# This file is generated from the individual YAML files by generate-deployment.sh. Do not
# edit this file directly but instead edit the source files and re-render.
#
# Generated from:
# examples/contour/00-common.yaml
# examples/contour/01-contour-config.yaml
# examples/contour/01-crds.yaml
# examples/contour/02-job-certgen.yaml
# examples/contour/02-rbac.yaml
# examples/contour/02-role-contour.yaml
# examples/contour/02-service-contour.yaml
# examples/contour/02-service-envoy.yaml
# examples/contour/03-contour.yaml
# examples/contour/03-envoy.yaml
---
apiVersion: v1
kind: Namespace
metadata:
  # Namespace holding the Contour control plane and Envoy data plane
  # resources rendered in this manifest.
  name: projectcontour
---
apiVersion: v1
kind: ServiceAccount
metadata:
  # Identity the Contour controller pods run as. Its API-server permissions
  # come from the RBAC objects rendered from 02-rbac.yaml and
  # 02-role-contour.yaml (listed in the header above, not shown in this
  # chunk); review those bindings for least privilege.
  name: contour
  namespace: projectcontour
---
apiVersion: v1
kind: ServiceAccount
metadata:
  # Identity for the Envoy data-plane pods. No RBAC binding for it is visible
  # in this chunk. NOTE(review): if the Envoy workload never calls the
  # API server, its pod spec should set automountServiceAccountToken: false
  # so a compromised proxy holds no cluster credential — confirm against
  # 03-envoy.yaml before relying on that.
  name: envoy
  namespace: projectcontour
---
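apiVersion: v1
kind: ConfigMap
metadata:
  name: contour
  namespace: projectcontour
data:
  # Contour's configuration file. Only disablePermitInsecure, tls and
  # accesslog-format are set here; every other entry is commented out and
  # shows the default value for reference.
  contour.yaml: |
    #
    # server:
    #   determine which XDS Server implementation to utilize in Contour.
    #   xds-server-type: contour
    #
    # Specify the Gateway API configuration.
    # gateway:
    #   controllerName: projectcontour.io/gateway-controller
    #
    # should contour expect to be running inside a k8s cluster
    # incluster: true
    #
    # path to kubeconfig (if not running inside a k8s cluster)
    # kubeconfig: /path/to/.kube/config
    #
    # Disable RFC-compliant behavior to strip "Content-Length" header if
    # "Transfer-Encoding: chunked" is also set.
    # Keep this false: the RFC behaviour exists to prevent ambiguous message
    # framing (request smuggling). It is an emergency off-switch only.
    # disableAllowChunkedLength: false
    #
    # Disable Envoy's non-standard merge_slashes path transformation option
    # that strips duplicate slashes from request URLs.
    # Keep this false when routes or external authorization decisions depend
    # on path prefixes; un-normalised "//" paths can bypass such matches.
    # disableMergeSlashes: false
    #
    # Disable HTTPProxy permitInsecure field
    # Setting this to true forbids HTTPProxy authors from using
    # permitInsecure, which lets a route on a TLS virtual host also be served
    # over plaintext HTTP. Prefer true where nothing legitimately needs
    # plaintext.
    disablePermitInsecure: false
    tls:
      # minimum TLS version that Contour will negotiate
      # Only "1.2" and "1.3" are accepted; "1.2" is the default.
      # minimum-protocol-version: "1.2"
      # TLS ciphers to be supported by Envoy TLS listeners when negotiating
      # TLS 1.2. Leave unset to get Contour's maintained default list below
      # (ECDHE + AEAD only); the validated set also contains CBC/RSA-kex
      # suites, so adding entries can only weaken the deployment.
      # cipher-suites:
      # - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]'
      # - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]'
      # - 'ECDHE-ECDSA-AES256-GCM-SHA384'
      # - 'ECDHE-RSA-AES256-GCM-SHA384'
      # Defines the Kubernetes name/namespace matching a secret to use
      # as the fallback certificate when requests which don't match the
      # SNI defined for a vhost.
      # Leave unset unless clients without SNI must be served: the fallback
      # certificate is presented for every TLS hostname Contour does not
      # know, so it should cover only names you intend to answer for.
      fallback-certificate:
      # name: fallback-secret-name
      # namespace: projectcontour
      # Client certificate/key Envoy presents to upstreams for mTLS.
      envoy-client-certificate:
      # name: envoy-client-cert-secret-name
      # namespace: projectcontour
    ####
    # ExternalName Services are disabled by default for security reasons.
    # You can re-enable them by setting this setting to `true`.
    # This is not recommended without understanding the security implications.
    # Please see the advisory at https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc for the details.
    # enableExternalNameService: false
    ##
    # Address to be placed in status.loadbalancer field of Ingress objects.
    # May be either a literal IP address or a host name.
    # The value will be placed directly into the relevant field inside the status.loadBalancer struct.
    # ingress-status-address: local.projectcontour.io
    ### Logging options
    # Default setting
    accesslog-format: envoy
    # The default access log format is defined by Envoy but it can be customized by setting following variable.
    # accesslog-format-string: "...\n"
    # To enable JSON logging in Envoy
    # accesslog-format: json
    # Values: info (default, all requests), error (3xx+), critical (5xx), disabled.
    # accesslog-level: info
    # The default fields that will be logged are specified below.
    # To customise this list, just add or remove entries.
    # The canonical list is available at
    # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields
    # json-fields:
    #   - "@timestamp"
    #   - "authority"
    #   - "bytes_received"
    #   - "bytes_sent"
    #   - "downstream_local_address"
    #   - "downstream_remote_address"
    #   - "duration"
    #   - "method"
    #   - "path"
    #   - "protocol"
    #   - "request_id"
    #   - "requested_server_name"
    #   - "response_code"
    #   - "response_flags"
    #   - "uber_trace_id"
    #   - "upstream_cluster"
    #   - "upstream_host"
    #   - "upstream_local_address"
    #   - "upstream_service_time"
    #   - "user_agent"
    #   - "x_forwarded_for"
    #   - "grpc_status"
    #   - "grpc_status_number"
    #
    # default-http-versions:
    #   - "HTTP/2"
    #   - "HTTP/1.1"
    #
    # The following shows the default proxy timeout settings.
    # request-timeout: infinity puts no upper bound on a request's total
    # lifetime; protection against stalled clients comes from
    # stream-idle-timeout and connection-idle-timeout instead.
    # timeouts:
    #   request-timeout: infinity
    #   connection-idle-timeout: 60s
    #   stream-idle-timeout: 5m
    #   max-connection-duration: infinity
    #   delayed-close-timeout: 1s
    #   connection-shutdown-grace-period: 5s
    #   connect-timeout: 2s
    #
    # Envoy cluster settings.
    # cluster:
    #   configure the cluster dns lookup family
    #   valid options are: auto (default), v4, v6, all
    #   dns-lookup-family: auto
    #
    # Envoy network settings.
    # network:
    #   Configure the number of additional ingress proxy hops from the
    #   right side of the x-forwarded-for HTTP header to trust.
    #   Raise this only when a trusted load balancer in front of Envoy
    #   appends the client address: every additional hop trusted is one more
    #   X-Forwarded-For entry a client can forge to spoof its source IP
    #   (affecting access logs, IP-based policies and rate limiting).
    #   num-trusted-hops: 0
    #   Configure the port used to access the Envoy Admin interface.
    #   Never expose this port outside the pod; the ContourConfiguration CRD
    #   documents port 0 as disabling the admin interface entirely.
    #   admin-port: 9001
    #
    # Configure an optional global rate limit service.
    # rateLimitService:
    #   Identifies the extension service defining the rate limit service,
    #   formatted as <namespace>/<name>.
    #   extensionService: projectcontour/ratelimit
    #   Defines the rate limit domain to pass to the rate limit service.
    #   Acts as a container for a set of rate limit definitions within
    #   the RLS.
    #   domain: contour
    #   Defines whether to allow requests to proceed when the rate limit
    #   service fails to respond with a valid rate limit decision within
    #   the timeout defined on the extension service.
    #   false fails closed (requests rejected while the RLS is unavailable);
    #   true keeps serving but lets clients bypass limits during an outage.
    #   failOpen: false
    #   Defines whether to include the X-RateLimit headers X-RateLimit-Limit,
    #   X-RateLimit-Remaining, and X-RateLimit-Reset (as defined by the IETF
    #   Internet-Draft linked below), on responses to clients when the Rate
    #   Limit Service is consulted for a request.
    #   ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html
    #   enableXRateLimitHeaders: false
    #   Defines whether to translate status code 429 to grpc code RESOURCE_EXHAUSTED
    #   instead of the default UNAVAILABLE
    #   enableResourceExhaustedCode: false
    #
    # Global Policy settings.
    # Values starting with "%" are quoted below because "%" cannot start a
    # plain YAML scalar; keep the quotes when enabling these examples.
    # policy:
    #   # Default headers to set on all requests (unless set/removed on the HTTPProxy object itself)
    #   request-headers:
    #     set:
    #       # example: the hostname of the Envoy instance that proxied the request
    #       X-Envoy-Hostname: "%HOSTNAME%"
    #       # example: add a l5d-dst-override header to instruct Linkerd what service the request is destined for
    #       l5d-dst-override: "%CONTOUR_SERVICE_NAME%.%CONTOUR_NAMESPACE%.svc.cluster.local:%CONTOUR_SERVICE_PORT%"
    #   # default headers to set on all responses (unless set/removed on the HTTPProxy object itself)
    #   response-headers:
    #     set:
    #       # example: Envoy flags that provide additional details about the response or connection
    #       X-Envoy-Response-Flags: "%RESPONSE_FLAGS%"
    #
    # Metrics endpoints. Without the TLS paths, metrics are served in
    # plaintext to anyone who can reach the port; ca-certificate-path
    # additionally requires scrapers to present a client certificate.
    # metrics:
    #   contour:
    #     address: 0.0.0.0
    #     port: 8000
    #     server-certificate-path: /path/to/server-cert.pem
    #     server-key-path: /path/to/server-private-key.pem
    #     ca-certificate-path: /path/to/root-ca-for-client-validation.pem
    #   envoy:
    #     address: 0.0.0.0
    #     port: 8002
    #     server-certificate-path: /path/to/server-cert.pem
    #     server-key-path: /path/to/server-private-key.pem
    #     ca-certificate-path: /path/to/root-ca-for-client-validation.pem
    #
    # listener:
    #   connection-balancer: exact
    #   socket-options:
    #     tos: 64
    #     traffic-class: 64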
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.13.0
name: contourconfigurations.projectcontour.io
spec:
preserveUnknownFields: false
group: projectcontour.io
names:
kind: ContourConfiguration
listKind: ContourConfigurationList
plural: contourconfigurations
shortNames:
- contourconfig
singular: contourconfiguration
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: ContourConfiguration is the schema for a Contour instance.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ContourConfigurationSpec represents a configuration of a
Contour controller. It contains most of all the options that can be
customized, the other remaining options being command line flags.
properties:
debug:
description: Debug contains parameters to enable debug logging and
debug interfaces inside Contour.
properties:
address:
description: "Defines the Contour debug address interface. \n
Contour's default is \"127.0.0.1\"."
type: string
port:
description: "Defines the Contour debug address port. \n Contour's
default is 6060."
type: integer
type: object
enableExternalNameService:
description: "EnableExternalNameService allows processing of ExternalNameServices
\n Contour's default is false for security reasons."
type: boolean
envoy:
description: Envoy contains parameters for Envoy as well as how to
optionally configure a managed Envoy fleet.
properties:
clientCertificate:
description: ClientCertificate defines the namespace/name of the
Kubernetes secret containing the client certificate and private
key to be used when establishing TLS connection to upstream
cluster.
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
cluster:
description: Cluster holds various configurable Envoy cluster
values that can be set in the config file.
properties:
dnsLookupFamily:
description: "DNSLookupFamily defines how external names are
looked up When configured as V4, the DNS resolver will only
perform a lookup for addresses in the IPv4 family. If V6
is configured, the DNS resolver will only perform a lookup
for addresses in the IPv6 family. If AUTO is configured,
the DNS resolver will first perform a lookup for addresses
in the IPv6 family and fallback to a lookup for addresses
in the IPv4 family. If ALL is specified, the DNS resolver
will perform a lookup for both IPv4 and IPv6 families, and
return all resolved addresses. When this is used, Happy
Eyeballs will be enabled for upstream connections. Refer
to Happy Eyeballs Support for more information. Note: This
only applies to externalName clusters. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily
for more information. \n Values: `auto` (default), `v4`,
`v6`, `all`. \n Other values will produce an error."
type: string
maxRequestsPerConnection:
description: Defines the maximum requests for upstream connections.
If not specified, there is no limit. see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions
for more information.
format: int32
minimum: 1
type: integer
per-connection-buffer-limit-bytes:
description: Defines the soft limit on size of the cluster’s
new connection read and write buffers in bytes. If unspecified,
an implementation defined default is applied (1MiB). see
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes
for more information.
format: int32
minimum: 1
type: integer
type: object
defaultHTTPVersions:
description: "DefaultHTTPVersions defines the default set of HTTPS
versions the proxy should accept. HTTP versions are strings
of the form \"HTTP/xx\". Supported versions are \"HTTP/1.1\"
and \"HTTP/2\". \n Values: `HTTP/1.1`, `HTTP/2` (default: both).
\n Other values will produce an error."
items:
description: HTTPVersionType is the name of a supported HTTP
version.
type: string
type: array
health:
description: "Health defines the endpoint Envoy uses to serve
health checks. \n Contour's default is { address: \"0.0.0.0\",
port: 8002 }."
properties:
address:
description: Defines the health address interface.
minLength: 1
type: string
port:
description: Defines the health port.
type: integer
type: object
http:
description: "Defines the HTTP Listener for Envoy. \n Contour's
default is { address: \"0.0.0.0\", port: 8080, accessLog: \"/dev/stdout\"
}."
properties:
accessLog:
description: AccessLog defines where Envoy logs are outputted
for this listener.
type: string
address:
description: Defines an Envoy Listener Address.
minLength: 1
type: string
port:
description: Defines an Envoy listener Port.
type: integer
type: object
https:
description: "Defines the HTTPS Listener for Envoy. \n Contour's
default is { address: \"0.0.0.0\", port: 8443, accessLog: \"/dev/stdout\"
}."
properties:
accessLog:
description: AccessLog defines where Envoy logs are outputted
for this listener.
type: string
address:
description: Defines an Envoy Listener Address.
minLength: 1
type: string
port:
description: Defines an Envoy listener Port.
type: integer
type: object
listener:
description: Listener hold various configurable Envoy listener
values.
properties:
connectionBalancer:
description: "ConnectionBalancer. If the value is exact, the
listener will use the exact connection balancer See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig
for more information. \n Values: (empty string): use the
default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer.
\n Other values will produce an error."
type: string
disableAllowChunkedLength:
description: "DisableAllowChunkedLength disables the RFC-compliant
Envoy behavior to strip the \"Content-Length\" header if
\"Transfer-Encoding: chunked\" is also set. This is an emergency
off-switch to revert back to Envoy's default behavior in
case of failures. Please file an issue if failures are encountered.
See: https://github.com/projectcontour/contour/issues/3221
\n Contour's default is false."
type: boolean
disableMergeSlashes:
description: "DisableMergeSlashes disables Envoy's non-standard
merge_slashes path transformation option which strips duplicate
slashes from request URL paths. \n Contour's default is
false."
type: boolean
maxRequestsPerConnection:
description: Defines the maximum requests for downstream connections.
If not specified, there is no limit. see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions
for more information.
format: int32
minimum: 1
type: integer
per-connection-buffer-limit-bytes:
description: Defines the soft limit on size of the listener’s
new connection read and write buffers in bytes. If unspecified,
an implementation defined default is applied (1MiB). see
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes
for more information.
format: int32
minimum: 1
type: integer
serverHeaderTransformation:
description: "Defines the action to be applied to the Server
header on the response path. When configured as overwrite,
overwrites any Server header with \"envoy\". When configured
as append_if_absent, if a Server header is present, pass
it through, otherwise set it to \"envoy\". When configured
as pass_through, pass through the value of the Server header,
and do not append a header if none is present. \n Values:
`overwrite` (default), `append_if_absent`, `pass_through`
\n Other values will produce an error. Contour's default
is overwrite."
type: string
socketOptions:
description: SocketOptions defines configurable socket options
for the listeners. Single set of options are applied to
all listeners.
properties:
tos:
description: Defines the value for IPv4 TOS field (including
6 bit DSCP field) for IP packets originating from Envoy
listeners. Single value is applied to all listeners.
If listeners are bound to IPv6-only addresses, setting
this option will cause an error.
format: int32
maximum: 255
minimum: 0
type: integer
trafficClass:
description: Defines the value for IPv6 Traffic Class
field (including 6 bit DSCP field) for IP packets originating
from the Envoy listeners. Single value is applied to
all listeners. If listeners are bound to IPv4-only addresses,
setting this option will cause an error.
format: int32
maximum: 255
minimum: 0
type: integer
type: object
tls:
description: TLS holds various configurable Envoy TLS listener
values.
properties:
cipherSuites:
description: "CipherSuites defines the TLS ciphers to
be supported by Envoy TLS listeners when negotiating
TLS 1.2. Ciphers are validated against the set that
Envoy supports by default. This parameter should only
be used by advanced users. Note that these will be ignored
when TLS 1.3 is in use. \n This field is optional; when
it is undefined, a Contour-managed ciphersuite list
will be used, which may be updated to keep it secure.
\n Contour's default list is: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"
- \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"
- \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\"
\n Ciphers provided are validated against the following
list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"
- \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"
- \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\"
- \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\"
- \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\"
- \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\"
- \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" -
\"AES256-SHA\" \n Contour recommends leaving this undefined
unless you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
Note: This list is a superset of what is valid for stock
Envoy builds and those using BoringSSL FIPS."
items:
type: string
type: array
maximumProtocolVersion:
description: "MaximumProtocolVersion is the maximum TLS
version this vhost should negotiate. \n Values: `1.2`,
`1.3`(default). \n Other values will produce an error."
type: string
minimumProtocolVersion:
description: "MinimumProtocolVersion is the minimum TLS
version this vhost should negotiate. \n Values: `1.2`
(default), `1.3`. \n Other values will produce an error."
type: string
type: object
useProxyProtocol:
description: "Use PROXY protocol for all listeners. \n Contour's
default is false."
type: boolean
type: object
logging:
description: Logging defines how Envoy's logs can be configured.
properties:
accessLogFormat:
description: "AccessLogFormat sets the global access log format.
\n Values: `envoy` (default), `json`. \n Other values will
produce an error."
type: string
accessLogFormatString:
description: AccessLogFormatString sets the access log format
when format is set to `envoy`. When empty, Envoy's default
format is used.
type: string
accessLogJSONFields:
description: AccessLogJSONFields sets the fields that JSON
logging will output when AccessLogFormat is json.
items:
type: string
type: array
accessLogLevel:
description: "AccessLogLevel sets the verbosity level of the
access log. \n Values: `info` (default, all requests are
logged), `error` (all non-success requests, i.e. 300+ response
code, are logged), `critical` (all 5xx requests are logged)
and `disabled`. \n Other values will produce an error."
type: string
type: object
metrics:
description: "Metrics defines the endpoint Envoy uses to serve
metrics. \n Contour's default is { address: \"0.0.0.0\", port:
8002 }."
properties:
address:
description: Defines the metrics address interface.
maxLength: 253
minLength: 1
type: string
port:
description: Defines the metrics port.
type: integer
tls:
description: TLS holds TLS file config details. Metrics and
health endpoints cannot have same port number when metrics
is served over HTTPS.
properties:
caFile:
description: CA filename.
type: string
certFile:
description: Client certificate filename.
type: string
keyFile:
description: Client key filename.
type: string
type: object
type: object
network:
description: Network holds various configurable Envoy network
values.
properties:
adminPort:
description: "Configure the port used to access the Envoy
Admin interface. If configured to port \"0\" then the admin
interface is disabled. \n Contour's default is 9001."
type: integer
numTrustedHops:
description: "XffNumTrustedHops defines the number of additional
ingress proxy hops from the right side of the x-forwarded-for
HTTP header to trust when determining the origin client’s
IP address. \n See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops
for more information. \n Contour's default is 0."
format: int32
type: integer
type: object
service:
description: "Service holds Envoy service parameters for setting
Ingress status. \n Contour's default is { namespace: \"projectcontour\",
name: \"envoy\" }."
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
timeouts:
description: Timeouts holds various configurable timeouts that
can be set in the config file.
properties:
connectTimeout:
description: "ConnectTimeout defines how long the proxy should
wait when establishing connection to upstream service. If
not set, a default value of 2 seconds will be used. \n See
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout
for more information."
type: string
connectionIdleTimeout:
description: "ConnectionIdleTimeout defines how long the proxy
should wait while there are no active requests (for HTTP/1.1)
or streams (for HTTP/2) before terminating an HTTP connection.
Set to \"infinity\" to disable the timeout entirely. \n
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout
for more information."
type: string
connectionShutdownGracePeriod:
description: "ConnectionShutdownGracePeriod defines how long
the proxy will wait between sending an initial GOAWAY frame
and a second, final GOAWAY frame when terminating an HTTP/2
connection. During this grace period, the proxy will continue
to respond to new streams. After the final GOAWAY frame
has been sent, the proxy will refuse new streams. \n See
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout
for more information."
type: string
delayedCloseTimeout:
description: "DelayedCloseTimeout defines how long envoy will
wait, once connection close processing has been initiated,
for the downstream peer to close the connection before Envoy
closes the socket associated with the connection. \n Setting
this timeout to 'infinity' will disable it, equivalent to
setting it to '0' in Envoy. Leaving it unset will result
in the Envoy default value being used. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout
for more information."
type: string
maxConnectionDuration:
description: "MaxConnectionDuration defines the maximum period
of time after an HTTP connection has been established from
the client to the proxy before it is closed by the proxy,
regardless of whether there has been activity or not. Omit
or set to \"infinity\" for no max duration. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration
for more information."
type: string
requestTimeout:
description: "RequestTimeout sets the client request timeout
globally for Contour. Note that this is a timeout for the
entire request, not an idle timeout. Omit or set to \"infinity\"
to disable the timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout
for more information."
type: string
streamIdleTimeout:
description: "StreamIdleTimeout defines how long the proxy
should wait while there is no request activity (for HTTP/1.1)
or stream activity (for HTTP/2) before terminating the HTTP
request or stream. Set to \"infinity\" to disable the timeout
entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout
for more information."
type: string
type: object
type: object
gateway:
description: Gateway contains parameters for the gateway-api Gateway
that Contour is configured to serve traffic for.
properties:
controllerName:
description: ControllerName is used to determine whether Contour
should reconcile a GatewayClass. The string takes the form of
"projectcontour.io/<namespace>/contour". If unset, the gatewayclass
controller will not be started. Exactly one of ControllerName
or GatewayRef must be set.
type: string
gatewayRef:
description: GatewayRef defines a specific Gateway that this Contour
instance corresponds to. If set, Contour will reconcile only
this gateway, and will not reconcile any gateway classes. Exactly
one of ControllerName or GatewayRef must be set.
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
type: object
globalExtAuth:
description: GlobalExternalAuthorization allows Envoy's external authorization
filter to be enabled for all virtual hosts.
properties:
authPolicy:
description: AuthPolicy sets a default authorization policy for
client requests. This policy will be used unless overridden
by individual routes.
properties:
context:
additionalProperties:
type: string
description: Context is a set of key/value pairs that are
sent to the authentication server in the check request.
If a context is provided at an enclosing scope, the entries
are merged such that the inner scope overrides matching
keys from the outer scope.
type: object
disabled:
description: When true, this field disables client request
authentication for the scope of the policy.
type: boolean
type: object
extensionRef:
description: ExtensionServiceRef specifies the extension resource
that will authorize client requests.
properties:
apiVersion:
description: API version of the referent. If this field is
not specified, the default "projectcontour.io/v1alpha1"
will be used.
minLength: 1
type: string
name:
description: "Name of the referent. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names"
minLength: 1
type: string
namespace:
description: "Namespace of the referent. If this field is
not specified, the namespace of the resource that targets
the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"
minLength: 1
type: string
type: object
failOpen:
description: If FailOpen is true, the client request is forwarded
to the upstream service even if the authorization server fails
to respond. This field should not be set in most cases. It is
intended for use only while migrating applications from internal
authorization to Contour external authorization.
type: boolean
responseTimeout:
description: ResponseTimeout configures maximum time to wait for
a check response from the authorization server. Timeout durations
are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
The string "infinity" is also a valid input and specifies no
timeout.
pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
type: string
withRequestBody:
description: WithRequestBody specifies configuration for sending
the client request's body to authorization server.
properties:
allowPartialMessage:
description: If AllowPartialMessage is true, then Envoy will
buffer the body until MaxRequestBytes are reached.
type: boolean
maxRequestBytes:
default: 1024
description: MaxRequestBytes sets the maximum size of message
body ExtAuthz filter will hold in-memory.
format: int32
minimum: 1
type: integer
packAsBytes:
description: If PackAsBytes is true, the body sent to Authorization
Server is in raw bytes.
type: boolean
type: object
type: object
health:
description: "Health defines the endpoints Contour uses to serve health
checks. \n Contour's default is { address: \"0.0.0.0\", port: 8000
}."
properties:
address:
description: Defines the health address interface.
minLength: 1
type: string
port:
description: Defines the health port.
type: integer
type: object
httpproxy:
description: HTTPProxy defines parameters on HTTPProxy.
properties:
disablePermitInsecure:
description: "DisablePermitInsecure disables the use of the permitInsecure
field in HTTPProxy. \n Contour's default is false."
type: boolean
fallbackCertificate:
description: FallbackCertificate defines the namespace/name of
the Kubernetes secret to use as fallback when a non-SNI request
is received.
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
rootNamespaces:
description: Restrict Contour to searching these namespaces for
root ingress routes.
items:
type: string
type: array
type: object
ingress:
description: Ingress contains parameters for ingress options.
properties:
classNames:
description: Ingress Class Names Contour should use.
items:
type: string
type: array
statusAddress:
description: Address to set in Ingress object status.
type: string
type: object
metrics:
description: "Metrics defines the endpoint Contour uses to serve metrics.
\n Contour's default is { address: \"0.0.0.0\", port: 8000 }."
properties:
address:
description: Defines the metrics address interface.
maxLength: 253
minLength: 1
type: string
port:
description: Defines the metrics port.
type: integer
tls:
description: TLS holds TLS file config details. Metrics and health
endpoints cannot have same port number when metrics is served
over HTTPS.
properties:
caFile:
description: CA filename.
type: string
certFile:
description: Client certificate filename.
type: string
keyFile:
description: Client key filename.
type: string
type: object
type: object
policy:
description: Policy specifies default policy applied if not overridden
by the user
properties:
applyToIngress:
description: "ApplyToIngress determines if the Policies will apply
to ingress objects \n Contour's default is false."
type: boolean
requestHeaders:
description: RequestHeadersPolicy defines the request headers
set/removed on all routes
properties:
remove:
items:
type: string
type: array
set:
additionalProperties:
type: string
type: object
type: object
responseHeaders:
description: ResponseHeadersPolicy defines the response headers
set/removed on all routes
properties:
remove:
items:
type: string
type: array
set:
additionalProperties:
type: string
type: object
type: object
type: object
rateLimitService:
description: RateLimitService optionally holds properties of the Rate
Limit Service to be used for global rate limiting.
properties:
defaultGlobalRateLimitPolicy:
description: DefaultGlobalRateLimitPolicy allows setting a default
global rate limit policy for every HTTPProxy. HTTPProxy can
overwrite this configuration.
properties:
descriptors:
description: Descriptors defines the list of descriptors that
will be generated and sent to the rate limit service. Each
descriptor contains 1+ key-value pair entries.
items:
description: RateLimitDescriptor defines a list of key-value
pair generators.
properties:
entries:
description: Entries is the list of key-value pair generators.
items:
description: RateLimitDescriptorEntry is a key-value
pair generator. Exactly one field on this struct
must be non-nil.
properties:
genericKey:
description: GenericKey defines a descriptor entry
with a static key and value.
properties:
key:
description: Key defines the key of the descriptor
entry. If not set, the key is set to "generic_key".
type: string
value:
description: Value defines the value of the
descriptor entry.
minLength: 1
type: string
type: object
remoteAddress:
description: RemoteAddress defines a descriptor
entry with a key of "remote_address" and a value
equal to the client's IP address (from x-forwarded-for).
type: object
requestHeader:
description: RequestHeader defines a descriptor
entry that's populated only if a given header
is present on the request. The descriptor key
is static, and the descriptor value is equal
to the value of the header.
properties:
descriptorKey:
description: DescriptorKey defines the key
to use on the descriptor entry.
minLength: 1
type: string
headerName:
description: HeaderName defines the name of
the header to look for on the request.
minLength: 1
type: string
type: object
requestHeaderValueMatch:
description: RequestHeaderValueMatch defines a
descriptor entry that's populated if the request's
headers match a set of 1+ match criteria. The
descriptor key is "header_match", and the descriptor
value is static.
properties:
expectMatch:
default: true
description: ExpectMatch defines whether the
request must positively match the match
criteria in order to generate a descriptor
entry (i.e. true), or not match the match
criteria in order to generate a descriptor
entry (i.e. false). The default is true.
type: boolean
headers:
description: Headers is a list of 1+ match
criteria to apply against the request to
determine whether to populate the descriptor
entry or not.
items:
description: HeaderMatchCondition specifies
how to conditionally match against HTTP
headers. The Name field is required, only
one of Present, NotPresent, Contains,
NotContains, Exact, NotExact and Regex
can be set. For negative matching rules
only (e.g. NotContains or NotExact) you
can set TreatMissingAsEmpty. IgnoreCase
has no effect for Regex.
properties:
contains:
description: Contains specifies a substring
that must be present in the header
value.
type: string
exact:
description: Exact specifies a string
that the header value must be equal
to.
type: string
ignoreCase:
description: IgnoreCase specifies that
string matching should be case insensitive.
Note that this has no effect on the
Regex parameter.
type: boolean