Documentation
Introduction
Configuration
- HTTPProxy Fundamentals
- Virtual Hosts
- Inclusion and Delegation
- TLS Termination
- Upstream TLS
- Request Routing
- External Service Routing
- Request Rewriting
- CORS
- Websockets
- Upstream Health Checks
- Client Authorization
- TLS Delegation
- Rate Limiting
- Annotations Reference
- API Reference
Deployment
- Deployment Options
- Contour Configuration
- Upgrading Contour
- Enabling TLS between Envoy and Contour
- Redeploy Envoy
Guides
- AWS with NLB
- Cert-Manager
- External Authorization
- JSON logging
- Migrating to HTTPProxy
- Prometheus Metrics
- PROXY Protocol Support
- Resource Limits
Troubleshooting
- Envoy Administration Access
- Contour Debug Logging
- Envoy Debug Logging
- Visualize the Contour Graph
- Show Contour xDS Resources
- Profiling Contour
- Contour Operator
Resources
- Support Policy
- Compatibility Matrix
- Contour Deprecation Policy
- Release Process
- Frequently Asked Questions
- Tagging
Contribute
Contour API Reference
Packages:
projectcontour.io/v1
Package v1 holds the specification for the projectcontour.io Custom Resource Definitions (CRDs).
In building this CRD, we’ve inadvertently overloaded the word “Condition”, so we’ve tried to make this spec clear as to which types of condition are which.
MatchConditions
are used by Routes
and Includes
to specify rules to match requests against for either
routing or inclusion.
DetailedConditions
are used in the Status
of these objects to hold information about the relevant
state of the object and the world around it.
SubConditions
are used underneath DetailedConditions
to give more detail to errors or warnings.
HTTPProxy
HTTPProxy is an Ingress CRD specification.
Field | Description | ||||||||
---|---|---|---|---|---|---|---|---|---|
apiVersion string | projectcontour.io/v1 | ||||||||
kind string | HTTPProxy | ||||||||
metadata Kubernetes meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the
metadata field. | ||||||||
spec HTTPProxySpec |
| ||||||||
status HTTPProxyStatus | (Optional) Status is a container for computed information about the HTTPProxy. |
TLSCertificateDelegation
TLSCertificateDelegation is an TLS Certificate Delegation CRD specification. See design/tls-certificate-delegation.md for details.
Field | Description | ||
---|---|---|---|
apiVersion string | projectcontour.io/v1 | ||
kind string | TLSCertificateDelegation | ||
metadata Kubernetes meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the
metadata field. | ||
spec TLSCertificateDelegationSpec |
| ||
status TLSCertificateDelegationStatus | (Optional) |
AuthorizationPolicy
(Appears on: AuthorizationServer, Route)
AuthorizationPolicy modifies how client requests are authenticated.
Field | Description |
---|---|
disabled bool | (Optional) When true, this field disables client request authentication for the scope of the policy. |
context map[string]string | (Optional) Context is a set of key/value pairs that are sent to the authentication server in the check request. If a context is provided at an enclosing scope, the entries are merged such that the inner scope overrides matching keys from the outer scope. |
AuthorizationServer
(Appears on: VirtualHost)
AuthorizationServer configures an external server to authenticate client requests. The external server must implement the v3 Envoy external authorization GRPC protocol (https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto).
Field | Description |
---|---|
extensionRef ExtensionServiceReference | ExtensionServiceRef specifies the extension resource that will authorize client requests. |
authPolicy AuthorizationPolicy | (Optional) AuthPolicy sets a default authorization policy for client requests. This policy will be used unless overridden by individual routes. |
responseTimeout string | (Optional) ResponseTimeout configures maximum time to wait for a check response from the authorization server. Timeout durations are expressed in the Go Duration format. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. The string “infinity” is also a valid input and specifies no timeout. |
failOpen bool | (Optional) If FailOpen is true, the client request is forwarded to the upstream service even if the authorization server fails to respond. This field should not be set in most cases. It is intended for use only while migrating applications from internal authorization to Contour external authorization. |
CORSHeaderValue
(string
alias)
(Appears on: CORSPolicy)
CORSHeaderValue specifies the value of the string headers returned by a cross-domain request.
CORSPolicy
(Appears on: VirtualHost)
CORSPolicy allows setting the CORS policy
Field | Description |
---|---|
allowCredentials bool | (Optional) Specifies whether the resource allows credentials. |
allowOrigin []string | AllowOrigin specifies the origins that will be allowed to do CORS requests. “*” means allow any origin. |
allowMethods []CORSHeaderValue | AllowMethods specifies the content for the access-control-allow-methods header. |
allowHeaders []CORSHeaderValue | (Optional) AllowHeaders specifies the content for the access-control-allow-headers header. |
exposeHeaders []CORSHeaderValue | (Optional) ExposeHeaders Specifies the content for the access-control-expose-headers header. |
maxAge string | (Optional) MaxAge indicates for how long the results of a preflight request can be cached. MaxAge durations are expressed in the Go Duration format. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. Only positive values are allowed while 0 disables the cache requiring a preflight OPTIONS check for all cross-origin requests. |
CertificateDelegation
(Appears on: TLSCertificateDelegationSpec)
CertificateDelegation maps the authority to reference a secret in the current namespace to a set of namespaces.
Field | Description |
---|---|
secretName string | required, the name of a secret in the current namespace. |
targetNamespaces []string | required, the namespaces the authority to reference the the secret will be delegated to. If TargetNamespaces is nil or empty, the CertificateDelegation’ is ignored. If the TargetNamespace list contains the character, “*” the secret will be delegated to all namespaces. |
DetailedCondition
(Appears on: HTTPProxyStatus, TLSCertificateDelegationStatus, ExtensionServiceStatus)
DetailedCondition is an extension of the normal Kubernetes conditions, with two extra fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) of the condition.
errors
holds information about sub-conditions which are fatal to that condition and render its state False.
warnings
holds information about sub-conditions which are not fatal to that condition and do not force the state to be False.
Remember that Conditions have a type, a status, and a reason.
The type is the type of the condition, the most important one in this CRD set is Valid
.
Valid
is a positive-polarity condition: when it is status: true
there are no problems.
In more detail, status: true
means that the object is has been ingested into Contour with no errors.
warnings
may still be present, and will be indicated in the Reason field. There must be zero entries in the errors
slice in this case.
Valid
, status: false
means that the object has had one or more fatal errors during processing into Contour.
The details of the errors will be present under the errors
field. There must be at least one error in the errors
slice if status
is false
.
For DetailedConditions of types other than Valid
, the Condition must be in the negative polarity.
When they have status
true
, there is an error. There must be at least one entry in the errors
Subcondition slice.
When they have status
false
, there are no serious errors, and there must be zero entries in the errors
slice.
In either case, there may be entries in the warnings
slice.
Regardless of the polarity, the reason
and message
fields must be updated with either the detail of the reason
(if there is one and only one entry in total across both the errors
and warnings
slices), or
MultipleReasons
if there is more than one entry.
Field | Description |
---|---|
Condition Kubernetes meta/v1.Condition | (Members of |
errors []SubCondition | (Optional) Errors contains a slice of relevant error subconditions for this object. Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. An empty slice here indicates no errors. |
warnings []SubCondition | (Optional) Warnings contains a slice of relevant warning subconditions for this object. Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. An empty slice here indicates no warnings. |
DownstreamValidation
(Appears on: TLS)
DownstreamValidation defines how to verify the client certificate.
Field | Description |
---|---|
caSecret string | (Optional) Name of a Kubernetes secret that contains a CA certificate bundle. The client certificate must validate against the certificates in the bundle. |
skipClientCertValidation bool | (Optional) SkipClientCertValidation disables downstream client certificate validation. Defaults to false. This field is intended to be used in conjunction with external authorization in order to enable the external authorization server to validate client certificates. When this field is set to true, client certificates are requested but not verified by Envoy. If external authorization is in use, they are presented to the external authorization server. |
ExtensionServiceReference
(Appears on: AuthorizationServer)
ExtensionServiceReference names an ExtensionService resource.
Field | Description |
---|---|
apiVersion string | (Optional) API version of the referent. If this field is not specified, the default “projectcontour.io/v1alpha1” will be used |
namespace string | (Optional) Namespace of the referent. If this field is not specifies, the namespace of the resource that targets the referent will be used. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
name string | Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
GenericKeyDescriptor
(Appears on: RateLimitDescriptorEntry)
GenericKeyDescriptor defines a descriptor entry with a static key and value.
Field | Description |
---|---|
key string | (Optional) Key defines the key of the descriptor entry. If not set, the key is set to “generic_key”. |
value string | Value defines the value of the descriptor entry. |
GlobalRateLimitPolicy
(Appears on: RateLimitPolicy)
GlobalRateLimitPolicy defines global rate limiting parameters.
Field | Description |
---|---|
descriptors []RateLimitDescriptor | Descriptors defines the list of descriptors that will be generated and sent to the rate limit service. Each descriptor contains 1+ key-value pair entries. |
HTTPHealthCheckPolicy
(Appears on: Route)
HTTPHealthCheckPolicy defines health checks on the upstream service.
Field | Description |
---|---|
path string | HTTP endpoint used to perform health checks on upstream service |
host string | The value of the host header in the HTTP health check request. If left empty (default value), the name “contour-envoy-healthcheck” will be used. |
intervalSeconds int64 | (Optional) The interval (seconds) between health checks |
timeoutSeconds int64 | (Optional) The time to wait (seconds) for a health check response |
unhealthyThresholdCount int64 | (Optional) The number of unhealthy health checks required before a host is marked unhealthy |
healthyThresholdCount int64 | (Optional) The number of healthy health checks required before a host is marked healthy |
HTTPProxySpec
(Appears on: HTTPProxy)
HTTPProxySpec defines the spec of the CRD.
Field | Description |
---|---|
virtualhost VirtualHost | (Optional) Virtualhost appears at most once. If it is present, the object is considered to be a “root” HTTPProxy. |
routes []Route | (Optional) Routes are the ingress routes. If TCPProxy is present, Routes is ignored. |
tcpproxy TCPProxy | (Optional) TCPProxy holds TCP proxy information. |
includes []Include | (Optional) Includes allow for specific routing configuration to be included from another HTTPProxy, possibly in another namespace. |
HTTPProxyStatus
(Appears on: HTTPProxy)
HTTPProxyStatus reports the current state of the HTTPProxy.
Field | Description |
---|---|
currentStatus string | (Optional) |
description string | (Optional) |
loadBalancer Kubernetes core/v1.LoadBalancerStatus | (Optional) LoadBalancer contains the current status of the load balancer. |
conditions []DetailedCondition | (Optional) Conditions contains information about the current status of the HTTPProxy, in an upstream-friendly container. Contour will update a single condition, Contour will leave untouched any other Conditions set in this block, in case some other controller wants to add a Condition. If you are another controller owner and wish to add a condition, you should
namespace your condition with a label, like |
HeaderHashOptions
(Appears on: RequestHashPolicy)
HeaderHashOptions contains options to configure a HTTP request header hash policy, used in request attribute hash based load balancing.
Field | Description |
---|---|
headerName string | HeaderName is the name of the HTTP request header that will be used to calculate the hash key. If the header specified is not present on a request, no hash will be produced. |
HeaderMatchCondition
(Appears on: MatchCondition, RequestHeaderValueMatchDescriptor)
HeaderMatchCondition specifies how to conditionally match against HTTP headers. The Name field is required, but only one of the remaining fields should be be provided.
Field | Description |
---|---|
name string | Name is the name of the header to match against. Name is required. Header names are case insensitive. |
present bool | (Optional) Present specifies that condition is true when the named header is present, regardless of its value. Note that setting Present to false does not make the condition true if the named header is absent. |
notpresent bool | (Optional) NotPresent specifies that condition is true when the named header is not present. Note that setting NotPresent to false does not make the condition true if the named header is present. |
contains string | (Optional) Contains specifies a substring that must be present in the header value. |
notcontains string | (Optional) NotContains specifies a substring that must not be present in the header value. |
exact string | (Optional) Exact specifies a string that the header value must be equal to. |
notexact string | (Optional) NoExact specifies a string that the header value must not be equal to. The condition is true if the header has any other value. |
HeaderValue
(Appears on: HeadersPolicy, LocalRateLimitPolicy)
HeaderValue represents a header name/value pair
Field | Description |
---|---|
name string | Name represents a key of a header |
value string | Value represents the value of a header specified by a key |
HeadersPolicy
HeadersPolicy defines how headers are managed during forwarding.
The Host
header is treated specially and if set in a HTTP response
will be used as the SNI server name when forwarding over TLS. It is an
error to attempt to set the Host
header in a HTTP response.
Field | Description |
---|---|
set []HeaderValue | (Optional) Set specifies a list of HTTP header values that will be set in the HTTP header. If the header does not exist it will be added, otherwise it will be overwritten with the new value. |
remove []string | (Optional) Remove specifies a list of HTTP header names to remove. |
Include
(Appears on: HTTPProxySpec)
Include describes a set of policies that can be applied to an HTTPProxy in a namespace.
Field | Description |
---|---|
name string | Name of the HTTPProxy |
namespace string | (Optional) Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied. |
conditions []MatchCondition | (Optional) Conditions are a set of rules that are applied to included HTTPProxies. In effect, they are added onto the Conditions of included HTTPProxy Route structs. When applied, they are merged using AND, with one exception: There can be only one Prefix MatchCondition per Conditions slice. More than one Prefix, or contradictory Conditions, will make the include invalid. |
LoadBalancerPolicy
(Appears on: Route, TCPProxy, ExtensionServiceSpec)
LoadBalancerPolicy defines the load balancing policy.
Field | Description |
---|---|
strategy string | Strategy specifies the policy used to balance requests
across the pool of backend pods. Valid policy names are
|
requestHashPolicies []RequestHashPolicy | RequestHashPolicies contains a list of hash policies to apply when the
|
LocalRateLimitPolicy
(Appears on: RateLimitPolicy)
LocalRateLimitPolicy defines local rate limiting parameters.
Field | Description |
---|---|
requests uint32 | Requests defines how many requests per unit of time should be allowed before rate limiting occurs. |
unit string | Unit defines the period of time within which requests over the limit will be rate limited. Valid values are “second”, “minute” and “hour”. |
burst uint32 | (Optional) Burst defines the number of requests above the requests per unit that should be allowed within a short period of time. |
responseStatusCode uint32 | (Optional) ResponseStatusCode is the HTTP status code to use for responses to rate-limited requests. Codes must be in the 400-599 range (inclusive). If not specified, the Envoy default of 429 (Too Many Requests) is used. |
responseHeadersToAdd []HeaderValue | (Optional) ResponseHeadersToAdd is an optional list of response headers to set when a request is rate-limited. |
MatchCondition
MatchCondition are a general holder for matching rules for HTTPProxies. One of Prefix or Header must be provided.
Field | Description |
---|---|
prefix string | (Optional) Prefix defines a prefix match for a request. |
header HeaderMatchCondition | (Optional) Header specifies the header condition to match. |
PathRewritePolicy
(Appears on: Route)
PathRewritePolicy specifies how a request URL path should be rewritten. This rewriting takes place after a request is routed and has no subsequent effects on the proxy’s routing decision. No HTTP headers or body content is rewritten.
Exactly one field in this struct may be specified.
Field | Description |
---|---|
replacePrefix []ReplacePrefix | (Optional) ReplacePrefix describes how the path prefix should be replaced. |
RateLimitDescriptor
(Appears on: GlobalRateLimitPolicy)
RateLimitDescriptor defines a list of key-value pair generators.
Field | Description |
---|---|
entries []RateLimitDescriptorEntry | Entries is the list of key-value pair generators. |
RateLimitDescriptorEntry
(Appears on: RateLimitDescriptor)
RateLimitDescriptorEntry is a key-value pair generator. Exactly one field on this struct must be non-nil.
Field | Description |
---|---|
genericKey GenericKeyDescriptor | (Optional) GenericKey defines a descriptor entry with a static key and value. |
requestHeader RequestHeaderDescriptor | (Optional) RequestHeader defines a descriptor entry that’s populated only if a given header is present on the request. The descriptor key is static, and the descriptor value is equal to the value of the header. |
requestHeaderValueMatch RequestHeaderValueMatchDescriptor | (Optional) RequestHeaderValueMatch defines a descriptor entry that’s populated if the request’s headers match a set of 1+ match criteria. The descriptor key is “header_match”, and the descriptor value is static. |
remoteAddress RemoteAddressDescriptor | (Optional) RemoteAddress defines a descriptor entry with a key of “remote_address” and a value equal to the client’s IP address (from x-forwarded-for). |
RateLimitPolicy
(Appears on: Route, VirtualHost)
RateLimitPolicy defines rate limiting parameters.
Field | Description |
---|---|
local LocalRateLimitPolicy | (Optional) Local defines local rate limiting parameters, i.e. parameters for rate limiting that occurs within each Envoy pod as requests are handled. |
global GlobalRateLimitPolicy | (Optional) Global defines global rate limiting parameters, i.e. parameters defining descriptors that are sent to an external rate limit service (RLS) for a rate limit decision on each request. |
RemoteAddressDescriptor
(Appears on: RateLimitDescriptorEntry)
RemoteAddressDescriptor defines a descriptor entry with a key of “remote_address” and a value equal to the client’s IP address (from x-forwarded-for).
ReplacePrefix
(Appears on: PathRewritePolicy)
ReplacePrefix describes a path prefix replacement.
Field | Description |
---|---|
prefix string | (Optional) Prefix specifies the URL path prefix to be replaced. If Prefix is specified, it must exactly match the MatchCondition prefix that is rendered by the chain of including HTTPProxies and only that path prefix will be replaced by Replacement. This allows HTTPProxies that are included through multiple roots to only replace specific path prefixes, leaving others unmodified. If Prefix is not specified, all routing prefixes rendered by the include chain will be replaced. |
replacement string | Replacement is the string that the routing path prefix will be replaced with. This must not be empty. |
RequestHashPolicy
(Appears on: LoadBalancerPolicy)
RequestHashPolicy contains configuration for an individual hash policy on a request attribute.
Field | Description |
---|---|
terminal bool | Terminal is a flag that allows for short-circuiting computing of a hash for a given request. If set to true, and the request attribute specified in the attribute hash options is present, no further hash policies will be used to calculate a hash for the request. |
headerHashOptions HeaderHashOptions | HeaderHashOptions should be set when request header hash based load balancing is desired. It must be the only hash option field set, otherwise this request hash policy object will be ignored. |
RequestHeaderDescriptor
(Appears on: RateLimitDescriptorEntry)
RequestHeaderDescriptor defines a descriptor entry that’s populated only if a given header is present on the request. The value of the descriptor entry is equal to the value of the header (if present).
Field | Description |
---|---|
headerName string | HeaderName defines the name of the header to look for on the request. |
descriptorKey string | DescriptorKey defines the key to use on the descriptor entry. |
RequestHeaderValueMatchDescriptor
(Appears on: RateLimitDescriptorEntry)
RequestHeaderValueMatchDescriptor defines a descriptor entry that’s populated if the request’s headers match a set of 1+ match criteria. The descriptor key is “header_match”, and the descriptor value is statically defined.
Field | Description |
---|---|
headers []HeaderMatchCondition | Headers is a list of 1+ match criteria to apply against the request to determine whether to populate the descriptor entry or not. |
expectMatch bool | ExpectMatch defines whether the request must positively match the match criteria in order to generate a descriptor entry (i.e. true), or not match the match criteria in order to generate a descriptor entry (i.e. false). The default is true. |
value string | Value defines the value of the descriptor entry. |
RetryOn
(string
alias)
(Appears on: RetryPolicy)
RetryOn is a string type alias with validation to ensure that the value is valid.
RetryPolicy
(Appears on: Route)
RetryPolicy defines the attributes associated with retrying policy.
Field | Description |
---|---|
count int64 | (Optional) NumRetries is maximum allowed number of retries. If not supplied, the number of retries is one. |
perTryTimeout string | (Optional) PerTryTimeout specifies the timeout per retry attempt. Ignored if NumRetries is not supplied. |
retryOn []RetryOn | (Optional) RetryOn specifies the conditions on which to retry a request. Supported HTTP conditions:
Supported gRPC conditions:
|
retriableStatusCodes []uint32 | (Optional) RetriableStatusCodes specifies the HTTP status codes that should be retried. This field is only respected when you include |
Route
(Appears on: HTTPProxySpec)
Route contains the set of routes for a virtual host.
Field | Description |
---|---|
conditions []MatchCondition | (Optional) Conditions are a set of rules that are applied to a Route. When applied, they are merged using AND, with one exception: There can be only one Prefix MatchCondition per Conditions slice. More than one Prefix, or contradictory Conditions, will make the route invalid. |
services []Service | Services are the services to proxy traffic. |
enableWebsockets bool | (Optional) Enables websocket support for the route. |
permitInsecure bool | (Optional) Allow this path to respond to insecure requests over HTTP which are normally
not permitted when a |
authPolicy AuthorizationPolicy | (Optional) AuthPolicy updates the authorization policy that was set on the root HTTPProxy object for client requests that match this route. |
timeoutPolicy TimeoutPolicy | (Optional) The timeout policy for this route. |
retryPolicy RetryPolicy | (Optional) The retry policy for this route. |
healthCheckPolicy HTTPHealthCheckPolicy | (Optional) The health check policy for this route. |
loadBalancerPolicy LoadBalancerPolicy | (Optional) The load balancing policy for this route. |
pathRewritePolicy PathRewritePolicy | (Optional) The policy for rewriting the path of the request URL after the request has been routed to a Service. |
requestHeadersPolicy HeadersPolicy | (Optional) The policy for managing request headers during proxying. |
responseHeadersPolicy HeadersPolicy | (Optional) The policy for managing response headers during proxying. Rewriting the ‘Host’ header is not supported. |
rateLimitPolicy RateLimitPolicy | (Optional) The policy for rate limiting on the route. |
Service
Service defines an Kubernetes Service to proxy traffic.
Field | Description |
---|---|
name string | Name is the name of Kubernetes service to proxy traffic. Names defined here will be used to look up corresponding endpoints which contain the ips to route. |
port int | Port (defined as Integer) to proxy traffic to since a service can have multiple defined. |
protocol string | (Optional) Protocol may be used to specify (or override) the protocol used to reach this Service. Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations. |
weight int64 | (Optional) Weight defines percentage of traffic to balance traffic |
validation UpstreamValidation | (Optional) UpstreamValidation defines how to verify the backend service’s certificate |
mirror bool | If Mirror is true the Service will receive a read only mirror of the traffic for this route. |
requestHeadersPolicy HeadersPolicy | (Optional) The policy for managing request headers during proxying. Rewriting the ‘Host’ header is not supported. |
responseHeadersPolicy HeadersPolicy | (Optional) The policy for managing response headers during proxying. Rewriting the ‘Host’ header is not supported. |
SubCondition
(Appears on: DetailedCondition)
SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
It contains a subset of the Condition fields.
It is intended for warnings and errors, so type
names should use abnormal-true polarity,
that is, they should be of the form “ErrorPresent: true”.
The expected lifecycle for these errors is that they should only be present when the error or warning is, and should be removed when they are not relevant.
Field | Description |
---|---|
type string | Type of condition in This must be in abnormal-true polarity, that is, The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) |
status Kubernetes meta/v1.ConditionStatus | Status of the condition, one of True, False, Unknown. |
reason string | Reason contains a programmatic identifier indicating the reason for the condition’s last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. |
message string | Message is a human readable message indicating details about the transition. This may be an empty string. |
TCPHealthCheckPolicy
(Appears on: TCPProxy)
TCPHealthCheckPolicy defines health checks on the upstream service.
Field | Description |
---|---|
intervalSeconds int64 | (Optional) The interval (seconds) between health checks |
timeoutSeconds int64 | (Optional) The time to wait (seconds) for a health check response |
unhealthyThresholdCount uint32 | (Optional) The number of unhealthy health checks required before a host is marked unhealthy |
healthyThresholdCount uint32 | (Optional) The number of healthy health checks required before a host is marked healthy |
TCPProxy
(Appears on: HTTPProxySpec)
TCPProxy contains the set of services to proxy TCP connections.
Field | Description |
---|---|
loadBalancerPolicy LoadBalancerPolicy | (Optional) The load balancing policy for the backend services. Note that the
|
services []Service | (Optional) Services are the services to proxy traffic |
include TCPProxyInclude | (Optional) Include specifies that this tcpproxy should be delegated to another HTTPProxy. |
includes TCPProxyInclude | (Optional) IncludesDeprecated allow for specific routing configuration to be appended to another HTTPProxy in another namespace. Exists due to a mistake when developing HTTPProxy and the field was marked plural when it should have been singular. This field should stay to not break backwards compatibility to v1 users. |
healthCheckPolicy TCPHealthCheckPolicy | (Optional) The health check policy for this tcp proxy |
TCPProxyInclude
(Appears on: TCPProxy)
TCPProxyInclude describes a target HTTPProxy document which contains the TCPProxy details.
Field | Description |
---|---|
name string | Name of the child HTTPProxy |
namespace string | (Optional) Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied. |
TLS
(Appears on: VirtualHost)
TLS describes tls properties. The SNI names that will be matched on are described in the HTTPProxy’s Spec.VirtualHost.Fqdn field.
Field | Description |
---|---|
secretName string | SecretName is the name of a TLS secret in the current namespace. Either SecretName or Passthrough must be specified, but not both. If specified, the named secret must contain a matching certificate for the virtual host’s FQDN. |
minimumProtocolVersion string | (Optional) MinimumProtocolVersion is the minimum TLS version this vhost should
negotiate. Valid options are |
passthrough bool | (Optional) Passthrough defines whether the encrypted TLS handshake will be passed through to the backing cluster. Either Passthrough or SecretName must be specified, but not both. |
clientValidation DownstreamValidation | (Optional) ClientValidation defines how to verify the client certificate when an external client establishes a TLS connection to Envoy. This setting:
Note: Setting client certificate validation to be skipped should be only used in conjunction with an external authorization server that performs client validation as Contour will ensure client certificates are passed along. |
enableFallbackCertificate bool | EnableFallbackCertificate defines if the vhost should allow a default certificate to be applied which handles all requests which don’t match the SNI defined in this vhost. |
TLSCertificateDelegationSpec
(Appears on: TLSCertificateDelegation)
TLSCertificateDelegationSpec defines the spec of the CRD
Field | Description |
---|---|
delegations []CertificateDelegation |
TLSCertificateDelegationStatus
(Appears on: TLSCertificateDelegation)
TLSCertificateDelegationStatus allows for the status of the delegation to be presented to the user.
Field | Description |
---|---|
conditions []DetailedCondition | (Optional) Conditions contains information about the current status of the HTTPProxy, in an upstream-friendly container. Contour will update a single condition, Contour will leave untouched any other Conditions set in this block, in case some other controller wants to add a Condition. If you are another controller owner and wish to add a condition, you should
namespace your condition with a label, like |
TimeoutPolicy
(Appears on: Route, ExtensionServiceSpec)
TimeoutPolicy configures timeouts that are used for handling network requests.
TimeoutPolicy durations are expressed in the Go Duration format. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. The string “infinity” is also a valid input and specifies no timeout. A value of “0s” will be treated as if the field were not set, i.e. by using Envoy’s default behavior.
Example input values: “300ms”, “5s”, “1m”.
Field | Description |
---|---|
response string | (Optional) Timeout for receiving a response from the server after processing a request from client. If not supplied, Envoy’s default value of 15s applies. |
idle string | (Optional) Timeout after which, if there are no active requests for this route, the connection between Envoy and the backend or Envoy and the external client will be closed. If not specified, there is no per-route idle timeout, though a connection manager-wide stream_idle_timeout default of 5m still applies. |
UpstreamValidation
(Appears on: Service, ExtensionServiceSpec)
UpstreamValidation defines how to verify the backend service’s certificate
Field | Description |
---|---|
caSecret string | Name of the Kubernetes secret be used to validate the certificate presented by the backend |
subjectName string | Key which is expected to be present in the ‘subjectAltName’ of the presented certificate |
VirtualHost
(Appears on: HTTPProxySpec)
VirtualHost appears at most once. If it is present, the object is considered to be a “root”.
Field | Description |
---|---|
fqdn string | The fully qualified domain name of the root of the ingress tree all leaves of the DAG rooted at this object relate to the fqdn. |
tls TLS | (Optional) If present the fields describes TLS properties of the virtual host. The SNI names that will be matched on are described in fqdn, the tls.secretName secret must contain a certificate that itself contains a name that matches the FQDN. |
authorization AuthorizationServer | (Optional) This field configures an extension service to perform authorization for this virtual host. Authorization can only be configured on virtual hosts that have TLS enabled. If the TLS configuration requires client certificate validation, the client certificate is always included in the authentication check request. |
corsPolicy CORSPolicy | (Optional) Specifies the cross-origin policy to apply to the VirtualHost. |
rateLimitPolicy RateLimitPolicy | (Optional) The policy for rate limiting on the virtual host. |
projectcontour.io/v1alpha1
Package v1alpha1 contains API Schema definitions for the projectcontour.io v1alpha1 API group
Resource Types:ExtensionService
ExtensionService is the schema for the Contour extension services API. An ExtensionService resource binds a network service to the Contour API so that Contour API features can be implemented by collaborating components.
Field | Description | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
apiVersion string | projectcontour.io/v1alpha1 | ||||||||||||
kind string | ExtensionService | ||||||||||||
metadata Kubernetes meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the
metadata field. | ||||||||||||
spec ExtensionServiceSpec |
| ||||||||||||
status ExtensionServiceStatus |
ExtensionProtocolVersion
(string
alias)
(Appears on: ExtensionServiceSpec)
ExtensionProtocolVersion is the version of the GRPC protocol used to access extension services. The only version currently supported is “v3”.
ExtensionServiceSpec
(Appears on: ExtensionService)
ExtensionServiceSpec defines the desired state of an ExtensionService resource.
Field | Description |
---|---|
services []ExtensionServiceTarget | Services specifies the set of Kubernetes Service resources that receive GRPC extension API requests. If no weights are specified for any of the entries in this array, traffic will be spread evenly across all the services. Otherwise, traffic is balanced proportionally to the Weight field in each entry. |
validation UpstreamValidation | (Optional) UpstreamValidation defines how to verify the backend service’s certificate |
protocol string | (Optional) Protocol may be used to specify (or override) the protocol used to reach this Service. Values may be h2 or h2c. If omitted, protocol-selection falls back on Service annotations. |
loadBalancerPolicy LoadBalancerPolicy | (Optional) The policy for load balancing GRPC service requests. Note that the
|
timeoutPolicy TimeoutPolicy | (Optional) The timeout policy for requests to the services. |
protocolVersion ExtensionProtocolVersion | (Optional) This field sets the version of the GRPC protocol that Envoy uses to send requests to the extension service. Since Contour always uses the v3 Envoy API, this is currently fixed at “v3”. However, other protocol options will be available in future. |
ExtensionServiceStatus
(Appears on: ExtensionService)
ExtensionServiceStatus defines the observed state of an ExtensionService resource.
Field | Description |
---|---|
conditions []DetailedCondition | (Optional) Conditions contains the current status of the ExtensionService resource. Contour will update a single condition, Contour will not modify any other Conditions set in this block, in case some other controller wants to add a Condition. |
ExtensionServiceTarget
(Appears on: ExtensionServiceSpec)
ExtensionServiceTarget defines an Kubernetes Service to target with extension service traffic.
Field | Description |
---|---|
name string | Name is the name of Kubernetes service that will accept service traffic. |
port int | Port (defined as Integer) to proxy traffic to since a service can have multiple defined. |
weight uint32 | (Optional) Weight defines proportion of traffic to balance to the Kubernetes Service. |
Generated with gen-crd-api-reference-docs
.