Contour Logo

Documentation

Contour API Reference

Packages:

projectcontour.io/v1

Package v1 holds the specification for the projectcontour.io Custom Resource Definitions (CRDs).

In building this CRD, we’ve inadvertently overloaded the word “Condition”, so we’ve tried to make this spec clear as to which types of condition are which.

MatchConditions are used by Routes and Includes to specify rules to match requests against for either routing or inclusion.

DetailedConditions are used in the Status of these objects to hold information about the relevant state of the object and the world around it.

SubConditions are used underneath DetailedConditions to give more detail to errors or warnings.

Resource Types:

HTTPProxy

HTTPProxy is an Ingress CRD specification.

FieldDescription
apiVersion
string
projectcontour.io/v1
kind
string
HTTPProxy
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
HTTPProxySpec


virtualhost
VirtualHost
(Optional)

Virtualhost appears at most once. If it is present, the object is considered to be a “root” HTTPProxy.

routes
[]Route
(Optional)

Routes are the ingress routes. If TCPProxy is present, Routes is ignored.

tcpproxy
TCPProxy
(Optional)

TCPProxy holds TCP proxy information.

includes
[]Include
(Optional)

Includes allow for specific routing configuration to be included from another HTTPProxy, possibly in another namespace.

ingressClassName
string
(Optional)

IngressClassName optionally specifies the ingress class to use for this HTTPProxy. This replaces the deprecated kubernetes.io/ingress.class annotation. For backwards compatibility, when that annotation is set, it is given precedence over this field.

status
HTTPProxyStatus
(Optional)

Status is a container for computed information about the HTTPProxy.

TLSCertificateDelegation

TLSCertificateDelegation is an TLS Certificate Delegation CRD specification. See design/tls-certificate-delegation.md for details.

FieldDescription
apiVersion
string
projectcontour.io/v1
kind
string
TLSCertificateDelegation
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
TLSCertificateDelegationSpec


delegations
[]CertificateDelegation
status
TLSCertificateDelegationStatus
(Optional)

AuthorizationPolicy

(Appears on: AuthorizationServer, Route)

AuthorizationPolicy modifies how client requests are authenticated.

FieldDescription
disabled
bool
(Optional)

When true, this field disables client request authentication for the scope of the policy.

context
map[string]string
(Optional)

Context is a set of key/value pairs that are sent to the authentication server in the check request. If a context is provided at an enclosing scope, the entries are merged such that the inner scope overrides matching keys from the outer scope.

AuthorizationServer

(Appears on: VirtualHost)

AuthorizationServer configures an external server to authenticate client requests. The external server must implement the v3 Envoy external authorization GRPC protocol (https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto).

FieldDescription
extensionRef
ExtensionServiceReference

ExtensionServiceRef specifies the extension resource that will authorize client requests.

authPolicy
AuthorizationPolicy
(Optional)

AuthPolicy sets a default authorization policy for client requests. This policy will be used unless overridden by individual routes.

responseTimeout
string
(Optional)

ResponseTimeout configures maximum time to wait for a check response from the authorization server. Timeout durations are expressed in the Go Duration format. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. The string “infinity” is also a valid input and specifies no timeout.

failOpen
bool
(Optional)

If FailOpen is true, the client request is forwarded to the upstream service even if the authorization server fails to respond. This field should not be set in most cases. It is intended for use only while migrating applications from internal authorization to Contour external authorization.

withRequestBody
AuthorizationServerBufferSettings
(Optional)

WithRequestBody specifies configuration for sending the client request’s body to authorization server.

AuthorizationServerBufferSettings

(Appears on: AuthorizationServer)

AuthorizationServerBufferSettings enables ExtAuthz filter to buffer client request data and send it as part of authorization request

FieldDescription
maxRequestBytes
uint32
(Optional)

MaxRequestBytes sets the maximum size of message body ExtAuthz filter will hold in-memory.

allowPartialMessage
bool
(Optional)

If AllowPartialMessage is true, then Envoy will buffer the body until MaxRequestBytes are reached.

packAsBytes
bool
(Optional)

If PackAsBytes is true, the body sent to Authorization Server is in raw bytes.

CORSHeaderValue (string alias)

(Appears on: CORSPolicy)

CORSHeaderValue specifies the value of the string headers returned by a cross-domain request.

CORSPolicy

(Appears on: VirtualHost)

CORSPolicy allows setting the CORS policy

FieldDescription
allowCredentials
bool
(Optional)

Specifies whether the resource allows credentials.

allowOrigin
[]string

AllowOrigin specifies the origins that will be allowed to do CORS requests. “*” means allow any origin.

allowMethods
[]CORSHeaderValue

AllowMethods specifies the content for the access-control-allow-methods header.

allowHeaders
[]CORSHeaderValue
(Optional)

AllowHeaders specifies the content for the access-control-allow-headers header.

exposeHeaders
[]CORSHeaderValue
(Optional)

ExposeHeaders Specifies the content for the access-control-expose-headers header.

maxAge
string
(Optional)

MaxAge indicates for how long the results of a preflight request can be cached. MaxAge durations are expressed in the Go Duration format. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. Only positive values are allowed while 0 disables the cache requiring a preflight OPTIONS check for all cross-origin requests.

CertificateDelegation

(Appears on: TLSCertificateDelegationSpec)

CertificateDelegation maps the authority to reference a secret in the current namespace to a set of namespaces.

FieldDescription
secretName
string

required, the name of a secret in the current namespace.

targetNamespaces
[]string

required, the namespaces the authority to reference the the secret will be delegated to. If TargetNamespaces is nil or empty, the CertificateDelegation’ is ignored. If the TargetNamespace list contains the character, “*” the secret will be delegated to all namespaces.

CookieDomainRewrite

(Appears on: CookieRewritePolicy)

FieldDescription
value
string

Value is the value to rewrite the Domain attribute to. For now this is required.

CookiePathRewrite

(Appears on: CookieRewritePolicy)

FieldDescription
value
string

Value is the value to rewrite the Path attribute to. For now this is required.

CookieRewritePolicy

(Appears on: Route, Service)

FieldDescription
name
string

Name is the name of the cookie for which attributes will be rewritten.

pathRewrite
CookiePathRewrite
(Optional)

PathRewrite enables rewriting the Set-Cookie Path element. If not set, Path will not be rewritten.

domainRewrite
CookieDomainRewrite
(Optional)

DomainRewrite enables rewriting the Set-Cookie Domain element. If not set, Domain will not be rewritten.

secure
bool
(Optional)

Secure enables rewriting the Set-Cookie Secure element. If not set, Secure attribute will not be rewritten.

sameSite
string
(Optional)

SameSite enables rewriting the Set-Cookie SameSite element. If not set, SameSite attribute will not be rewritten.

DetailedCondition

(Appears on: HTTPProxyStatus, TLSCertificateDelegationStatus, ContourConfigurationStatus, ExtensionServiceStatus)

DetailedCondition is an extension of the normal Kubernetes conditions, with two extra fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) of the condition.

errors holds information about sub-conditions which are fatal to that condition and render its state False.

warnings holds information about sub-conditions which are not fatal to that condition and do not force the state to be False.

Remember that Conditions have a type, a status, and a reason.

The type is the type of the condition, the most important one in this CRD set is Valid. Valid is a positive-polarity condition: when it is status: true there are no problems.

In more detail, status: true means that the object is has been ingested into Contour with no errors. warnings may still be present, and will be indicated in the Reason field. There must be zero entries in the errors slice in this case.

Valid, status: false means that the object has had one or more fatal errors during processing into Contour. The details of the errors will be present under the errors field. There must be at least one error in the errors slice if status is false.

For DetailedConditions of types other than Valid, the Condition must be in the negative polarity. When they have status true, there is an error. There must be at least one entry in the errors Subcondition slice. When they have status false, there are no serious errors, and there must be zero entries in the errors slice. In either case, there may be entries in the warnings slice.

Regardless of the polarity, the reason and message fields must be updated with either the detail of the reason (if there is one and only one entry in total across both the errors and warnings slices), or MultipleReasons if there is more than one entry.

FieldDescription
Condition
Kubernetes meta/v1.Condition

(Members of Condition are embedded into this type.)

errors
[]SubCondition
(Optional)

Errors contains a slice of relevant error subconditions for this object.

Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. An empty slice here indicates no errors.

warnings
[]SubCondition
(Optional)

Warnings contains a slice of relevant warning subconditions for this object.

Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. An empty slice here indicates no warnings.

DownstreamValidation

(Appears on: TLS)

DownstreamValidation defines how to verify the client certificate.

FieldDescription
caSecret
string
(Optional)

Name of a Kubernetes secret that contains a CA certificate bundle. The secret must contain key named ca.crt. The client certificate must validate against the certificates in the bundle. If specified and SkipClientCertValidation is true, client certificates will be required on requests.

skipClientCertValidation
bool
(Optional)

SkipClientCertValidation disables downstream client certificate validation. Defaults to false. This field is intended to be used in conjunction with external authorization in order to enable the external authorization server to validate client certificates. When this field is set to true, client certificates are requested but not verified by Envoy. If CACertificate is specified, client certificates are required on requests, but not verified. If external authorization is in use, they are presented to the external authorization server.

crlSecret
string
(Optional)

Name of a Kubernetes opaque secret that contains a concatenated list of PEM encoded CRLs. The secret must contain key named crl.pem. This field will be used to verify that a client certificate has not been revoked. CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert is true. Large CRL lists are not supported since individual secrets are limited to 1MiB in size.

crlOnlyVerifyLeafCert
bool
(Optional)

If this option is set to true, only the certificate at the end of the certificate chain will be subject to validation by CRL.

ExtensionServiceReference

(Appears on: AuthorizationServer)

ExtensionServiceReference names an ExtensionService resource.

FieldDescription
apiVersion
string
(Optional)

API version of the referent. If this field is not specified, the default “projectcontour.io/v1alpha1” will be used

namespace
string
(Optional)

Namespace of the referent. If this field is not specifies, the namespace of the resource that targets the referent will be used.

More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

name
string

Name of the referent.

More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

GenericKeyDescriptor

(Appears on: RateLimitDescriptorEntry)

GenericKeyDescriptor defines a descriptor entry with a static key and value.

FieldDescription
key
string
(Optional)

Key defines the key of the descriptor entry. If not set, the key is set to “generic_key”.

value
string

Value defines the value of the descriptor entry.

GlobalRateLimitPolicy

(Appears on: RateLimitPolicy)

GlobalRateLimitPolicy defines global rate limiting parameters.

FieldDescription
descriptors
[]RateLimitDescriptor

Descriptors defines the list of descriptors that will be generated and sent to the rate limit service. Each descriptor contains 1+ key-value pair entries.

HTTPDirectResponsePolicy

(Appears on: Route)

FieldDescription
statusCode
int

StatusCode is the HTTP response status to be returned.

body
string
(Optional)

Body is the content of the response body. If this setting is omitted, no body is included in the generated response.

Note: Body is not recommended to set too long otherwise it can have significant resource usage impacts.

HTTPHealthCheckPolicy

(Appears on: Route)

HTTPHealthCheckPolicy defines health checks on the upstream service.

FieldDescription
path
string

HTTP endpoint used to perform health checks on upstream service

host
string

The value of the host header in the HTTP health check request. If left empty (default value), the name “contour-envoy-healthcheck” will be used.

intervalSeconds
int64
(Optional)

The interval (seconds) between health checks

timeoutSeconds
int64
(Optional)

The time to wait (seconds) for a health check response

unhealthyThresholdCount
int64
(Optional)

The number of unhealthy health checks required before a host is marked unhealthy

healthyThresholdCount
int64
(Optional)

The number of healthy health checks required before a host is marked healthy

HTTPProxySpec

(Appears on: HTTPProxy)

HTTPProxySpec defines the spec of the CRD.

FieldDescription
virtualhost
VirtualHost
(Optional)

Virtualhost appears at most once. If it is present, the object is considered to be a “root” HTTPProxy.

routes
[]Route
(Optional)

Routes are the ingress routes. If TCPProxy is present, Routes is ignored.

tcpproxy
TCPProxy
(Optional)

TCPProxy holds TCP proxy information.

includes
[]Include
(Optional)

Includes allow for specific routing configuration to be included from another HTTPProxy, possibly in another namespace.

ingressClassName
string
(Optional)

IngressClassName optionally specifies the ingress class to use for this HTTPProxy. This replaces the deprecated kubernetes.io/ingress.class annotation. For backwards compatibility, when that annotation is set, it is given precedence over this field.

HTTPProxyStatus

(Appears on: HTTPProxy)

HTTPProxyStatus reports the current state of the HTTPProxy.

FieldDescription
currentStatus
string
(Optional)
description
string
(Optional)
loadBalancer
Kubernetes core/v1.LoadBalancerStatus
(Optional)

LoadBalancer contains the current status of the load balancer.

conditions
[]DetailedCondition
(Optional)

Conditions contains information about the current status of the HTTPProxy, in an upstream-friendly container.

Contour will update a single condition, Valid, that is in normal-true polarity. That is, when currentStatus is valid, the Valid condition will be status: true, and vice versa.

Contour will leave untouched any other Conditions set in this block, in case some other controller wants to add a Condition.

If you are another controller owner and wish to add a condition, you should namespace your condition with a label, like controller.domain.com/ConditionName.

HTTPRequestRedirectPolicy

(Appears on: Route)

HTTPRequestRedirectPolicy defines configuration for redirecting a request.

FieldDescription
scheme
string
(Optional)

Scheme is the scheme to be used in the value of the Location header in the response. When empty, the scheme of the request is used.

hostname
string
(Optional)

Hostname is the precise hostname to be used in the value of the Location header in the response. When empty, the hostname of the request is used. No wildcards are allowed.

port
int32
(Optional)

Port is the port to be used in the value of the Location header in the response. When empty, port (if specified) of the request is used.

statusCode
int
(Optional)

StatusCode is the HTTP status code to be used in response.

path
string
(Optional)

Path allows for redirection to a different path from the original on the request. The path must start with a leading slash.

Note: Only one of Path or Prefix can be defined.

prefix
string
(Optional)

Prefix defines the value to swap the matched prefix or path with. The prefix must start with a leading slash.

Note: Only one of Path or Prefix can be defined.

HeaderHashOptions

(Appears on: RequestHashPolicy)

HeaderHashOptions contains options to configure a HTTP request header hash policy, used in request attribute hash based load balancing.

FieldDescription
headerName
string

HeaderName is the name of the HTTP request header that will be used to calculate the hash key. If the header specified is not present on a request, no hash will be produced.

HeaderMatchCondition

(Appears on: MatchCondition, RequestHeaderValueMatchDescriptor)

HeaderMatchCondition specifies how to conditionally match against HTTP headers. The Name field is required, but only one of the remaining fields should be be provided.

FieldDescription
name
string

Name is the name of the header to match against. Name is required. Header names are case insensitive.

present
bool
(Optional)

Present specifies that condition is true when the named header is present, regardless of its value. Note that setting Present to false does not make the condition true if the named header is absent.

notpresent
bool
(Optional)

NotPresent specifies that condition is true when the named header is not present. Note that setting NotPresent to false does not make the condition true if the named header is present.

contains
string
(Optional)

Contains specifies a substring that must be present in the header value.

notcontains
string
(Optional)

NotContains specifies a substring that must not be present in the header value.

exact
string
(Optional)

Exact specifies a string that the header value must be equal to.

notexact
string
(Optional)

NoExact specifies a string that the header value must not be equal to. The condition is true if the header has any other value.

HeaderValue

(Appears on: HeadersPolicy, LocalRateLimitPolicy)

HeaderValue represents a header name/value pair

FieldDescription
name
string

Name represents a key of a header

value
string

Value represents the value of a header specified by a key

HeadersPolicy

(Appears on: Route, Service)

HeadersPolicy defines how headers are managed during forwarding. The Host header is treated specially and if set in a HTTP response will be used as the SNI server name when forwarding over TLS. It is an error to attempt to set the Host header in a HTTP response.

FieldDescription
set
[]HeaderValue
(Optional)

Set specifies a list of HTTP header values that will be set in the HTTP header. If the header does not exist it will be added, otherwise it will be overwritten with the new value.

remove
[]string
(Optional)

Remove specifies a list of HTTP header names to remove.

Include

(Appears on: HTTPProxySpec)

Include describes a set of policies that can be applied to an HTTPProxy in a namespace.

FieldDescription
name
string

Name of the HTTPProxy

namespace
string
(Optional)

Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied.

conditions
[]MatchCondition
(Optional)

Conditions are a set of rules that are applied to included HTTPProxies. In effect, they are added onto the Conditions of included HTTPProxy Route structs. When applied, they are merged using AND, with one exception: There can be only one Prefix MatchCondition per Conditions slice. More than one Prefix, or contradictory Conditions, will make the include invalid.

LoadBalancerPolicy

(Appears on: Route, TCPProxy, ExtensionServiceSpec)

LoadBalancerPolicy defines the load balancing policy.

FieldDescription
strategy
string

Strategy specifies the policy used to balance requests across the pool of backend pods. Valid policy names are Random, RoundRobin, WeightedLeastRequest, Cookie, and RequestHash. If an unknown strategy name is specified or no policy is supplied, the default RoundRobin policy is used.

requestHashPolicies
[]RequestHashPolicy

RequestHashPolicies contains a list of hash policies to apply when the RequestHash load balancing strategy is chosen. If an element of the supplied list of hash policies is invalid, it will be ignored. If the list of hash policies is empty after validation, the load balancing strategy will fall back to the default RoundRobin.

LocalRateLimitPolicy

(Appears on: RateLimitPolicy)

LocalRateLimitPolicy defines local rate limiting parameters.

FieldDescription
requests
uint32

Requests defines how many requests per unit of time should be allowed before rate limiting occurs.

unit
string

Unit defines the period of time within which requests over the limit will be rate limited. Valid values are “second”, “minute” and “hour”.

burst
uint32
(Optional)

Burst defines the number of requests above the requests per unit that should be allowed within a short period of time.

responseStatusCode
uint32
(Optional)

ResponseStatusCode is the HTTP status code to use for responses to rate-limited requests. Codes must be in the 400-599 range (inclusive). If not specified, the Envoy default of 429 (Too Many Requests) is used.

responseHeadersToAdd
[]HeaderValue
(Optional)

ResponseHeadersToAdd is an optional list of response headers to set when a request is rate-limited.

MatchCondition

(Appears on: Include, Route)

MatchCondition are a general holder for matching rules for HTTPProxies. One of Prefix or Header must be provided.

FieldDescription
prefix
string
(Optional)

Prefix defines a prefix match for a request.

header
HeaderMatchCondition
(Optional)

Header specifies the header condition to match.

PathRewritePolicy

(Appears on: Route)

PathRewritePolicy specifies how a request URL path should be rewritten. This rewriting takes place after a request is routed and has no subsequent effects on the proxy’s routing decision. No HTTP headers or body content is rewritten.

Exactly one field in this struct may be specified.

FieldDescription
replacePrefix
[]ReplacePrefix
(Optional)

ReplacePrefix describes how the path prefix should be replaced.

QueryParameterHashOptions

(Appears on: RequestHashPolicy)

QueryParameterHashOptions contains options to configure a query parameter based hash policy, used in request attribute hash based load balancing.

FieldDescription
parameterName
string

ParameterName is the name of the HTTP request query parameter that will be used to calculate the hash key. If the query parameter specified is not present on a request, no hash will be produced.

RateLimitDescriptor

(Appears on: GlobalRateLimitPolicy)

RateLimitDescriptor defines a list of key-value pair generators.

FieldDescription
entries
[]RateLimitDescriptorEntry

Entries is the list of key-value pair generators.

RateLimitDescriptorEntry

(Appears on: RateLimitDescriptor)

RateLimitDescriptorEntry is a key-value pair generator. Exactly one field on this struct must be non-nil.

FieldDescription
genericKey
GenericKeyDescriptor
(Optional)

GenericKey defines a descriptor entry with a static key and value.

requestHeader
RequestHeaderDescriptor
(Optional)

RequestHeader defines a descriptor entry that’s populated only if a given header is present on the request. The descriptor key is static, and the descriptor value is equal to the value of the header.

requestHeaderValueMatch
RequestHeaderValueMatchDescriptor
(Optional)

RequestHeaderValueMatch defines a descriptor entry that’s populated if the request’s headers match a set of 1+ match criteria. The descriptor key is “header_match”, and the descriptor value is static.

remoteAddress
RemoteAddressDescriptor
(Optional)

RemoteAddress defines a descriptor entry with a key of “remote_address” and a value equal to the client’s IP address (from x-forwarded-for).

RateLimitPolicy

(Appears on: Route, VirtualHost)

RateLimitPolicy defines rate limiting parameters.

FieldDescription
local
LocalRateLimitPolicy
(Optional)

Local defines local rate limiting parameters, i.e. parameters for rate limiting that occurs within each Envoy pod as requests are handled.

global
GlobalRateLimitPolicy
(Optional)

Global defines global rate limiting parameters, i.e. parameters defining descriptors that are sent to an external rate limit service (RLS) for a rate limit decision on each request.

RemoteAddressDescriptor

(Appears on: RateLimitDescriptorEntry)

RemoteAddressDescriptor defines a descriptor entry with a key of “remote_address” and a value equal to the client’s IP address (from x-forwarded-for).

ReplacePrefix

(Appears on: PathRewritePolicy)

ReplacePrefix describes a path prefix replacement.

FieldDescription
prefix
string
(Optional)

Prefix specifies the URL path prefix to be replaced.

If Prefix is specified, it must exactly match the MatchCondition prefix that is rendered by the chain of including HTTPProxies and only that path prefix will be replaced by Replacement. This allows HTTPProxies that are included through multiple roots to only replace specific path prefixes, leaving others unmodified.

If Prefix is not specified, all routing prefixes rendered by the include chain will be replaced.

replacement
string

Replacement is the string that the routing path prefix will be replaced with. This must not be empty.

RequestHashPolicy

(Appears on: LoadBalancerPolicy)

RequestHashPolicy contains configuration for an individual hash policy on a request attribute.

FieldDescription
terminal
bool

Terminal is a flag that allows for short-circuiting computing of a hash for a given request. If set to true, and the request attribute specified in the attribute hash options is present, no further hash policies will be used to calculate a hash for the request.

headerHashOptions
HeaderHashOptions
(Optional)

HeaderHashOptions should be set when request header hash based load balancing is desired. It must be the only hash option field set, otherwise this request hash policy object will be ignored.

queryParameterHashOptions
QueryParameterHashOptions
(Optional)

QueryParameterHashOptions should be set when request query parameter hash based load balancing is desired. It must be the only hash option field set, otherwise this request hash policy object will be ignored.

hashSourceIP
bool
(Optional)

HashSourceIP should be set to true when request source IP hash based load balancing is desired. It must be the only hash option field set, otherwise this request hash policy object will be ignored.

RequestHeaderDescriptor

(Appears on: RateLimitDescriptorEntry)

RequestHeaderDescriptor defines a descriptor entry that’s populated only if a given header is present on the request. The value of the descriptor entry is equal to the value of the header (if present).

FieldDescription
headerName
string

HeaderName defines the name of the header to look for on the request.

descriptorKey
string

DescriptorKey defines the key to use on the descriptor entry.

RequestHeaderValueMatchDescriptor

(Appears on: RateLimitDescriptorEntry)

RequestHeaderValueMatchDescriptor defines a descriptor entry that’s populated if the request’s headers match a set of 1+ match criteria. The descriptor key is “header_match”, and the descriptor value is statically defined.

FieldDescription
headers
[]HeaderMatchCondition

Headers is a list of 1+ match criteria to apply against the request to determine whether to populate the descriptor entry or not.

expectMatch
bool

ExpectMatch defines whether the request must positively match the match criteria in order to generate a descriptor entry (i.e. true), or not match the match criteria in order to generate a descriptor entry (i.e. false). The default is true.

value
string

Value defines the value of the descriptor entry.

RetryOn (string alias)

(Appears on: RetryPolicy)

RetryOn is a string type alias with validation to ensure that the value is valid.

RetryPolicy

(Appears on: Route)

RetryPolicy defines the attributes associated with retrying policy.

FieldDescription
count
int64
(Optional)

NumRetries is maximum allowed number of retries. If set to -1, then retries are disabled. If set to 0 or not supplied, the value is set to the Envoy default of 1.

perTryTimeout
string
(Optional)

PerTryTimeout specifies the timeout per retry attempt. Ignored if NumRetries is not supplied.

retryOn
[]RetryOn
(Optional)

RetryOn specifies the conditions on which to retry a request.

Supported HTTP conditions:

  • 5xx
  • gateway-error
  • reset
  • connect-failure
  • retriable-4xx
  • refused-stream
  • retriable-status-codes
  • retriable-headers

Supported gRPC conditions:

  • cancelled
  • deadline-exceeded
  • internal
  • resource-exhausted
  • unavailable
retriableStatusCodes
[]uint32
(Optional)

RetriableStatusCodes specifies the HTTP status codes that should be retried.

This field is only respected when you include retriable-status-codes in the RetryOn field.

Route

(Appears on: HTTPProxySpec)

Route contains the set of routes for a virtual host.

FieldDescription
conditions
[]MatchCondition
(Optional)

Conditions are a set of rules that are applied to a Route. When applied, they are merged using AND, with one exception: There can be only one Prefix MatchCondition per Conditions slice. More than one Prefix, or contradictory Conditions, will make the route invalid.

services
[]Service
(Optional)

Services are the services to proxy traffic.

enableWebsockets
bool
(Optional)

Enables websocket support for the route.

permitInsecure
bool
(Optional)

Allow this path to respond to insecure requests over HTTP which are normally not permitted when a virtualhost.tls block is present.

authPolicy
AuthorizationPolicy
(Optional)

AuthPolicy updates the authorization policy that was set on the root HTTPProxy object for client requests that match this route.

timeoutPolicy
TimeoutPolicy
(Optional)

The timeout policy for this route.

retryPolicy
RetryPolicy
(Optional)

The retry policy for this route.

healthCheckPolicy
HTTPHealthCheckPolicy
(Optional)

The health check policy for this route.

loadBalancerPolicy
LoadBalancerPolicy
(Optional)

The load balancing policy for this route.

pathRewritePolicy
PathRewritePolicy
(Optional)

The policy for rewriting the path of the request URL after the request has been routed to a Service.

requestHeadersPolicy
HeadersPolicy
(Optional)

The policy for managing request headers during proxying.

responseHeadersPolicy
HeadersPolicy
(Optional)

The policy for managing response headers during proxying. Rewriting the ‘Host’ header is not supported.

cookieRewritePolicies
[]CookieRewritePolicy
(Optional)

The policies for rewriting Set-Cookie header attributes. Note that rewritten cookie names must be unique in this list. Order rewrite policies are specified in does not matter.

rateLimitPolicy
RateLimitPolicy
(Optional)

The policy for rate limiting on the route.

requestRedirectPolicy
HTTPRequestRedirectPolicy
(Optional)

RequestRedirectPolicy defines an HTTP redirection.

directResponsePolicy
HTTPDirectResponsePolicy
(Optional)

DirectResponsePolicy returns an arbitrary HTTP response directly.

Service

(Appears on: Route, TCPProxy)

Service defines an Kubernetes Service to proxy traffic.

FieldDescription
name
string

Name is the name of Kubernetes service to proxy traffic. Names defined here will be used to look up corresponding endpoints which contain the ips to route.

port
int

Port (defined as Integer) to proxy traffic to since a service can have multiple defined.

protocol
string
(Optional)

Protocol may be used to specify (or override) the protocol used to reach this Service. Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations.

weight
int64
(Optional)

Weight defines percentage of traffic to balance traffic

validation
UpstreamValidation
(Optional)

UpstreamValidation defines how to verify the backend service’s certificate

mirror
bool

If Mirror is true the Service will receive a read only mirror of the traffic for this route.

requestHeadersPolicy
HeadersPolicy
(Optional)

The policy for managing request headers during proxying. Rewriting the ‘Host’ header is not supported.

responseHeadersPolicy
HeadersPolicy
(Optional)

The policy for managing response headers during proxying. Rewriting the ‘Host’ header is not supported.

cookieRewritePolicies
[]CookieRewritePolicy
(Optional)

The policies for rewriting Set-Cookie header attributes.

SubCondition

(Appears on: DetailedCondition)

SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.

It contains a subset of the Condition fields.

It is intended for warnings and errors, so type names should use abnormal-true polarity, that is, they should be of the form “ErrorPresent: true”.

The expected lifecycle for these errors is that they should only be present when the error or warning is, and should be removed when they are not relevant.

FieldDescription
type
string

Type of condition in CamelCase or in foo.example.com/CamelCase.

This must be in abnormal-true polarity, that is, ErrorFound or controller.io/ErrorFound.

The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)

status
Kubernetes meta/v1.ConditionStatus

Status of the condition, one of True, False, Unknown.

reason
string

Reason contains a programmatic identifier indicating the reason for the condition’s last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API.

The value should be a CamelCase string.

This field may not be empty.

message
string

Message is a human readable message indicating details about the transition.

This may be an empty string.

TCPHealthCheckPolicy

(Appears on: TCPProxy)

TCPHealthCheckPolicy defines health checks on the upstream service.

FieldDescription
intervalSeconds
int64
(Optional)

The interval (seconds) between health checks

timeoutSeconds
int64
(Optional)

The time to wait (seconds) for a health check response

unhealthyThresholdCount
uint32
(Optional)

The number of unhealthy health checks required before a host is marked unhealthy

healthyThresholdCount
uint32
(Optional)

The number of healthy health checks required before a host is marked healthy

TCPProxy

(Appears on: HTTPProxySpec)

TCPProxy contains the set of services to proxy TCP connections.

FieldDescription
loadBalancerPolicy
LoadBalancerPolicy
(Optional)

The load balancing policy for the backend services. Note that the Cookie and RequestHash load balancing strategies cannot be used here.

services
[]Service
(Optional)

Services are the services to proxy traffic

include
TCPProxyInclude
(Optional)

Include specifies that this tcpproxy should be delegated to another HTTPProxy.

includes
TCPProxyInclude
(Optional)

IncludesDeprecated allow for specific routing configuration to be appended to another HTTPProxy in another namespace.

Exists due to a mistake when developing HTTPProxy and the field was marked plural when it should have been singular. This field should stay to not break backwards compatibility to v1 users.

healthCheckPolicy
TCPHealthCheckPolicy
(Optional)

The health check policy for this tcp proxy

TCPProxyInclude

(Appears on: TCPProxy)

TCPProxyInclude describes a target HTTPProxy document which contains the TCPProxy details.

FieldDescription
name
string

Name of the child HTTPProxy

namespace
string
(Optional)

Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied.

TLS

(Appears on: VirtualHost)

TLS describes tls properties. The SNI names that will be matched on are described in the HTTPProxy’s Spec.VirtualHost.Fqdn field.

FieldDescription
secretName
string

SecretName is the name of a TLS secret in the current namespace. Either SecretName or Passthrough must be specified, but not both. If specified, the named secret must contain a matching certificate for the virtual host’s FQDN.

minimumProtocolVersion
string
(Optional)

MinimumProtocolVersion is the minimum TLS version this vhost should negotiate. Valid options are 1.2 (default) and 1.3. Any other value defaults to TLS 1.2.

passthrough
bool
(Optional)

Passthrough defines whether the encrypted TLS handshake will be passed through to the backing cluster. Either Passthrough or SecretName must be specified, but not both.

clientValidation
DownstreamValidation
(Optional)

ClientValidation defines how to verify the client certificate when an external client establishes a TLS connection to Envoy.

This setting:

  1. Enables TLS client certificate validation.
  2. Specifies how the client certificate will be validated (i.e. validation required or skipped).

Note: Setting client certificate validation to be skipped should be only used in conjunction with an external authorization server that performs client validation as Contour will ensure client certificates are passed along.

enableFallbackCertificate
bool

EnableFallbackCertificate defines if the vhost should allow a default certificate to be applied which handles all requests which don’t match the SNI defined in this vhost.

TLSCertificateDelegationSpec

(Appears on: TLSCertificateDelegation)

TLSCertificateDelegationSpec defines the spec of the CRD

FieldDescription
delegations
[]CertificateDelegation

TLSCertificateDelegationStatus

(Appears on: TLSCertificateDelegation)

TLSCertificateDelegationStatus allows for the status of the delegation to be presented to the user.

FieldDescription
conditions
[]DetailedCondition
(Optional)

Conditions contains information about the current status of the HTTPProxy, in an upstream-friendly container.

Contour will update a single condition, Valid, that is in normal-true polarity. That is, when currentStatus is valid, the Valid condition will be status: true, and vice versa.

Contour will leave untouched any other Conditions set in this block, in case some other controller wants to add a Condition.

If you are another controller owner and wish to add a condition, you should namespace your condition with a label, like controller.domain.com\ConditionName.

TimeoutPolicy

(Appears on: Route, ExtensionServiceSpec)

TimeoutPolicy configures timeouts that are used for handling network requests.

TimeoutPolicy durations are expressed in the Go Duration format. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. The string “infinity” is also a valid input and specifies no timeout. A value of “0s” will be treated as if the field were not set, i.e. by using Envoy’s default behavior.

Example input values: “300ms”, “5s”, “1m”.

FieldDescription
response
string
(Optional)

Timeout for receiving a response from the server after processing a request from client. If not supplied, Envoy’s default value of 15s applies.

idle
string
(Optional)

Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2). Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests. If not specified, there is no per-route idle timeout, though a connection manager-wide stream_idle_timeout default of 5m still applies.

idleConnection
string
(Optional)

Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests. If not supplied, Envoy’s default value of 1h applies.

UpstreamValidation

(Appears on: Service, ExtensionServiceSpec)

UpstreamValidation defines how to verify the backend service’s certificate

FieldDescription
caSecret
string

Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. The secret must contain key named ca.crt.

subjectName
string

Key which is expected to be present in the ‘subjectAltName’ of the presented certificate.

VirtualHost

(Appears on: HTTPProxySpec)

VirtualHost appears at most once. If it is present, the object is considered to be a “root”.

FieldDescription
fqdn
string

The fully qualified domain name of the root of the ingress tree all leaves of the DAG rooted at this object relate to the fqdn.

tls
TLS
(Optional)

If present the fields describes TLS properties of the virtual host. The SNI names that will be matched on are described in fqdn, the tls.secretName secret must contain a certificate that itself contains a name that matches the FQDN.

authorization
AuthorizationServer
(Optional)

This field configures an extension service to perform authorization for this virtual host. Authorization can only be configured on virtual hosts that have TLS enabled. If the TLS configuration requires client certificate validation, the client certificate is always included in the authentication check request.

corsPolicy
CORSPolicy
(Optional)

Specifies the cross-origin policy to apply to the VirtualHost.

rateLimitPolicy
RateLimitPolicy
(Optional)

The policy for rate limiting on the virtual host.


projectcontour.io/v1alpha1

Package v1alpha1 contains API Schema definitions for the projectcontour.io v1alpha1 API group

Resource Types:

ContourConfiguration

ContourConfiguration is the schema for a Contour instance.

FieldDescription
apiVersion
string
projectcontour.io/v1alpha1
kind
string
ContourConfiguration
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
ContourConfigurationSpec


xdsServer
XDSServerConfig
(Optional)

XDSServer contains parameters for the xDS server.

ingress
IngressConfig
(Optional)

Ingress contains parameters for ingress options.

debug
DebugConfig
(Optional)

Debug contains parameters to enable debug logging and debug interfaces inside Contour.

health
HealthConfig
(Optional)

Health defines the endpoints Contour uses to serve health checks.

Contour’s default is { address: “0.0.0.0”, port: 8000 }.

envoy
EnvoyConfig
(Optional)

Envoy contains parameters for Envoy as well as how to optionally configure a managed Envoy fleet.

gateway
GatewayConfig
(Optional)

Gateway contains parameters for the gateway-api Gateway that Contour is configured to serve traffic.

httpproxy
HTTPProxyConfig
(Optional)

HTTPProxy defines parameters on HTTPProxy.

enableExternalNameService
bool
(Optional)

EnableExternalNameService allows processing of ExternalNameServices

Contour’s default is false for security reasons.

rateLimitService
RateLimitServiceConfig
(Optional)

RateLimitService optionally holds properties of the Rate Limit Service to be used for global rate limiting.

policy
PolicyConfig
(Optional)

Policy specifies default policy applied if not overridden by the user

metrics
MetricsConfig
(Optional)

Metrics defines the endpoint Contour uses to serve metrics.

Contour’s default is { address: “0.0.0.0”, port: 8000 }.

status
ContourConfigurationStatus
(Optional)

ContourDeployment

ContourDeployment is the schema for a Contour Deployment.

FieldDescription
apiVersion
string
projectcontour.io/v1alpha1
kind
string
ContourDeployment
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
ContourDeploymentSpec


contour
ContourSettings
(Optional)

Contour specifies deployment-time settings for the Contour part of the installation, i.e. the xDS server/control plane and associated resources, including things like replica count for the Deployment, and node placement constraints for the pods.

envoy
EnvoySettings
(Optional)

Envoy specifies deployment-time settings for the Envoy part of the installation, i.e. the xDS client/data plane and associated resources, including things like the workload type to use (DaemonSet or Deployment), node placement constraints for the pods, and various options for the Envoy service.

runtimeSettings
ContourConfigurationSpec
(Optional)

RuntimeSettings is a ContourConfiguration spec to be used when provisioning a Contour instance that will influence aspects of the Contour instance’s runtime behavior.

status
ContourDeploymentStatus

ExtensionService

ExtensionService is the schema for the Contour extension services API. An ExtensionService resource binds a network service to the Contour API so that Contour API features can be implemented by collaborating components.

FieldDescription
apiVersion
string
projectcontour.io/v1alpha1
kind
string
ExtensionService
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
ExtensionServiceSpec


services
[]ExtensionServiceTarget

Services specifies the set of Kubernetes Service resources that receive GRPC extension API requests. If no weights are specified for any of the entries in this array, traffic will be spread evenly across all the services. Otherwise, traffic is balanced proportionally to the Weight field in each entry.

validation
UpstreamValidation
(Optional)

UpstreamValidation defines how to verify the backend service’s certificate

protocol
string
(Optional)

Protocol may be used to specify (or override) the protocol used to reach this Service. Values may be h2 or h2c. If omitted, protocol-selection falls back on Service annotations.

loadBalancerPolicy
LoadBalancerPolicy
(Optional)

The policy for load balancing GRPC service requests. Note that the Cookie and RequestHash load balancing strategies cannot be used here.

timeoutPolicy
TimeoutPolicy
(Optional)

The timeout policy for requests to the services.

protocolVersion
ExtensionProtocolVersion
(Optional)

This field sets the version of the GRPC protocol that Envoy uses to send requests to the extension service. Since Contour always uses the v3 Envoy API, this is currently fixed at “v3”. However, other protocol options will be available in future.

status
ExtensionServiceStatus

AccessLogFormatString (string alias)

AccessLogJSONFields ([]string alias)

(Appears on: EnvoyLogging)

AccessLogLevel (string alias)

(Appears on: EnvoyLogging)

ValueDescription

"disabled"

Disable the access log.

"error"

Log only requests that result in an error.

"info"

Log all requests. This is the default.

AccessLogType (string alias)

(Appears on: EnvoyLogging)

AccessLogType is the name of a supported access logging mechanism.

ValueDescription

"envoy"

DefaultAccessLogType is the default access log format.

"envoy"

Set the Envoy access logging to Envoy’s standard format. Can be customized using accessLogFormatString.

"json"

Set the Envoy access logging to a JSON format. Can be customized using jsonFields.

ClusterDNSFamilyType (string alias)

(Appears on: ClusterParameters)

ClusterDNSFamilyType is the Ip family to use for resolving DNS names in an Envoy cluster config.

ValueDescription

"auto"

DNS lookups will do a v6 lookup first, followed by a v4 if that fails.

"v4"

DNS lookups will only attempt v4 queries.

"v6"

DNS lookups will only attempt v6 queries.

ClusterParameters

(Appears on: EnvoyConfig)

ClusterParameters holds various configurable cluster values.

FieldDescription
dnsLookupFamily
ClusterDNSFamilyType
(Optional)

DNSLookupFamily defines how external names are looked up When configured as V4, the DNS resolver will only perform a lookup for addresses in the IPv4 family. If V6 is configured, the DNS resolver will only perform a lookup for addresses in the IPv6 family. If AUTO is configured, the DNS resolver will first perform a lookup for addresses in the IPv6 family and fallback to a lookup for addresses in the IPv4 family. Note: This only applies to externalName clusters.

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily for more information.

Values: auto (default), v4, v6.

Other values will produce an error.

ContourConfigurationSpec

(Appears on: ContourConfiguration, ContourDeploymentSpec)

ContourConfigurationSpec represents a configuration of a Contour controller. It contains most of all the options that can be customized, the other remaining options being command line flags.

FieldDescription
xdsServer
XDSServerConfig
(Optional)

XDSServer contains parameters for the xDS server.

ingress
IngressConfig
(Optional)

Ingress contains parameters for ingress options.

debug
DebugConfig
(Optional)

Debug contains parameters to enable debug logging and debug interfaces inside Contour.

health
HealthConfig
(Optional)

Health defines the endpoints Contour uses to serve health checks.

Contour’s default is { address: “0.0.0.0”, port: 8000 }.

envoy
EnvoyConfig
(Optional)

Envoy contains parameters for Envoy as well as how to optionally configure a managed Envoy fleet.

gateway
GatewayConfig
(Optional)

Gateway contains parameters for the gateway-api Gateway that Contour is configured to serve traffic.

httpproxy
HTTPProxyConfig
(Optional)

HTTPProxy defines parameters on HTTPProxy.

enableExternalNameService
bool
(Optional)

EnableExternalNameService allows processing of ExternalNameServices

Contour’s default is false for security reasons.

rateLimitService
RateLimitServiceConfig
(Optional)

RateLimitService optionally holds properties of the Rate Limit Service to be used for global rate limiting.

policy
PolicyConfig
(Optional)

Policy specifies default policy applied if not overridden by the user

metrics
MetricsConfig
(Optional)

Metrics defines the endpoint Contour uses to serve metrics.

Contour’s default is { address: “0.0.0.0”, port: 8000 }.

ContourConfigurationStatus

(Appears on: ContourConfiguration)

ContourConfigurationStatus defines the observed state of a ContourConfiguration resource.

FieldDescription
conditions
[]DetailedCondition
(Optional)

Conditions contains the current status of the Contour resource.

Contour will update a single condition, Valid, that is in normal-true polarity.

Contour will not modify any other Conditions set in this block, in case some other controller wants to add a Condition.

ContourDeploymentSpec

(Appears on: ContourDeployment)

ContourDeploymentSpec specifies options for how a Contour instance should be provisioned.

FieldDescription
contour
ContourSettings
(Optional)

Contour specifies deployment-time settings for the Contour part of the installation, i.e. the xDS server/control plane and associated resources, including things like replica count for the Deployment, and node placement constraints for the pods.

envoy
EnvoySettings
(Optional)

Envoy specifies deployment-time settings for the Envoy part of the installation, i.e. the xDS client/data plane and associated resources, including things like the workload type to use (DaemonSet or Deployment), node placement constraints for the pods, and various options for the Envoy service.

runtimeSettings
ContourConfigurationSpec
(Optional)

RuntimeSettings is a ContourConfiguration spec to be used when provisioning a Contour instance that will influence aspects of the Contour instance’s runtime behavior.

ContourDeploymentStatus

(Appears on: ContourDeployment)

ContourDeploymentStatus defines the observed state of a ContourDeployment resource.

FieldDescription
conditions
[]Kubernetes meta/v1.Condition
(Optional)

Conditions describe the current conditions of the ContourDeployment resource.

ContourSettings

(Appears on: ContourDeploymentSpec)

ContourSettings contains settings for the Contour part of the installation, i.e. the xDS server/control plane and associated resources.

FieldDescription
replicas
int32

Replicas is the desired number of Contour replicas. If unset, defaults to 2.

nodePlacement
NodePlacement
(Optional)

NodePlacement describes node scheduling configuration of Contour pods.

DebugConfig

(Appears on: ContourConfigurationSpec)

DebugConfig contains Contour specific troubleshooting options.

FieldDescription
address
string
(Optional)

Defines the Contour debug address interface.

Contour’s default is “127.0.0.1”.

port
int
(Optional)

Defines the Contour debug address port.

Contour’s default is 6060.

EnvoyConfig

(Appears on: ContourConfigurationSpec)

EnvoyConfig defines how Envoy is to be Configured from Contour.

FieldDescription
listener
EnvoyListenerConfig
(Optional)

Listener hold various configurable Envoy listener values.

service
NamespacedName
(Optional)

Service holds Envoy service parameters for setting Ingress status.

Contour’s default is { namespace: “projectcontour”, name: “envoy” }.

http
EnvoyListener
(Optional)

Defines the HTTP Listener for Envoy.

Contour’s default is { address: “0.0.0.0”, port: 8080, accessLog: “/dev/stdout” }.

https
EnvoyListener
(Optional)

Defines the HTTPS Listener for Envoy.

Contour’s default is { address: “0.0.0.0”, port: 8443, accessLog: “/dev/stdout” }.

health
HealthConfig
(Optional)

Health defines the endpoint Envoy uses to serve health checks.

Contour’s default is { address: “0.0.0.0”, port: 8002 }.

metrics
MetricsConfig
(Optional)

Metrics defines the endpoint Envoy uses to serve metrics.

Contour’s default is { address: “0.0.0.0”, port: 8002 }.

clientCertificate
NamespacedName
(Optional)

ClientCertificate defines the namespace/name of the Kubernetes secret containing the client certificate and private key to be used when establishing TLS connection to upstream cluster.

logging
EnvoyLogging
(Optional)

Logging defines how Envoy’s logs can be configured.

defaultHTTPVersions
[]HTTPVersionType
(Optional)

DefaultHTTPVersions defines the default set of HTTPS versions the proxy should accept. HTTP versions are strings of the form “HTTP/xx”. Supported versions are “HTTP/1.1” and “HTTP/2”.

Values: HTTP/1.1, HTTP/2 (default: both).

Other values will produce an error.

timeouts
TimeoutParameters
(Optional)

Timeouts holds various configurable timeouts that can be set in the config file.

cluster
ClusterParameters
(Optional)

Cluster holds various configurable Envoy cluster values that can be set in the config file.

network
NetworkParameters
(Optional)

Network holds various configurable Envoy network values.

EnvoyListener

(Appears on: EnvoyConfig)

EnvoyListener defines parameters for an Envoy Listener.

FieldDescription
address
string
(Optional)

Defines an Envoy Listener Address.

port
int
(Optional)

Defines an Envoy listener Port.

accessLog
string
(Optional)

AccessLog defines where Envoy logs are outputted for this listener.

EnvoyListenerConfig

(Appears on: EnvoyConfig)

EnvoyListenerConfig hold various configurable Envoy listener values.

FieldDescription
useProxyProtocol
bool
(Optional)

Use PROXY protocol for all listeners.

Contour’s default is false.

disableAllowChunkedLength
bool
(Optional)

DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to strip the “Content-Length” header if “Transfer-Encoding: chunked” is also set. This is an emergency off-switch to revert back to Envoy’s default behavior in case of failures. Please file an issue if failures are encountered. See: https://github.com/projectcontour/contour/issues/3221

Contour’s default is false.

disableMergeSlashes
bool
(Optional)

DisableMergeSlashes disables Envoy’s non-standard merge_slashes path transformation option which strips duplicate slashes from request URL paths.

Contour’s default is false.

connectionBalancer
string
(Optional)

ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig for more information.

Values: (empty string): use the default ConnectionBalancer, exact: use the Exact ConnectionBalancer.

Other values will produce an error.

tls
EnvoyTLS
(Optional)

TLS holds various configurable Envoy TLS listener values.

EnvoyLogging

(Appears on: EnvoyConfig)

EnvoyLogging defines how Envoy’s logs can be configured.

FieldDescription
accessLogFormat
AccessLogType
(Optional)

AccessLogFormat sets the global access log format.

Values: envoy (default), json.

Other values will produce an error.

accessLogFormatString
string
(Optional)

AccessLogFormatString sets the access log format when format is set to envoy. When empty, Envoy’s default format is used.

accessLogJSONFields
AccessLogJSONFields
(Optional)

AccessLogJSONFields sets the fields that JSON logging will output when AccessLogFormat is json.

accessLogLevel
AccessLogLevel
(Optional)

AccessLogLevel sets the verbosity level of the access log.

Values: info (default, meaning all requests are logged), error and disabled.

Other values will produce an error.

EnvoySettings

(Appears on: ContourDeploymentSpec)

EnvoySettings contains settings for the Envoy part of the installation, i.e. the xDS client/data plane and associated resources.

FieldDescription
workloadType
WorkloadType
(Optional)

WorkloadType is the type of workload to install Envoy as. Choices are DaemonSet and Deployment. If unset, defaults to DaemonSet.

replicas
int32

Replicas is the desired number of Envoy replicas. If WorkloadType is not “Deployment”, this field is ignored. Otherwise, if unset, defaults to 2.

networkPublishing
NetworkPublishing

NetworkPublishing defines how to expose Envoy to a network.

nodePlacement
NodePlacement
(Optional)

NodePlacement describes node scheduling configuration of Envoy pods.

EnvoyTLS

(Appears on: EnvoyListenerConfig)

EnvoyTLS describes tls parameters for Envoy listneners.

FieldDescription
minimumProtocolVersion
string
(Optional)

MinimumProtocolVersion is the minimum TLS version this vhost should negotiate.

Values: 1.2 (default), 1.3.

Other values will produce an error.

cipherSuites
[]string
(Optional)

CipherSuites defines the TLS ciphers to be supported by Envoy TLS listeners when negotiating TLS 1.2. Ciphers are validated against the set that Envoy supports by default. This parameter should only be used by advanced users. Note that these will be ignored when TLS 1.3 is in use.

This field is optional; when it is undefined, a Contour-managed ciphersuite list will be used, which may be updated to keep it secure.

Contour’s default list is: - “[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]” - “[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]” - “ECDHE-ECDSA-AES256-GCM-SHA384” - “ECDHE-RSA-AES256-GCM-SHA384”

Ciphers provided are validated against the following list: - “[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]” - “[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]” - “ECDHE-ECDSA-AES128-GCM-SHA256” - “ECDHE-RSA-AES128-GCM-SHA256” - “ECDHE-ECDSA-AES128-SHA” - “ECDHE-RSA-AES128-SHA” - “AES128-GCM-SHA256” - “AES128-SHA” - “ECDHE-ECDSA-AES256-GCM-SHA384” - “ECDHE-RSA-AES256-GCM-SHA384” - “ECDHE-ECDSA-AES256-SHA” - “ECDHE-RSA-AES256-SHA” - “AES256-GCM-SHA384” - “AES256-SHA”

Contour recommends leaving this undefined unless you are sure you must.

See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS.

ExtensionProtocolVersion (string alias)

(Appears on: ExtensionServiceSpec)

ExtensionProtocolVersion is the version of the GRPC protocol used to access extension services. The only version currently supported is “v3”.

ValueDescription

"v2"

SupportProtocolVersion2 requests the “v2” support protocol version.

Deprecated: this protocol version is no longer supported and the constant is retained for backwards compatibility only.

"v3"

SupportProtocolVersion3 requests the “v3” support protocol version.

ExtensionServiceSpec

(Appears on: ExtensionService)

ExtensionServiceSpec defines the desired state of an ExtensionService resource.

FieldDescription
services
[]ExtensionServiceTarget

Services specifies the set of Kubernetes Service resources that receive GRPC extension API requests. If no weights are specified for any of the entries in this array, traffic will be spread evenly across all the services. Otherwise, traffic is balanced proportionally to the Weight field in each entry.

validation
UpstreamValidation
(Optional)

UpstreamValidation defines how to verify the backend service’s certificate

protocol
string
(Optional)

Protocol may be used to specify (or override) the protocol used to reach this Service. Values may be h2 or h2c. If omitted, protocol-selection falls back on Service annotations.

loadBalancerPolicy
LoadBalancerPolicy
(Optional)

The policy for load balancing GRPC service requests. Note that the Cookie and RequestHash load balancing strategies cannot be used here.

timeoutPolicy
TimeoutPolicy
(Optional)

The timeout policy for requests to the services.

protocolVersion
ExtensionProtocolVersion
(Optional)

This field sets the version of the GRPC protocol that Envoy uses to send requests to the extension service. Since Contour always uses the v3 Envoy API, this is currently fixed at “v3”. However, other protocol options will be available in future.

ExtensionServiceStatus

(Appears on: ExtensionService)

ExtensionServiceStatus defines the observed state of an ExtensionService resource.

FieldDescription
conditions
[]DetailedCondition
(Optional)

Conditions contains the current status of the ExtensionService resource.

Contour will update a single condition, Valid, that is in normal-true polarity.

Contour will not modify any other Conditions set in this block, in case some other controller wants to add a Condition.

ExtensionServiceTarget

(Appears on: ExtensionServiceSpec)

ExtensionServiceTarget defines an Kubernetes Service to target with extension service traffic.

FieldDescription
name
string

Name is the name of Kubernetes service that will accept service traffic.

port
int

Port (defined as Integer) to proxy traffic to since a service can have multiple defined.

weight
uint32
(Optional)

Weight defines proportion of traffic to balance to the Kubernetes Service.

GatewayConfig

(Appears on: ContourConfigurationSpec)

GatewayConfig holds the config for Gateway API controllers.

FieldDescription
controllerName
string
(Optional)

ControllerName is used to determine whether Contour should reconcile a GatewayClass. The string takes the form of “projectcontour.io//contour”. If unset, the gatewayclass controller will not be started. Exactly one of ControllerName or GatewayRef must be set.

gatewayRef
NamespacedName
(Optional)

GatewayRef defines a specific Gateway that this Contour instance corresponds to. If set, Contour will reconcile only this gateway, and will not reconcile any gateway classes. Exactly one of ControllerName or GatewayRef must be set.

HTTPProxyConfig

(Appears on: ContourConfigurationSpec)

HTTPProxyConfig defines parameters on HTTPProxy.

FieldDescription
disablePermitInsecure
bool
(Optional)

DisablePermitInsecure disables the use of the permitInsecure field in HTTPProxy.

Contour’s default is false.

rootNamespaces
[]string
(Optional)

Restrict Contour to searching these namespaces for root ingress routes.

fallbackCertificate
NamespacedName
(Optional)

FallbackCertificate defines the namespace/name of the Kubernetes secret to use as fallback when a non-SNI request is received.

HTTPVersionType (string alias)

(Appears on: EnvoyConfig)

HTTPVersionType is the name of a supported HTTP version.

ValueDescription

"HTTP/1.1"

HTTPVersion1 is the name of the HTTP/1.1 version.

"HTTP/2"

HTTPVersion2 is the name of the HTTP/2 version.

HeadersPolicy

(Appears on: PolicyConfig)

FieldDescription
set
map[string]string
(Optional)
remove
[]string
(Optional)

HealthConfig

(Appears on: ContourConfigurationSpec, EnvoyConfig)

HealthConfig defines the endpoints to enable health checks.

FieldDescription
address
string
(Optional)

Defines the health address interface.

port
int
(Optional)

Defines the health port.

IngressConfig

(Appears on: ContourConfigurationSpec)

IngressConfig defines ingress specific config items.

FieldDescription
classNames
[]string
(Optional)

Ingress Class Names Contour should use.

statusAddress
string
(Optional)

Address to set in Ingress object status.

LogLevel (string alias)

LogLevel is the logging levels available.

ValueDescription

"debug"

DebugLog sets the log level for Contour to debug.

"info"

InfoLog sets the log level for Contour to info.

MetricsConfig

(Appears on: ContourConfigurationSpec, EnvoyConfig)

MetricsConfig defines the metrics endpoint.

FieldDescription
address
string
(Optional)

Defines the metrics address interface.

port
int
(Optional)

Defines the metrics port.

tls
MetricsTLS
(Optional)

TLS holds TLS file config details. Metrics and health endpoints cannot have same port number when metrics is served over HTTPS.

MetricsTLS

(Appears on: MetricsConfig)

TLS holds TLS file config details.

FieldDescription
caFile
string
(Optional)

CA filename.

certFile
string
(Optional)

Client certificate filename.

keyFile
string
(Optional)

Client key filename.

NamespacedName

(Appears on: EnvoyConfig, GatewayConfig, HTTPProxyConfig, RateLimitServiceConfig)

NamespacedName defines the namespace/name of the Kubernetes resource referred from the config file. Used for Contour config YAML file parsing, otherwise we could use K8s types.NamespacedName.

FieldDescription
name
string
namespace
string

NetworkParameters

(Appears on: EnvoyConfig)

NetworkParameters hold various configurable network values.

FieldDescription
numTrustedHops
uint32
(Optional)

XffNumTrustedHops defines the number of additional ingress proxy hops from the right side of the x-forwarded-for HTTP header to trust when determining the origin client’s IP address.

See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops for more information.

Contour’s default is 0.

adminPort
int
(Optional)

Configure the port used to access the Envoy Admin interface. If configured to port “0” then the admin interface is disabled.

Contour’s default is 9001.

NetworkPublishing

(Appears on: EnvoySettings)

NetworkPublishing defines the schema for publishing to a network.

FieldDescription
type
NetworkPublishingType
(Optional)

NetworkPublishingType is the type of publishing strategy to use. Valid values are:

  • LoadBalancerService

In this configuration, network endpoints for Envoy use container networking. A Kubernetes LoadBalancer Service is created to publish Envoy network endpoints.

See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer

  • NodePortService

Publishes Envoy network endpoints using a Kubernetes NodePort Service.

In this configuration, Envoy network endpoints use container networking. A Kubernetes NodePort Service is created to publish the network endpoints.

See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport

  • ClusterIPService

Publishes Envoy network endpoints using a Kubernetes ClusterIP Service.

In this configuration, Envoy network endpoints use container networking. A Kubernetes ClusterIP Service is created to publish the network endpoints.

See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types

If unset, defaults to LoadBalancerService.

serviceAnnotations
map[string]string
(Optional)

ServiceAnnotations is the annotations to add to the provisioned Envoy service.

NetworkPublishingType (string alias)

(Appears on: NetworkPublishing)

NetworkPublishingType is a way to publish network endpoints.

ValueDescription

"ClusterIPService"

ClusterIPServicePublishingType publishes a network endpoint using a Kubernetes ClusterIP Service.

"LoadBalancerService"

LoadBalancerServicePublishingType publishes a network endpoint using a Kubernetes LoadBalancer Service.

"NodePortService"

NodePortServicePublishingType publishes a network endpoint using a Kubernetes NodePort Service.

NodePlacement

(Appears on: ContourSettings, EnvoySettings)

NodePlacement describes node scheduling configuration for pods. If nodeSelector and tolerations are specified, the scheduler will use both to determine where to place the pod(s).

FieldDescription
nodeSelector
map[string]string
(Optional)

NodeSelector is the simplest recommended form of node selection constraint and specifies a map of key-value pairs. For the pod to be eligible to run on a node, the node must have each of the indicated key-value pairs as labels (it can have additional labels as well).

If unset, the pod(s) will be scheduled to any available node.

tolerations
[]Kubernetes core/v1.Toleration
(Optional)

Tolerations work with taints to ensure that pods are not scheduled onto inappropriate nodes. One or more taints are applied to a node; this marks that the node should not accept any pods that do not tolerate the taints.

The default is an empty list.

See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ for additional details.

PolicyConfig

(Appears on: ContourConfigurationSpec)

PolicyConfig holds default policy used if not explicitly set by the user

FieldDescription
requestHeaders
HeadersPolicy
(Optional)

RequestHeadersPolicy defines the request headers set/removed on all routes

responseHeaders
HeadersPolicy
(Optional)

ResponseHeadersPolicy defines the response headers set/removed on all routes

applyToIngress
bool
(Optional)

ApplyToIngress determines if the Policies will apply to ingress objects

Contour’s default is false.

RateLimitServiceConfig

(Appears on: ContourConfigurationSpec)

RateLimitServiceConfig defines properties of a global Rate Limit Service.

FieldDescription
extensionService
NamespacedName

ExtensionService identifies the extension service defining the RLS.

domain
string
(Optional)

Domain is passed to the Rate Limit Service.

failOpen
bool
(Optional)

FailOpen defines whether to allow requests to proceed when the Rate Limit Service fails to respond with a valid rate limit decision within the timeout defined on the extension service.

enableXRateLimitHeaders
bool
(Optional)

EnableXRateLimitHeaders defines whether to include the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset (as defined by the IETF Internet-Draft linked below), on responses to clients when the Rate Limit Service is consulted for a request.

ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html

TLS

(Appears on: XDSServerConfig)

TLS holds TLS file config details.

FieldDescription
caFile
string
(Optional)

CA filename.

certFile
string
(Optional)

Client certificate filename.

keyFile
string
(Optional)

Client key filename.

insecure
bool
(Optional)

Allow serving the xDS gRPC API without TLS.

TimeoutParameters

(Appears on: EnvoyConfig)

TimeoutParameters holds various configurable proxy timeout values.

FieldDescription
requestTimeout
string
(Optional)

RequestTimeout sets the client request timeout globally for Contour. Note that this is a timeout for the entire request, not an idle timeout. Omit or set to “infinity” to disable the timeout entirely.

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout for more information.

connectionIdleTimeout
string
(Optional)

ConnectionIdleTimeout defines how long the proxy should wait while there are no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating an HTTP connection. Set to “infinity” to disable the timeout entirely.

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout for more information.

streamIdleTimeout
string
(Optional)

StreamIdleTimeout defines how long the proxy should wait while there is no request activity (for HTTP/1.1) or stream activity (for HTTP/2) before terminating the HTTP request or stream. Set to “infinity” to disable the timeout entirely.

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout for more information.

maxConnectionDuration
string
(Optional)

MaxConnectionDuration defines the maximum period of time after an HTTP connection has been established from the client to the proxy before it is closed by the proxy, regardless of whether there has been activity or not. Omit or set to “infinity” for no max duration.

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration for more information.

delayedCloseTimeout
string
(Optional)

DelayedCloseTimeout defines how long envoy will wait, once connection close processing has been initiated, for the downstream peer to close the connection before Envoy closes the socket associated with the connection.

Setting this timeout to ‘infinity’ will disable it, equivalent to setting it to ‘0’ in Envoy. Leaving it unset will result in the Envoy default value being used.

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout for more information.

connectionShutdownGracePeriod
string
(Optional)

ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection. During this grace period, the proxy will continue to respond to new streams. After the final GOAWAY frame has been sent, the proxy will refuse new streams.

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout for more information.

connectTimeout
string
(Optional)

ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. If not set, a default value of 2 seconds will be used.

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout for more information.

WorkloadType (string alias)

(Appears on: EnvoySettings)

WorkloadType is the type of Kubernetes workload to use for a component.

XDSServerConfig

(Appears on: ContourConfigurationSpec)

XDSServerConfig holds the config for the Contour xDS server.

FieldDescription
type
XDSServerType
(Optional)

Defines the XDSServer to use for contour serve.

Values: contour (default), envoy.

Other values will produce an error.

address
string
(Optional)

Defines the xDS gRPC API address which Contour will serve.

Contour’s default is “0.0.0.0”.

port
int
(Optional)

Defines the xDS gRPC API port which Contour will serve.

Contour’s default is 8001.

tls
TLS
(Optional)

TLS holds TLS file config details.

Contour’s default is { caFile: “/certs/ca.crt”, certFile: “/certs/tls.cert”, keyFile: “/certs/tls.key”, insecure: false }.

XDSServerType (string alias)

(Appears on: XDSServerConfig)

XDSServerType is the type of xDS server implementation.

ValueDescription

"contour"

Use Contour’s xDS server.

"envoy"

Use the upstream go-control-plane-based xDS server.


Generated with gen-crd-api-reference-docs.

Ready to try Contour?

Read our getting started documentation.