Status is a container for computed information about the HTTPProxy.

When true, this field disables client request authentication for the scope of the policy.

Context is a set of key/value pairs that are sent to the authentication server in the check request. If a context is provided at an enclosing scope, the entries are merged such that the inner scope overrides matching keys from the outer scope.

ExtensionServiceRef specifies the extension resource that will authorize client requests.

AuthPolicy sets a default authorization policy for client requests. This policy will be used unless overridden by individual routes.

ResponseTimeout configures maximum time to wait for a check response from the authorization server. Timeout durations are expressed in the Go Duration format. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. The string “infinity” is also a valid input and specifies no timeout.

If FailOpen is true, the client request is forwarded to the upstream service even if the authorization server fails to respond. This field should not be set in most cases. It is intended for use only while migrating applications from internal authorization to Contour external authorization.

Specifies whether the resource allows credentials.

AllowOrigin specifies the origins that will be allowed to do CORS requests. “*” means allow any origin.

AllowMethods specifies the content for the access-control-allow-methods header.

AllowHeaders specifies the content for the access-control-allow-headers header.

ExposeHeaders Specifies the content for the access-control-expose-headers header.

MaxAge indicates for how long the results of a preflight request can be cached. MaxAge durations are expressed in the Go Duration format. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. Only positive values are allowed while 0 disables the cache requiring a preflight OPTIONS check for all cross-origin requests.

required, the name of a secret in the current namespace.

required, the namespaces the authority to reference the the secret will be delegated to. If TargetNamespaces is nil or empty, the CertificateDelegation’ is ignored. If the TargetNamespace list contains the character, “*” the secret will be delegated to all namespaces.

(Members of Condition are embedded into this type.)

Errors contains a slice of relevant error subconditions for this object.

Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. An empty slice here indicates no errors.

Warnings contains a slice of relevant warning subconditions for this object.

Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. An empty slice here indicates no warnings.

Name of a Kubernetes secret that contains a CA certificate bundle. The client certificate must validate against the certificates in the bundle.

API version of the referent. If this field is not specified, the default “projectcontour.io/v1alpha1” will be used

Namespace of the referent. If this field is not specifies, the namespace of the resource that targets the referent will be used.

More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

Name of the referent.

More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

Key defines the key of the descriptor entry. If not set, the key is set to “generic_key”.

Value defines the value of the descriptor entry.

Descriptors defines the list of descriptors that will be generated and sent to the rate limit service. Each descriptor contains 1+ key-value pair entries.

HTTP endpoint used to perform health checks on upstream service

The value of the host header in the HTTP health check request. If left empty (default value), the name “contour-envoy-healthcheck” will be used.

The interval (seconds) between health checks

The time to wait (seconds) for a health check response

The number of unhealthy health checks required before a host is marked unhealthy

The number of healthy health checks required before a host is marked healthy

Virtualhost appears at most once. If it is present, the object is considered to be a “root” HTTPProxy.

Routes are the ingress routes. If TCPProxy is present, Routes is ignored.

TCPProxy holds TCP proxy information.

Includes allow for specific routing configuration to be included from another HTTPProxy, possibly in another namespace.

LoadBalancer contains the current status of the load balancer.

Conditions contains information about the current status of the HTTPProxy, in an upstream-friendly container.

Contour will update a single condition, Valid, that is in normal-true polarity. That is, when currentStatus is valid, the Valid condition will be status: true, and vice versa.

Contour will leave untouched any other Conditions set in this block, in case some other controller wants to add a Condition.

If you are another controller owner and wish to add a condition, you should namespace your condition with a label, like controller.domain.com/ConditionName.

HeaderName is the name of the HTTP request header that will be used to calculate the hash key. If the header specified is not present on a request, no hash will be produced.

Name is the name of the header to match against. Name is required. Header names are case insensitive.

Present specifies that condition is true when the named header is present, regardless of its value. Note that setting Present to false does not make the condition true if the named header is absent.

Contains specifies a substring that must be present in the header value.

NotContains specifies a substring that must not be present in the header value.

Exact specifies a string that the header value must be equal to.

NoExact specifies a string that the header value must not be equal to. The condition is true if the header has any other value.

Name represents a key of a header

Value represents the value of a header specified by a key

Set specifies a list of HTTP header values that will be set in the HTTP header. If the header does not exist it will be added, otherwise it will be overwritten with the new value.

Remove specifies a list of HTTP header names to remove.

Name of the HTTPProxy

Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied.

Conditions are a set of rules that are applied to included HTTPProxies. In effect, they are added onto the Conditions of included HTTPProxy Route structs. When applied, they are merged using AND, with one exception: There can be only one Prefix MatchCondition per Conditions slice. More than one Prefix, or contradictory Conditions, will make the include invalid.

Strategy specifies the policy used to balance requests across the pool of backend pods. Valid policy names are Random, RoundRobin, WeightedLeastRequest, Cookie, and RequestHash. If an unknown strategy name is specified or no policy is supplied, the default RoundRobin policy is used.

RequestHashPolicies contains a list of hash policies to apply when the RequestHash load balancing strategy is chosen. If an element of the supplied list of hash policies is invalid, it will be ignored. If the list of hash policies is empty after validation, the load balancing strategy will fall back to the default RoundRobin.

Requests defines how many requests per unit of time should be allowed before rate limiting occurs.

Unit defines the period of time within which requests over the limit will be rate limited. Valid values are “second”, “minute” and “hour”.

Burst defines the number of requests above the requests per unit that should be allowed within a short period of time.

ResponseStatusCode is the HTTP status code to use for responses to rate-limited requests. Codes must be in the 400-599 range (inclusive). If not specified, the Envoy default of 429 (Too Many Requests) is used.

ResponseHeadersToAdd is an optional list of response headers to set when a request is rate-limited.

Prefix defines a prefix match for a request.

Header specifies the header condition to match.

ReplacePrefix describes how the path prefix should be replaced.

Entries is the list of key-value pair generators.

GenericKey defines a descriptor entry with a static key and value.

RequestHeader defines a descriptor entry that’s populated only if a given header is present on the request. The descriptor key is static, and the descriptor value is equal to the value of the header.

RemoteAddress defines a descriptor entry with a key of “remote_address” and a value equal to the client’s IP address (from x-forwarded-for).

Local defines local rate limiting parameters, i.e. parameters for rate limiting that occurs within each Envoy pod as requests are handled.

Global defines global rate limiting parameters, i.e. parameters defining descriptors that are sent to an external rate limit service (RLS) for a rate limit decision on each request.

Prefix specifies the URL path prefix to be replaced.

If Prefix is specified, it must exactly match the MatchCondition prefix that is rendered by the chain of including HTTPProxies and only that path prefix will be replaced by Replacement. This allows HTTPProxies that are included through multiple roots to only replace specific path prefixes, leaving others unmodified.

If Prefix is not specified, all routing prefixes rendered by the include chain will be replaced.

Replacement is the string that the routing path prefix will be replaced with. This must not be empty.

Terminal is a flag that allows for short-circuiting computing of a hash for a given request. If set to true, and the request attribute specified in the attribute hash options is present, no further hash policies will be used to calculate a hash for the request.

HeaderHashOptions should be set when request header hash based load balancing is desired. It must be the only hash option field set, otherwise this request hash policy object will be ignored.

HeaderName defines the name of the header to look for on the request.

DescriptorKey defines the key to use on the descriptor entry.

NumRetries is maximum allowed number of retries. If not supplied, the number of retries is one.

PerTryTimeout specifies the timeout per retry attempt. Ignored if NumRetries is not supplied.

RetryOn specifies the conditions on which to retry a request.

Supported HTTP conditions:

• 5xx
• gateway-error
• reset
• connect-failure
• retriable-4xx
• refused-stream
• retriable-status-codes
• retriable-headers

Supported gRPC conditions:

• cancelled
• deadline-exceeded
• internal
• resource-exhausted
• unavailable

RetriableStatusCodes specifies the HTTP status codes that should be retried.

This field is only respected when you include retriable-status-codes in the RetryOn field.

Conditions are a set of rules that are applied to a Route. When applied, they are merged using AND, with one exception: There can be only one Prefix MatchCondition per Conditions slice. More than one Prefix, or contradictory Conditions, will make the route invalid.

Services are the services to proxy traffic.

Enables websocket support for the route.

Allow this path to respond to insecure requests over HTTP which are normally not permitted when a virtualhost.tls block is present.

AuthPolicy updates the authorization policy that was set on the root HTTPProxy object for client requests that match this route.

The timeout policy for this route.

The retry policy for this route.

The health check policy for this route.

The load balancing policy for this route.

The policy for rewriting the path of the request URL after the request has been routed to a Service.

The policy for managing request headers during proxying.

The policy for managing response headers during proxying. Rewriting the ‘Host’ header is not supported.

The policy for rate limiting on the route.

Name is the name of Kubernetes service to proxy traffic. Names defined here will be used to look up corresponding endpoints which contain the ips to route.

Port (defined as Integer) to proxy traffic to since a service can have multiple defined.

Protocol may be used to specify (or override) the protocol used to reach this Service. Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations.

Weight defines percentage of traffic to balance traffic

UpstreamValidation defines how to verify the backend service’s certificate

If Mirror is true the Service will receive a read only mirror of the traffic for this route.

The policy for managing request headers during proxying. Rewriting the ‘Host’ header is not supported.

The policy for managing response headers during proxying. Rewriting the ‘Host’ header is not supported.

Type of condition in CamelCase or in foo.example.com/CamelCase.

This must be in abnormal-true polarity, that is, ErrorFound or controller.io/ErrorFound.

The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)

Status of the condition, one of True, False, Unknown.

Reason contains a programmatic identifier indicating the reason for the condition’s last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API.

The value should be a CamelCase string.

This field may not be empty.

Message is a human readable message indicating details about the transition.

This may be an empty string.

The interval (seconds) between health checks

The time to wait (seconds) for a health check response

The number of unhealthy health checks required before a host is marked unhealthy

The number of healthy health checks required before a host is marked healthy

The load balancing policy for the backend services. Note that the Cookie and RequestHash load balancing strategies cannot be used here.

Services are the services to proxy traffic

Include specifies that this tcpproxy should be delegated to another HTTPProxy.

IncludesDeprecated allow for specific routing configuration to be appended to another HTTPProxy in another namespace.

Exists due to a mistake when developing HTTPProxy and the field was marked plural when it should have been singular. This field should stay to not break backwards compatibility to v1 users.

The health check policy for this tcp proxy

Name of the child HTTPProxy

Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied.

SecretName is the name of a TLS secret in the current namespace. Either SecretName or Passthrough must be specified, but not both. If specified, the named secret must contain a matching certificate for the virtual host’s FQDN.

MinimumProtocolVersion is the minimum TLS version this vhost should negotiate. Valid options are 1.2 (default) and 1.3. Any other value defaults to TLS 1.2.

Passthrough defines whether the encrypted TLS handshake will be passed through to the backing cluster. Either Passthrough or SecretName must be specified, but not both.

ClientValidation defines how to verify the client certificate when an external client establishes a TLS connection to Envoy.

This setting:

1. Enables TLS client certificate validation.
2. Requires clients to present a TLS certificate (i.e. not optional validation).
3. Specifies how the client certificate will be validated.

EnableFallbackCertificate defines if the vhost should allow a default certificate to be applied which handles all requests which don’t match the SNI defined in this vhost.

Conditions contains information about the current status of the HTTPProxy, in an upstream-friendly container.

Contour will update a single condition, Valid, that is in normal-true polarity. That is, when currentStatus is valid, the Valid condition will be status: true, and vice versa.

Contour will leave untouched any other Conditions set in this block, in case some other controller wants to add a Condition.

If you are another controller owner and wish to add a condition, you should namespace your condition with a label, like controller.domain.com\ConditionName.

Timeout for receiving a response from the server after processing a request from client. If not supplied, Envoy’s default value of 15s applies.

Timeout after which, if there are no active requests for this route, the connection between Envoy and the backend or Envoy and the external client will be closed. If not specified, there is no per-route idle timeout, though a connection manager-wide stream_idle_timeout default of 5m still applies.

Name of the Kubernetes secret be used to validate the certificate presented by the backend

Key which is expected to be present in the ‘subjectAltName’ of the presented certificate

The fully qualified domain name of the root of the ingress tree all leaves of the DAG rooted at this object relate to the fqdn.

If present the fields describes TLS properties of the virtual host. The SNI names that will be matched on are described in fqdn, the tls.secretName secret must contain a certificate that itself contains a name that matches the FQDN.

This field configures an extension service to perform authorization for this virtual host. Authorization can only be configured on virtual hosts that have TLS enabled. If the TLS configuration requires client certificate /validation, the client certificate is always included in the authentication check request.

Specifies the cross-origin policy to apply to the VirtualHost.

The policy for rate limiting on the virtual host.

Services specifies the set of Kubernetes Service resources that receive GRPC extension API requests. If no weights are specified for any of the entries in this array, traffic will be spread evenly across all the services. Otherwise, traffic is balanced proportionally to the Weight field in each entry.

UpstreamValidation defines how to verify the backend service’s certificate

Protocol may be used to specify (or override) the protocol used to reach this Service. Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations.

The policy for load balancing GRPC service requests. Note that the Cookie and RequestHash load balancing strategies cannot be used here.

The timeout policy for requests to the services.

This field sets the version of the GRPC protocol that Envoy uses to send requests to the extension service. Since Contour always uses the v3 Envoy API, this is currently fixed at “v3”. However, other protocol options will be available in future.

Conditions contains the current status of the ExtensionService resource.

Contour will update a single condition, Valid, that is in normal-true polarity.

Contour will not modify any other Conditions set in this block, in case some other controller wants to add a Condition.

Name is the name of Kubernetes service that will accept service traffic.

Port (defined as Integer) to proxy traffic to since a service can have multiple defined.

Weight defines proportion of traffic to balance to the Kubernetes Service.