServer contains parameters for the xDS server. + properties: + address: + description: Defines the xDS gRPC API address which Contour + will serve. + minLength: 1 + type: string + port: + description: Defines the xDS gRPC API port which Contour will + serve. + type: integer + tls: + description: TLS holds TLS file config details. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + insecure: + description: Allow serving the xDS gRPC API without TLS. + type: boolean + keyFile: + description: Client key filename. + type: string + required: + - insecure + type: object + type: + description: Defines the XDSServer to use for `contour serve`. + enum: + - contour + - envoy + type: string + required: + - address + - port + - type + type: object + type: object + replicas: + default: 2 + description: Replicas is the desired number of Contour replicas. If + unset, defaults to 2. + format: int32 + minimum: 0 + type: integer + required: + - config + type: object + status: + description: ContourDeploymentStatus defines the observed state of a ContourDeployment + resource. + properties: + conditions: + description: "Conditions contains the current status of the Contour + resource. \n Contour will update a single condition, `Valid`, that + is in normal-true polarity. \n Contour will not modify any other + Conditions set in this block, in case some other controller wants + to add a Condition." + items: + description: "DetailedCondition is an extension of the normal Kubernetes + conditions, with two extra fields to hold sub-conditions, which + provide more detailed reasons for the state (True or False) of + the condition. \n `errors` holds information about sub-conditions + which are fatal to that condition and render its state False. + \n `warnings` holds information about sub-conditions which are + not fatal to that condition and do not force the state to be False. + \n Remember that Conditions have a type, a status, and a reason. + \n The type is the type of the condition, the most important one + in this CRD set is `Valid`. `Valid` is a positive-polarity condition: + when it is `status: true` there are no problems. \n In more detail, + `status: true` means that the object is has been ingested into + Contour with no errors. `warnings` may still be present, and will + be indicated in the Reason field. There must be zero entries in + the `errors` slice in this case. \n `Valid`, `status: false` means + that the object has had one or more fatal errors during processing + into Contour. The details of the errors will be present under + the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. \n For DetailedConditions of types + other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must + be at least one entry in the `errors` Subcondition slice. When + they have `status` `false`, there are no serious errors, and there + must be zero entries in the `errors` slice. In either case, there + may be entries in the `warnings` slice. \n Regardless of the polarity, + the `reason` and `message` fields must be updated with either + the detail of the reason (if there is one and only one entry in + total across both the `errors` and `warnings` slices), or `MultipleReasons` + if there is more than one entry." + properties: + errors: + description: "Errors contains a slice of relevant error subconditions + for this object. \n Subconditions are expected to appear when + relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: "Warnings contains a slice of relevant warning + subconditions for this object. \n Subconditions are expected + to appear when relevant (when there is a warning), and disappear + when not relevant. An empty slice here indicates no warnings." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: extensionservices.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: ExtensionService + listKind: ExtensionServiceList + plural: extensionservices + shortNames: + - extensionservice + - extensionservices + singular: extensionservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ExtensionService is the schema for the Contour extension services + API. An ExtensionService resource binds a network service to the Contour + API so that Contour API features can be implemented by collaborating components. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExtensionServiceSpec defines the desired state of an ExtensionService + resource. + properties: + loadBalancerPolicy: + description: The policy for load balancing GRPC service requests. + Note that the `Cookie` and `RequestHash` load balancing strategies + cannot be used here. + properties: + requestHashPolicies: + description: RequestHashPolicies contains a list of hash policies + to apply when the `RequestHash` load balancing strategy is chosen. + If an element of the supplied list of hash policies is invalid, + it will be ignored. If the list of hash policies is empty after + validation, the load balancing strategy will fall back the the + default `RoundRobin`. + items: + description: RequestHashPolicy contains configuration for an + individual hash policy on a request attribute. + properties: + headerHashOptions: + description: HeaderHashOptions should be set when request + header hash based load balancing is desired. It must be + the only hash option field set, otherwise this request + hash policy object will be ignored. + properties: + headerName: + description: HeaderName is the name of the HTTP request + header that will be used to calculate the hash key. + If the header specified is not present on a request, + no hash will be produced. + minLength: 1 + type: string + type: object + terminal: + description: Terminal is a flag that allows for short-circuiting + computing of a hash for a given request. If set to true, + and the request attribute specified in the attribute hash + options is present, no further hash policies will be used + to calculate a hash for the request. + type: boolean + type: object + type: array + strategy: + description: Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are `Random`, + `RoundRobin`, `WeightedLeastRequest`, `Cookie`, and `RequestHash`. + If an unknown strategy name is specified or no policy is supplied, + the default `RoundRobin` policy is used. + type: string + type: object + protocol: + description: Protocol may be used to specify (or override) the protocol + used to reach this Service. Values may be h2 or h2c. If omitted, + protocol-selection falls back on Service annotations. + enum: + - h2 + - h2c + type: string + protocolVersion: + description: This field sets the version of the GRPC protocol that + Envoy uses to send requests to the extension service. Since Contour + always uses the v3 Envoy API, this is currently fixed at "v3". However, + other protocol options will be available in future. + enum: + - v3 + type: string + services: + description: Services specifies the set of Kubernetes Service resources + that receive GRPC extension API requests. If no weights are specified + for any of the entries in this array, traffic will be spread evenly + across all the services. Otherwise, traffic is balanced proportionally + to the Weight field in each entry. + items: + description: ExtensionServiceTarget defines an Kubernetes Service + to target with extension service traffic. + properties: + name: + description: Name is the name of Kubernetes service that will + accept service traffic. + type: string + port: + description: Port (defined as Integer) to proxy traffic to since + a service can have multiple defined. + exclusiveMaximum: true + maximum: 65536 + minimum: 1 + type: integer + weight: + description: Weight defines proportion of traffic to balance + to the Kubernetes Service. + format: int32 + type: integer + required: + - name + - port + type: object + minItems: 1 + type: array + timeoutPolicy: + description: The timeout policy for requests to the services. + properties: + idle: + description: Timeout for how long the proxy should wait while + there is no activity during single request/response (for HTTP/1.1) + or stream (for HTTP/2). Timeout will not trigger while HTTP/1.1 + connection is idle between two consecutive requests. If not + specified, there is no per-route idle timeout, though a connection + manager-wide stream_idle_timeout default of 5m still applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + response: + description: Timeout for receiving a response from the server + after processing a request from client. If not supplied, Envoy's + default value of 15s applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + validation: + description: UpstreamValidation defines how to verify the backend + service's certificate + properties: + caSecret: + description: Name or namespaced name of the Kubernetes secret + used to validate the certificate presented by the backend + type: string + subjectName: + description: Key which is expected to be present in the 'subjectAltName' + of the presented certificate + type: string + required: + - caSecret + - subjectName + type: object + required: + - services + type: object + status: + description: ExtensionServiceStatus defines the observed state of an ExtensionService + resource. + properties: + conditions: + description: "Conditions contains the current status of the ExtensionService + resource. \n Contour will update a single condition, `Valid`, that + is in normal-true polarity. \n Contour will not modify any other + Conditions set in this block, in case some other controller wants + to add a Condition." + items: + description: "DetailedCondition is an extension of the normal Kubernetes + conditions, with two extra fields to hold sub-conditions, which + provide more detailed reasons for the state (True or False) of + the condition. \n `errors` holds information about sub-conditions + which are fatal to that condition and render its state False. + \n `warnings` holds information about sub-conditions which are + not fatal to that condition and do not force the state to be False. + \n Remember that Conditions have a type, a status, and a reason. + \n The type is the type of the condition, the most important one + in this CRD set is `Valid`. `Valid` is a positive-polarity condition: + when it is `status: true` there are no problems. \n In more detail, + `status: true` means that the object is has been ingested into + Contour with no errors. `warnings` may still be present, and will + be indicated in the Reason field. There must be zero entries in + the `errors` slice in this case. \n `Valid`, `status: false` means + that the object has had one or more fatal errors during processing + into Contour. The details of the errors will be present under + the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. \n For DetailedConditions of types + other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must + be at least one entry in the `errors` Subcondition slice. When + they have `status` `false`, there are no serious errors, and there + must be zero entries in the `errors` slice. In either case, there + may be entries in the `warnings` slice. \n Regardless of the polarity, + the `reason` and `message` fields must be updated with either + the detail of the reason (if there is one and only one entry in + total across both the `errors` and `warnings` slices), or `MultipleReasons` + if there is more than one entry." + properties: + errors: + description: "Errors contains a slice of relevant error subconditions + for this object. \n Subconditions are expected to appear when + relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: "Warnings contains a slice of relevant warning + subconditions for this object. \n Subconditions are expected + to appear when relevant (when there is a warning), and disappear + when not relevant. An empty slice here indicates no warnings." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: httpproxies.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: HTTPProxy + listKind: HTTPProxyList + plural: httpproxies + shortNames: + - proxy + - proxies + singular: httpproxy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Fully qualified domain name + jsonPath: .spec.virtualhost.fqdn + name: FQDN + type: string + - description: Secret with TLS credentials + jsonPath: .spec.virtualhost.tls.secretName + name: TLS Secret + type: string + - description: The current status of the HTTPProxy + jsonPath: .status.currentStatus + name: Status + type: string + - description: Description of the current status + jsonPath: .status.description + name: Status Description + type: string + name: v1 + schema: + openAPIV3Schema: + description: HTTPProxy is an Ingress CRD specification. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: HTTPProxySpec defines the spec of the CRD. + properties: + includes: + description: Includes allow for specific routing configuration to + be included from another HTTPProxy, possibly in another namespace. + items: + description: Include describes a set of policies that can be applied + to an HTTPProxy in a namespace. + properties: + conditions: + description: 'Conditions are a set of rules that are applied + to included HTTPProxies. In effect, they are added onto the + Conditions of included HTTPProxy Route structs. When applied, + they are merged using AND, with one exception: There can be + only one Prefix MatchCondition per Conditions slice. More + than one Prefix, or contradictory Conditions, will make the + include invalid.' + items: + description: MatchCondition are a general holder for matching + rules for HTTPProxies. One of Prefix or Header must be provided. + properties: + header: + description: Header specifies the header condition to + match. + properties: + contains: + description: Contains specifies a substring that must + be present in the header value. + type: string + exact: + description: Exact specifies a string that the header + value must be equal to. + type: string + name: + description: Name is the name of the header to match + against. Name is required. Header names are case + insensitive. + type: string + notcontains: + description: NotContains specifies a substring that + must not be present in the header value. + type: string + notexact: + description: NoExact specifies a string that the header + value must not be equal to. The condition is true + if the header has any other value. + type: string + notpresent: + description: NotPresent specifies that condition is + true when the named header is not present. Note + that setting NotPresent to false does not make the + condition true if the named header is present. + type: boolean + present: + description: Present specifies that condition is true + when the named header is present, regardless of + its value. Note that setting Present to false does + not make the condition true if the named header + is absent. + type: boolean + required: + - name + type: object + prefix: + description: Prefix defines a prefix match for a request. + type: string + type: object + type: array + name: + description: Name of the HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + type: array + ingressClassName: + description: IngressClassName optionally specifies the ingress class + to use for this HTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class` + annotation. For backwards compatibility, when that annotation is + set, it is given precedence over this field. + type: string + routes: + description: Routes are the ingress routes. If TCPProxy is present, + Routes is ignored. + items: + description: Route contains the set of routes for a virtual host. + properties: + authPolicy: + description: AuthPolicy updates the authorization policy that + was set on the root HTTPProxy object for client requests that + match this route. + properties: + context: + additionalProperties: + type: string + description: Context is a set of key/value pairs that are + sent to the authentication server in the check request. + If a context is provided at an enclosing scope, the entries + are merged such that the inner scope overrides matching + keys from the outer scope. + type: object + disabled: + description: When true, this field disables client request + authentication for the scope of the policy. + type: boolean + type: object + conditions: + description: 'Conditions are a set of rules that are applied + to a Route. When applied, they are merged using AND, with + one exception: There can be only one Prefix MatchCondition + per Conditions slice. More than one Prefix, or contradictory + Conditions, will make the route invalid.' + items: + description: MatchCondition are a general holder for matching + rules for HTTPProxies. One of Prefix or Header must be provided. + properties: + header: + description: Header specifies the header condition to + match. + properties: + contains: + description: Contains specifies a substring that must + be present in the header value. + type: string + exact: + description: Exact specifies a string that the header + value must be equal to. + type: string + name: + description: Name is the name of the header to match + against. Name is required. Header names are case + insensitive. + type: string + notcontains: + description: NotContains specifies a substring that + must not be present in the header value. + type: string + notexact: + description: NoExact specifies a string that the header + value must not be equal to. The condition is true + if the header has any other value. + type: string + notpresent: + description: NotPresent specifies that condition is + true when the named header is not present. Note + that setting NotPresent to false does not make the + condition true if the named header is present. + type: boolean + present: + description: Present specifies that condition is true + when the named header is present, regardless of + its value. Note that setting Present to false does + not make the condition true if the named header + is absent. + type: boolean + required: + - name + type: object + prefix: + description: Prefix defines a prefix match for a request. + type: string + type: object + type: array + cookieRewritePolicies: + description: The policies for rewriting Set-Cookie header attributes. + Note that rewritten cookie names must be unique in this list. + Order rewrite policies are specified in does not matter. + items: + properties: + domainRewrite: + description: DomainRewrite enables rewriting the Set-Cookie + Domain element. If not set, Domain will not be rewritten. + properties: + value: + description: Value is the value to rewrite the Domain + attribute to. For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - value + type: object + name: + description: Name is the name of the cookie for which + attributes will be rewritten. + maxLength: 4096 + minLength: 1 + pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + pathRewrite: + description: PathRewrite enables rewriting the Set-Cookie + Path element. If not set, Path will not be rewritten. + properties: + value: + description: Value is the value to rewrite the Path + attribute to. For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + required: + - value + type: object + sameSite: + description: SameSite enables rewriting the Set-Cookie + SameSite element. If not set, SameSite attribute will + not be rewritten. + enum: + - Strict + - Lax + - None + type: string + secure: + description: Secure enables rewriting the Set-Cookie Secure + element. If not set, Secure attribute will not be rewritten. + type: boolean + required: + - name + type: object + type: array + enableWebsockets: + description: Enables websocket support for the route. + type: boolean + healthCheckPolicy: + description: The health check policy for this route. + properties: + healthyThresholdCount: + description: The number of healthy health checks required + before a host is marked healthy + format: int64 + minimum: 0 + type: integer + host: + description: The value of the host header in the HTTP health + check request. If left empty (default value), the name + "contour-envoy-healthcheck" will be used. + type: string + intervalSeconds: + description: The interval (seconds) between health checks + format: int64 + type: integer + path: + description: HTTP endpoint used to perform health checks + on upstream service + type: string + timeoutSeconds: + description: The time to wait (seconds) for a health check + response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks required + before a host is marked unhealthy + format: int64 + minimum: 0 + type: integer + required: + - path + type: object + loadBalancerPolicy: + description: The load balancing policy for this route. + properties: + requestHashPolicies: + description: RequestHashPolicies contains a list of hash + policies to apply when the `RequestHash` load balancing + strategy is chosen. If an element of the supplied list + of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load + balancing strategy will fall back the the default `RoundRobin`. + items: + description: RequestHashPolicy contains configuration + for an individual hash policy on a request attribute. + properties: + headerHashOptions: + description: HeaderHashOptions should be set when + request header hash based load balancing is desired. + It must be the only hash option field set, otherwise + this request hash policy object will be ignored. + properties: + headerName: + description: HeaderName is the name of the HTTP + request header that will be used to calculate + the hash key. If the header specified is not + present on a request, no hash will be produced. + minLength: 1 + type: string + type: object + terminal: + description: Terminal is a flag that allows for short-circuiting + computing of a hash for a given request. If set + to true, and the request attribute specified in + the attribute hash options is present, no further + hash policies will be used to calculate a hash for + the request. + type: boolean + type: object + type: array + strategy: + description: Strategy specifies the policy used to balance + requests across the pool of backend pods. Valid policy + names are `Random`, `RoundRobin`, `WeightedLeastRequest`, + `Cookie`, and `RequestHash`. If an unknown strategy name + is specified or no policy is supplied, the default `RoundRobin` + policy is used. + type: string + type: object + pathRewritePolicy: + description: The policy for rewriting the path of the request + URL after the request has been routed to a Service. + properties: + replacePrefix: + description: ReplacePrefix describes how the path prefix + should be replaced. + items: + description: ReplacePrefix describes a path prefix replacement. + properties: + prefix: + description: "Prefix specifies the URL path prefix + to be replaced. \n If Prefix is specified, it must + exactly match the MatchCondition prefix that is + rendered by the chain of including HTTPProxies and + only that path prefix will be replaced by Replacement. + This allows HTTPProxies that are included through + multiple roots to only replace specific path prefixes, + leaving others unmodified. \n If Prefix is not specified, + all routing prefixes rendered by the include chain + will be replaced." + minLength: 1 + type: string + replacement: + description: Replacement is the string that the routing + path prefix will be replaced with. This must not + be empty. + minLength: 1 + type: string + required: + - replacement + type: object + type: array + type: object + permitInsecure: + description: Allow this path to respond to insecure requests + over HTTP which are normally not permitted when a `virtualhost.tls` + block is present. + type: boolean + rateLimitPolicy: + description: The policy for rate limiting on the route. + properties: + global: + description: Global defines global rate limiting parameters, + i.e. parameters defining descriptors that are sent to + an external rate limit service (RLS) for a rate limit + decision on each request. + properties: + descriptors: + description: Descriptors defines the list of descriptors + that will be generated and sent to the rate limit + service. Each descriptor contains 1+ key-value pair + entries. + items: + description: RateLimitDescriptor defines a list of + key-value pair generators. + properties: + entries: + description: Entries is the list of key-value + pair generators. + items: + description: RateLimitDescriptorEntry is a key-value + pair generator. Exactly one field on this + struct must be non-nil. + properties: + genericKey: + description: GenericKey defines a descriptor + entry with a static key and value. + properties: + key: + description: Key defines the key of + the descriptor entry. If not set, + the key is set to "generic_key". + type: string + value: + description: Value defines the value + of the descriptor entry. + minLength: 1 + type: string + type: object + remoteAddress: + description: RemoteAddress defines a descriptor + entry with a key of "remote_address" and + a value equal to the client's IP address + (from x-forwarded-for). + type: object + requestHeader: + description: RequestHeader defines a descriptor + entry that's populated only if a given + header is present on the request. The + descriptor key is static, and the descriptor + value is equal to the value of the header. + properties: + descriptorKey: + description: DescriptorKey defines the + key to use on the descriptor entry. + minLength: 1 + type: string + headerName: + description: HeaderName defines the + name of the header to look for on + the request. + minLength: 1 + type: string + type: object + requestHeaderValueMatch: + description: RequestHeaderValueMatch defines + a descriptor entry that's populated if + the request's headers match a set of 1+ + match criteria. The descriptor key is + "header_match", and the descriptor value + is static. + properties: + expectMatch: + default: true + description: ExpectMatch defines whether + the request must positively match + the match criteria in order to generate + a descriptor entry (i.e. true), or + not match the match criteria in order + to generate a descriptor entry (i.e. + false). The default is true. + type: boolean + headers: + description: Headers is a list of 1+ + match criteria to apply against the + request to determine whether to populate + the descriptor entry or not. + items: + description: HeaderMatchCondition + specifies how to conditionally match + against HTTP headers. The Name field + is required, but only one of the + remaining fields should be be provided. + properties: + contains: + description: Contains specifies + a substring that must be present + in the header value. + type: string + exact: + description: Exact specifies a + string that the header value + must be equal to. + type: string + name: + description: Name is the name + of the header to match against. + Name is required. Header names + are case insensitive. + type: string + notcontains: + description: NotContains specifies + a substring that must not be + present in the header value. + type: string + notexact: + description: NoExact specifies + a string that the header value + must not be equal to. The condition + is true if the header has any + other value. + type: string + notpresent: + description: NotPresent specifies + that condition is true when + the named header is not present. + Note that setting NotPresent + to false does not make the condition + true if the named header is + present. + type: boolean + present: + description: Present specifies + that condition is true when + the named header is present, + regardless of its value. Note + that setting Present to false + does not make the condition + true if the named header is + absent. + type: boolean + required: + - name + type: object + minItems: 1 + type: array + value: + description: Value defines the value + of the descriptor entry. + minLength: 1 + type: string + type: object + type: object + minItems: 1 + type: array + type: object + minItems: 1 + type: array + type: object + local: + description: Local defines local rate limiting parameters, + i.e. parameters for rate limiting that occurs within each + Envoy pod as requests are handled. + properties: + burst: + description: Burst defines the number of requests above + the requests per unit that should be allowed within + a short period of time. + format: int32 + type: integer + requests: + description: Requests defines how many requests per + unit of time should be allowed before rate limiting + occurs. + format: int32 + minimum: 1 + type: integer + responseHeadersToAdd: + description: ResponseHeadersToAdd is an optional list + of response headers to set when a request is rate-limited. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + responseStatusCode: + description: ResponseStatusCode is the HTTP status code + to use for responses to rate-limited requests. Codes + must be in the 400-599 range (inclusive). If not specified, + the Envoy default of 429 (Too Many Requests) is used. + format: int32 + maximum: 599 + minimum: 400 + type: integer + unit: + description: Unit defines the period of time within + which requests over the limit will be rate limited. + Valid values are "second", "minute" and "hour". + enum: + - second + - minute + - hour + type: string + required: + - requests + - unit + type: object + type: object + requestHeadersPolicy: + description: The policy for managing request headers during + proxying. + properties: + remove: + description: Remove specifies a list of HTTP header names + to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header does + not exist it will be added, otherwise it will be overwritten + with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + responseHeadersPolicy: + description: The policy for managing response headers during + proxying. Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header names + to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header does + not exist it will be added, otherwise it will be overwritten + with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + retryPolicy: + description: The retry policy for this route. + properties: + count: + description: NumRetries is maximum allowed number of retries. + If not supplied, the number of retries is one. + format: int64 + minimum: 0 + type: integer + perTryTimeout: + description: PerTryTimeout specifies the timeout per retry + attempt. Ignored if NumRetries is not supplied. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + retriableStatusCodes: + description: "RetriableStatusCodes specifies the HTTP status + codes that should be retried. \n This field is only respected + when you include `retriable-status-codes` in the `RetryOn` + field." + items: + format: int32 + type: integer + type: array + retryOn: + description: "RetryOn specifies the conditions on which + to retry a request. \n Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on): + \n - `5xx` - `gateway-error` - `reset` - `connect-failure` + - `retriable-4xx` - `refused-stream` - `retriable-status-codes` + - `retriable-headers` \n Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on): + \n - `cancelled` - `deadline-exceeded` - `internal` - + `resource-exhausted` - `unavailable`" + items: + description: RetryOn is a string type alias with validation + to ensure that the value is valid. + enum: + - 5xx + - gateway-error + - reset + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - retriable-headers + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + services: + description: Services are the services to proxy traffic. + items: + description: Service defines an Kubernetes Service to proxy + traffic. + properties: + cookieRewritePolicies: + description: The policies for rewriting Set-Cookie header + attributes. + items: + properties: + domainRewrite: + description: DomainRewrite enables rewriting the + Set-Cookie Domain element. If not set, Domain + will not be rewritten. + properties: + value: + description: Value is the value to rewrite the + Domain attribute to. For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - value + type: object + name: + description: Name is the name of the cookie for + which attributes will be rewritten. + maxLength: 4096 + minLength: 1 + pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + pathRewrite: + description: PathRewrite enables rewriting the Set-Cookie + Path element. If not set, Path will not be rewritten. + properties: + value: + description: Value is the value to rewrite the + Path attribute to. For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + required: + - value + type: object + sameSite: + description: SameSite enables rewriting the Set-Cookie + SameSite element. If not set, SameSite attribute + will not be rewritten. + enum: + - Strict + - Lax + - None + type: string + secure: + description: Secure enables rewriting the Set-Cookie + Secure element. If not set, Secure attribute will + not be rewritten. + type: boolean + required: + - name + type: object + type: array + mirror: + description: If Mirror is true the Service will receive + a read only mirror of the traffic for this route. + type: boolean + name: + description: Name is the name of Kubernetes service to + proxy traffic. Names defined here will be used to look + up corresponding endpoints which contain the ips to + route. + type: string + port: + description: Port (defined as Integer) to proxy traffic + to since a service can have multiple defined. + exclusiveMaximum: true + maximum: 65536 + minimum: 1 + type: integer + protocol: + description: Protocol may be used to specify (or override) + the protocol used to reach this Service. Values may + be tls, h2, h2c. If omitted, protocol-selection falls + back on Service annotations. + enum: + - h2 + - h2c + - tls + type: string + requestHeadersPolicy: + description: The policy for managing request headers during + proxying. Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a + header specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + responseHeadersPolicy: + description: The policy for managing response headers + during proxying. Rewriting the 'Host' header is not + supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a + header specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + validation: + description: UpstreamValidation defines how to verify + the backend service's certificate + properties: + caSecret: + description: Name or namespaced name of the Kubernetes + secret used to validate the certificate presented + by the backend + type: string + subjectName: + description: Key which is expected to be present in + the 'subjectAltName' of the presented certificate + type: string + required: + - caSecret + - subjectName + type: object + weight: + description: Weight defines percentage of traffic to balance + traffic + format: int64 + minimum: 0 + type: integer + required: + - name + - port + type: object + minItems: 1 + type: array + timeoutPolicy: + description: The timeout policy for this route. + properties: + idle: + description: Timeout for how long the proxy should wait + while there is no activity during single request/response + (for HTTP/1.1) or stream (for HTTP/2). Timeout will not + trigger while HTTP/1.1 connection is idle between two + consecutive requests. If not specified, there is no per-route + idle timeout, though a connection manager-wide stream_idle_timeout + default of 5m still applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + response: + description: Timeout for receiving a response from the server + after processing a request from client. If not supplied, + Envoy's default value of 15s applies. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + type: object + required: + - services + type: object + type: array + tcpproxy: + description: TCPProxy holds TCP proxy information. + properties: + healthCheckPolicy: + description: The health check policy for this tcp proxy + properties: + healthyThresholdCount: + description: The number of healthy health checks required + before a host is marked healthy + format: int32 + type: integer + intervalSeconds: + description: The interval (seconds) between health checks + format: int64 + type: integer + timeoutSeconds: + description: The time to wait (seconds) for a health check + response + format: int64 + type: integer + unhealthyThresholdCount: + description: The number of unhealthy health checks required + before a host is marked unhealthy + format: int32 + type: integer + type: object + include: + description: Include specifies that this tcpproxy should be delegated + to another HTTPProxy. + properties: + name: + description: Name of the child HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + includes: + description: "IncludesDeprecated allow for specific routing configuration + to be appended to another HTTPProxy in another namespace. \n + Exists due to a mistake when developing HTTPProxy and the field + was marked plural when it should have been singular. This field + should stay to not break backwards compatibility to v1 users." + properties: + name: + description: Name of the child HTTPProxy + type: string + namespace: + description: Namespace of the HTTPProxy to include. Defaults + to the current namespace if not supplied. + type: string + required: + - name + type: object + loadBalancerPolicy: + description: The load balancing policy for the backend services. + Note that the `Cookie` and `RequestHash` load balancing strategies + cannot be used here. + properties: + requestHashPolicies: + description: RequestHashPolicies contains a list of hash policies + to apply when the `RequestHash` load balancing strategy + is chosen. If an element of the supplied list of hash policies + is invalid, it will be ignored. If the list of hash policies + is empty after validation, the load balancing strategy will + fall back the the default `RoundRobin`. + items: + description: RequestHashPolicy contains configuration for + an individual hash policy on a request attribute. + properties: + headerHashOptions: + description: HeaderHashOptions should be set when request + header hash based load balancing is desired. It must + be the only hash option field set, otherwise this + request hash policy object will be ignored. + properties: + headerName: + description: HeaderName is the name of the HTTP + request header that will be used to calculate + the hash key. If the header specified is not present + on a request, no hash will be produced. + minLength: 1 + type: string + type: object + terminal: + description: Terminal is a flag that allows for short-circuiting + computing of a hash for a given request. If set to + true, and the request attribute specified in the attribute + hash options is present, no further hash policies + will be used to calculate a hash for the request. + type: boolean + type: object + type: array + strategy: + description: Strategy specifies the policy used to balance + requests across the pool of backend pods. Valid policy names + are `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + and `RequestHash`. If an unknown strategy name is specified + or no policy is supplied, the default `RoundRobin` policy + is used. + type: string + type: object + services: + description: Services are the services to proxy traffic + items: + description: Service defines an Kubernetes Service to proxy + traffic. + properties: + cookieRewritePolicies: + description: The policies for rewriting Set-Cookie header + attributes. + items: + properties: + domainRewrite: + description: DomainRewrite enables rewriting the Set-Cookie + Domain element. If not set, Domain will not be rewritten. + properties: + value: + description: Value is the value to rewrite the + Domain attribute to. For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - value + type: object + name: + description: Name is the name of the cookie for which + attributes will be rewritten. + maxLength: 4096 + minLength: 1 + pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + pathRewrite: + description: PathRewrite enables rewriting the Set-Cookie + Path element. If not set, Path will not be rewritten. + properties: + value: + description: Value is the value to rewrite the + Path attribute to. For now this is required. + maxLength: 4096 + minLength: 1 + pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ + type: string + required: + - value + type: object + sameSite: + description: SameSite enables rewriting the Set-Cookie + SameSite element. If not set, SameSite attribute + will not be rewritten. + enum: + - Strict + - Lax + - None + type: string + secure: + description: Secure enables rewriting the Set-Cookie + Secure element. If not set, Secure attribute will + not be rewritten. + type: boolean + required: + - name + type: object + type: array + mirror: + description: If Mirror is true the Service will receive + a read only mirror of the traffic for this route. + type: boolean + name: + description: Name is the name of Kubernetes service to proxy + traffic. Names defined here will be used to look up corresponding + endpoints which contain the ips to route. + type: string + port: + description: Port (defined as Integer) to proxy traffic + to since a service can have multiple defined. + exclusiveMaximum: true + maximum: 65536 + minimum: 1 + type: integer + protocol: + description: Protocol may be used to specify (or override) + the protocol used to reach this Service. Values may be + tls, h2, h2c. If omitted, protocol-selection falls back + on Service annotations. + enum: + - h2 + - h2c + - tls + type: string + requestHeadersPolicy: + description: The policy for managing request headers during + proxying. Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + responseHeadersPolicy: + description: The policy for managing response headers during + proxying. Rewriting the 'Host' header is not supported. + properties: + remove: + description: Remove specifies a list of HTTP header + names to remove. + items: + type: string + type: array + set: + description: Set specifies a list of HTTP header values + that will be set in the HTTP header. If the header + does not exist it will be added, otherwise it will + be overwritten with the new value. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + type: object + validation: + description: UpstreamValidation defines how to verify the + backend service's certificate + properties: + caSecret: + description: Name or namespaced name of the Kubernetes + secret used to validate the certificate presented + by the backend + type: string + subjectName: + description: Key which is expected to be present in + the 'subjectAltName' of the presented certificate + type: string + required: + - caSecret + - subjectName + type: object + weight: + description: Weight defines percentage of traffic to balance + traffic + format: int64 + minimum: 0 + type: integer + required: + - name + - port + type: object + type: array + type: object + virtualhost: + description: Virtualhost appears at most once. If it is present, the + object is considered to be a "root" HTTPProxy. + properties: + authorization: + description: This field configures an extension service to perform + authorization for this virtual host. Authorization can only + be configured on virtual hosts that have TLS enabled. If the + TLS configuration requires client certificate validation, the + client certificate is always included in the authentication + check request. + properties: + authPolicy: + description: AuthPolicy sets a default authorization policy + for client requests. This policy will be used unless overridden + by individual routes. + properties: + context: + additionalProperties: + type: string + description: Context is a set of key/value pairs that + are sent to the authentication server in the check request. + If a context is provided at an enclosing scope, the + entries are merged such that the inner scope overrides + matching keys from the outer scope. + type: object + disabled: + description: When true, this field disables client request + authentication for the scope of the policy. + type: boolean + type: object + extensionRef: + description: ExtensionServiceRef specifies the extension resource + that will authorize client requests. + properties: + apiVersion: + description: API version of the referent. If this field + is not specified, the default "projectcontour.io/v1alpha1" + will be used + minLength: 1 + type: string + name: + description: "Name of the referent. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + minLength: 1 + type: string + namespace: + description: "Namespace of the referent. If this field + is not specifies, the namespace of the resource that + targets the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + minLength: 1 + type: string + type: object + failOpen: + description: If FailOpen is true, the client request is forwarded + to the upstream service even if the authorization server + fails to respond. This field should not be set in most cases. + It is intended for use only while migrating applications + from internal authorization to Contour external authorization. + type: boolean + responseTimeout: + description: ResponseTimeout configures maximum time to wait + for a check response from the authorization server. Timeout + durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", + "h". The string "infinity" is also a valid input and specifies + no timeout. + pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ + type: string + required: + - extensionRef + type: object + corsPolicy: + description: Specifies the cross-origin policy to apply to the + VirtualHost. + properties: + allowCredentials: + description: Specifies whether the resource allows credentials. + type: boolean + allowHeaders: + description: AllowHeaders specifies the content for the *access-control-allow-headers* + header. + items: + description: CORSHeaderValue specifies the value of the + string headers returned by a cross-domain request. + pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ + type: string + type: array + allowMethods: + description: AllowMethods specifies the content for the *access-control-allow-methods* + header. + items: + description: CORSHeaderValue specifies the value of the + string headers returned by a cross-domain request. + pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ + type: string + type: array + allowOrigin: + description: AllowOrigin specifies the origins that will be + allowed to do CORS requests. "*" means allow any origin. + items: + type: string + type: array + exposeHeaders: + description: ExposeHeaders Specifies the content for the *access-control-expose-headers* + header. + items: + description: CORSHeaderValue specifies the value of the + string headers returned by a cross-domain request. + pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$ + type: string + type: array + maxAge: + description: MaxAge indicates for how long the results of + a preflight request can be cached. MaxAge durations are + expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", + "h". Only positive values are allowed while 0 disables the + cache requiring a preflight OPTIONS check for all cross-origin + requests. + type: string + required: + - allowMethods + - allowOrigin + type: object + fqdn: + description: The fully qualified domain name of the root of the + ingress tree all leaves of the DAG rooted at this object relate + to the fqdn. + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + rateLimitPolicy: + description: The policy for rate limiting on the virtual host. + properties: + global: + description: Global defines global rate limiting parameters, + i.e. parameters defining descriptors that are sent to an + external rate limit service (RLS) for a rate limit decision + on each request. + properties: + descriptors: + description: Descriptors defines the list of descriptors + that will be generated and sent to the rate limit service. + Each descriptor contains 1+ key-value pair entries. + items: + description: RateLimitDescriptor defines a list of key-value + pair generators. + properties: + entries: + description: Entries is the list of key-value pair + generators. + items: + description: RateLimitDescriptorEntry is a key-value + pair generator. Exactly one field on this struct + must be non-nil. + properties: + genericKey: + description: GenericKey defines a descriptor + entry with a static key and value. + properties: + key: + description: Key defines the key of the + descriptor entry. If not set, the key + is set to "generic_key". + type: string + value: + description: Value defines the value of + the descriptor entry. + minLength: 1 + type: string + type: object + remoteAddress: + description: RemoteAddress defines a descriptor + entry with a key of "remote_address" and + a value equal to the client's IP address + (from x-forwarded-for). + type: object + requestHeader: + description: RequestHeader defines a descriptor + entry that's populated only if a given header + is present on the request. The descriptor + key is static, and the descriptor value + is equal to the value of the header. + properties: + descriptorKey: + description: DescriptorKey defines the + key to use on the descriptor entry. + minLength: 1 + type: string + headerName: + description: HeaderName defines the name + of the header to look for on the request. + minLength: 1 + type: string + type: object + requestHeaderValueMatch: + description: RequestHeaderValueMatch defines + a descriptor entry that's populated if the + request's headers match a set of 1+ match + criteria. The descriptor key is "header_match", + and the descriptor value is static. + properties: + expectMatch: + default: true + description: ExpectMatch defines whether + the request must positively match the + match criteria in order to generate + a descriptor entry (i.e. true), or not + match the match criteria in order to + generate a descriptor entry (i.e. false). + The default is true. + type: boolean + headers: + description: Headers is a list of 1+ match + criteria to apply against the request + to determine whether to populate the + descriptor entry or not. + items: + description: HeaderMatchCondition specifies + how to conditionally match against + HTTP headers. The Name field is required, + but only one of the remaining fields + should be be provided. + properties: + contains: + description: Contains specifies + a substring that must be present + in the header value. + type: string + exact: + description: Exact specifies a string + that the header value must be + equal to. + type: string + name: + description: Name is the name of + the header to match against. Name + is required. Header names are + case insensitive. + type: string + notcontains: + description: NotContains specifies + a substring that must not be present + in the header value. + type: string + notexact: + description: NoExact specifies a + string that the header value must + not be equal to. The condition + is true if the header has any + other value. + type: string + notpresent: + description: NotPresent specifies + that condition is true when the + named header is not present. Note + that setting NotPresent to false + does not make the condition true + if the named header is present. + type: boolean + present: + description: Present specifies that + condition is true when the named + header is present, regardless + of its value. Note that setting + Present to false does not make + the condition true if the named + header is absent. + type: boolean + required: + - name + type: object + minItems: 1 + type: array + value: + description: Value defines the value of + the descriptor entry. + minLength: 1 + type: string + type: object + type: object + minItems: 1 + type: array + type: object + minItems: 1 + type: array + type: object + local: + description: Local defines local rate limiting parameters, + i.e. parameters for rate limiting that occurs within each + Envoy pod as requests are handled. + properties: + burst: + description: Burst defines the number of requests above + the requests per unit that should be allowed within + a short period of time. + format: int32 + type: integer + requests: + description: Requests defines how many requests per unit + of time should be allowed before rate limiting occurs. + format: int32 + minimum: 1 + type: integer + responseHeadersToAdd: + description: ResponseHeadersToAdd is an optional list + of response headers to set when a request is rate-limited. + items: + description: HeaderValue represents a header name/value + pair + properties: + name: + description: Name represents a key of a header + minLength: 1 + type: string + value: + description: Value represents the value of a header + specified by a key + minLength: 1 + type: string + required: + - name + - value + type: object + type: array + responseStatusCode: + description: ResponseStatusCode is the HTTP status code + to use for responses to rate-limited requests. Codes + must be in the 400-599 range (inclusive). If not specified, + the Envoy default of 429 (Too Many Requests) is used. + format: int32 + maximum: 599 + minimum: 400 + type: integer + unit: + description: Unit defines the period of time within which + requests over the limit will be rate limited. Valid + values are "second", "minute" and "hour". + enum: + - second + - minute + - hour + type: string + required: + - requests + - unit + type: object + type: object + tls: + description: If present the fields describes TLS properties of + the virtual host. The SNI names that will be matched on are + described in fqdn, the tls.secretName secret must contain a + certificate that itself contains a name that matches the FQDN. + properties: + clientValidation: + description: "ClientValidation defines how to verify the client + certificate when an external client establishes a TLS connection + to Envoy. \n This setting: \n 1. Enables TLS client certificate + validation. 2. Specifies how the client certificate will + be validated (i.e. validation required or skipped). \n + Note: Setting client certificate validation to be skipped + should be only used in conjunction with an external authorization + server that performs client validation as Contour will ensure + client certificates are passed along." + properties: + caSecret: + description: Name of a Kubernetes secret that contains + a CA certificate bundle. The client certificate must + validate against the certificates in the bundle. If + specified and SkipClientCertValidation is true, client + certificates will be required on requests. + minLength: 1 + type: string + skipClientCertValidation: + description: SkipClientCertValidation disables downstream + client certificate validation. Defaults to false. This + field is intended to be used in conjunction with external + authorization in order to enable the external authorization + server to validate client certificates. When this field + is set to true, client certificates are requested but + not verified by Envoy. If CACertificate is specified, + client certificates are required on requests, but not + verified. If external authorization is in use, they + are presented to the external authorization server. + type: boolean + type: object + enableFallbackCertificate: + description: EnableFallbackCertificate defines if the vhost + should allow a default certificate to be applied which handles + all requests which don't match the SNI defined in this vhost. + type: boolean + minimumProtocolVersion: + description: MinimumProtocolVersion is the minimum TLS version + this vhost should negotiate. Valid options are `1.2` (default) + and `1.3`. Any other value defaults to TLS 1.2. + type: string + passthrough: + description: Passthrough defines whether the encrypted TLS + handshake will be passed through to the backing cluster. + Either Passthrough or SecretName must be specified, but + not both. + type: boolean + secretName: + description: SecretName is the name of a TLS secret in the + current namespace. Either SecretName or Passthrough must + be specified, but not both. If specified, the named secret + must contain a matching certificate for the virtual host's + FQDN. + type: string + type: object + required: + - fqdn + type: object + type: object + status: + description: Status is a container for computed information about the + HTTPProxy. + properties: + conditions: + description: "Conditions contains information about the current status + of the HTTPProxy, in an upstream-friendly container. \n Contour + will update a single condition, `Valid`, that is in normal-true + polarity. That is, when `currentStatus` is `valid`, the `Valid` + condition will be `status: true`, and vice versa. \n Contour will + leave untouched any other Conditions set in this block, in case + some other controller wants to add a Condition. \n If you are another + controller owner and wish to add a condition, you *should* namespace + your condition with a label, like `controller.domain.com/ConditionName`." + items: + description: "DetailedCondition is an extension of the normal Kubernetes + conditions, with two extra fields to hold sub-conditions, which + provide more detailed reasons for the state (True or False) of + the condition. \n `errors` holds information about sub-conditions + which are fatal to that condition and render its state False. + \n `warnings` holds information about sub-conditions which are + not fatal to that condition and do not force the state to be False. + \n Remember that Conditions have a type, a status, and a reason. + \n The type is the type of the condition, the most important one + in this CRD set is `Valid`. `Valid` is a positive-polarity condition: + when it is `status: true` there are no problems. \n In more detail, + `status: true` means that the object is has been ingested into + Contour with no errors. `warnings` may still be present, and will + be indicated in the Reason field. There must be zero entries in + the `errors` slice in this case. \n `Valid`, `status: false` means + that the object has had one or more fatal errors during processing + into Contour. The details of the errors will be present under + the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. \n For DetailedConditions of types + other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must + be at least one entry in the `errors` Subcondition slice. When + they have `status` `false`, there are no serious errors, and there + must be zero entries in the `errors` slice. In either case, there + may be entries in the `warnings` slice. \n Regardless of the polarity, + the `reason` and `message` fields must be updated with either + the detail of the reason (if there is one and only one entry in + total across both the `errors` and `warnings` slices), or `MultipleReasons` + if there is more than one entry." + properties: + errors: + description: "Errors contains a slice of relevant error subconditions + for this object. \n Subconditions are expected to appear when + relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: "Warnings contains a slice of relevant warning + subconditions for this object. \n Subconditions are expected + to appear when relevant (when there is a warning), and disappear + when not relevant. An empty slice here indicates no warnings." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentStatus: + type: string + description: + type: string + loadBalancer: + description: LoadBalancer contains the current status of the load + balancer. + properties: + ingress: + description: Ingress is a list containing ingress points for the + load-balancer. Traffic intended for the service should be sent + to these ingress points. + items: + description: 'LoadBalancerIngress represents the status of a + load-balancer ingress point: traffic intended for the service + should be sent to an ingress point.' + properties: + hostname: + description: Hostname is set for load-balancer ingress points + that are DNS based (typically AWS load-balancers) + type: string + ip: + description: IP is set for load-balancer ingress points + that are IP based (typically GCE or OpenStack load-balancers) + type: string + ports: + description: Ports is a list of records of service ports + If used, every port defined in the service should have + an entry in it + items: + properties: + error: + description: 'Error is to record the problem with + the service port The format of the error shall comply + with the following rules: - built-in error values + shall be specified in this file and those shall + use CamelCase names - cloud provider specific + error values must have names that comply with the format + foo.example.com/CamelCase. --- The regex it matches + is (dns1123SubdomainFmt/)?(qualifiedNameFmt)' + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + port: + description: Port is the port number of the service + port of which status is recorded here + format: int32 + type: integer + protocol: + default: TCP + description: 'Protocol is the protocol of the service + port of which status is recorded here The supported + values are: "TCP", "UDP", "SCTP"' + type: string + required: + - port + - protocol + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: array + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: tlscertificatedelegations.projectcontour.io +spec: + preserveUnknownFields: false + group: projectcontour.io + names: + kind: TLSCertificateDelegation + listKind: TLSCertificateDelegationList + plural: tlscertificatedelegations + shortNames: + - tlscerts + singular: tlscertificatedelegation + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: TLSCertificateDelegation is an TLS Certificate Delegation CRD + specification. See design/tls-certificate-delegation.md for details. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TLSCertificateDelegationSpec defines the spec of the CRD + properties: + delegations: + items: + description: CertificateDelegation maps the authority to reference + a secret in the current namespace to a set of namespaces. + properties: + secretName: + description: required, the name of a secret in the current namespace. + type: string + targetNamespaces: + description: required, the namespaces the authority to reference + the the secret will be delegated to. If TargetNamespaces is + nil or empty, the CertificateDelegation' is ignored. If the + TargetNamespace list contains the character, "*" the secret + will be delegated to all namespaces. + items: + type: string + type: array + required: + - secretName + - targetNamespaces + type: object + type: array + required: + - delegations + type: object + status: + description: TLSCertificateDelegationStatus allows for the status of the + delegation to be presented to the user. + properties: + conditions: + description: "Conditions contains information about the current status + of the HTTPProxy, in an upstream-friendly container. \n Contour + will update a single condition, `Valid`, that is in normal-true + polarity. That is, when `currentStatus` is `valid`, the `Valid` + condition will be `status: true`, and vice versa. \n Contour will + leave untouched any other Conditions set in this block, in case + some other controller wants to add a Condition. \n If you are another + controller owner and wish to add a condition, you *should* namespace + your condition with a label, like `controller.domain.com\\ConditionName`." + items: + description: "DetailedCondition is an extension of the normal Kubernetes + conditions, with two extra fields to hold sub-conditions, which + provide more detailed reasons for the state (True or False) of + the condition. \n `errors` holds information about sub-conditions + which are fatal to that condition and render its state False. + \n `warnings` holds information about sub-conditions which are + not fatal to that condition and do not force the state to be False. + \n Remember that Conditions have a type, a status, and a reason. + \n The type is the type of the condition, the most important one + in this CRD set is `Valid`. `Valid` is a positive-polarity condition: + when it is `status: true` there are no problems. \n In more detail, + `status: true` means that the object is has been ingested into + Contour with no errors. `warnings` may still be present, and will + be indicated in the Reason field. There must be zero entries in + the `errors` slice in this case. \n `Valid`, `status: false` means + that the object has had one or more fatal errors during processing + into Contour. The details of the errors will be present under + the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. \n For DetailedConditions of types + other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must + be at least one entry in the `errors` Subcondition slice. When + they have `status` `false`, there are no serious errors, and there + must be zero entries in the `errors` slice. In either case, there + may be entries in the `warnings` slice. \n Regardless of the polarity, + the `reason` and `message` fields must be updated with either + the detail of the reason (if there is one and only one entry in + total across both the `errors` and `warnings` slices), or `MultipleReasons` + if there is more than one entry." + properties: + errors: + description: "Errors contains a slice of relevant error subconditions + for this object. \n Subconditions are expected to appear when + relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + warnings: + description: "Warnings contains a slice of relevant warning + subconditions for this object. \n Subconditions are expected + to appear when relevant (when there is a warning), and disappear + when not relevant. An empty slice here indicates no warnings." + items: + description: "SubCondition is a Condition-like type intended + for use as a subcondition inside a DetailedCondition. \n + It contains a subset of the Condition fields. \n It is intended + for warnings and errors, so `type` names should use abnormal-true + polarity, that is, they should be of the form \"ErrorPresent: + true\". \n The expected lifecycle for these errors is that + they should only be present when the error or warning is, + and should be removed when they are not relevant." + properties: + message: + description: "Message is a human readable message indicating + details about the transition. \n This may be an empty + string." + maxLength: 32768 + type: string + reason: + description: "Reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. \n The value + should be a CamelCase string. \n This field may not + be empty." + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + \n This must be in abnormal-true polarity, that is, + `ErrorFound` or `controller.io/ErrorFound`. \n The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: contour-certgen + namespace: projectcontour +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: contour + namespace: projectcontour +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: contour-certgen +subjects: +- kind: ServiceAccount + name: contour-certgen + namespace: projectcontour +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: contour-certgen + namespace: projectcontour +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - update +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: contour-certgen-main + namespace: projectcontour +spec: + ttlSecondsAfterFinished: 0 + template: + metadata: + labels: + app: "contour-certgen" + spec: + containers: + - name: contour + image: ghcr.io/projectcontour/contour:main + imagePullPolicy: Always + command: + - contour + - certgen + - --kube + - --incluster + - --overwrite + - --secrets-format=compact + - --namespace=$(CONTOUR_NAMESPACE) + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: Never + serviceAccountName: contour-certgen + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + parallelism: 1 + completions: 1 + backoffLimit: 1 + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: contour +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: contour +subjects: +- kind: ServiceAccount + name: contour + namespace: projectcontour + +# The following ClusterRole is generated from kubebuilder RBAC tags by +# generate-rbac.sh. Do not edit this file directly but instead edit the source +# files and re-render. + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: contour +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - get + - update +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - httproutes + - tcproutes + - tlsroutes + - udproutes + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + - gateways/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - create + - get + - update +- apiGroups: + - projectcontour.io + resources: + - contourconfigurations + verbs: + - get + - list + - watch +- apiGroups: + - projectcontour.io + resources: + - contourconfigurations/status + verbs: + - create + - get + - update +- apiGroups: + - projectcontour.io + resources: + - extensionservices + verbs: + - get + - list + - watch +- apiGroups: + - projectcontour.io + resources: + - extensionservices/status + verbs: + - create + - get + - update +- apiGroups: + - projectcontour.io + resources: + - httpproxies + - tlscertificatedelegations + verbs: + - get + - list + - watch +- apiGroups: + - projectcontour.io + resources: + - httpproxies/status + verbs: + - create + - get + - update + +--- +apiVersion: v1 +kind: Service +metadata: + name: contour + namespace: projectcontour +spec: + ports: + - port: 8001 + name: xds + protocol: TCP + targetPort: 8001 + selector: + app: contour + type: ClusterIP + +--- +apiVersion: v1 +kind: Service +metadata: + name: envoy + namespace: projectcontour + annotations: + # This annotation puts the AWS ELB into "TCP" mode so that it does not + # do HTTP negotiation for HTTPS connections at the ELB edge. + # The downside of this is the remote IP address of all connections will + # appear to be the internal address of the ELB. See docs/proxy-proto.md + # for information about enabling the PROXY protocol on the ELB to recover + # the original remote IP address. + service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp +spec: + externalTrafficPolicy: Local + ports: + - port: 80 + name: http + protocol: TCP + targetPort: 8080 + - port: 443 + name: https + protocol: TCP + targetPort: 8443 + selector: + app: envoy + type: LoadBalancer + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: contour + name: contour + namespace: projectcontour +spec: + replicas: 2 + strategy: + type: RollingUpdate + rollingUpdate: + # This value of maxSurge means that during a rolling update + # the new ReplicaSet will be created first. + maxSurge: 50% + selector: + matchLabels: + app: contour + template: + metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8000" + labels: + app: contour + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app: contour + topologyKey: kubernetes.io/hostname + weight: 100 + containers: + - args: + - serve + - --incluster + - --xds-address=0.0.0.0 + - --xds-port=8001 + - --contour-cafile=/certs/ca.crt + - --contour-cert-file=/certs/tls.crt + - --contour-key-file=/certs/tls.key + - --config-path=/config/contour.yaml + command: ["contour"] + image: ghcr.io/projectcontour/contour:main + imagePullPolicy: IfNotPresent + name: contour + ports: + - containerPort: 8001 + name: xds + protocol: TCP + - containerPort: 8000 + name: metrics + protocol: TCP + - containerPort: 6060 + name: debug + protocol: TCP + livenessProbe: + httpGet: + path: /healthz + port: 8000 + readinessProbe: + tcpSocket: + port: 8001 + initialDelaySeconds: 15 + periodSeconds: 10 + volumeMounts: + - name: contourcert + mountPath: /certs + readOnly: true + - name: contour-config + mountPath: /config + readOnly: true + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + dnsPolicy: ClusterFirst + serviceAccountName: contour + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + volumes: + - name: contourcert + secret: + secretName: contourcert + - name: contour-config + configMap: + name: contour + defaultMode: 0644 + items: + - key: contour.yaml + path: contour.yaml + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: envoy + name: envoy + namespace: projectcontour +spec: + replicas: 2 + strategy: + type: RollingUpdate + rollingUpdate: + # This value of maxSurge means that during a rolling update + # the new ReplicaSet will be created first. + maxSurge: 10% + selector: + matchLabels: + app: envoy + template: + metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8002" + prometheus.io/path: "/stats/prometheus" + labels: + app: envoy + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - envoy + topologyKey: "kubernetes.io/hostname" + containers: + - command: + - /bin/contour + args: + - envoy + - shutdown-manager + image: ghcr.io/projectcontour/contour:main + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /bin/contour + - envoy + - shutdown + livenessProbe: + httpGet: + path: /healthz + port: 8090 + initialDelaySeconds: 3 + periodSeconds: 10 + name: shutdown-manager + volumeMounts: + - name: envoy-admin + mountPath: /admin + - args: + - -c + - /config/envoy.json + - --service-cluster $(CONTOUR_NAMESPACE) + - --service-node $(ENVOY_POD_NAME) + - --log-level info + command: + - envoy + image: docker.io/envoyproxy/envoy:v1.19.1 + imagePullPolicy: IfNotPresent + name: envoy + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: ENVOY_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + ports: + - containerPort: 8080 + hostPort: 80 + name: http + protocol: TCP + - containerPort: 8443 + hostPort: 443 + name: https + protocol: TCP + readinessProbe: + httpGet: + path: /ready + port: 8002 + initialDelaySeconds: 3 + periodSeconds: 4 + volumeMounts: + - name: envoy-config + mountPath: /config + readOnly: true + - name: envoycert + mountPath: /certs + readOnly: true + - name: envoy-admin + mountPath: /admin + lifecycle: + preStop: + httpGet: + path: /shutdown + port: 8090 + scheme: HTTP + initContainers: + - args: + - bootstrap + - /config/envoy.json + - --xds-address=contour + - --xds-port=8001 + - --xds-resource-version=v3 + - --resources-dir=/config/resources + - --envoy-cafile=/certs/ca.crt + - --envoy-cert-file=/certs/tls.crt + - --envoy-key-file=/certs/tls.key + command: + - contour + image: ghcr.io/projectcontour/contour:main + imagePullPolicy: IfNotPresent + name: envoy-initconfig + volumeMounts: + - name: envoy-config + mountPath: /config + - name: envoycert + mountPath: /certs + readOnly: true + env: + - name: CONTOUR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + automountServiceAccountToken: false + serviceAccountName: envoy + terminationGracePeriodSeconds: 300 + volumes: + - name: envoy-admin + emptyDir: {} + - name: envoy-config + emptyDir: {} + - name: envoycert + secret: + secretName: envoycert + restartPolicy: Always diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml index 5d225e8bd4f..7a03422b264 100644 --- a/examples/render/contour-gateway.yaml +++ b/examples/render/contour-gateway.yaml @@ -15,7 +15,6 @@ # examples/gateway/00-crds.yaml # examples/gateway/01-gatewayclass.yaml # examples/gateway/02-gateway.yaml -# --- apiVersion: v1 diff --git a/examples/render/contour.yaml b/examples/render/contour.yaml index 34efef15dea..220a8a49172 100644 --- a/examples/render/contour.yaml +++ b/examples/render/contour.yaml @@ -12,7 +12,6 @@ # examples/contour/02-service-envoy.yaml # examples/contour/03-contour.yaml # examples/contour/03-envoy.yaml -# --- apiVersion: v1 diff --git a/hack/generate-deployment.sh b/hack/generate-deployment.sh index 8b8a4df840a..94f87991b74 100755 --- a/hack/generate-deployment.sh +++ b/hack/generate-deployment.sh @@ -8,8 +8,26 @@ readonly HERE=$(cd "$(dirname "$0")" && pwd) readonly REPO=$(cd "${HERE}"/.. && pwd) readonly PROGNAME=$(basename "$0") +# Target defines the file which the rendered file will be outputted. +TARGET="" +SKIP_FILE="" -readonly TARGET="${REPO}/examples/render/contour.yaml" +# MODE should be "deployment" or "daemonset" +readonly MODE="$1" + +case $MODE in + deployment) + TARGET="${REPO}/examples/render/contour-deployment.yaml" + SKIP_FILE="*/03-envoy.yaml" + ;; + daemonset) + TARGET="${REPO}/examples/render/contour.yaml" + SKIP_FILE="*/03-envoy-deployment.yaml" + ;; +esac + +# Files defines the set of source files to render together. +readonly FILES=("examples/contour/*.yaml") exec > >(git stripspace >"$TARGET") @@ -20,20 +38,30 @@ cat < Date: Wed, 20 Oct 2021 20:23:39 +0000 Subject: [PATCH 02/13] enable running e2e tests against envoy deployment style manifests Signed-off-by: Steve Sloka --- test/e2e/framework.go | 17 +++++++++++++++++ test/e2e/gateway/gateway_test.go | 4 ++-- .../multiple_gateways_and_classes_test.go | 2 +- test/e2e/httpproxy/httpproxy_test.go | 4 ++-- test/e2e/ingress/ingress_test.go | 4 ++-- 5 files changed, 24 insertions(+), 7 deletions(-) diff --git a/test/e2e/framework.go b/test/e2e/framework.go index 1be27b8ae6b..f061c1d34a6 100644 --- a/test/e2e/framework.go +++ b/test/e2e/framework.go @@ -19,6 +19,7 @@ package e2e import ( "context" "encoding/json" + "fmt" "net/http" "os" "path/filepath" @@ -458,6 +459,22 @@ func UsingContourConfigCRD() bool { return found && useContourConfiguration == "true" } +// UseEnvoyDaemonsetDeploymentModel determines if Envoy should be deployed as a Daemonset or a Deployment +// when running E2E tests. It looks for the env var "USE_ENVOY_DEPLOYMENT". If it exists and is valid, then +// that value is returned, otherwise true is returned to indicate that the default daemonset model is to be used. +func UseEnvoyDaemonsetDeploymentModel() bool { + + if useEnvoyDeployment, found := os.LookupEnv("USE_ENVOY_DEPLOYMENT"); found { + got, err := strconv.ParseBool(useEnvoyDeployment) + if err != nil { + fmt.Printf("error trying to parse \"USE_ENVOY_DEPLOYMENT\" env var, defaulting to use Daemonset: %v\n", err) + return true + } + return !got + } + return true +} + // HTTPProxyValid returns true if the proxy has a .status.currentStatus // of "valid". func HTTPProxyValid(proxy *contourv1.HTTPProxy) bool { diff --git a/test/e2e/gateway/gateway_test.go b/test/e2e/gateway/gateway_test.go index 66115c63a22..15c7dc40217 100644 --- a/test/e2e/gateway/gateway_test.go +++ b/test/e2e/gateway/gateway_test.go @@ -43,7 +43,7 @@ func TestGatewayAPI(t *testing.T) { } var _ = BeforeSuite(func() { - require.NoError(f.T(), f.Deployment.EnsureResourcesForLocalContour()) + require.NoError(f.T(), f.Deployment.EnsureResourcesForLocalContour(e2e.UseEnvoyDaemonsetDeploymentModel())) }) var _ = AfterSuite(func() { @@ -121,7 +121,7 @@ var _ = Describe("Gateway API", func() { require.NoError(f.T(), err) // Wait for Envoy to be healthy. - require.NoError(f.T(), f.Deployment.WaitForEnvoyDaemonSetUpdated()) + require.NoError(f.T(), f.Deployment.WaitForEnvoyUpdated()) f.CreateGatewayClassAndWaitFor(contourGatewayClass, gatewayClassValid) f.CreateGatewayAndWaitFor(contourGateway, gatewayValid) diff --git a/test/e2e/gateway/multiple_gateways_and_classes_test.go b/test/e2e/gateway/multiple_gateways_and_classes_test.go index 03d676f57d8..66d3e2826eb 100644 --- a/test/e2e/gateway/multiple_gateways_and_classes_test.go +++ b/test/e2e/gateway/multiple_gateways_and_classes_test.go @@ -75,7 +75,7 @@ var _ = Describe("GatewayClass/Gateway admission tests", func() { require.NoError(f.T(), err) // Wait for Envoy to be healthy. - require.NoError(f.T(), f.Deployment.WaitForEnvoyDaemonSetUpdated()) + require.NoError(f.T(), f.Deployment.WaitForEnvoyUpdated()) }) AfterEach(func() { diff --git a/test/e2e/httpproxy/httpproxy_test.go b/test/e2e/httpproxy/httpproxy_test.go index d5265593730..733eead1da7 100644 --- a/test/e2e/httpproxy/httpproxy_test.go +++ b/test/e2e/httpproxy/httpproxy_test.go @@ -42,7 +42,7 @@ func TestHTTPProxy(t *testing.T) { } var _ = BeforeSuite(func() { - require.NoError(f.T(), f.Deployment.EnsureResourcesForLocalContour()) + require.NoError(f.T(), f.Deployment.EnsureResourcesForLocalContour(e2e.UseEnvoyDaemonsetDeploymentModel())) }) var _ = AfterSuite(func() { @@ -97,7 +97,7 @@ var _ = Describe("HTTPProxy", func() { require.NoError(f.T(), err) // Wait for Envoy to be healthy. - require.NoError(f.T(), f.Deployment.WaitForEnvoyDaemonSetUpdated()) + require.NoError(f.T(), f.Deployment.WaitForEnvoyUpdated()) }) AfterEach(func() { diff --git a/test/e2e/ingress/ingress_test.go b/test/e2e/ingress/ingress_test.go index a51488dcae2..e89ca394d86 100644 --- a/test/e2e/ingress/ingress_test.go +++ b/test/e2e/ingress/ingress_test.go @@ -41,7 +41,7 @@ func TestIngress(t *testing.T) { } var _ = BeforeSuite(func() { - require.NoError(f.T(), f.Deployment.EnsureResourcesForLocalContour()) + require.NoError(f.T(), f.Deployment.EnsureResourcesForLocalContour(e2e.UseEnvoyDaemonsetDeploymentModel())) }) var _ = AfterSuite(func() { @@ -83,7 +83,7 @@ var _ = Describe("Ingress", func() { require.NoError(f.T(), err) // Wait for Envoy to be healthy. - require.NoError(f.T(), f.Deployment.WaitForEnvoyDaemonSetUpdated()) + require.NoError(f.T(), f.Deployment.WaitForEnvoyUpdated()) }) AfterEach(func() { From 5d1b64181bbabb438e56b794615417bda795408e Mon Sep 17 00:00:00 2001 From: Steve Sloka Date: Wed, 20 Oct 2021 20:28:47 +0000 Subject: [PATCH 03/13] add envoy deployment tests to pr ci builds Signed-off-by: Steve Sloka --- .github/workflows/prbuild.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/prbuild.yaml b/.github/workflows/prbuild.yaml index d8cdf2ae9fb..10c1adb2642 100644 --- a/.github/workflows/prbuild.yaml +++ b/.github/workflows/prbuild.yaml @@ -115,6 +115,8 @@ jobs: kubernetes_version: ["kubernetes:latest", "kubernetes:n-1", "kubernetes:n-2"] # run tests using the configuration crd as well as without config_type: ["ConfigmapConfiguration", "ContourConfiguration"] + # run tests against the daemonset or deployment model. + envoy_deployment_type: ["Daemonset", "Deployment"] # include defines an additional variable (the specific node # image to use) for each kubernetes_version value. include: @@ -128,6 +130,10 @@ jobs: use_config_crd: "false" - config_type: "ContourConfiguration" use_config_crd: "true" + - envoy_deployment_type: "Daemonset" + use_envoy_deployment: "true" + - envoy_deployment_type: "Deployment" + use_envoy_deployment: "false" steps: - uses: actions/checkout@v2 @@ -158,6 +164,7 @@ jobs: NODEIMAGE: ${{ matrix.node_image }} LOAD_PREBUILT_IMAGE: "true" USE_CONTOUR_CONFIGURATION_CRD: ${{ matrix.use_config_crd }} + USE_ENVOY_DEPLOYMENT: ${{matrix.use_envoy_deployment}} run: | export CONTOUR_E2E_IMAGE="ghcr.io/projectcontour/contour:$(ls ./image/contour-*.tar | sed -E 's/.*-(.*).tar/\1/')" make e2e From 43dff442769f924f0efebdbfc1ed3bb65467c23d Mon Sep 17 00:00:00 2001 From: Steve Sloka Date: Wed, 20 Oct 2021 20:52:49 +0000 Subject: [PATCH 04/13] add release note Signed-off-by: Steve Sloka --- changelogs/unreleased/4126-stevesloka-minor.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 changelogs/unreleased/4126-stevesloka-minor.md diff --git a/changelogs/unreleased/4126-stevesloka-minor.md b/changelogs/unreleased/4126-stevesloka-minor.md new file mode 100644 index 00000000000..120bb2d74e0 --- /dev/null +++ b/changelogs/unreleased/4126-stevesloka-minor.md @@ -0,0 +1,4 @@ +### Add Envoy Deployment Example + +The examples now include a way to deploy Envoy as a Deployment vs a Daemonset. +This can assist in allowing Envoy to drain connections cleanly when the Kubernetes cluster size is scaled down. \ No newline at end of file From 20a8c4490dc6a0e087ba886fb7461f1f65240b5c Mon Sep 17 00:00:00 2001 From: Steve Sloka Date: Fri, 5 Nov 2021 14:17:56 -0400 Subject: [PATCH 05/13] add e2e tests for deployment style envoy Signed-off-by: Steve Sloka --- .github/workflows/prbuild.yaml | 55 ++-- apis/projectcontour/v1alpha1/helpers.go | 1 - .../03-envoy-deployment.yaml | 0 examples/render/contour-deployment.yaml | 295 +++++++++--------- hack/generate-deployment.sh | 4 +- test/e2e/deployment.go | 149 ++++++++- test/e2e/deployment/admin_test.go | 57 ++++ test/e2e/deployment/deployment_test.go | 153 +++++++++ test/e2e/deployment/metrics_test.go | 111 +++++++ test/e2e/framework.go | 17 +- test/e2e/gateway/gateway_test.go | 4 +- test/e2e/httpproxy/httpproxy_test.go | 4 +- test/e2e/infra/infra_test.go | 4 +- test/e2e/ingress/ingress_test.go | 4 +- test/e2e/upgrade/upgrade_test.go | 4 +- 15 files changed, 647 insertions(+), 215 deletions(-) rename examples/{contour => deployment}/03-envoy-deployment.yaml (100%) create mode 100644 test/e2e/deployment/admin_test.go create mode 100644 test/e2e/deployment/deployment_test.go create mode 100644 test/e2e/deployment/metrics_test.go diff --git a/.github/workflows/prbuild.yaml b/.github/workflows/prbuild.yaml index 10c1adb2642..df68d2cec50 100644 --- a/.github/workflows/prbuild.yaml +++ b/.github/workflows/prbuild.yaml @@ -1,7 +1,7 @@ name: Build and Test Pull Request # Trigger the workflow on push or pull request -on: +on: push: pull_request: types: [opened, synchronize] @@ -74,7 +74,7 @@ jobs: status: ${{ job.status }} steps: ${{ toJson(steps) }} channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + if: ${{ failure() && github.ref == 'refs/heads/main' }} build-image: needs: - lint @@ -82,27 +82,27 @@ jobs: - codegen runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - with: - version: latest - - name: Build image - env: - TAG_LATEST: "false" - run: | - make multiarch-build - - name: Upload image - uses: actions/upload-artifact@v2 - with: - name: image - path: image/contour-*.tar - - uses: act10ns/slack@v1 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/checkout@v2 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + with: + version: latest + - name: Build image + env: + TAG_LATEST: "false" + run: | + make multiarch-build + - name: Upload image + uses: actions/upload-artifact@v2 + with: + name: image + path: image/contour-*.tar + - uses: act10ns/slack@v1 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} e2e: runs-on: ubuntu-latest needs: [build-image] @@ -115,8 +115,6 @@ jobs: kubernetes_version: ["kubernetes:latest", "kubernetes:n-1", "kubernetes:n-2"] # run tests using the configuration crd as well as without config_type: ["ConfigmapConfiguration", "ContourConfiguration"] - # run tests against the daemonset or deployment model. - envoy_deployment_type: ["Daemonset", "Deployment"] # include defines an additional variable (the specific node # image to use) for each kubernetes_version value. include: @@ -130,10 +128,6 @@ jobs: use_config_crd: "false" - config_type: "ContourConfiguration" use_config_crd: "true" - - envoy_deployment_type: "Daemonset" - use_envoy_deployment: "true" - - envoy_deployment_type: "Deployment" - use_envoy_deployment: "false" steps: - uses: actions/checkout@v2 @@ -164,7 +158,6 @@ jobs: NODEIMAGE: ${{ matrix.node_image }} LOAD_PREBUILT_IMAGE: "true" USE_CONTOUR_CONFIGURATION_CRD: ${{ matrix.use_config_crd }} - USE_ENVOY_DEPLOYMENT: ${{matrix.use_envoy_deployment}} run: | export CONTOUR_E2E_IMAGE="ghcr.io/projectcontour/contour:$(ls ./image/contour-*.tar | sed -E 's/.*-(.*).tar/\1/')" make e2e @@ -320,4 +313,4 @@ jobs: status: ${{ job.status }} steps: ${{ toJson(steps) }} channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + if: ${{ failure() && github.ref == 'refs/heads/main' }} \ No newline at end of file diff --git a/apis/projectcontour/v1alpha1/helpers.go b/apis/projectcontour/v1alpha1/helpers.go index f65bf56114e..ca2652451a4 100644 --- a/apis/projectcontour/v1alpha1/helpers.go +++ b/apis/projectcontour/v1alpha1/helpers.go @@ -36,7 +36,6 @@ func (c *ContourConfigurationSpec) Validate() error { if err := endpointsInConfict(c.Health, c.Metrics); err != nil { return fmt.Errorf("invalid contour configuration: %v", err) } - return c.Envoy.Validate() } diff --git a/examples/contour/03-envoy-deployment.yaml b/examples/deployment/03-envoy-deployment.yaml similarity index 100% rename from examples/contour/03-envoy-deployment.yaml rename to examples/deployment/03-envoy-deployment.yaml diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml index d677905862a..c485e06a69e 100644 --- a/examples/render/contour-deployment.yaml +++ b/examples/render/contour-deployment.yaml @@ -11,7 +11,7 @@ # examples/contour/02-service-contour.yaml # examples/contour/02-service-envoy.yaml # examples/contour/03-contour.yaml -# examples/contour/03-envoy-deployment.yaml +# examples/deployment/03-envoy-deployment.yaml --- apiVersion: v1 @@ -275,6 +275,9 @@ spec: defaultHTTPVersions: - HTTP/1.1 - HTTP/2 + health: + address: 0.0.0.0 + port: 8002 http: accessLog: /dev/stdout address: 0.0.0.0 @@ -358,6 +361,24 @@ spec: - HTTP/2 type: string type: array + health: + default: + address: 0.0.0.0 + port: 8002 + description: Health defines the endpoint Envoy uses to serve health + checks. + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + required: + - address + - port + type: object http: default: accessLog: /dev/stdout @@ -503,8 +524,8 @@ spec: default: address: 0.0.0.0 port: 8002 - description: Metrics defines the endpoints Envoy use to serve - to metrics. + description: Metrics defines the endpoint Envoy uses to serve + metrics. properties: address: description: Defines the metrics address interface. @@ -514,6 +535,21 @@ spec: port: description: Defines the metrics port. type: integer + tls: + description: TLS holds TLS file config details. Metrics and + health endpoints cannot have same port number when metrics + is served over HTTPS. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. + type: string + type: object required: - address - port @@ -639,15 +675,15 @@ spec: default: address: 0.0.0.0 port: 8000 - description: Health contains parameters to configure endpoints which - Contour exposes to respond to Kubernetes health checks. + description: Health defines the endpoints Contour uses to serve health + checks. properties: address: - description: Defines the Contour health address interface. + description: Defines the health address interface. minLength: 1 type: string port: - description: Defines the Contour health port. + description: Defines the health port. type: integer required: - address @@ -694,48 +730,11 @@ spec: description: Address to set in Ingress object status. type: string type: object - leaderElection: - default: - configmap: - name: leader-elect - namespace: projectcontour - disableLeaderElection: false - leaseDuration: 15s - renewDeadline: 10s - retryPeriod: 2s - description: LeaderElection contains leader election parameters. - properties: - configmap: - description: NamespacedName defines the namespace/name of the - Kubernetes resource referred from the config file. Used for - Contour config YAML file parsing, otherwise we could use K8s - types.NamespacedName. - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - disableLeaderElection: - type: boolean - leaseDuration: - type: string - renewDeadline: - type: string - retryPeriod: - type: string - required: - - disableLeaderElection - type: object metrics: default: address: 0.0.0.0 port: 8000 - description: Metrics defines the endpoints Contour uses to serve to - metrics. + description: Metrics defines the endpoint Contour uses to serve metrics. properties: address: description: Defines the metrics address interface. @@ -745,6 +744,21 @@ spec: port: description: Defines the metrics port. type: integer + tls: + description: TLS holds TLS file config details. Metrics and health + endpoints cannot have same port number when metrics is served + over HTTPS. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. + type: string + type: object required: - address - port @@ -1185,6 +1199,9 @@ spec: defaultHTTPVersions: - HTTP/1.1 - HTTP/2 + health: + address: 0.0.0.0 + port: 8002 http: accessLog: /dev/stdout address: 0.0.0.0 @@ -1268,6 +1285,24 @@ spec: - HTTP/2 type: string type: array + health: + default: + address: 0.0.0.0 + port: 8002 + description: Health defines the endpoint Envoy uses to serve + health checks. + properties: + address: + description: Defines the health address interface. + minLength: 1 + type: string + port: + description: Defines the health port. + type: integer + required: + - address + - port + type: object http: default: accessLog: /dev/stdout @@ -1416,8 +1451,8 @@ spec: default: address: 0.0.0.0 port: 8002 - description: Metrics defines the endpoints Envoy use to serve - to metrics. + description: Metrics defines the endpoint Envoy uses to serve + metrics. properties: address: description: Defines the metrics address interface. @@ -1427,6 +1462,21 @@ spec: port: description: Defines the metrics port. type: integer + tls: + description: TLS holds TLS file config details. Metrics + and health endpoints cannot have same port number when + metrics is served over HTTPS. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. + type: string + type: object required: - address - port @@ -1555,15 +1605,15 @@ spec: default: address: 0.0.0.0 port: 8000 - description: Health contains parameters to configure endpoints - which Contour exposes to respond to Kubernetes health checks. + description: Health defines the endpoints Contour uses to serve + health checks. properties: address: - description: Defines the Contour health address interface. + description: Defines the health address interface. minLength: 1 type: string port: - description: Defines the Contour health port. + description: Defines the health port. type: integer required: - address @@ -1610,48 +1660,12 @@ spec: description: Address to set in Ingress object status. type: string type: object - leaderElection: - default: - configmap: - name: leader-elect - namespace: projectcontour - disableLeaderElection: false - leaseDuration: 15s - renewDeadline: 10s - retryPeriod: 2s - description: LeaderElection contains leader election parameters. - properties: - configmap: - description: NamespacedName defines the namespace/name of - the Kubernetes resource referred from the config file. Used - for Contour config YAML file parsing, otherwise we could - use K8s types.NamespacedName. - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - disableLeaderElection: - type: boolean - leaseDuration: - type: string - renewDeadline: - type: string - retryPeriod: - type: string - required: - - disableLeaderElection - type: object metrics: default: address: 0.0.0.0 port: 8000 - description: Metrics defines the endpoints Contour uses to serve - to metrics. + description: Metrics defines the endpoint Contour uses to serve + metrics. properties: address: description: Defines the metrics address interface. @@ -1661,6 +1675,21 @@ spec: port: description: Defines the metrics port. type: integer + tls: + description: TLS holds TLS file config details. Metrics and + health endpoints cannot have same port number when metrics + is served over HTTPS. + properties: + caFile: + description: CA filename. + type: string + certFile: + description: Client certificate filename. + type: string + keyFile: + description: Client key filename. + type: string + type: object required: - address - port @@ -2082,6 +2111,12 @@ spec: description: RequestHashPolicy contains configuration for an individual hash policy on a request attribute. properties: + hashSourceIP: + description: HashSourceIP should be set to true when request + source IP hash based load balancing is desired. It must + be the only hash option field set, otherwise this request + hash policy object will be ignored. + type: boolean headerHashOptions: description: HeaderHashOptions should be set when request header hash based load balancing is desired. It must be @@ -2757,6 +2792,12 @@ spec: description: RequestHashPolicy contains configuration for an individual hash policy on a request attribute. properties: + hashSourceIP: + description: HashSourceIP should be set to true when + request source IP hash based load balancing is desired. + It must be the only hash option field set, otherwise + this request hash policy object will be ignored. + type: boolean headerHashOptions: description: HeaderHashOptions should be set when request header hash based load balancing is desired. @@ -3124,10 +3165,13 @@ spec: description: The retry policy for this route. properties: count: + default: 1 description: NumRetries is maximum allowed number of retries. - If not supplied, the number of retries is one. + If set to -1, then retries are disabled. If set to 0 or + not supplied, the value is set to the Envoy default of + 1. format: int64 - minimum: 0 + minimum: -1 type: integer perTryTimeout: description: PerTryTimeout specifies the timeout per retry @@ -3458,6 +3502,12 @@ spec: description: RequestHashPolicy contains configuration for an individual hash policy on a request attribute. properties: + hashSourceIP: + description: HashSourceIP should be set to true when + request source IP hash based load balancing is desired. + It must be the only hash option field set, otherwise + this request hash policy object will be ignored. + type: boolean headerHashOptions: description: HeaderHashOptions should be set when request header hash based load balancing is desired. It must @@ -3805,7 +3855,7 @@ spec: description: The fully qualified domain name of the root of the ingress tree all leaves of the DAG rooted at this object relate to the fqdn. - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string rateLimitPolicy: description: The policy for rate limiting on the virtual host. @@ -4091,6 +4141,9 @@ spec: type: object type: object status: + default: + currentStatus: NotReconciled + description: Waiting for controller description: Status is a container for computed information about the HTTPProxy. properties: @@ -4794,29 +4847,8 @@ rules: - "" resources: - endpoints - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - services verbs: - get @@ -4828,9 +4860,8 @@ rules: - gatewayclasses - gateways - httproutes - - tcproutes + - referencepolicies - tlsroutes - - udproutes verbs: - get - list @@ -4841,9 +4872,7 @@ rules: - gatewayclasses/status - gateways/status - httproutes/status - - tcproutes/status - tlsroutes/status - - udproutes/status verbs: - update - apiGroups: @@ -4874,37 +4903,7 @@ rules: - projectcontour.io resources: - contourconfigurations - verbs: - - get - - list - - watch -- apiGroups: - - projectcontour.io - resources: - - contourconfigurations/status - verbs: - - create - - get - - update -- apiGroups: - - projectcontour.io - resources: - extensionservices - verbs: - - get - - list - - watch -- apiGroups: - - projectcontour.io - resources: - - extensionservices/status - verbs: - - create - - get - - update -- apiGroups: - - projectcontour.io - resources: - httpproxies - tlscertificatedelegations verbs: @@ -4914,6 +4913,8 @@ rules: - apiGroups: - projectcontour.io resources: + - contourconfigurations/status + - extensionservices/status - httpproxies/status verbs: - create diff --git a/hack/generate-deployment.sh b/hack/generate-deployment.sh index 94f87991b74..f0fcb20de3e 100755 --- a/hack/generate-deployment.sh +++ b/hack/generate-deployment.sh @@ -27,7 +27,8 @@ case $MODE in esac # Files defines the set of source files to render together. -readonly FILES=("examples/contour/*.yaml") +readonly FILES="examples/contour/*.yaml +examples/deployment/03-envoy-deployment.yaml" exec > >(git stripspace >"$TARGET") @@ -39,6 +40,7 @@ cat < 0 && + tempDeploy.Status.ReadyReplicas == tempDeploy.Status.Replicas && + tempDeploy.Status.UpdatedReplicas == tempDeploy.Status.Replicas, nil + } + return wait.PollImmediate(time.Millisecond*50, time.Minute*3, deploymentUpdated) +} + func (d *Deployment) EnsureRateLimitResources(namespace string, configContents string) error { setNamespace := d.Namespace.Name if len(namespace) > 0 { @@ -490,8 +547,56 @@ func (d *Deployment) EnsureResourcesForLocalContour() error { return err } + if d.EnvoyDeploymentMode == DaemonsetMode { + + // Add bootstrap ConfigMap as volume and add envoy admin volume on Envoy pods (also removes cert volume). + d.EnvoyDaemonSet.Spec.Template.Spec.Volumes = []v1.Volume{{ + Name: "envoy-config", + VolumeSource: v1.VolumeSource{ + ConfigMap: &v1.ConfigMapVolumeSource{ + LocalObjectReference: v1.LocalObjectReference{ + Name: "envoy-bootstrap", + }, + }, + }, + }, { + Name: "envoy-admin", + VolumeSource: v1.VolumeSource{ + EmptyDir: &v1.EmptyDirVolumeSource{}, + }, + }} + + // Remove cert volume mount. + d.EnvoyDaemonSet.Spec.Template.Spec.Containers[1].VolumeMounts = []v1.VolumeMount{ + d.EnvoyDaemonSet.Spec.Template.Spec.Containers[1].VolumeMounts[0], // Config mount + d.EnvoyDaemonSet.Spec.Template.Spec.Containers[1].VolumeMounts[2], // Admin mount + } + + d.EnvoyDaemonSet.Spec.Template.Spec.Volumes = append(d.EnvoyDaemonSet.Spec.Template.Spec.Volumes, d.EnvoyExtraVolumes...) + d.EnvoyDaemonSet.Spec.Template.Spec.Containers[1].VolumeMounts = append(d.EnvoyDaemonSet.Spec.Template.Spec.Containers[1].VolumeMounts, d.EnvoyExtraVolumeMounts...) + + // Remove init container. + d.EnvoyDaemonSet.Spec.Template.Spec.InitContainers = nil + + // Remove shutdown-manager container. + d.EnvoyDaemonSet.Spec.Template.Spec.Containers = d.EnvoyDaemonSet.Spec.Template.Spec.Containers[1:] + + // Expose the metrics & admin interfaces via host port to test from outside the kind cluster. + d.EnvoyDaemonSet.Spec.Template.Spec.Containers[0].Ports = append(d.EnvoyDaemonSet.Spec.Template.Spec.Containers[0].Ports, + v1.ContainerPort{ + Name: "metrics", + ContainerPort: 8002, + HostPort: 8002, + Protocol: v1.ProtocolTCP, + }) + return d.EnsureEnvoyDaemonSet() + } + + // Set the ReplicaCount=1 + d.EnvoyDeployment.Spec.Replicas = pointer.Int32(1) + // Add bootstrap ConfigMap as volume and add envoy admin volume on Envoy pods (also removes cert volume). - d.EnvoyDaemonSet.Spec.Template.Spec.Volumes = []v1.Volume{{ + d.EnvoyDeployment.Spec.Template.Spec.Volumes = []v1.Volume{{ Name: "envoy-config", VolumeSource: v1.VolumeSource{ ConfigMap: &v1.ConfigMapVolumeSource{ @@ -508,29 +613,29 @@ func (d *Deployment) EnsureResourcesForLocalContour() error { }} // Remove cert volume mount. - d.EnvoyDaemonSet.Spec.Template.Spec.Containers[1].VolumeMounts = []v1.VolumeMount{ - d.EnvoyDaemonSet.Spec.Template.Spec.Containers[1].VolumeMounts[0], // Config mount - d.EnvoyDaemonSet.Spec.Template.Spec.Containers[1].VolumeMounts[2], // Admin mount + d.EnvoyDeployment.Spec.Template.Spec.Containers[1].VolumeMounts = []v1.VolumeMount{ + d.EnvoyDeployment.Spec.Template.Spec.Containers[1].VolumeMounts[0], // Config mount + d.EnvoyDeployment.Spec.Template.Spec.Containers[1].VolumeMounts[2], // Admin mount } - d.EnvoyDaemonSet.Spec.Template.Spec.Volumes = append(d.EnvoyDaemonSet.Spec.Template.Spec.Volumes, d.EnvoyExtraVolumes...) - d.EnvoyDaemonSet.Spec.Template.Spec.Containers[1].VolumeMounts = append(d.EnvoyDaemonSet.Spec.Template.Spec.Containers[1].VolumeMounts, d.EnvoyExtraVolumeMounts...) + d.EnvoyDeployment.Spec.Template.Spec.Volumes = append(d.EnvoyDeployment.Spec.Template.Spec.Volumes, d.EnvoyExtraVolumes...) + d.EnvoyDeployment.Spec.Template.Spec.Containers[1].VolumeMounts = append(d.EnvoyDeployment.Spec.Template.Spec.Containers[1].VolumeMounts, d.EnvoyExtraVolumeMounts...) // Remove init container. - d.EnvoyDaemonSet.Spec.Template.Spec.InitContainers = nil + d.EnvoyDeployment.Spec.Template.Spec.InitContainers = nil // Remove shutdown-manager container. - d.EnvoyDaemonSet.Spec.Template.Spec.Containers = d.EnvoyDaemonSet.Spec.Template.Spec.Containers[1:] + d.EnvoyDeployment.Spec.Template.Spec.Containers = d.EnvoyDeployment.Spec.Template.Spec.Containers[1:] // Expose the metrics & admin interfaces via host port to test from outside the kind cluster. - d.EnvoyDaemonSet.Spec.Template.Spec.Containers[0].Ports = append(d.EnvoyDaemonSet.Spec.Template.Spec.Containers[0].Ports, + d.EnvoyDeployment.Spec.Template.Spec.Containers[0].Ports = append(d.EnvoyDeployment.Spec.Template.Spec.Containers[0].Ports, v1.ContainerPort{ Name: "metrics", ContainerPort: 8002, HostPort: 8002, Protocol: v1.ProtocolTCP, }) - return d.EnsureEnvoyDaemonSet() + return d.EnsureEnvoyDeployment() } // DeleteResourcesForLocalContour ensures deletion of all resources @@ -540,7 +645,6 @@ func (d *Deployment) EnsureResourcesForLocalContour() error { // couple minutes to complete. func (d *Deployment) DeleteResourcesForLocalContour() error { for _, r := range []client.Object{ - d.EnvoyDaemonSet, d.ContourConfigMap, d.EnvoyService, d.TLSCertDelegationCRD, @@ -553,6 +657,17 @@ func (d *Deployment) DeleteResourcesForLocalContour() error { } } + switch d.EnvoyDeploymentMode { + case DaemonsetMode: + if err := ensureDeleted(d.EnvoyDaemonSet); err != nil { + return err + } + case DeploymentMode: + if err := ensureDeleted(d.EnvoyDeployment); err != nil { + return err + } + } + return nil } diff --git a/test/e2e/deployment/admin_test.go b/test/e2e/deployment/admin_test.go new file mode 100644 index 00000000000..4f0cd7ce547 --- /dev/null +++ b/test/e2e/deployment/admin_test.go @@ -0,0 +1,57 @@ +// Copyright Project Contour Authors +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +//go:build e2e +// +build e2e + +package deployment + +import ( + . "github.com/onsi/ginkgo" + "github.com/projectcontour/contour/test/e2e" + "github.com/stretchr/testify/require" +) + +func testAdminInterface() { + Specify("requests to admin listener are served", func() { + t := f.T() + + cases := map[string]int{ + "/certs": 200, + "/clusters": 200, + "/listeners": 200, + "/config_dump": 200, + "/memory": 200, + "/ready": 200, + "/runtime": 200, + "/server_info": 200, + "/stats": 200, + "/stats/prometheus": 200, + "/stats/recentlookups": 200, + "/quitquitquit": 404, + "/healthcheck/ok": 404, + "/healthcheck/fail": 404, + } + + for prefix, code := range cases { + t.Logf("Querying admin prefix %q", prefix) + + res, ok := f.HTTP.AdminRequestUntil(&e2e.HTTPRequestOpts{ + Path: prefix, + Condition: e2e.HasStatusCode(code), + }) + require.NotNil(t, res, "request never succeeded") + require.Truef(t, ok, "expected 200 response code, got %d", res.StatusCode) + } + }) +} diff --git a/test/e2e/deployment/deployment_test.go b/test/e2e/deployment/deployment_test.go new file mode 100644 index 00000000000..d39b7e44dde --- /dev/null +++ b/test/e2e/deployment/deployment_test.go @@ -0,0 +1,153 @@ +// Copyright Project Contour Authors +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +//go:build e2e +// +build e2e + +package deployment + +import ( + "testing" + + contour_api_v1alpha1 "github.com/projectcontour/contour/apis/projectcontour/v1alpha1" + v1 "k8s.io/api/core/v1" + + . "github.com/onsi/ginkgo" + . "github.com/onsi/gomega" + "github.com/onsi/gomega/gexec" + "github.com/projectcontour/contour/pkg/config" + "github.com/projectcontour/contour/test/e2e" + "github.com/stretchr/testify/require" +) + +var ( + f = e2e.NewFramework(false, e2e.DeploymentMode) + + // Functions called after suite to clean up resources. + cleanup []func() +) + +func TestInfra(t *testing.T) { + RegisterFailHandler(Fail) + RunSpecs(t, "Deployment tests") +} + +var _ = BeforeSuite(func() { + // Add volume mount for the Envoy deployment for certificate and key, + // used only for testing metrics over HTTPS. + f.Deployment.EnvoyExtraVolumeMounts = []v1.VolumeMount{{ + Name: "metrics-certs", + MountPath: "/metrics-certs", + }} + f.Deployment.EnvoyExtraVolumes = []v1.Volume{{ + Name: "metrics-certs", + VolumeSource: v1.VolumeSource{ + Secret: &v1.SecretVolumeSource{ + SecretName: "metrics-server", + }}, + }} + + require.NoError(f.T(), f.Deployment.EnsureResourcesForLocalContour()) + + // Create certificate and key for metrics over HTTPS. + cleanup = append(cleanup, + f.Certs.CreateCA("projectcontour", "metrics-ca"), + f.Certs.CreateCert("projectcontour", "metrics-server", "metrics-ca", "localhost"), + f.Certs.CreateCert("projectcontour", "metrics-client", "metrics-ca"), + ) +}) + +var _ = AfterSuite(func() { + // Delete resources individually instead of deleting the entire contour + // namespace as a performance optimization, because deleting non-empty + // namespaces can take up to a couple of minutes to complete. + for _, c := range cleanup { + c() + } + require.NoError(f.T(), f.Deployment.DeleteResourcesForLocalContour()) + gexec.CleanupBuildArtifacts() +}) + +var _ = Describe("Infra", func() { + var ( + contourCmd *gexec.Session + kubectlCmd *gexec.Session + contourConfig *config.Parameters + contourConfiguration *contour_api_v1alpha1.ContourConfiguration + contourConfigFile string + additionalContourArgs []string + ) + + BeforeEach(func() { + // Contour config file contents, can be modified in nested + // BeforeEach. + contourConfig = &config.Parameters{} + + // Contour configuration crd, can be modified in nested + // BeforeEach. + contourConfiguration = e2e.DefaultContourConfiguration() + + // Default contour serve command line arguments can be appended to in + // nested BeforeEach. + additionalContourArgs = []string{} + }) + + // JustBeforeEach is called after each of the nested BeforeEach are + // called, so it is a final setup step before running a test. + // A nested BeforeEach may have modified Contour config, so we wait + // until here to start Contour. + JustBeforeEach(func() { + var err error + contourCmd, contourConfigFile, err = f.Deployment.StartLocalContour(contourConfig, contourConfiguration, additionalContourArgs...) + require.NoError(f.T(), err) + + // Wait for Envoy to be healthy. + require.NoError(f.T(), f.Deployment.WaitForEnvoyUpdated()) + + kubectlCmd, err = f.Kubectl.StartKubectlPortForward(19001, 9001, "projectcontour", "deployment/envoy", additionalContourArgs...) + require.NoError(f.T(), err) + }) + + AfterEach(func() { + f.Kubectl.StopKubectlPortForward(kubectlCmd) + require.NoError(f.T(), f.Deployment.StopLocalContour(contourCmd, contourConfigFile)) + }) + + f.Test(testMetrics) + f.Test(testReady) + + Context("when serving metrics over HTTPS", func() { + BeforeEach(func() { + contourConfig.Metrics.Envoy = config.MetricsServerParameters{ + Address: "0.0.0.0", + Port: 8003, + ServerCert: "/metrics-certs/tls.crt", + ServerKey: "/metrics-certs/tls.key", + CABundle: "/metrics-certs/ca.crt", + } + + contourConfiguration.Spec.Envoy.Metrics = contour_api_v1alpha1.MetricsConfig{ + Address: "0.0.0.0", + Port: 8003, + TLS: &contour_api_v1alpha1.MetricsTLS{ + CertFile: "/metrics-certs/tls.crt", + KeyFile: "/metrics-certs/tls.key", + CAFile: "/metrics-certs/ca.crt", + }, + } + }) + f.Test(testEnvoyMetricsOverHTTPS) + }) + + f.Test(testAdminInterface) +}) diff --git a/test/e2e/deployment/metrics_test.go b/test/e2e/deployment/metrics_test.go new file mode 100644 index 00000000000..73becc4b4c4 --- /dev/null +++ b/test/e2e/deployment/metrics_test.go @@ -0,0 +1,111 @@ +// Copyright Project Contour Authors +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +//go:build e2e +// +build e2e + +package deployment + +import ( + "crypto/tls" + "net/http" + "time" + + . "github.com/onsi/ginkgo" + "github.com/onsi/gomega" + "github.com/projectcontour/contour/test/e2e" + "github.com/stretchr/testify/require" +) + +func testMetrics() { + Specify("requests to default metrics listener are served", func() { + t := f.T() + + res, ok := f.HTTP.MetricsRequestUntil(&e2e.HTTPRequestOpts{ + Path: "/stats", + Condition: e2e.HasStatusCode(200), + }) + require.NotNil(t, res, "request never succeeded") + require.Truef(t, ok, "expected 200 response code, got %d", res.StatusCode) + }) +} + +func testReady() { + Specify("requests to default ready listener are served", func() { + t := f.T() + + res, ok := f.HTTP.MetricsRequestUntil(&e2e.HTTPRequestOpts{ + Path: "/ready", + Condition: e2e.HasStatusCode(200), + }) + require.NotNil(t, res, "request never succeeded") + require.Truef(t, ok, "expected 200 response code, got %d", res.StatusCode) + }) +} + +func testEnvoyMetricsOverHTTPS() { + Specify("requests to metrics listener are served", func() { + t := f.T() + + // Port-forward seems to be flaky. Following sequence happens: + // + // 1. Envoy becomes ready. + // 2. Port-forward is started. + // 3. HTTPS request is sent but the connection times out with errors + // "error creating error stream for port 18003 -> 8003: Timeout occurred", + // "error creating forwarding stream for port 18003 -> 8003: Timeout occurred" + // 4. Meanwhile the metrics listener gets added. + // 5. Sometimes (one out of ~1-50 runs) port-forward gets stuck and packets are not forwarded + // even after listener is up and connection attempts are still regularly retried. + // + // When the problem occurs, Wireshark does not show any traffic on the container side. + // The problem could be e.g. undiscovered race condition with Kubernetes port-forward. + // + // Following workarounds seem to work: + // + // a) Add a fixed delay before port-forwarding. + // b) Wait for Envoy to have listener by observing Envoy logs before port-forwarding. + // c) Restart port-forwarding when connection attempts fail. + // + // Executing port-forward started in BeforeEach(), JustBeforeEach() or combining metrics + // port with the admin port-forward command (127.0.0.1:19001 -> 9001) did not help. + // + // The simplest workaround (a) is taken here. + time.Sleep(5 * time.Second) + + // Port-forward for metrics over HTTPS + kubectlCmd, err := f.Kubectl.StartKubectlPortForward(18003, 8003, "projectcontour", "deployment/envoy") + require.NoError(t, err) + defer f.Kubectl.StopKubectlPortForward(kubectlCmd) + + clientCert, caBundle := f.Certs.GetTLSCertificate("projectcontour", "metrics-client") + client := http.Client{ + Transport: &http.Transport{ + TLSClientConfig: &tls.Config{ + MinVersion: tls.VersionTLS13, + Certificates: []tls.Certificate{clientCert}, + RootCAs: caBundle, + }, + }, + } + + gomega.Eventually(func() int { + resp, err := client.Get("https://localhost:18003/stats") + if err != nil { + GinkgoWriter.Println(err) + return 0 + } + return resp.StatusCode + }, "10s", "1s").Should(gomega.Equal(http.StatusOK)) + }) +} diff --git a/test/e2e/framework.go b/test/e2e/framework.go index f061c1d34a6..59c1221ddd0 100644 --- a/test/e2e/framework.go +++ b/test/e2e/framework.go @@ -82,7 +82,7 @@ type Framework struct { t ginkgo.GinkgoTInterface } -func NewFramework(inClusterTestSuite bool) *Framework { +func NewFramework(inClusterTestSuite bool, envoyDeploymentMode EnvoyDeploymentMode) *Framework { t := ginkgo.GinkgoT() // Deferring GinkgoRecover() provides better error messages in case of panic @@ -173,13 +173,14 @@ func NewFramework(inClusterTestSuite bool) *Framework { } deployment := &Deployment{ - client: crClient, - cmdOutputWriter: ginkgo.GinkgoWriter, - kubeConfig: kubeConfig, - localContourHost: contourHost, - localContourPort: contourPort, - contourBin: contourBin, - contourImage: contourImage, + client: crClient, + cmdOutputWriter: ginkgo.GinkgoWriter, + kubeConfig: kubeConfig, + localContourHost: contourHost, + localContourPort: contourPort, + contourBin: contourBin, + contourImage: contourImage, + EnvoyDeploymentMode: envoyDeploymentMode, } kubectl := &Kubectl{ diff --git a/test/e2e/gateway/gateway_test.go b/test/e2e/gateway/gateway_test.go index 15c7dc40217..3177ad76cac 100644 --- a/test/e2e/gateway/gateway_test.go +++ b/test/e2e/gateway/gateway_test.go @@ -35,7 +35,7 @@ import ( gatewayapi_v1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" ) -var f = e2e.NewFramework(false) +var f = e2e.NewFramework(false, e2e.DaemonsetMode) func TestGatewayAPI(t *testing.T) { RegisterFailHandler(Fail) @@ -43,7 +43,7 @@ func TestGatewayAPI(t *testing.T) { } var _ = BeforeSuite(func() { - require.NoError(f.T(), f.Deployment.EnsureResourcesForLocalContour(e2e.UseEnvoyDaemonsetDeploymentModel())) + require.NoError(f.T(), f.Deployment.EnsureResourcesForLocalContour()) }) var _ = AfterSuite(func() { diff --git a/test/e2e/httpproxy/httpproxy_test.go b/test/e2e/httpproxy/httpproxy_test.go index 733eead1da7..103668ccfb6 100644 --- a/test/e2e/httpproxy/httpproxy_test.go +++ b/test/e2e/httpproxy/httpproxy_test.go @@ -34,7 +34,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -var f = e2e.NewFramework(false) +var f = e2e.NewFramework(false, e2e.DaemonsetMode) func TestHTTPProxy(t *testing.T) { RegisterFailHandler(Fail) @@ -42,7 +42,7 @@ func TestHTTPProxy(t *testing.T) { } var _ = BeforeSuite(func() { - require.NoError(f.T(), f.Deployment.EnsureResourcesForLocalContour(e2e.UseEnvoyDaemonsetDeploymentModel())) + require.NoError(f.T(), f.Deployment.EnsureResourcesForLocalContour()) }) var _ = AfterSuite(func() { diff --git a/test/e2e/infra/infra_test.go b/test/e2e/infra/infra_test.go index b22f5ae55d9..669c707112f 100644 --- a/test/e2e/infra/infra_test.go +++ b/test/e2e/infra/infra_test.go @@ -31,7 +31,7 @@ import ( ) var ( - f = e2e.NewFramework(false) + f = e2e.NewFramework(false, e2e.DaemonsetMode) // Functions called after suite to clean up resources. cleanup []func() @@ -112,7 +112,7 @@ var _ = Describe("Infra", func() { require.NoError(f.T(), err) // Wait for Envoy to be healthy. - require.NoError(f.T(), f.Deployment.WaitForEnvoyDaemonSetUpdated()) + require.NoError(f.T(), f.Deployment.WaitForEnvoyUpdated()) kubectlCmd, err = f.Kubectl.StartKubectlPortForward(19001, 9001, "projectcontour", "daemonset/envoy", additionalContourArgs...) require.NoError(f.T(), err) diff --git a/test/e2e/ingress/ingress_test.go b/test/e2e/ingress/ingress_test.go index e89ca394d86..3e744305e45 100644 --- a/test/e2e/ingress/ingress_test.go +++ b/test/e2e/ingress/ingress_test.go @@ -33,7 +33,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -var f = e2e.NewFramework(false) +var f = e2e.NewFramework(false, e2e.DaemonsetMode) func TestIngress(t *testing.T) { RegisterFailHandler(Fail) @@ -41,7 +41,7 @@ func TestIngress(t *testing.T) { } var _ = BeforeSuite(func() { - require.NoError(f.T(), f.Deployment.EnsureResourcesForLocalContour(e2e.UseEnvoyDaemonsetDeploymentModel())) + require.NoError(f.T(), f.Deployment.EnsureResourcesForLocalContour()) }) var _ = AfterSuite(func() { diff --git a/test/e2e/upgrade/upgrade_test.go b/test/e2e/upgrade/upgrade_test.go index 8c146f5fcfd..be34a47f04d 100644 --- a/test/e2e/upgrade/upgrade_test.go +++ b/test/e2e/upgrade/upgrade_test.go @@ -32,7 +32,7 @@ import ( ) var ( - f = e2e.NewFramework(true) + f = e2e.NewFramework(true, e2e.DaemonsetMode) // Contour version we are upgrading from. contourUpgradeFromVersion string @@ -108,7 +108,7 @@ var _ = Describe("upgrading Contour", func() { By("waiting for envoy daemonset to be updated") require.NoError(f.T(), f.Deployment.WaitForEnvoyDaemonSetOutOfDate()) - require.NoError(f.T(), f.Deployment.WaitForEnvoyDaemonSetUpdated()) + require.NoError(f.T(), f.Deployment.WaitForEnvoyUpdated()) By("ensuring app is still routable") checkRoutability(appHost) From 598d5f7a067c9e37366b1b7e5958df164c83bf9c Mon Sep 17 00:00:00 2001 From: Steve Sloka Date: Wed, 17 Nov 2021 20:38:57 -0500 Subject: [PATCH 06/13] add missing securityContext bits to deployment example Signed-off-by: Steve Sloka --- examples/deployment/03-envoy-deployment.yaml | 4 ++++ examples/render/contour-deployment.yaml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/examples/deployment/03-envoy-deployment.yaml b/examples/deployment/03-envoy-deployment.yaml index fcbbe9c16e0..c2470e22b9d 100644 --- a/examples/deployment/03-envoy-deployment.yaml +++ b/examples/deployment/03-envoy-deployment.yaml @@ -152,3 +152,7 @@ spec: secret: secretName: envoycert restartPolicy: Always + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml index c485e06a69e..43b1662519c 100644 --- a/examples/render/contour-deployment.yaml +++ b/examples/render/contour-deployment.yaml @@ -5225,3 +5225,7 @@ spec: secret: secretName: envoycert restartPolicy: Always + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 From ffb52f9a3ad0adf5811b064c63af41e82566e7cb Mon Sep 17 00:00:00 2001 From: Steve Sloka Date: Thu, 18 Nov 2021 14:01:54 -0500 Subject: [PATCH 07/13] remove debug line Signed-off-by: Steve Sloka --- test/e2e/deployment.go | 1 - 1 file changed, 1 deletion(-) diff --git a/test/e2e/deployment.go b/test/e2e/deployment.go index 4e2a416b75c..2a580807d0a 100644 --- a/test/e2e/deployment.go +++ b/test/e2e/deployment.go @@ -190,7 +190,6 @@ func (d *Deployment) UnmarshalResources() error { switch d.EnvoyDeploymentMode { case DeploymentMode: if err := decoderDeployment.Decode(d.EnvoyDeployment); err != nil { - fmt.Println("--- err: ", err) return err } case DaemonsetMode: From 1085f919c063874f95d753864c6eaf535f7f4ef9 Mon Sep 17 00:00:00 2001 From: Steve Sloka Date: Fri, 19 Nov 2021 11:13:22 -0500 Subject: [PATCH 08/13] change how a deployment is ready Signed-off-by: Steve Sloka --- test/e2e/deployment.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/test/e2e/deployment.go b/test/e2e/deployment.go index 2a580807d0a..9a3ad5f3882 100644 --- a/test/e2e/deployment.go +++ b/test/e2e/deployment.go @@ -423,9 +423,7 @@ func (d *Deployment) waitForEnvoyDeploymentUpdated() error { if err := d.client.Get(context.TODO(), client.ObjectKeyFromObject(d.EnvoyDeployment), tempDeploy); err != nil { return false, err } - return tempDeploy.Status.ReadyReplicas > 0 && - tempDeploy.Status.ReadyReplicas == tempDeploy.Status.Replicas && - tempDeploy.Status.UpdatedReplicas == tempDeploy.Status.Replicas, nil + return tempDeploy.Status.UnavailableReplicas == 0, nil } return wait.PollImmediate(time.Millisecond*50, time.Minute*3, deploymentUpdated) } From a054609ddf8acd1dc06d29a30833062968fa2101 Mon Sep 17 00:00:00 2001 From: Steve Sloka Date: Fri, 19 Nov 2021 11:53:13 -0500 Subject: [PATCH 09/13] copy httpproxy test to deployment e2e tests and refactor a bit Signed-off-by: Steve Sloka --- test/e2e/deployment/deployment_test.go | 2 + .../deployment/path_condition_match_test.go | 110 ++++++++++++++++++ test/e2e/httpproxy.go | 36 ++++++ 3 files changed, 148 insertions(+) create mode 100644 test/e2e/deployment/path_condition_match_test.go create mode 100644 test/e2e/httpproxy.go diff --git a/test/e2e/deployment/deployment_test.go b/test/e2e/deployment/deployment_test.go index d39b7e44dde..c6cd7911683 100644 --- a/test/e2e/deployment/deployment_test.go +++ b/test/e2e/deployment/deployment_test.go @@ -150,4 +150,6 @@ var _ = Describe("Infra", func() { }) f.Test(testAdminInterface) + + f.NamespacedTest("httpproxy-path-condition-match-deployment", testPathConditionMatch) }) diff --git a/test/e2e/deployment/path_condition_match_test.go b/test/e2e/deployment/path_condition_match_test.go new file mode 100644 index 00000000000..94fb262a01d --- /dev/null +++ b/test/e2e/deployment/path_condition_match_test.go @@ -0,0 +1,110 @@ +// Copyright Project Contour Authors +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +//go:build e2e +// +build e2e + +package deployment + +import ( + . "github.com/onsi/ginkgo" + contourv1 "github.com/projectcontour/contour/apis/projectcontour/v1" + "github.com/projectcontour/contour/test/e2e" + "github.com/stretchr/testify/assert" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +func testPathConditionMatch(namespace string) { + Specify("path match routing works", func() { + t := f.T() + + f.Fixtures.Echo.Deploy(namespace, "echo-slash-prefix") + f.Fixtures.Echo.Deploy(namespace, "echo-slash-noprefix") + f.Fixtures.Echo.Deploy(namespace, "echo-slash-default") + + p := &contourv1.HTTPProxy{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, + Name: "path-conditions", + }, + Spec: contourv1.HTTPProxySpec{ + VirtualHost: &contourv1.VirtualHost{ + Fqdn: "pathconditions.projectcontour.io", + }, + Routes: []contourv1.Route{ + { + Services: []contourv1.Service{ + { + Name: "echo-slash-prefix", + Port: 80, + }, + }, + Conditions: []contourv1.MatchCondition{ + { + Prefix: "/path/prefix/", + }, + }, + }, + { + Services: []contourv1.Service{ + { + Name: "echo-slash-noprefix", + Port: 80, + }, + }, + Conditions: []contourv1.MatchCondition{ + { + Prefix: "/path/prefix", + }, + }, + }, + { + Services: []contourv1.Service{ + { + Name: "echo-slash-default", + Port: 80, + }, + }, + }, + }, + }, + } + f.CreateHTTPProxyAndWaitFor(p, e2e.HTTPProxyValid) + + cases := map[string]string{ + "/": "echo-slash-default", + "/foo": "echo-slash-default", + "/path/prefix": "echo-slash-noprefix", + "/path/prefixfoo": "echo-slash-noprefix", + "/path/prefix/": "echo-slash-prefix", + "/path/prefix/foo": "echo-slash-prefix", + } + + for path, expectedService := range cases { + t.Logf("Querying %q, expecting service %q", path, expectedService) + + res, ok := f.HTTP.RequestUntil(&e2e.HTTPRequestOpts{ + Host: p.Spec.VirtualHost.Fqdn, + Path: path, + Condition: e2e.HasStatusCode(200), + }) + if !assert.Truef(t, ok, "expected 200 response code, got %d", res.StatusCode) { + continue + } + + body := f.GetEchoResponseBody(res.Body) + assert.Equal(t, namespace, body.Namespace) + assert.Equal(t, expectedService, body.Service) + } + }) +} diff --git a/test/e2e/httpproxy.go b/test/e2e/httpproxy.go new file mode 100644 index 00000000000..cbfca2c9047 --- /dev/null +++ b/test/e2e/httpproxy.go @@ -0,0 +1,36 @@ +// Copyright Project Contour Authors +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +//go:build e2e +// +build e2e + +package e2e + +import contourv1 "github.com/projectcontour/contour/apis/projectcontour/v1" + +// HTTPProxyValid returns true if the proxy has a .status.currentStatus +// of "valid". +func HTTPProxyValid(proxy *contourv1.HTTPProxy) bool { + + if proxy == nil { + return false + } + + if len(proxy.Status.Conditions) == 0 { + return false + } + + cond := proxy.Status.GetConditionFor("Valid") + return cond.Status == "True" + +} From 4c23715201578f28453ca4614ba78ba3a62ad0a0 Mon Sep 17 00:00:00 2001 From: Steve Sloka Date: Mon, 29 Nov 2021 15:18:49 -0500 Subject: [PATCH 10/13] review comments Signed-off-by: Steve Sloka --- .github/workflows/prbuild.yaml | 48 +++++++++--------- test/e2e/deployment.go | 69 +++++++------------------- test/e2e/deployment/deployment_test.go | 2 +- 3 files changed, 43 insertions(+), 76 deletions(-) diff --git a/.github/workflows/prbuild.yaml b/.github/workflows/prbuild.yaml index df68d2cec50..d8cdf2ae9fb 100644 --- a/.github/workflows/prbuild.yaml +++ b/.github/workflows/prbuild.yaml @@ -1,7 +1,7 @@ name: Build and Test Pull Request # Trigger the workflow on push or pull request -on: +on: push: pull_request: types: [opened, synchronize] @@ -74,7 +74,7 @@ jobs: status: ${{ job.status }} steps: ${{ toJson(steps) }} channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + if: ${{ failure() && github.ref == 'refs/heads/main' }} build-image: needs: - lint @@ -82,27 +82,27 @@ jobs: - codegen runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - with: - version: latest - - name: Build image - env: - TAG_LATEST: "false" - run: | - make multiarch-build - - name: Upload image - uses: actions/upload-artifact@v2 - with: - name: image - path: image/contour-*.tar - - uses: act10ns/slack@v1 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/checkout@v2 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + with: + version: latest + - name: Build image + env: + TAG_LATEST: "false" + run: | + make multiarch-build + - name: Upload image + uses: actions/upload-artifact@v2 + with: + name: image + path: image/contour-*.tar + - uses: act10ns/slack@v1 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} e2e: runs-on: ubuntu-latest needs: [build-image] @@ -313,4 +313,4 @@ jobs: status: ${{ job.status }} steps: ${{ toJson(steps) }} channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} \ No newline at end of file + if: ${{ failure() && github.ref == 'refs/heads/main' }} diff --git a/test/e2e/deployment.go b/test/e2e/deployment.go index 9a3ad5f3882..9c819a56473 100644 --- a/test/e2e/deployment.go +++ b/test/e2e/deployment.go @@ -545,55 +545,21 @@ func (d *Deployment) EnsureResourcesForLocalContour() error { } if d.EnvoyDeploymentMode == DaemonsetMode { - - // Add bootstrap ConfigMap as volume and add envoy admin volume on Envoy pods (also removes cert volume). - d.EnvoyDaemonSet.Spec.Template.Spec.Volumes = []v1.Volume{{ - Name: "envoy-config", - VolumeSource: v1.VolumeSource{ - ConfigMap: &v1.ConfigMapVolumeSource{ - LocalObjectReference: v1.LocalObjectReference{ - Name: "envoy-bootstrap", - }, - }, - }, - }, { - Name: "envoy-admin", - VolumeSource: v1.VolumeSource{ - EmptyDir: &v1.EmptyDirVolumeSource{}, - }, - }} - - // Remove cert volume mount. - d.EnvoyDaemonSet.Spec.Template.Spec.Containers[1].VolumeMounts = []v1.VolumeMount{ - d.EnvoyDaemonSet.Spec.Template.Spec.Containers[1].VolumeMounts[0], // Config mount - d.EnvoyDaemonSet.Spec.Template.Spec.Containers[1].VolumeMounts[2], // Admin mount - } - - d.EnvoyDaemonSet.Spec.Template.Spec.Volumes = append(d.EnvoyDaemonSet.Spec.Template.Spec.Volumes, d.EnvoyExtraVolumes...) - d.EnvoyDaemonSet.Spec.Template.Spec.Containers[1].VolumeMounts = append(d.EnvoyDaemonSet.Spec.Template.Spec.Containers[1].VolumeMounts, d.EnvoyExtraVolumeMounts...) - - // Remove init container. - d.EnvoyDaemonSet.Spec.Template.Spec.InitContainers = nil - - // Remove shutdown-manager container. - d.EnvoyDaemonSet.Spec.Template.Spec.Containers = d.EnvoyDaemonSet.Spec.Template.Spec.Containers[1:] - - // Expose the metrics & admin interfaces via host port to test from outside the kind cluster. - d.EnvoyDaemonSet.Spec.Template.Spec.Containers[0].Ports = append(d.EnvoyDaemonSet.Spec.Template.Spec.Containers[0].Ports, - v1.ContainerPort{ - Name: "metrics", - ContainerPort: 8002, - HostPort: 8002, - Protocol: v1.ProtocolTCP, - }) + d.EnvoyDaemonSet.Spec.Template = d.mutatePodTemplate(d.EnvoyDaemonSet.Spec.Template) return d.EnsureEnvoyDaemonSet() } + d.EnvoyDeployment.Spec.Template = d.mutatePodTemplate(d.EnvoyDeployment.Spec.Template) + // Set the ReplicaCount=1 d.EnvoyDeployment.Spec.Replicas = pointer.Int32(1) + return d.EnsureEnvoyDeployment() +} + +func (d *Deployment) mutatePodTemplate(pts v1.PodTemplateSpec) v1.PodTemplateSpec { // Add bootstrap ConfigMap as volume and add envoy admin volume on Envoy pods (also removes cert volume). - d.EnvoyDeployment.Spec.Template.Spec.Volumes = []v1.Volume{{ + pts.Spec.Volumes = []v1.Volume{{ Name: "envoy-config", VolumeSource: v1.VolumeSource{ ConfigMap: &v1.ConfigMapVolumeSource{ @@ -610,29 +576,30 @@ func (d *Deployment) EnsureResourcesForLocalContour() error { }} // Remove cert volume mount. - d.EnvoyDeployment.Spec.Template.Spec.Containers[1].VolumeMounts = []v1.VolumeMount{ - d.EnvoyDeployment.Spec.Template.Spec.Containers[1].VolumeMounts[0], // Config mount - d.EnvoyDeployment.Spec.Template.Spec.Containers[1].VolumeMounts[2], // Admin mount + pts.Spec.Containers[1].VolumeMounts = []v1.VolumeMount{ + pts.Spec.Containers[1].VolumeMounts[0], // Config mount + pts.Spec.Containers[1].VolumeMounts[2], // Admin mount } - d.EnvoyDeployment.Spec.Template.Spec.Volumes = append(d.EnvoyDeployment.Spec.Template.Spec.Volumes, d.EnvoyExtraVolumes...) - d.EnvoyDeployment.Spec.Template.Spec.Containers[1].VolumeMounts = append(d.EnvoyDeployment.Spec.Template.Spec.Containers[1].VolumeMounts, d.EnvoyExtraVolumeMounts...) + pts.Spec.Volumes = append(pts.Spec.Volumes, d.EnvoyExtraVolumes...) + pts.Spec.Containers[1].VolumeMounts = append(pts.Spec.Containers[1].VolumeMounts, d.EnvoyExtraVolumeMounts...) // Remove init container. - d.EnvoyDeployment.Spec.Template.Spec.InitContainers = nil + pts.Spec.InitContainers = nil // Remove shutdown-manager container. - d.EnvoyDeployment.Spec.Template.Spec.Containers = d.EnvoyDeployment.Spec.Template.Spec.Containers[1:] + pts.Spec.Containers = pts.Spec.Containers[1:] // Expose the metrics & admin interfaces via host port to test from outside the kind cluster. - d.EnvoyDeployment.Spec.Template.Spec.Containers[0].Ports = append(d.EnvoyDeployment.Spec.Template.Spec.Containers[0].Ports, + pts.Spec.Containers[0].Ports = append(pts.Spec.Containers[0].Ports, v1.ContainerPort{ Name: "metrics", ContainerPort: 8002, HostPort: 8002, Protocol: v1.ProtocolTCP, }) - return d.EnsureEnvoyDeployment() + + return pts } // DeleteResourcesForLocalContour ensures deletion of all resources diff --git a/test/e2e/deployment/deployment_test.go b/test/e2e/deployment/deployment_test.go index c6cd7911683..4247a25e35b 100644 --- a/test/e2e/deployment/deployment_test.go +++ b/test/e2e/deployment/deployment_test.go @@ -37,7 +37,7 @@ var ( cleanup []func() ) -func TestInfra(t *testing.T) { +func TestDeployment(t *testing.T) { RegisterFailHandler(Fail) RunSpecs(t, "Deployment tests") } From 0adcc3b547fa3650240e83bc70e9a880ccc6560e Mon Sep 17 00:00:00 2001 From: Steve Sloka Date: Wed, 1 Dec 2021 11:37:47 -0500 Subject: [PATCH 11/13] rebase Signed-off-by: Steve Sloka --- test/e2e/deployment.go | 4 ++-- test/e2e/httpproxy.go | 36 ---------------------------- test/e2e/incluster/incluster_test.go | 4 ++-- 3 files changed, 4 insertions(+), 40 deletions(-) delete mode 100644 test/e2e/httpproxy.go diff --git a/test/e2e/deployment.go b/test/e2e/deployment.go index 9c819a56473..dee3def57df 100644 --- a/test/e2e/deployment.go +++ b/test/e2e/deployment.go @@ -623,11 +623,11 @@ func (d *Deployment) DeleteResourcesForLocalContour() error { switch d.EnvoyDeploymentMode { case DaemonsetMode: - if err := ensureDeleted(d.EnvoyDaemonSet); err != nil { + if err := d.ensureDeleted(d.EnvoyDaemonSet); err != nil { return err } case DeploymentMode: - if err := ensureDeleted(d.EnvoyDeployment); err != nil { + if err := d.ensureDeleted(d.EnvoyDeployment); err != nil { return err } } diff --git a/test/e2e/httpproxy.go b/test/e2e/httpproxy.go deleted file mode 100644 index cbfca2c9047..00000000000 --- a/test/e2e/httpproxy.go +++ /dev/null @@ -1,36 +0,0 @@ -// Copyright Project Contour Authors -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -//go:build e2e -// +build e2e - -package e2e - -import contourv1 "github.com/projectcontour/contour/apis/projectcontour/v1" - -// HTTPProxyValid returns true if the proxy has a .status.currentStatus -// of "valid". -func HTTPProxyValid(proxy *contourv1.HTTPProxy) bool { - - if proxy == nil { - return false - } - - if len(proxy.Status.Conditions) == 0 { - return false - } - - cond := proxy.Status.GetConditionFor("Valid") - return cond.Status == "True" - -} diff --git a/test/e2e/incluster/incluster_test.go b/test/e2e/incluster/incluster_test.go index 213312001ca..994a6085ed9 100644 --- a/test/e2e/incluster/incluster_test.go +++ b/test/e2e/incluster/incluster_test.go @@ -28,7 +28,7 @@ import ( "github.com/stretchr/testify/require" ) -var f = e2e.NewFramework(true) +var f = e2e.NewFramework(true, e2e.DaemonsetMode) func TestIncluster(t *testing.T) { RegisterFailHandler(Fail) @@ -71,7 +71,7 @@ var _ = Describe("Incluster", func() { require.NoError(f.T(), f.Client.Create(context.TODO(), contourConfig)) require.NoError(f.T(), f.Deployment.EnsureContourDeployment()) require.NoError(f.T(), f.Deployment.WaitForContourDeploymentUpdated()) - require.NoError(f.T(), f.Deployment.WaitForEnvoyDaemonSetUpdated()) + require.NoError(f.T(), f.Deployment.WaitForEnvoyUpdated()) }) AfterEach(func() { From 218d63a423a3615726b519f804e9ff74a3c0dfbd Mon Sep 17 00:00:00 2001 From: Steve Sloka Date: Fri, 7 Jan 2022 14:34:04 -0500 Subject: [PATCH 12/13] rebase Signed-off-by: Steve Sloka --- examples/render/contour-deployment.yaml | 82 ++++++++++++++++++++++++- test/e2e/deployment.go | 4 +- test/e2e/deployment/metrics_test.go | 2 +- 3 files changed, 82 insertions(+), 6 deletions(-) diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml index 43b1662519c..612f8e3fb7f 100644 --- a/examples/render/contour-deployment.yaml +++ b/examples/render/contour-deployment.yaml @@ -3127,6 +3127,56 @@ spec: type: object type: array type: object + requestRedirectPolicy: + description: RequestRedirectPolicy defines an HTTP redirection. + properties: + hostname: + description: Hostname is the precise hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname of the request is used. No wildcards + are allowed. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path allows for redirection to a different + path from the original on the request. The path must start + with a leading slash. \n Note: Only one of Path or Prefix + can be defined." + pattern: ^\/.*$ + type: string + port: + description: Port is the port to be used in the value of + the `Location` header in the response. When empty, port + (if specified) of the request is used. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + prefix: + description: "Prefix defines the value to swap the matched + prefix or path with. The prefix must start with a leading + slash. \n Note: Only one of Path or Prefix can be defined." + pattern: ^\/.*$ + type: string + scheme: + description: Scheme is the scheme to be used in the value + of the `Location` header in the response. When empty, + the scheme of the request is used. + enum: + - http + - https + type: string + statusCode: + default: 302 + description: StatusCode is the HTTP status code to be used + in response. + enum: + - 301 + - 302 + type: integer + type: object responseHeadersPolicy: description: The policy for managing response headers during proxying. Rewriting the 'Host' header is not supported. @@ -3403,7 +3453,6 @@ spec: - name - port type: object - minItems: 1 type: array timeoutPolicy: description: The timeout policy for this route. @@ -3425,8 +3474,6 @@ spec: pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string type: object - required: - - services type: object type: array tcpproxy: @@ -3795,6 +3842,26 @@ spec: no timeout. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string + withRequestBody: + description: WithRequestBody specifies configuration for sending + the client request's body to authorization server. + properties: + allowPartialMessage: + description: If AllowPartialMessage is true, then Envoy + will buffer the body until MaxRequestBytes are reached. + type: boolean + maxRequestBytes: + default: 1024 + description: MaxRequestBytes sets the maximum size of + message body ExtAuthz filter will hold in-memory. + format: int32 + minimum: 1 + type: integer + packAsBytes: + description: If PackAsBytes is true, the body sent to + Authorization Server is in raw bytes. + type: boolean + type: object required: - extensionRef type: object @@ -4839,6 +4906,7 @@ rules: - "" resources: - configmaps + - events verbs: - create - get @@ -4854,6 +4922,14 @@ rules: - get - list - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update - apiGroups: - gateway.networking.k8s.io resources: diff --git a/test/e2e/deployment.go b/test/e2e/deployment.go index dee3def57df..f7bf9fc3670 100644 --- a/test/e2e/deployment.go +++ b/test/e2e/deployment.go @@ -623,11 +623,11 @@ func (d *Deployment) DeleteResourcesForLocalContour() error { switch d.EnvoyDeploymentMode { case DaemonsetMode: - if err := d.ensureDeleted(d.EnvoyDaemonSet); err != nil { + if err := d.EnsureDeleted(d.EnvoyDaemonSet); err != nil { return err } case DeploymentMode: - if err := d.ensureDeleted(d.EnvoyDeployment); err != nil { + if err := d.EnsureDeleted(d.EnvoyDeployment); err != nil { return err } } diff --git a/test/e2e/deployment/metrics_test.go b/test/e2e/deployment/metrics_test.go index 73becc4b4c4..4d69a46a14a 100644 --- a/test/e2e/deployment/metrics_test.go +++ b/test/e2e/deployment/metrics_test.go @@ -21,7 +21,7 @@ import ( "net/http" "time" - . "github.com/onsi/ginkgo" + . "github.com/onsi/ginkgo/v2" "github.com/onsi/gomega" "github.com/projectcontour/contour/test/e2e" "github.com/stretchr/testify/require" From 13c97a779797004093d5d3537c67578bec9e1571 Mon Sep 17 00:00:00 2001 From: Steve Sloka Date: Fri, 7 Jan 2022 15:22:27 -0500 Subject: [PATCH 13/13] fixup gingko imports Signed-off-by: Steve Sloka --- test/e2e/deployment/admin_test.go | 2 +- test/e2e/deployment/deployment_test.go | 2 +- .../e2e/deployment/path_condition_match_test.go | 2 +- test/e2e/framework.go | 17 ----------------- 4 files changed, 3 insertions(+), 20 deletions(-) diff --git a/test/e2e/deployment/admin_test.go b/test/e2e/deployment/admin_test.go index 4f0cd7ce547..921950a9f51 100644 --- a/test/e2e/deployment/admin_test.go +++ b/test/e2e/deployment/admin_test.go @@ -17,7 +17,7 @@ package deployment import ( - . "github.com/onsi/ginkgo" + . "github.com/onsi/ginkgo/v2" "github.com/projectcontour/contour/test/e2e" "github.com/stretchr/testify/require" ) diff --git a/test/e2e/deployment/deployment_test.go b/test/e2e/deployment/deployment_test.go index 4247a25e35b..7c2ac80e287 100644 --- a/test/e2e/deployment/deployment_test.go +++ b/test/e2e/deployment/deployment_test.go @@ -22,7 +22,7 @@ import ( contour_api_v1alpha1 "github.com/projectcontour/contour/apis/projectcontour/v1alpha1" v1 "k8s.io/api/core/v1" - . "github.com/onsi/ginkgo" + . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/onsi/gomega/gexec" "github.com/projectcontour/contour/pkg/config" diff --git a/test/e2e/deployment/path_condition_match_test.go b/test/e2e/deployment/path_condition_match_test.go index 94fb262a01d..4f996d5a59e 100644 --- a/test/e2e/deployment/path_condition_match_test.go +++ b/test/e2e/deployment/path_condition_match_test.go @@ -17,7 +17,7 @@ package deployment import ( - . "github.com/onsi/ginkgo" + . "github.com/onsi/ginkgo/v2" contourv1 "github.com/projectcontour/contour/apis/projectcontour/v1" "github.com/projectcontour/contour/test/e2e" "github.com/stretchr/testify/assert" diff --git a/test/e2e/framework.go b/test/e2e/framework.go index 59c1221ddd0..3f562e12189 100644 --- a/test/e2e/framework.go +++ b/test/e2e/framework.go @@ -19,7 +19,6 @@ package e2e import ( "context" "encoding/json" - "fmt" "net/http" "os" "path/filepath" @@ -460,22 +459,6 @@ func UsingContourConfigCRD() bool { return found && useContourConfiguration == "true" } -// UseEnvoyDaemonsetDeploymentModel determines if Envoy should be deployed as a Daemonset or a Deployment -// when running E2E tests. It looks for the env var "USE_ENVOY_DEPLOYMENT". If it exists and is valid, then -// that value is returned, otherwise true is returned to indicate that the default daemonset model is to be used. -func UseEnvoyDaemonsetDeploymentModel() bool { - - if useEnvoyDeployment, found := os.LookupEnv("USE_ENVOY_DEPLOYMENT"); found { - got, err := strconv.ParseBool(useEnvoyDeployment) - if err != nil { - fmt.Printf("error trying to parse \"USE_ENVOY_DEPLOYMENT\" env var, defaulting to use Daemonset: %v\n", err) - return true - } - return !got - } - return true -} - // HTTPProxyValid returns true if the proxy has a .status.currentStatus // of "valid". func HTTPProxyValid(proxy *contourv1.HTTPProxy) bool {