projectcontour.io / v1 / HTTPProxy
- string
.apiVersion
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- string
.kind
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- object required
.metadata
- object required
.spec
HTTPProxySpec defines the spec of the CRD.
- array
.spec .includes
Includes allow for specific routing configuration to be included from another HTTPProxy, possibly in another namespace.
- array
.spec .includes[] .conditions
Conditions are a set of rules that are applied to included HTTPProxies. In effect, they are added onto the Conditions of included HTTPProxy Route structs. When applied, they are merged using AND, with one exception: There can be only one Prefix MatchCondition per Conditions slice. More than one Prefix, or contradictory Conditions, will make the include invalid. Exact and Regex match conditions are not allowed on includes.
- string
.spec .includes[] .conditions[] .exact
Exact defines a exact match for a request. This field is not allowed in include match conditions.
- object
.spec .includes[] .conditions[] .header
Header specifies the header condition to match.
- string
.spec .includes[] .conditions[] .header .contains
Contains specifies a substring that must be present in the header value.
- string
.spec .includes[] .conditions[] .header .exact
Exact specifies a string that the header value must be equal to.
- boolean
.spec .includes[] .conditions[] .header .ignoreCase
IgnoreCase specifies that string matching should be case insensitive. Note that this has no effect on the Regex parameter.
- string required
.spec .includes[] .conditions[] .header .name
Name is the name of the header to match against. Name is required. Header names are case insensitive.
- string
.spec .includes[] .conditions[] .header .notcontains
NotContains specifies a substring that must not be present in the header value.
- string
.spec .includes[] .conditions[] .header .notexact
NoExact specifies a string that the header value must not be equal to. The condition is true if the header has any other value.
- boolean
.spec .includes[] .conditions[] .header .notpresent
NotPresent specifies that condition is true when the named header is not present. Note that setting NotPresent to false does not make the condition true if the named header is present.
- boolean
.spec .includes[] .conditions[] .header .present
Present specifies that condition is true when the named header is present, regardless of its value. Note that setting Present to false does not make the condition true if the named header is absent.
- string
.spec .includes[] .conditions[] .header .regex
Regex specifies a regular expression pattern that must match the header value.
- boolean
.spec .includes[] .conditions[] .header .treatMissingAsEmpty
TreatMissingAsEmpty specifies if the header match rule specified header does not exist, this header value will be treated as empty. Defaults to false. Unlike the underlying Envoy implementation this is only supported for negative matches (e.g. NotContains, NotExact).
- string
.spec .includes[] .conditions[] .prefix
Prefix defines a prefix match for a request.
- object
.spec .includes[] .conditions[] .queryParameter
QueryParameter specifies the query parameter condition to match.
- string
.spec .includes[] .conditions[] .queryParameter .contains
Contains specifies a substring that must be present in the query parameter value.
- string
.spec .includes[] .conditions[] .queryParameter .exact
Exact specifies a string that the query parameter value must be equal to.
- boolean
.spec .includes[] .conditions[] .queryParameter .ignoreCase
IgnoreCase specifies that string matching should be case insensitive. Note that this has no effect on the Regex parameter.
- string required
.spec .includes[] .conditions[] .queryParameter .name
Name is the name of the query parameter to match against. Name is required. Query parameter names are case insensitive.
- string
.spec .includes[] .conditions[] .queryParameter .prefix
Prefix defines a prefix match for the query parameter value.
- boolean
.spec .includes[] .conditions[] .queryParameter .present
Present specifies that condition is true when the named query parameter is present, regardless of its value. Note that setting Present to false does not make the condition true if the named query parameter is absent.
- string
.spec .includes[] .conditions[] .queryParameter .regex
Regex specifies a regular expression pattern that must match the query parameter value.
- string
.spec .includes[] .conditions[] .queryParameter .suffix
Suffix defines a suffix match for a query parameter value.
- string
.spec .includes[] .conditions[] .regex
Regex defines a regex match for a request. This field is not allowed in include match conditions.
- string required
.spec .includes[] .name
Name of the HTTPProxy
- string
.spec .includes[] .namespace
Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied.
- string
.spec .ingressClassName
IngressClassName optionally specifies the ingress class to use for this HTTPProxy. This replaces the deprecated
kubernetes.io/ingress.classannotation. For backwards compatibility, when that annotation is set, it is given precedence over this field. - array
.spec .routes
Routes are the ingress routes. If TCPProxy is present, Routes is ignored.
- object
.spec .routes[] .authPolicy
AuthPolicy updates the authorization policy that was set on the root HTTPProxy object for client requests that match this route.
- object
.spec .routes[] .authPolicy .context
Context is a set of key/value pairs that are sent to the authentication server in the check request. If a context is provided at an enclosing scope, the entries are merged such that the inner scope overrides matching keys from the outer scope.
- boolean
.spec .routes[] .authPolicy .disabled
When true, this field disables client request authentication for the scope of the policy.
- array
.spec .routes[] .conditions
Conditions are a set of rules that are applied to a Route. When applied, they are merged using AND, with one exception: There can be only one Prefix, Exact or Regex MatchCondition per Conditions slice. More than one of these condition types, or contradictory Conditions, will make the route invalid.
- string
.spec .routes[] .conditions[] .exact
Exact defines a exact match for a request. This field is not allowed in include match conditions.
- object
.spec .routes[] .conditions[] .header
Header specifies the header condition to match.
- string
.spec .routes[] .conditions[] .header .contains
Contains specifies a substring that must be present in the header value.
- string
.spec .routes[] .conditions[] .header .exact
Exact specifies a string that the header value must be equal to.
- boolean
.spec .routes[] .conditions[] .header .ignoreCase
IgnoreCase specifies that string matching should be case insensitive. Note that this has no effect on the Regex parameter.
- string required
.spec .routes[] .conditions[] .header .name
Name is the name of the header to match against. Name is required. Header names are case insensitive.
- string
.spec .routes[] .conditions[] .header .notcontains
NotContains specifies a substring that must not be present in the header value.
- string
.spec .routes[] .conditions[] .header .notexact
NoExact specifies a string that the header value must not be equal to. The condition is true if the header has any other value.
- boolean
.spec .routes[] .conditions[] .header .notpresent
NotPresent specifies that condition is true when the named header is not present. Note that setting NotPresent to false does not make the condition true if the named header is present.
- boolean
.spec .routes[] .conditions[] .header .present
Present specifies that condition is true when the named header is present, regardless of its value. Note that setting Present to false does not make the condition true if the named header is absent.
- string
.spec .routes[] .conditions[] .header .regex
Regex specifies a regular expression pattern that must match the header value.
- boolean
.spec .routes[] .conditions[] .header .treatMissingAsEmpty
TreatMissingAsEmpty specifies if the header match rule specified header does not exist, this header value will be treated as empty. Defaults to false. Unlike the underlying Envoy implementation this is only supported for negative matches (e.g. NotContains, NotExact).
- string
.spec .routes[] .conditions[] .prefix
Prefix defines a prefix match for a request.
- object
.spec .routes[] .conditions[] .queryParameter
QueryParameter specifies the query parameter condition to match.
- string
.spec .routes[] .conditions[] .queryParameter .contains
Contains specifies a substring that must be present in the query parameter value.
- string
.spec .routes[] .conditions[] .queryParameter .exact
Exact specifies a string that the query parameter value must be equal to.
- boolean
.spec .routes[] .conditions[] .queryParameter .ignoreCase
IgnoreCase specifies that string matching should be case insensitive. Note that this has no effect on the Regex parameter.
- string required
.spec .routes[] .conditions[] .queryParameter .name
Name is the name of the query parameter to match against. Name is required. Query parameter names are case insensitive.
- string
.spec .routes[] .conditions[] .queryParameter .prefix
Prefix defines a prefix match for the query parameter value.
- boolean
.spec .routes[] .conditions[] .queryParameter .present
Present specifies that condition is true when the named query parameter is present, regardless of its value. Note that setting Present to false does not make the condition true if the named query parameter is absent.
- string
.spec .routes[] .conditions[] .queryParameter .regex
Regex specifies a regular expression pattern that must match the query parameter value.
- string
.spec .routes[] .conditions[] .queryParameter .suffix
Suffix defines a suffix match for a query parameter value.
- string
.spec .routes[] .conditions[] .regex
Regex defines a regex match for a request. This field is not allowed in include match conditions.
- object
.spec .routes[] .directResponsePolicy
DirectResponsePolicy returns an arbitrary HTTP response directly.
- string
.spec .routes[] .directResponsePolicy .body
Body is the content of the response body. If this setting is omitted, no body is included in the generated response. Note: Body is not recommended to set too long otherwise it can have significant resource usage impacts.
- integer required
.spec .routes[] .directResponsePolicy .statusCode
StatusCode is the HTTP response status to be returned.
- boolean
.spec .routes[] .enableWebsockets
Enables websocket support for the route.
- object
.spec .routes[] .healthCheckPolicy
The health check policy for this route.
- array
.spec .routes[] .healthCheckPolicy .expectedStatuses
The ranges of HTTP response statuses considered healthy. Follow half-open semantics, i.e. for each range the start is inclusive and the end is exclusive. Must be within the range [100,600). If not specified, only a 200 response status is considered healthy.
- integer required
.spec .routes[] .healthCheckPolicy .expectedStatuses[] .end
The end (exclusive) of a range of HTTP status codes.
- integer required
.spec .routes[] .healthCheckPolicy .expectedStatuses[] .start
The start (inclusive) of a range of HTTP status codes.
- integer
.spec .routes[] .healthCheckPolicy .healthyThresholdCount
The number of healthy health checks required before a host is marked healthy
- string
.spec .routes[] .healthCheckPolicy .host
The value of the host header in the HTTP health check request. If left empty (default value), the name “contour-envoy-healthcheck” will be used.
- integer
.spec .routes[] .healthCheckPolicy .intervalSeconds
The interval (seconds) between health checks
- string required
.spec .routes[] .healthCheckPolicy .path
HTTP endpoint used to perform health checks on upstream service
- integer
.spec .routes[] .healthCheckPolicy .timeoutSeconds
The time to wait (seconds) for a health check response
- integer
.spec .routes[] .healthCheckPolicy .unhealthyThresholdCount
The number of unhealthy health checks required before a host is marked unhealthy
- object
.spec .routes[] .internalRedirectPolicy
The policy to define when to handle redirects responses internally.
- string
.spec .routes[] .internalRedirectPolicy .allowCrossSchemeRedirect
AllowCrossSchemeRedirect Allow internal redirect to follow a target URI with a different scheme than the value of x-forwarded-proto. SafeOnly allows same scheme redirect and safe cross scheme redirect, which means if the downstream scheme is HTTPS, both HTTPS and HTTP redirect targets are allowed, but if the downstream scheme is HTTP, only HTTP redirect targets are allowed.
- boolean
.spec .routes[] .internalRedirectPolicy .denyRepeatedRouteRedirect
If DenyRepeatedRouteRedirect is true, rejects redirect targets that are pointing to a route that has been followed by a previous redirect from the current route.
- integer
.spec .routes[] .internalRedirectPolicy .maxInternalRedirects
MaxInternalRedirects An internal redirect is not handled, unless the number of previous internal redirects that a downstream request has encountered is lower than this value.
- array
.spec .routes[] .internalRedirectPolicy .redirectResponseCodes
RedirectResponseCodes If unspecified, only 302 will be treated as internal redirect. Only 301, 302, 303, 307 and 308 are valid values.
- array
.spec .routes[] .ipAllowPolicy
IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching requests should be allowed. All other requests will be denied. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. The rules defined here override any rules set on the root HTTPProxy.
- string required
.spec .routes[] .ipAllowPolicy[] .cidr
CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be a bare IP address (without a mask) to filter on exactly one address.
- string required
.spec .routes[] .ipAllowPolicy[] .source
Source indicates how to determine the ip address to filter on, and can be one of two values:
Remotefilters on the ip address of the client, accounting for PROXY and X-Forwarded-For as needed.Peerfilters on the ip of the network request, ignoring PROXY and X-Forwarded-For.
- array
.spec .routes[] .ipDenyPolicy
IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching requests should be denied. All other requests will be allowed. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. The rules defined here override any rules set on the root HTTPProxy.
- string required
.spec .routes[] .ipDenyPolicy[] .cidr
CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be a bare IP address (without a mask) to filter on exactly one address.
- string required
.spec .routes[] .ipDenyPolicy[] .source
Source indicates how to determine the ip address to filter on, and can be one of two values:
Remotefilters on the ip address of the client, accounting for PROXY and X-Forwarded-For as needed.Peerfilters on the ip of the network request, ignoring PROXY and X-Forwarded-For.
- object
.spec .routes[] .jwtVerificationPolicy
The policy for verifying JWTs for requests to this route.
- boolean
.spec .routes[] .jwtVerificationPolicy .disabled
Disabled defines whether to disable all JWT verification for this route. This can be used to opt specific routes out of the default JWT provider for the HTTPProxy. At most one of this field or the “require” field can be specified.
- string
.spec .routes[] .jwtVerificationPolicy .require
Require names a specific JWT provider (defined in the virtual host) to require for the route. If specified, this field overrides the default provider if one exists. If this field is not specified, the default provider will be required if one exists. At most one of this field or the “disabled” field can be specified.
- object
.spec .routes[] .loadBalancerPolicy
The load balancing policy for this route.
- array
.spec .routes[] .loadBalancerPolicy .requestHashPolicies
RequestHashPolicies contains a list of hash policies to apply when the
RequestHashload balancing strategy is chosen. If an element of the supplied list of hash policies is invalid, it will be ignored. If the list of hash policies is empty after validation, the load balancing strategy will fall back to the defaultRoundRobin. - boolean
.spec .routes[] .loadBalancerPolicy .requestHashPolicies[] .hashSourceIP
HashSourceIP should be set to true when request source IP hash based load balancing is desired. It must be the only hash option field set, otherwise this request hash policy object will be ignored.
- object
.spec .routes[] .loadBalancerPolicy .requestHashPolicies[] .headerHashOptions
HeaderHashOptions should be set when request header hash based load balancing is desired. It must be the only hash option field set, otherwise this request hash policy object will be ignored.
- string required
.spec .routes[] .loadBalancerPolicy .requestHashPolicies[] .headerHashOptions .headerName
HeaderName is the name of the HTTP request header that will be used to calculate the hash key. If the header specified is not present on a request, no hash will be produced.
- object
.spec .routes[] .loadBalancerPolicy .requestHashPolicies[] .queryParameterHashOptions
QueryParameterHashOptions should be set when request query parameter hash based load balancing is desired. It must be the only hash option field set, otherwise this request hash policy object will be ignored.
- string required
.spec .routes[] .loadBalancerPolicy .requestHashPolicies[] .queryParameterHashOptions .parameterName
ParameterName is the name of the HTTP request query parameter that will be used to calculate the hash key. If the query parameter specified is not present on a request, no hash will be produced.
- boolean
.spec .routes[] .loadBalancerPolicy .requestHashPolicies[] .terminal
Terminal is a flag that allows for short-circuiting computing of a hash for a given request. If set to true, and the request attribute specified in the attribute hash options is present, no further hash policies will be used to calculate a hash for the request.
- string
.spec .routes[] .loadBalancerPolicy .strategy
Strategy specifies the policy used to balance requests across the pool of backend pods. Valid policy names are
Random,RoundRobin,WeightedLeastRequest,Cookie, andRequestHash. If an unknown strategy name is specified or no policy is supplied, the defaultRoundRobinpolicy is used. - object
.spec .routes[] .pathRewritePolicy
The policy for rewriting the path of the request URL after the request has been routed to a Service.
- array
.spec .routes[] .pathRewritePolicy .replacePrefix
ReplacePrefix describes how the path prefix should be replaced.
- string
.spec .routes[] .pathRewritePolicy .replacePrefix[] .prefix
Prefix specifies the URL path prefix to be replaced. If Prefix is specified, it must exactly match the MatchCondition prefix that is rendered by the chain of including HTTPProxies and only that path prefix will be replaced by Replacement. This allows HTTPProxies that are included through multiple roots to only replace specific path prefixes, leaving others unmodified. If Prefix is not specified, all routing prefixes rendered by the include chain will be replaced.
- string required
.spec .routes[] .pathRewritePolicy .replacePrefix[] .replacement
Replacement is the string that the routing path prefix will be replaced with. This must not be empty.
- boolean
.spec .routes[] .permitInsecure
Allow this path to respond to insecure requests over HTTP which are normally not permitted when a
virtualhost.tlsblock is present. - object
.spec .routes[] .rateLimitPolicy
The policy for rate limiting on the route.
- object
.spec .routes[] .rateLimitPolicy .global
Global defines global rate limiting parameters, i.e. parameters defining descriptors that are sent to an external rate limit service (RLS) for a rate limit decision on each request.
- array
.spec .routes[] .rateLimitPolicy .global .descriptors
Descriptors defines the list of descriptors that will be generated and sent to the rate limit service. Each descriptor contains 1+ key-value pair entries.
- array required
.spec .routes[] .rateLimitPolicy .global .descriptors[] .entries
Entries is the list of key-value pair generators.
- object
.spec .routes[] .rateLimitPolicy .global .descriptors[] .entries[] .genericKey
GenericKey defines a descriptor entry with a static key and value.
- string
.spec .routes[] .rateLimitPolicy .global .descriptors[] .entries[] .genericKey .key
Key defines the key of the descriptor entry. If not set, the key is set to “generic_key”.
- string required
.spec .routes[] .rateLimitPolicy .global .descriptors[] .entries[] .genericKey .value
Value defines the value of the descriptor entry.
- object
.spec .routes[] .rateLimitPolicy .global .descriptors[] .entries[] .remoteAddress
RemoteAddress defines a descriptor entry with a key of “remote_address” and a value equal to the client’s IP address (from x-forwarded-for).
- object
.spec .routes[] .rateLimitPolicy .global .descriptors[] .entries[] .requestHeader
RequestHeader defines a descriptor entry that’s populated only if a given header is present on the request. The descriptor key is static, and the descriptor value is equal to the value of the header.
- string required
.spec .routes[] .rateLimitPolicy .global .descriptors[] .entries[] .requestHeader .descriptorKey
DescriptorKey defines the key to use on the descriptor entry.
- string required
.spec .routes[] .rateLimitPolicy .global .descriptors[] .entries[] .requestHeader .headerName
HeaderName defines the name of the header to look for on the request.
- object
.spec .routes[] .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch
RequestHeaderValueMatch defines a descriptor entry that’s populated if the request’s headers match a set of 1+ match criteria. The descriptor key is “header_match”, and the descriptor value is static.
- boolean
.spec .routes[] .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .expectMatch
ExpectMatch defines whether the request must positively match the match criteria in order to generate a descriptor entry (i.e. true), or not match the match criteria in order to generate a descriptor entry (i.e. false). The default is true.
- array
.spec .routes[] .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .headers
Headers is a list of 1+ match criteria to apply against the request to determine whether to populate the descriptor entry or not.
- string
.spec .routes[] .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .headers[] .contains
Contains specifies a substring that must be present in the header value.
- string
.spec .routes[] .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .headers[] .exact
Exact specifies a string that the header value must be equal to.
- boolean
.spec .routes[] .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .headers[] .ignoreCase
IgnoreCase specifies that string matching should be case insensitive. Note that this has no effect on the Regex parameter.
- string required
.spec .routes[] .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .headers[] .name
Name is the name of the header to match against. Name is required. Header names are case insensitive.
- string
.spec .routes[] .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .headers[] .notcontains
NotContains specifies a substring that must not be present in the header value.
- string
.spec .routes[] .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .headers[] .notexact
NoExact specifies a string that the header value must not be equal to. The condition is true if the header has any other value.
- boolean
.spec .routes[] .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .headers[] .notpresent
NotPresent specifies that condition is true when the named header is not present. Note that setting NotPresent to false does not make the condition true if the named header is present.
- boolean
.spec .routes[] .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .headers[] .present
Present specifies that condition is true when the named header is present, regardless of its value. Note that setting Present to false does not make the condition true if the named header is absent.
- string
.spec .routes[] .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .headers[] .regex
Regex specifies a regular expression pattern that must match the header value.
- boolean
.spec .routes[] .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .headers[] .treatMissingAsEmpty
TreatMissingAsEmpty specifies if the header match rule specified header does not exist, this header value will be treated as empty. Defaults to false. Unlike the underlying Envoy implementation this is only supported for negative matches (e.g. NotContains, NotExact).
- string required
.spec .routes[] .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .value
Value defines the value of the descriptor entry.
- boolean
.spec .routes[] .rateLimitPolicy .global .disabled
Disabled configures the HTTPProxy to not use the default global rate limit policy defined by the Contour configuration.
- object
.spec .routes[] .rateLimitPolicy .local
Local defines local rate limiting parameters, i.e. parameters for rate limiting that occurs within each Envoy pod as requests are handled.
- integer
.spec .routes[] .rateLimitPolicy .local .burst
Burst defines the number of requests above the requests per unit that should be allowed within a short period of time.
- integer required
.spec .routes[] .rateLimitPolicy .local .requests
Requests defines how many requests per unit of time should be allowed before rate limiting occurs.
- array
.spec .routes[] .rateLimitPolicy .local .responseHeadersToAdd
ResponseHeadersToAdd is an optional list of response headers to set when a request is rate-limited.
- string required
.spec .routes[] .rateLimitPolicy .local .responseHeadersToAdd[] .name
Name represents a key of a header
- string required
.spec .routes[] .rateLimitPolicy .local .responseHeadersToAdd[] .value
Value represents the value of a header specified by a key
- integer
.spec .routes[] .rateLimitPolicy .local .responseStatusCode
ResponseStatusCode is the HTTP status code to use for responses to rate-limited requests. Codes must be in the 400-599 range (inclusive). If not specified, the Envoy default of 429 (Too Many Requests) is used.
- string required
.spec .routes[] .rateLimitPolicy .local .unit
Unit defines the period of time within which requests over the limit will be rate limited. Valid values are “second”, “minute” and “hour”.
- object
.spec .routes[] .requestHeadersPolicy
The policy for managing request headers during proxying. You may dynamically rewrite the Host header to be forwarded upstream to the content of a request header using the below format “%REQ(X-Header-Name)%”. If the value of the header is empty, it is ignored. *NOTE: Pay attention to the potential security implications of using this option. Provided header must come from trusted source. **NOTE: The header rewrite is only done while forwarding and has no bearing on the routing decision.
- array
.spec .routes[] .requestHeadersPolicy .remove
Remove specifies a list of HTTP header names to remove.
- array
.spec .routes[] .requestHeadersPolicy .set
Set specifies a list of HTTP header values that will be set in the HTTP header. If the header does not exist it will be added, otherwise it will be overwritten with the new value.
- string required
.spec .routes[] .requestHeadersPolicy .set[] .name
Name represents a key of a header
- string required
.spec .routes[] .requestHeadersPolicy .set[] .value
Value represents the value of a header specified by a key
- object
.spec .routes[] .requestRedirectPolicy
RequestRedirectPolicy defines an HTTP redirection.
- string
.spec .routes[] .requestRedirectPolicy .hostname
Hostname is the precise hostname to be used in the value of the
Locationheader in the response. When empty, the hostname of the request is used. No wildcards are allowed. - string
.spec .routes[] .requestRedirectPolicy .path
Path allows for redirection to a different path from the original on the request. The path must start with a leading slash. Note: Only one of Path or Prefix can be defined.
- integer
.spec .routes[] .requestRedirectPolicy .port
Port is the port to be used in the value of the
Locationheader in the response. When empty, port (if specified) of the request is used. - string
.spec .routes[] .requestRedirectPolicy .prefix
Prefix defines the value to swap the matched prefix or path with. The prefix must start with a leading slash. Note: Only one of Path or Prefix can be defined.
- string
.spec .routes[] .requestRedirectPolicy .scheme
Scheme is the scheme to be used in the value of the
Locationheader in the response. When empty, the scheme of the request is used. - integer
.spec .routes[] .requestRedirectPolicy .statusCode
StatusCode is the HTTP status code to be used in response.
- object
.spec .routes[] .responseHeadersPolicy
The policy for managing response headers during proxying. Rewriting the ‘Host’ header is not supported.
- array
.spec .routes[] .responseHeadersPolicy .remove
Remove specifies a list of HTTP header names to remove.
- array
.spec .routes[] .responseHeadersPolicy .set
Set specifies a list of HTTP header values that will be set in the HTTP header. If the header does not exist it will be added, otherwise it will be overwritten with the new value.
- string required
.spec .routes[] .responseHeadersPolicy .set[] .name
Name represents a key of a header
- string required
.spec .routes[] .responseHeadersPolicy .set[] .value
Value represents the value of a header specified by a key
- object
.spec .routes[] .retryPolicy
The retry policy for this route.
- integer
.spec .routes[] .retryPolicy .count
NumRetries is maximum allowed number of retries. If set to -1, then retries are disabled. If set to 0 or not supplied, the value is set to the Envoy default of 1.
- string
.spec .routes[] .retryPolicy .perTryTimeout
PerTryTimeout specifies the timeout per retry attempt. Ignored if NumRetries is not supplied.
- array
.spec .routes[] .retryPolicy .retriableStatusCodes
RetriableStatusCodes specifies the HTTP status codes that should be retried. This field is only respected when you include
retriable-status-codesin theRetryOnfield. - array
.spec .routes[] .retryPolicy .retryOn
RetryOn specifies the conditions on which to retry a request. Supported HTTP conditions:
5xxgateway-errorresetreset-before-requestconnect-failureenvoy-ratelimitedretriable-4xxrefused-streamretriable-status-codesretriable-headershttp3-post-connect-failureSupported gRPC conditions:cancelleddeadline-exceededinternalresource-exhaustedunavailable
- array
.spec .routes[] .services
Services are the services to proxy traffic.
- integer
.spec .routes[] .services[] .healthPort
HealthPort is the port for this service healthcheck. If not specified, Port is used for service healthchecks.
- boolean
.spec .routes[] .services[] .mirror
If Mirror is true the Service will receive a read only mirror of the traffic for this route. If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring. NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This occurs since we cannot distinguish omitted fields from those explicitly set to their default values
- string required
.spec .routes[] .services[] .name
Name is the name of Kubernetes service to proxy traffic. Names defined here will be used to look up corresponding endpoints which contain the ips to route.
- integer required
.spec .routes[] .services[] .port
Port (defined as Integer) to proxy traffic to since a service can have multiple defined.
- string
.spec .routes[] .services[] .protocol
Protocol may be used to specify (or override) the protocol used to reach this Service. Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations.
- object
.spec .routes[] .services[] .requestHeadersPolicy
The policy for managing request headers during proxying.
- array
.spec .routes[] .services[] .requestHeadersPolicy .remove
Remove specifies a list of HTTP header names to remove.
- array
.spec .routes[] .services[] .requestHeadersPolicy .set
Set specifies a list of HTTP header values that will be set in the HTTP header. If the header does not exist it will be added, otherwise it will be overwritten with the new value.
- string required
.spec .routes[] .services[] .requestHeadersPolicy .set[] .name
Name represents a key of a header
- string required
.spec .routes[] .services[] .requestHeadersPolicy .set[] .value
Value represents the value of a header specified by a key
- object
.spec .routes[] .services[] .responseHeadersPolicy
The policy for managing response headers during proxying. Rewriting the ‘Host’ header is not supported.
- array
.spec .routes[] .services[] .responseHeadersPolicy .remove
Remove specifies a list of HTTP header names to remove.
- array
.spec .routes[] .services[] .responseHeadersPolicy .set
Set specifies a list of HTTP header values that will be set in the HTTP header. If the header does not exist it will be added, otherwise it will be overwritten with the new value.
- string required
.spec .routes[] .services[] .responseHeadersPolicy .set[] .name
Name represents a key of a header
- string required
.spec .routes[] .services[] .responseHeadersPolicy .set[] .value
Value represents the value of a header specified by a key
- object
.spec .routes[] .services[] .slowStartPolicy
Slow start will gradually increase amount of traffic to a newly added endpoint.
- string
.spec .routes[] .services[] .slowStartPolicy .aggression
The speed of traffic increase over the slow start window. Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic. When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly. The value of aggression parameter should be greater than 0.0. More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start
- integer
.spec .routes[] .services[] .slowStartPolicy .minWeightPercent
The minimum or starting percentage of traffic to send to new endpoints. A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window. If not specified, the default is 10%.
- string required
.spec .routes[] .services[] .slowStartPolicy .window
The duration of slow start window. Duration is expressed in the Go Duration format. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”.
- object
.spec .routes[] .services[] .validation
UpstreamValidation defines how to verify the backend service’s certificate
- string required
.spec .routes[] .services[] .validation .caSecret
Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. The secret must contain key named ca.crt. The name can be optionally prefixed with namespace “namespace/name”. When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317)
- string required
.spec .routes[] .services[] .validation .subjectName
Key which is expected to be present in the ‘subjectAltName’ of the presented certificate. Deprecated: migrate to using the plural field subjectNames.
- array
.spec .routes[] .services[] .validation .subjectNames
List of keys, of which at least one is expected to be present in the ‘subjectAltName of the presented certificate.
- integer
.spec .routes[] .services[] .weight
Weight defines percentage of traffic to balance traffic
- object
.spec .routes[] .timeoutPolicy
The timeout policy for this route.
- string
.spec .routes[] .timeoutPolicy .idle
Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2). Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests. If not specified, there is no per-route idle timeout, though a connection manager-wide stream_idle_timeout default of 5m still applies.
- string
.spec .routes[] .timeoutPolicy .idleConnection
Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests. If not supplied, Envoy’s default value of 1h applies.
- string
.spec .routes[] .timeoutPolicy .response
Timeout for receiving a response from the server after processing a request from client. If not supplied, Envoy’s default value of 15s applies.
- object
.spec .tcpproxy
TCPProxy holds TCP proxy information.
- object
.spec .tcpproxy .healthCheckPolicy
The health check policy for this tcp proxy
- integer
.spec .tcpproxy .healthCheckPolicy .healthyThresholdCount
The number of healthy health checks required before a host is marked healthy
- integer
.spec .tcpproxy .healthCheckPolicy .intervalSeconds
The interval (seconds) between health checks
- integer
.spec .tcpproxy .healthCheckPolicy .timeoutSeconds
The time to wait (seconds) for a health check response
- integer
.spec .tcpproxy .healthCheckPolicy .unhealthyThresholdCount
The number of unhealthy health checks required before a host is marked unhealthy
- object
.spec .tcpproxy .include
Include specifies that this tcpproxy should be delegated to another HTTPProxy.
- string required
.spec .tcpproxy .include .name
Name of the child HTTPProxy
- string
.spec .tcpproxy .include .namespace
Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied.
- object
.spec .tcpproxy .includes
IncludesDeprecated allow for specific routing configuration to be appended to another HTTPProxy in another namespace. Exists due to a mistake when developing HTTPProxy and the field was marked plural when it should have been singular. This field should stay to not break backwards compatibility to v1 users.
- string required
.spec .tcpproxy .includes .name
Name of the child HTTPProxy
- string
.spec .tcpproxy .includes .namespace
Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied.
- object
.spec .tcpproxy .loadBalancerPolicy
The load balancing policy for the backend services. Note that the
CookieandRequestHashload balancing strategies cannot be used here. - array
.spec .tcpproxy .loadBalancerPolicy .requestHashPolicies
RequestHashPolicies contains a list of hash policies to apply when the
RequestHashload balancing strategy is chosen. If an element of the supplied list of hash policies is invalid, it will be ignored. If the list of hash policies is empty after validation, the load balancing strategy will fall back to the defaultRoundRobin. - boolean
.spec .tcpproxy .loadBalancerPolicy .requestHashPolicies[] .hashSourceIP
HashSourceIP should be set to true when request source IP hash based load balancing is desired. It must be the only hash option field set, otherwise this request hash policy object will be ignored.
- object
.spec .tcpproxy .loadBalancerPolicy .requestHashPolicies[] .headerHashOptions
HeaderHashOptions should be set when request header hash based load balancing is desired. It must be the only hash option field set, otherwise this request hash policy object will be ignored.
- string required
.spec .tcpproxy .loadBalancerPolicy .requestHashPolicies[] .headerHashOptions .headerName
HeaderName is the name of the HTTP request header that will be used to calculate the hash key. If the header specified is not present on a request, no hash will be produced.
- object
.spec .tcpproxy .loadBalancerPolicy .requestHashPolicies[] .queryParameterHashOptions
QueryParameterHashOptions should be set when request query parameter hash based load balancing is desired. It must be the only hash option field set, otherwise this request hash policy object will be ignored.
- string required
.spec .tcpproxy .loadBalancerPolicy .requestHashPolicies[] .queryParameterHashOptions .parameterName
ParameterName is the name of the HTTP request query parameter that will be used to calculate the hash key. If the query parameter specified is not present on a request, no hash will be produced.
- boolean
.spec .tcpproxy .loadBalancerPolicy .requestHashPolicies[] .terminal
Terminal is a flag that allows for short-circuiting computing of a hash for a given request. If set to true, and the request attribute specified in the attribute hash options is present, no further hash policies will be used to calculate a hash for the request.
- string
.spec .tcpproxy .loadBalancerPolicy .strategy
Strategy specifies the policy used to balance requests across the pool of backend pods. Valid policy names are
Random,RoundRobin,WeightedLeastRequest,Cookie, andRequestHash. If an unknown strategy name is specified or no policy is supplied, the defaultRoundRobinpolicy is used. - array
.spec .tcpproxy .services
Services are the services to proxy traffic
- integer
.spec .tcpproxy .services[] .healthPort
HealthPort is the port for this service healthcheck. If not specified, Port is used for service healthchecks.
- boolean
.spec .tcpproxy .services[] .mirror
If Mirror is true the Service will receive a read only mirror of the traffic for this route. If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring. NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This occurs since we cannot distinguish omitted fields from those explicitly set to their default values
- string required
.spec .tcpproxy .services[] .name
Name is the name of Kubernetes service to proxy traffic. Names defined here will be used to look up corresponding endpoints which contain the ips to route.
- integer required
.spec .tcpproxy .services[] .port
Port (defined as Integer) to proxy traffic to since a service can have multiple defined.
- string
.spec .tcpproxy .services[] .protocol
Protocol may be used to specify (or override) the protocol used to reach this Service. Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations.
- object
.spec .tcpproxy .services[] .requestHeadersPolicy
The policy for managing request headers during proxying.
- array
.spec .tcpproxy .services[] .requestHeadersPolicy .remove
Remove specifies a list of HTTP header names to remove.
- array
.spec .tcpproxy .services[] .requestHeadersPolicy .set
Set specifies a list of HTTP header values that will be set in the HTTP header. If the header does not exist it will be added, otherwise it will be overwritten with the new value.
- string required
.spec .tcpproxy .services[] .requestHeadersPolicy .set[] .name
Name represents a key of a header
- string required
.spec .tcpproxy .services[] .requestHeadersPolicy .set[] .value
Value represents the value of a header specified by a key
- object
.spec .tcpproxy .services[] .responseHeadersPolicy
The policy for managing response headers during proxying. Rewriting the ‘Host’ header is not supported.
- array
.spec .tcpproxy .services[] .responseHeadersPolicy .remove
Remove specifies a list of HTTP header names to remove.
- array
.spec .tcpproxy .services[] .responseHeadersPolicy .set
Set specifies a list of HTTP header values that will be set in the HTTP header. If the header does not exist it will be added, otherwise it will be overwritten with the new value.
- string required
.spec .tcpproxy .services[] .responseHeadersPolicy .set[] .name
Name represents a key of a header
- string required
.spec .tcpproxy .services[] .responseHeadersPolicy .set[] .value
Value represents the value of a header specified by a key
- object
.spec .tcpproxy .services[] .slowStartPolicy
Slow start will gradually increase amount of traffic to a newly added endpoint.
- string
.spec .tcpproxy .services[] .slowStartPolicy .aggression
The speed of traffic increase over the slow start window. Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic. When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly. The value of aggression parameter should be greater than 0.0. More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start
- integer
.spec .tcpproxy .services[] .slowStartPolicy .minWeightPercent
The minimum or starting percentage of traffic to send to new endpoints. A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window. If not specified, the default is 10%.
- string required
.spec .tcpproxy .services[] .slowStartPolicy .window
The duration of slow start window. Duration is expressed in the Go Duration format. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”.
- object
.spec .tcpproxy .services[] .validation
UpstreamValidation defines how to verify the backend service’s certificate
- string required
.spec .tcpproxy .services[] .validation .caSecret
Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. The secret must contain key named ca.crt. The name can be optionally prefixed with namespace “namespace/name”. When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317)
- string required
.spec .tcpproxy .services[] .validation .subjectName
Key which is expected to be present in the ‘subjectAltName’ of the presented certificate. Deprecated: migrate to using the plural field subjectNames.
- array
.spec .tcpproxy .services[] .validation .subjectNames
List of keys, of which at least one is expected to be present in the ‘subjectAltName of the presented certificate.
- integer
.spec .tcpproxy .services[] .weight
Weight defines percentage of traffic to balance traffic
- object
.spec .virtualhost
Virtualhost appears at most once. If it is present, the object is considered to be a “root” HTTPProxy.
- object
.spec .virtualhost .corsPolicy
Specifies the cross-origin policy to apply to the VirtualHost.
- boolean
.spec .virtualhost .corsPolicy .allowCredentials
Specifies whether the resource allows credentials.
- array
.spec .virtualhost .corsPolicy .allowHeaders
AllowHeaders specifies the content for the access-control-allow-headers header.
- array required
.spec .virtualhost .corsPolicy .allowMethods
AllowMethods specifies the content for the access-control-allow-methods header.
- array required
.spec .virtualhost .corsPolicy .allowOrigin
AllowOrigin specifies the origins that will be allowed to do CORS requests. Allowed values include “*” which signifies any origin is allowed, an exact origin of the form “scheme://host[:port]” (where port is optional), or a valid regex pattern. Note that regex patterns are validated and a simple “glob” pattern (e.g. *.foo.com) will be rejected or produce unexpected matches when applied as a regex.
- boolean
.spec .virtualhost .corsPolicy .allowPrivateNetwork
AllowPrivateNetwork specifies whether to allow private network requests. See https://developer.chrome.com/blog/private-network-access-preflight.
- array
.spec .virtualhost .corsPolicy .exposeHeaders
ExposeHeaders Specifies the content for the access-control-expose-headers header.
- string
.spec .virtualhost .corsPolicy .maxAge
MaxAge indicates for how long the results of a preflight request can be cached. MaxAge durations are expressed in the Go Duration format. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. Only positive values are allowed while 0 disables the cache requiring a preflight OPTIONS check for all cross-origin requests.
- string required
.spec .virtualhost .fqdn
The fully qualified domain name of the root of the ingress tree all leaves of the DAG rooted at this object relate to the fqdn.
- array
.spec .virtualhost .ipAllowPolicy
IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching requests should be allowed. All other requests will be denied. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. The rules defined here may be overridden in a Route.
- string required
.spec .virtualhost .ipAllowPolicy[] .cidr
CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be a bare IP address (without a mask) to filter on exactly one address.
- string required
.spec .virtualhost .ipAllowPolicy[] .source
Source indicates how to determine the ip address to filter on, and can be one of two values:
Remotefilters on the ip address of the client, accounting for PROXY and X-Forwarded-For as needed.Peerfilters on the ip of the network request, ignoring PROXY and X-Forwarded-For.
- array
.spec .virtualhost .ipDenyPolicy
IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching requests should be denied. All other requests will be allowed. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. The rules defined here may be overridden in a Route.
- string required
.spec .virtualhost .ipDenyPolicy[] .cidr
CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be a bare IP address (without a mask) to filter on exactly one address.
- string required
.spec .virtualhost .ipDenyPolicy[] .source
Source indicates how to determine the ip address to filter on, and can be one of two values:
Remotefilters on the ip address of the client, accounting for PROXY and X-Forwarded-For as needed.Peerfilters on the ip of the network request, ignoring PROXY and X-Forwarded-For.
- array
.spec .virtualhost .jwtProviders
Providers to use for verifying JSON Web Tokens (JWTs) on the virtual host.
- array
.spec .virtualhost .jwtProviders[] .audiences
Audiences that JWTs are allowed to have in the “aud” field. If not provided, JWT audiences are not checked.
- boolean
.spec .virtualhost .jwtProviders[] .default
Whether the provider should apply to all routes in the HTTPProxy/its includes by default. At most one provider can be marked as the default. If no provider is marked as the default, individual routes must explicitly identify the provider they require.
- boolean
.spec .virtualhost .jwtProviders[] .forwardJWT
Whether the JWT should be forwarded to the backend service after successful verification. By default, the JWT is not forwarded.
- string
.spec .virtualhost .jwtProviders[] .issuer
Issuer that JWTs are required to have in the “iss” field. If not provided, JWT issuers are not checked.
- string required
.spec .virtualhost .jwtProviders[] .name
Unique name for the provider.
- object required
.spec .virtualhost .jwtProviders[] .remoteJWKS
Remote JWKS to use for verifying JWT signatures.
- string
.spec .virtualhost .jwtProviders[] .remoteJWKS .cacheDuration
How long to cache the JWKS locally. If not specified, Envoy’s default of 5m applies.
- string
.spec .virtualhost .jwtProviders[] .remoteJWKS .dnsLookupFamily
The DNS IP address resolution policy for the JWKS URI. When configured as “v4”, the DNS resolver will only perform a lookup for addresses in the IPv4 family. If “v6” is configured, the DNS resolver will only perform a lookup for addresses in the IPv6 family. If “all” is configured, the DNS resolver will perform a lookup for addresses in both the IPv4 and IPv6 family. If “auto” is configured, the DNS resolver will first perform a lookup for addresses in the IPv6 family and fallback to a lookup for addresses in the IPv4 family. If not specified, the Contour-wide setting defined in the config file or ContourConfiguration applies (defaults to “auto”). See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily for more information.
- string
.spec .virtualhost .jwtProviders[] .remoteJWKS .timeout
How long to wait for a response from the URI. If not specified, a default of 1s applies.
- string required
.spec .virtualhost .jwtProviders[] .remoteJWKS .uri
The URI for the JWKS.
- object
.spec .virtualhost .jwtProviders[] .remoteJWKS .validation
UpstreamValidation defines how to verify the JWKS’s TLS certificate.
- string required
.spec .virtualhost .jwtProviders[] .remoteJWKS .validation .caSecret
Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. The secret must contain key named ca.crt. The name can be optionally prefixed with namespace “namespace/name”. When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317)
- string required
.spec .virtualhost .jwtProviders[] .remoteJWKS .validation .subjectName
Key which is expected to be present in the ‘subjectAltName’ of the presented certificate. Deprecated: migrate to using the plural field subjectNames.
- array
.spec .virtualhost .jwtProviders[] .remoteJWKS .validation .subjectNames
List of keys, of which at least one is expected to be present in the ‘subjectAltName of the presented certificate.
- object
.spec .virtualhost .rateLimitPolicy
The policy for rate limiting on the virtual host.
- object
.spec .virtualhost .rateLimitPolicy .global
Global defines global rate limiting parameters, i.e. parameters defining descriptors that are sent to an external rate limit service (RLS) for a rate limit decision on each request.
- array
.spec .virtualhost .rateLimitPolicy .global .descriptors
Descriptors defines the list of descriptors that will be generated and sent to the rate limit service. Each descriptor contains 1+ key-value pair entries.
- array required
.spec .virtualhost .rateLimitPolicy .global .descriptors[] .entries
Entries is the list of key-value pair generators.
- object
.spec .virtualhost .rateLimitPolicy .global .descriptors[] .entries[] .genericKey
GenericKey defines a descriptor entry with a static key and value.
- string
.spec .virtualhost .rateLimitPolicy .global .descriptors[] .entries[] .genericKey .key
Key defines the key of the descriptor entry. If not set, the key is set to “generic_key”.
- string required
.spec .virtualhost .rateLimitPolicy .global .descriptors[] .entries[] .genericKey .value
Value defines the value of the descriptor entry.
- object
.spec .virtualhost .rateLimitPolicy .global .descriptors[] .entries[] .remoteAddress
RemoteAddress defines a descriptor entry with a key of “remote_address” and a value equal to the client’s IP address (from x-forwarded-for).
- object
.spec .virtualhost .rateLimitPolicy .global .descriptors[] .entries[] .requestHeader
RequestHeader defines a descriptor entry that’s populated only if a given header is present on the request. The descriptor key is static, and the descriptor value is equal to the value of the header.
- string required
.spec .virtualhost .rateLimitPolicy .global .descriptors[] .entries[] .requestHeader .descriptorKey
DescriptorKey defines the key to use on the descriptor entry.
- string required
.spec .virtualhost .rateLimitPolicy .global .descriptors[] .entries[] .requestHeader .headerName
HeaderName defines the name of the header to look for on the request.
- object
.spec .virtualhost .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch
RequestHeaderValueMatch defines a descriptor entry that’s populated if the request’s headers match a set of 1+ match criteria. The descriptor key is “header_match”, and the descriptor value is static.
- boolean
.spec .virtualhost .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .expectMatch
ExpectMatch defines whether the request must positively match the match criteria in order to generate a descriptor entry (i.e. true), or not match the match criteria in order to generate a descriptor entry (i.e. false). The default is true.
- array
.spec .virtualhost .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .headers
Headers is a list of 1+ match criteria to apply against the request to determine whether to populate the descriptor entry or not.
- string
.spec .virtualhost .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .headers[] .contains
Contains specifies a substring that must be present in the header value.
- string
.spec .virtualhost .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .headers[] .exact
Exact specifies a string that the header value must be equal to.
- boolean
.spec .virtualhost .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .headers[] .ignoreCase
IgnoreCase specifies that string matching should be case insensitive. Note that this has no effect on the Regex parameter.
- string required
.spec .virtualhost .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .headers[] .name
Name is the name of the header to match against. Name is required. Header names are case insensitive.
- string
.spec .virtualhost .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .headers[] .notcontains
NotContains specifies a substring that must not be present in the header value.
- string
.spec .virtualhost .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .headers[] .notexact
NoExact specifies a string that the header value must not be equal to. The condition is true if the header has any other value.
- boolean
.spec .virtualhost .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .headers[] .notpresent
NotPresent specifies that condition is true when the named header is not present. Note that setting NotPresent to false does not make the condition true if the named header is present.
- boolean
.spec .virtualhost .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .headers[] .present
Present specifies that condition is true when the named header is present, regardless of its value. Note that setting Present to false does not make the condition true if the named header is absent.
- string
.spec .virtualhost .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .headers[] .regex
Regex specifies a regular expression pattern that must match the header value.
- boolean
.spec .virtualhost .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .headers[] .treatMissingAsEmpty
TreatMissingAsEmpty specifies if the header match rule specified header does not exist, this header value will be treated as empty. Defaults to false. Unlike the underlying Envoy implementation this is only supported for negative matches (e.g. NotContains, NotExact).
- string required
.spec .virtualhost .rateLimitPolicy .global .descriptors[] .entries[] .requestHeaderValueMatch .value
Value defines the value of the descriptor entry.
- boolean
.spec .virtualhost .rateLimitPolicy .global .disabled
Disabled configures the HTTPProxy to not use the default global rate limit policy defined by the Contour configuration.
- object
.spec .virtualhost .rateLimitPolicy .local
Local defines local rate limiting parameters, i.e. parameters for rate limiting that occurs within each Envoy pod as requests are handled.
- integer
.spec .virtualhost .rateLimitPolicy .local .burst
Burst defines the number of requests above the requests per unit that should be allowed within a short period of time.
- integer required
.spec .virtualhost .rateLimitPolicy .local .requests
Requests defines how many requests per unit of time should be allowed before rate limiting occurs.
- array
.spec .virtualhost .rateLimitPolicy .local .responseHeadersToAdd
ResponseHeadersToAdd is an optional list of response headers to set when a request is rate-limited.
- string required
.spec .virtualhost .rateLimitPolicy .local .responseHeadersToAdd[] .name
Name represents a key of a header
- string required
.spec .virtualhost .rateLimitPolicy .local .responseHeadersToAdd[] .value
Value represents the value of a header specified by a key
- integer
.spec .virtualhost .rateLimitPolicy .local .responseStatusCode
ResponseStatusCode is the HTTP status code to use for responses to rate-limited requests. Codes must be in the 400-599 range (inclusive). If not specified, the Envoy default of 429 (Too Many Requests) is used.
- string required
.spec .virtualhost .rateLimitPolicy .local .unit
Unit defines the period of time within which requests over the limit will be rate limited. Valid values are “second”, “minute” and “hour”.
- object
.spec .virtualhost .tls
If present the fields describes TLS properties of the virtual host. The SNI names that will be matched on are described in fqdn, the tls.secretName secret must contain a certificate that itself contains a name that matches the FQDN.
- object
.spec .virtualhost .tls .clientValidation
ClientValidation defines how to verify the client certificate when an external client establishes a TLS connection to Envoy. This setting:
- Enables TLS client certificate validation.
- Specifies how the client certificate will be validated (i.e. validation required or skipped). Note: Setting client certificate validation to be skipped should be only used in conjunction with an external authorization server that performs client validation as Contour will ensure client certificates are passed along.
- string
.spec .virtualhost .tls .clientValidation .caSecret
Name of a Kubernetes secret that contains a CA certificate bundle. The secret must contain key named ca.crt. The client certificate must validate against the certificates in the bundle. If specified and SkipClientCertValidation is true, client certificates will be required on requests. The name can be optionally prefixed with namespace “namespace/name”. When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
- boolean
.spec .virtualhost .tls .clientValidation .crlOnlyVerifyLeafCert
If this option is set to true, only the certificate at the end of the certificate chain will be subject to validation by CRL.
- string
.spec .virtualhost .tls .clientValidation .crlSecret
Name of a Kubernetes opaque secret that contains a concatenated list of PEM encoded CRLs. The secret must contain key named crl.pem. This field will be used to verify that a client certificate has not been revoked. CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert is true. Large CRL lists are not supported since individual secrets are limited to 1MiB in size. The name can be optionally prefixed with namespace “namespace/name”. When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
- object
.spec .virtualhost .tls .clientValidation .forwardClientCertificate
ForwardClientCertificate adds the selected data from the passed client TLS certificate to the x-forwarded-client-cert header.
- boolean
.spec .virtualhost .tls .clientValidation .forwardClientCertificate .cert
Client cert in URL encoded PEM format.
- boolean
.spec .virtualhost .tls .clientValidation .forwardClientCertificate .chain
Client cert chain (including the leaf cert) in URL encoded PEM format.
- boolean
.spec .virtualhost .tls .clientValidation .forwardClientCertificate .dns
DNS type Subject Alternative Names of the client cert.
- boolean
.spec .virtualhost .tls .clientValidation .forwardClientCertificate .subject
Subject of the client cert.
- boolean
.spec .virtualhost .tls .clientValidation .forwardClientCertificate .uri
URI type Subject Alternative Name of the client cert.
- boolean
.spec .virtualhost .tls .clientValidation .optionalClientCertificate
OptionalClientCertificate when set to true will request a client certificate but allow the connection to continue if the client does not provide one. If a client certificate is sent, it will be verified according to the other properties, which includes disabling validation if SkipClientCertValidation is set. Defaults to false.
- boolean
.spec .virtualhost .tls .clientValidation .skipClientCertValidation
SkipClientCertValidation disables downstream client certificate validation. Defaults to false. This field is intended to be used in conjunction with external authorization in order to enable the external authorization server to validate client certificates. When this field is set to true, client certificates are requested but not verified by Envoy. If CACertificate is specified, client certificates are required on requests, but not verified. If external authorization is in use, they are presented to the external authorization server.
- boolean
.spec .virtualhost .tls .enableFallbackCertificate
EnableFallbackCertificate defines if the vhost should allow a default certificate to be applied which handles all requests which don’t match the SNI defined in this vhost.
- string
.spec .virtualhost .tls .maximumProtocolVersion
MaximumProtocolVersion is the maximum TLS version this vhost should negotiate. Valid options are
1.2and1.3(default). Any other value defaults to TLS 1.3. - string
.spec .virtualhost .tls .minimumProtocolVersion
MinimumProtocolVersion is the minimum TLS version this vhost should negotiate. Valid options are
1.2(default) and1.3. Any other value defaults to TLS 1.2. - boolean
.spec .virtualhost .tls .passthrough
Passthrough defines whether the encrypted TLS handshake will be passed through to the backing cluster. Either Passthrough or SecretName must be specified, but not both.
- string
.spec .virtualhost .tls .secretName
SecretName is the name of a TLS secret. Either SecretName or Passthrough must be specified, but not both. If specified, the named secret must contain a matching certificate for the virtual host’s FQDN. The name can be optionally prefixed with namespace “namespace/name”. When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
- object
.status
Status is a container for computed information about the HTTPProxy.
- array
.status .conditions
Conditions contains information about the current status of the HTTPProxy, in an upstream-friendly container. Contour will update a single condition,
Valid, that is in normal-true polarity. That is, whencurrentStatusisvalid, theValidcondition will bestatus: true, and vice versa. Contour will leave untouched any other Conditions set in this block, in case some other controller wants to add a Condition. If you are another controller owner and wish to add a condition, you should namespace your condition with a label, likecontroller.domain.com/ConditionName. - array
.status .conditions[] .errors
Errors contains a slice of relevant error subconditions for this object. Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. An empty slice here indicates no errors.
- string required
.status .conditions[] .errors[] .message
Message is a human readable message indicating details about the transition. This may be an empty string.
- string required
.status .conditions[] .errors[] .reason
Reason contains a programmatic identifier indicating the reason for the condition’s last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
- string required
.status .conditions[] .errors[] .status
Status of the condition, one of True, False, Unknown.
- string required
.status .conditions[] .errors[] .type
Type of condition in
CamelCaseor infoo.example.com/CamelCase. This must be in abnormal-true polarity, that is,ErrorFoundorcontroller.io/ErrorFound. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - string required
.status .conditions[] .lastTransitionTime
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- string required
.status .conditions[] .message
message is a human readable message indicating details about the transition. This may be an empty string.
- integer
.status .conditions[] .observedGeneration
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
- string required
.status .conditions[] .reason
reason contains a programmatic identifier indicating the reason for the condition’s last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
- string required
.status .conditions[] .status
status of the condition, one of True, False, Unknown.
- string required
.status .conditions[] .type
type of condition in CamelCase or in foo.example.com/CamelCase.
- array
.status .conditions[] .warnings
Warnings contains a slice of relevant warning subconditions for this object. Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. An empty slice here indicates no warnings.
- string required
.status .conditions[] .warnings[] .message
Message is a human readable message indicating details about the transition. This may be an empty string.
- string required
.status .conditions[] .warnings[] .reason
Reason contains a programmatic identifier indicating the reason for the condition’s last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
- string required
.status .conditions[] .warnings[] .status
Status of the condition, one of True, False, Unknown.
- string required
.status .conditions[] .warnings[] .type
Type of condition in
CamelCaseor infoo.example.com/CamelCase. This must be in abnormal-true polarity, that is,ErrorFoundorcontroller.io/ErrorFound. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - string
.status .currentStatus
- string
.status .description
- object
.status .loadBalancer
LoadBalancer contains the current status of the load balancer.
- array
.status .loadBalancer .ingress
Ingress is a list containing ingress points for the load-balancer. Traffic intended for the service should be sent to these ingress points.
- string
.status .loadBalancer .ingress[] .hostname
Hostname is set for load-balancer ingress points that are DNS based (typically AWS load-balancers)
- string
.status .loadBalancer .ingress[] .ip
IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers)
- string
.status .loadBalancer .ingress[] .ipMode
IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified. Setting this to “VIP” indicates that traffic is delivered to the node with the destination set to the load-balancer’s IP and port. Setting this to “Proxy” indicates that traffic is delivered to the node or pod with the destination set to the node’s IP and node port or the pod’s IP and port. Service implementations may use this information to adjust traffic routing.
- array
.status .loadBalancer .ingress[] .ports
Ports is a list of records of service ports If used, every port defined in the service should have an entry in it
- string required
.status .loadBalancer .ingress[] .ports[] .error
Error is to record the problem with the service port The format of the error shall comply with the following rules:
- built-in error values shall be specified in this file and those shall use CamelCase names
- cloud provider specific error values must have names that comply with the format foo.example.com/CamelCase.
- integer required
.status .loadBalancer .ingress[] .ports[] .port
Port is the port number of the service port of which status is recorded here
- string required
.status .loadBalancer .ingress[] .ports[] .protocol
Protocol is the protocol of the service port of which status is recorded here The supported values are: “TCP”, “UDP”, “SCTP”