diff --git a/charts/contour/config b/charts/contour/config
index 49e6fefa3..8d678bf3a 100644
--- a/charts/contour/config
+++ b/charts/contour/config
@@ -3,7 +3,7 @@ export DAOCLOUD_REPO_PROJECT=addon
export REPO_URL=https://charts.bitnami.com/bitnami
export REPO_NAME=contour
export CHART_NAME=contour
-export VERSION=12.1.1
+export VERSION=19.0.3
export UPGRADE_METHOD=pr
export UPGRADE_REVIWER=lou-lan
diff --git a/charts/contour/contour/Chart.yaml b/charts/contour/contour/Chart.yaml
index c8b94d0ba..933dea504 100644
--- a/charts/contour/contour/Chart.yaml
+++ b/charts/contour/contour/Chart.yaml
@@ -1,8 +1,15 @@
annotations:
category: Infrastructure
+ images: |
+ - name: contour
+ image: docker.io/bitnami/contour:1.30.0-debian-12-r5
+ - name: envoy
+ image: docker.io/bitnami/envoy:1.31.0-debian-12-r3
+ - name: nginx
+ image: docker.io/bitnami/nginx:1.27.1-debian-12-r3
licenses: Apache-2.0
apiVersion: v2
-appVersion: 1.25.0
+appVersion: 1.30.0
description: Contour is an open source Kubernetes ingress controller that works by deploying the Envoy proxy as a reverse proxy and load balancer.
home: https://bitnami.com
icon: https://bitnami.com/assets/stacks/contour/img/contour-stack-220x234.png
@@ -12,13 +19,13 @@ keywords:
- envoy
- contour
maintainers:
- - name: VMware, Inc.
+ - name: Broadcom, Inc. All Rights Reserved.
url: https://github.com/bitnami/charts
name: contour
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/contour
-version: 12.1.1
+version: 19.0.3
dependencies:
- name: contour
- version: "12.1.1"
+ version: "19.0.3"
repository: "https://charts.bitnami.com/bitnami"
diff --git a/charts/contour/contour/charts/contour/.helmignore b/charts/contour/contour/charts/contour/.helmignore
index 50af03172..d0e10845d 100644
--- a/charts/contour/contour/charts/contour/.helmignore
+++ b/charts/contour/contour/charts/contour/.helmignore
@@ -20,3 +20,7 @@
.idea/
*.tmproj
.vscode/
+# img folder
+img/
+# Changelog
+CHANGELOG.md
diff --git a/charts/contour/contour/charts/contour/Chart.lock b/charts/contour/contour/charts/contour/Chart.lock
index 964e9bba9..376e922a3 100644
--- a/charts/contour/contour/charts/contour/Chart.lock
+++ b/charts/contour/contour/charts/contour/Chart.lock
@@ -1,6 +1,6 @@
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
- version: 2.4.0
-digest: sha256:8c1a5dc923412d11d4d841420494b499cb707305c8b9f87f45ea1a8bf3172cb3
-generated: "2023-05-21T14:00:24.628000274Z"
+ version: 2.22.0
+digest: sha256:a8fb2fc887ead658a89598a48acde5324196fbc0509503a3eaed50a710fbfe74
+generated: "2024-09-05T22:23:54.376909996Z"
diff --git a/charts/contour/contour/charts/contour/Chart.yaml b/charts/contour/contour/charts/contour/Chart.yaml
index 6ae965fa9..aff083096 100644
--- a/charts/contour/contour/charts/contour/Chart.yaml
+++ b/charts/contour/contour/charts/contour/Chart.yaml
@@ -1,8 +1,15 @@
annotations:
category: Infrastructure
+ images: |
+ - name: contour
+ image: docker.io/bitnami/contour:1.30.0-debian-12-r5
+ - name: envoy
+ image: docker.io/bitnami/envoy:1.31.0-debian-12-r3
+ - name: nginx
+ image: docker.io/bitnami/nginx:1.27.1-debian-12-r3
licenses: Apache-2.0
apiVersion: v2
-appVersion: 1.25.0
+appVersion: 1.30.0
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
@@ -18,9 +25,9 @@ keywords:
- envoy
- contour
maintainers:
-- name: VMware, Inc.
+- name: Broadcom, Inc. All Rights Reserved.
url: https://github.com/bitnami/charts
name: contour
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/contour
-version: 12.1.1
+version: 19.0.3
diff --git a/charts/contour/contour/charts/contour/README.md b/charts/contour/contour/charts/contour/README.md
index 3640ec1cb..9b39cad82 100644
--- a/charts/contour/contour/charts/contour/README.md
+++ b/charts/contour/contour/charts/contour/README.md
@@ -1,6 +1,6 @@
-# Contour packaged by Bitnami
+# Bitnami package for Contour
Contour is an open source Kubernetes ingress controller that works by deploying the Envoy proxy as a reverse proxy and load balancer.
@@ -14,6 +14,8 @@ Trademarks: This software listing is packaged by Bitnami. The respective tradema
helm install my-release oci://registry-1.docker.io/bitnamicharts/contour
```
+Looking to use Contour in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog.
+
## Introduction
Bitnami charts for Helm are carefully engineered, actively maintained and are the quickest and easiest way to deploy containers on a Kubernetes cluster that are ready to handle production workloads.
@@ -24,8 +26,8 @@ Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment
## Prerequisites
-- Kubernetes 1.19+
-- Helm 3.2.0+
+- Kubernetes 1.23+
+- Helm 3.8.0+
- An Operator for `ServiceType: LoadBalancer` like [MetalLB](https://github.com/bitnami/charts/tree/main/bitnami/metallb)
## Installing the Chart
@@ -33,418 +35,24 @@ Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment
To install the chart with the release name `my-release`:
```console
-helm install my-release oci://registry-1.docker.io/bitnamicharts/contour
+helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/contour
```
+> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
+
These commands deploy contour on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list` or `helm ls --all-namespaces`
-## Uninstalling the Chart
-
-:warning: Uninstalling this chart will also remove CRDs. Removing CRDs will **remove all instances of it's Custom Resources**. If you wish to retain your Custom Resources for the future, run the following commands before uninstalling.
-
-```console
-kubectl get -o yaml extensionservice,httpproxy,tlscertificatedelegation -A > backup.yaml
-```
-
-To uninstall/delete the `my-release` helm release:
-
-```console
-helm uninstall my-release
-```
-
-## Parameters
-
-### Global parameters
-
-| Name | Description | Value |
-| ------------------------- | ----------------------------------------------- | ----- |
-| `global.imageRegistry` | Global Docker image registry | `""` |
-| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
-| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
-
-### Common parameters
-
-| Name | Description | Value |
-| ------------------------ | --------------------------------------------------------------------------------------- | ------- |
-| `nameOverride` | String to partially override contour.fullname include (will maintain the release name) | `""` |
-| `fullnameOverride` | String to fully override contour.fullname template | `""` |
-| `namespaceOverride` | String to fully override common.names.namespace | `""` |
-| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` |
-| `extraDeploy` | Array of extra objects to deploy with the release | `[]` |
-| `commonLabels` | Labels to add to all deployed objects | `{}` |
-| `commonAnnotations` | Annotations to add to all deployed objects | `{}` |
-| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` |
-| `diagnosticMode.command` | Command to override all containers in the deployment | `[]` |
-| `diagnosticMode.args` | Args to override all containers in the deployment | `[]` |
-
-### Contour parameters
-
-| Name | Description | Value |
-| ------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ---------------------- |
-| `existingConfigMap` | Specifies the name of an externally-defined ConfigMap to use as the configuration (this is mutually exclusive with `configInline`) | `""` |
-| `configInline` | Specifies Contour's configuration directly in YAML format | `{}` |
-| `contour.enabled` | Contour Deployment creation. | `true` |
-| `contour.image.registry` | Contour image registry | `docker.io` |
-| `contour.image.repository` | Contour image name | `bitnami/contour` |
-| `contour.image.tag` | Contour image tag | `1.25.0-debian-11-r13` |
-| `contour.image.digest` | Contour image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
-| `contour.image.pullPolicy` | Contour Image pull policy | `IfNotPresent` |
-| `contour.image.pullSecrets` | Contour Image pull secrets | `[]` |
-| `contour.image.debug` | Enable image debug mode | `false` |
-| `contour.replicaCount` | Number of Contour Pod replicas | `1` |
-| `contour.priorityClassName` | Priority class assigned to the pods | `""` |
-| `contour.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
-| `contour.terminationGracePeriodSeconds` | In seconds, time the given to the Contour pod needs to terminate gracefully | `""` |
-| `contour.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
-| `contour.containerPorts.xds` | Set xds port inside Contour pod | `8001` |
-| `contour.containerPorts.metrics` | Set metrics port inside Contour pod | `8000` |
-| `contour.hostAliases` | Add deployment host aliases | `[]` |
-| `contour.updateStrategy` | Strategy to use to update Pods | `{}` |
-| `contour.extraArgs` | Extra arguments passed to Contour container | `[]` |
-| `contour.resources.limits` | Specify resource limits which the container is not allowed to succeed. | `{}` |
-| `contour.resources.requests` | Specify resource requests which the container needs to spawn. | `{}` |
-| `contour.manageCRDs` | Manage the creation, upgrade and deletion of Contour CRDs. | `true` |
-| `contour.envoyServiceNamespace` | Namespace of the envoy service to inspect for Ingress status details. | `""` |
-| `contour.envoyServiceName` | Name of the envoy service to inspect for Ingress status details. | `""` |
-| `contour.leaderElectionResourceName` | Name of the contour (Lease) leader election will lease. | `""` |
-| `contour.ingressStatusAddress` | Address to set in Ingress object status. It is exclusive with `envoyServiceName` and `envoyServiceNamespace`. | `""` |
-| `contour.podAffinityPreset` | Contour Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `contour.podAntiAffinityPreset` | Contour Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
-| `contour.podLabels` | Extra labels for Contour pods | `{}` |
-| `contour.lifecycleHooks` | lifecycleHooks for the container to automate configuration before or after startup. | `{}` |
-| `contour.customLivenessProbe` | Override default liveness probe | `{}` |
-| `contour.customReadinessProbe` | Override default readiness probe | `{}` |
-| `contour.customStartupProbe` | Override default startup probe | `{}` |
-| `contour.nodeAffinityPreset.type` | Contour Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `contour.nodeAffinityPreset.key` | Contour Node label key to match Ignored if `affinity` is set. | `""` |
-| `contour.nodeAffinityPreset.values` | Contour Node label values to match. Ignored if `affinity` is set. | `[]` |
-| `contour.command` | Override default command | `[]` |
-| `contour.args` | Override default args | `[]` |
-| `contour.affinity` | Affinity for Contour pod assignment | `{}` |
-| `contour.nodeSelector` | Node labels for Contour pod assignment | `{}` |
-| `contour.tolerations` | Tolerations for Contour pod assignment | `[]` |
-| `contour.podAnnotations` | Contour Pod annotations | `{}` |
-| `contour.serviceAccount.create` | Create a serviceAccount for the Contour pod | `true` |
-| `contour.serviceAccount.name` | Use the serviceAccount with the specified name, a name is generated using the fullname template | `""` |
-| `contour.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `true` |
-| `contour.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` |
-| `contour.podSecurityContext.enabled` | Default backend Pod securityContext | `true` |
-| `contour.podSecurityContext.fsGroup` | Set Default backend Pod's Security Context fsGroup | `1001` |
-| `contour.containerSecurityContext.enabled` | Envoy Container securityContext | `true` |
-| `contour.containerSecurityContext.runAsUser` | User ID for the Contour container (to change this, http and https containerPorts must be set to >1024) | `1001` |
-| `contour.containerSecurityContext.runAsNonRoot` | Run as non root | `true` |
-| `contour.livenessProbe.enabled` | Enable/disable the Liveness probe | `true` |
-| `contour.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | `120` |
-| `contour.livenessProbe.periodSeconds` | How often to perform the probe | `20` |
-| `contour.livenessProbe.timeoutSeconds` | When the probe times out | `5` |
-| `contour.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `6` |
-| `contour.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` |
-| `contour.readinessProbe.enabled` | Enable/disable the readiness probe | `true` |
-| `contour.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | `15` |
-| `contour.readinessProbe.periodSeconds` | How often to perform the probe | `10` |
-| `contour.readinessProbe.timeoutSeconds` | When the probe times out | `5` |
-| `contour.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `3` |
-| `contour.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` |
-| `contour.startupProbe.enabled` | Enable/disable the startup probe | `false` |
-| `contour.startupProbe.initialDelaySeconds` | Delay before startup probe is initiated | `15` |
-| `contour.startupProbe.periodSeconds` | How often to perform the probe | `10` |
-| `contour.startupProbe.timeoutSeconds` | When the probe times out | `5` |
-| `contour.startupProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `3` |
-| `contour.startupProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` |
-| `contour.certgen.serviceAccount.create` | Create a serviceAccount for the Contour pod | `true` |
-| `contour.certgen.serviceAccount.name` | Use the serviceAccount with the specified name, a name is generated using the fullname template | `""` |
-| `contour.certgen.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `true` |
-| `contour.certgen.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` |
-| `contour.certgen.certificateLifetime` | Generated certificate lifetime (in days). | `365` |
-| `contour.tlsExistingSecret` | Name of the existingSecret to be use in Contour deployment. If it is not nil `contour.certgen` will be disabled. | `""` |
-| `contour.service.type` | Service type | `ClusterIP` |
-| `contour.service.ports.xds` | Contour service xds port | `8001` |
-| `contour.service.ports.metrics` | Contour service xds port | `8000` |
-| `contour.service.nodePorts.xds` | Node port for HTTP | `""` |
-| `contour.service.clusterIP` | Contour service Cluster IP | `""` |
-| `contour.service.loadBalancerIP` | Contour service Load Balancer IP | `""` |
-| `contour.service.loadBalancerSourceRanges` | Contour service Load Balancer sources | `[]` |
-| `contour.service.loadBalancerClass` | Contour service Load Balancer Class | `""` |
-| `contour.service.externalTrafficPolicy` | Contour service external traffic policy | `Cluster` |
-| `contour.service.annotations` | Additional custom annotations for Contour service | `{}` |
-| `contour.service.extraPorts` | Extra port to expose on Contour service | `[]` |
-| `contour.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
-| `contour.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
-| `contour.initContainers` | Attach additional init containers to Contour pods | `[]` |
-| `contour.sidecars` | Add additional sidecar containers to the Contour pods | `[]` |
-| `contour.extraVolumes` | Array to add extra volumes | `[]` |
-| `contour.extraVolumeMounts` | Array to add extra mounts (normally used with extraVolumes) | `[]` |
-| `contour.extraEnvVars` | Array containing extra env vars to be added to all Contour containers | `[]` |
-| `contour.extraEnvVarsCM` | ConfigMap containing extra env vars to be added to all Contour containers | `""` |
-| `contour.extraEnvVarsSecret` | Secret containing extra env vars to be added to all Contour containers | `""` |
-| `contour.ingressClass.name` | Name of the ingress class to route through this controller. | `""` |
-| `contour.ingressClass.create` | Whether to create or not the IngressClass resource | `true` |
-| `contour.ingressClass.default` | Mark IngressClass resource as default for cluster | `true` |
-| `contour.debug` | Enable Contour debug log level | `false` |
-| `contour.logFormat` | Set contour log-format. Default text, either text or json. | `text` |
-| `contour.kubernetesDebug` | Contour kubernetes debug log level, Default 0, minimum 0, maximum 9. | `0` |
-| `contour.rootNamespaces` | Restrict Contour to searching these namespaces for root ingress routes. | `""` |
-| `contour.overloadManager.enabled` | Enable Overload Manager | `false` |
-| `contour.overloadManager.maxHeapBytes` | Overload Manager's maximum heap size in bytes | `2147483648` |
-
-### Envoy parameters
-
-| Name | Description | Value |
-| --------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | --------------------- |
-| `envoy.enabled` | Envoy Proxy creation | `true` |
-| `envoy.image.registry` | Envoy Proxy image registry | `docker.io` |
-| `envoy.image.repository` | Envoy Proxy image repository | `bitnami/envoy` |
-| `envoy.image.tag` | Envoy Proxy image tag (immutable tags are recommended) | `1.26.2-debian-11-r4` |
-| `envoy.image.digest` | Envoy Proxy image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
-| `envoy.image.pullPolicy` | Envoy image pull policy | `IfNotPresent` |
-| `envoy.image.pullSecrets` | Envoy image pull secrets | `[]` |
-| `envoy.priorityClassName` | Priority class assigned to the pods | `""` |
-| `envoy.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
-| `envoy.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
-| `envoy.extraArgs` | Extra arguments passed to Envoy container | `[]` |
-| `envoy.hostAliases` | Add deployment host aliases | `[]` |
-| `envoy.resources.limits` | Specify resource limits which the container is not allowed to succeed. | `{}` |
-| `envoy.resources.requests` | Specify resource requests which the container needs to spawn. | `{}` |
-| `envoy.command` | Override default command | `[]` |
-| `envoy.args` | Override default args | `[]` |
-| `envoy.shutdownManager.enabled` | Contour shutdownManager sidecar | `true` |
-| `envoy.shutdownManager.extraArgs` | Extra arguments passed to shutdown container | `[]` |
-| `envoy.shutdownManager.port` | Specify Port for shutdown container | `8090` |
-| `envoy.shutdownManager.resources.limits` | Specify resource limits which the container is not allowed to succeed. | `{}` |
-| `envoy.shutdownManager.resources.requests` | Specify resource requests which the container needs to spawn. | `{}` |
-| `envoy.kind` | Install as deployment or daemonset | `daemonset` |
-| `envoy.replicaCount` | Desired number of Controller pods | `1` |
-| `envoy.lifecycleHooks` | lifecycleHooks for the container to automate configuration before or after startup. | `{}` |
-| `envoy.updateStrategy` | Strategy to use to update Pods | `{}` |
-| `envoy.minReadySeconds` | The minimum number of seconds for which a newly created Pod should be ready | `0` |
-| `envoy.revisionHistoryLimit` | The number of old history to retain to allow rollback | `10` |
-| `envoy.autoscaling.enabled` | Enable autoscaling for Controller | `false` |
-| `envoy.autoscaling.minReplicas` | Minimum number of Controller replicas | `1` |
-| `envoy.autoscaling.maxReplicas` | Maximum number of Controller replicas | `11` |
-| `envoy.autoscaling.targetCPU` | Target CPU utilization percentage | `""` |
-| `envoy.autoscaling.targetMemory` | Target Memory utilization percentage | `""` |
-| `envoy.podAffinityPreset` | Envoy Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `envoy.podAntiAffinityPreset` | Envoy Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `envoy.nodeAffinityPreset.type` | Envoy Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `envoy.nodeAffinityPreset.key` | Envoy Node label key to match Ignored if `affinity` is set. | `""` |
-| `envoy.nodeAffinityPreset.values` | Envoy Node label values to match. Ignored if `affinity` is set. | `[]` |
-| `envoy.affinity` | Affinity for Envoy pod assignment | `{}` |
-| `envoy.nodeSelector` | Node labels for Envoy pod assignment | `{}` |
-| `envoy.tolerations` | Tolerations for Envoy pod assignment | `[]` |
-| `envoy.podAnnotations` | Envoy Pod annotations | `{}` |
-| `envoy.podLabels` | Extra labels for Envoy pods | `{}` |
-| `envoy.podSecurityContext.enabled` | Envoy Pod securityContext | `false` |
-| `envoy.podSecurityContext.fsGroup` | User ID for the for the mounted volumes | `0` |
-| `envoy.podSecurityContext.sysctls` | Array of sysctl options to allow | `[]` |
-| `envoy.containerSecurityContext.enabled` | Envoy Container securityContext | `true` |
-| `envoy.containerSecurityContext.runAsUser` | User ID for the Envoy container (to change this, http and https containerPorts must be set to >1024) | `1001` |
-| `envoy.containerSecurityContext.runAsNonRoot` | Run as non root | `true` |
-| `envoy.hostNetwork` | Envoy Pod host network access | `false` |
-| `envoy.dnsPolicy` | Envoy Pod Dns Policy's DNS Policy | `ClusterFirst` |
-| `envoy.tlsExistingSecret` | Name of the existingSecret to be use in Envoy deployment | `""` |
-| `envoy.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
-| `envoy.serviceAccount.name` | The name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template | `""` |
-| `envoy.serviceAccount.automountServiceAccountToken` | Whether to auto mount API credentials for a service account | `false` |
-| `envoy.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` |
-| `envoy.livenessProbe.enabled` | Enable livenessProbe | `true` |
-| `envoy.livenessProbe.port` | LivenessProbe port | `8002` |
-| `envoy.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` |
-| `envoy.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` |
-| `envoy.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
-| `envoy.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
-| `envoy.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `envoy.readinessProbe.enabled` | Enable/disable the readiness probe | `true` |
-| `envoy.readinessProbe.port` | ReadinessProbe port | `8002` |
-| `envoy.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | `10` |
-| `envoy.readinessProbe.periodSeconds` | How often to perform the probe | `3` |
-| `envoy.readinessProbe.timeoutSeconds` | When the probe times out | `1` |
-| `envoy.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `3` |
-| `envoy.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` |
-| `envoy.startupProbe.enabled` | Enable/disable the startup probe | `false` |
-| `envoy.startupProbe.port` | StartupProbe port | `8002` |
-| `envoy.startupProbe.initialDelaySeconds` | Delay before startup probe is initiated | `15` |
-| `envoy.startupProbe.periodSeconds` | How often to perform the probe | `10` |
-| `envoy.startupProbe.timeoutSeconds` | When the probe times out | `5` |
-| `envoy.startupProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `3` |
-| `envoy.startupProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` |
-| `envoy.customLivenessProbe` | Override default liveness probe | `{}` |
-| `envoy.customReadinessProbe` | Override default readiness probe | `{}` |
-| `envoy.customStartupProbe` | Override default startup probe | `{}` |
-| `envoy.terminationGracePeriodSeconds` | Envoy termination grace period in seconds | `300` |
-| `envoy.logLevel` | Envoy log level | `info` |
-| `envoy.service.name` | envoy service name | `""` |
-| `envoy.service.targetPorts` | Map the controller service HTTP/HTTPS port | `{}` |
-| `envoy.service.type` | Type of Envoy service to create | `LoadBalancer` |
-| `envoy.service.externalTrafficPolicy` | Envoy Service external cluster policy. If `envoy.service.type` is NodePort or LoadBalancer | `Local` |
-| `envoy.service.labels` | Labels to add to te envoy service | `{}` |
-| `envoy.service.clusterIP` | Internal envoy cluster service IP | `""` |
-| `envoy.service.externalIPs` | Envoy service external IP addresses | `[]` |
-| `envoy.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` |
-| `envoy.service.loadBalancerSourceRanges` | List of IP CIDRs allowed access to load balancer (if supported) | `[]` |
-| `envoy.service.loadBalancerClass` | Envoy service Load Balancer Class | `""` |
-| `envoy.service.ipFamilyPolicy` | , support SingleStack, PreferDualStack and RequireDualStack | `""` |
-| `envoy.service.annotations` | Annotations for Envoy service | `{}` |
-| `envoy.service.ports.http` | Sets service http port | `80` |
-| `envoy.service.ports.https` | Sets service https port | `443` |
-| `envoy.service.nodePorts.http` | HTTP Port. If `envoy.service.type` is NodePort and this is non-empty | `""` |
-| `envoy.service.nodePorts.https` | HTTPS Port. If `envoy.service.type` is NodePort and this is non-empty | `""` |
-| `envoy.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
-| `envoy.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
-| `envoy.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
-| `envoy.useHostPort` | Enable/disable `hostPort` for TCP/80 and TCP/443 | `true` |
-| `envoy.useHostIP` | Enable/disable `hostIP` | `false` |
-| `envoy.hostPorts.http` | Sets `hostPort` http port | `80` |
-| `envoy.hostPorts.https` | Sets `hostPort` https port | `443` |
-| `envoy.hostPorts.metrics` | Sets `hostPort` metrics port | `8002` |
-| `envoy.hostIPs.http` | Sets `hostIP` http IP | `127.0.0.1` |
-| `envoy.hostIPs.https` | Sets `hostIP` https IP | `127.0.0.1` |
-| `envoy.hostIPs.metrics` | Sets `hostIP` metrics IP | `127.0.0.1` |
-| `envoy.containerPorts.http` | Sets http port inside Envoy pod (change this to >1024 to run envoy as a non-root user) | `8080` |
-| `envoy.containerPorts.https` | Sets https port inside Envoy pod (change this to >1024 to run envoy as a non-root user) | `8443` |
-| `envoy.containerPorts.metrics` | Sets metrics port inside Envoy pod (change this to >1024 to run envoy as a non-root user) | `8002` |
-| `envoy.initContainers` | Attach additional init containers to Envoy pods | `[]` |
-| `envoy.sidecars` | Add additional sidecar containers to the Envoy pods | `[]` |
-| `envoy.extraVolumes` | Array to add extra volumes | `[]` |
-| `envoy.extraVolumeMounts` | Array to add extra mounts (normally used with extraVolumes) | `[]` |
-| `envoy.extraEnvVars` | Array containing extra env vars to be added to all Envoy containers | `[]` |
-| `envoy.extraEnvVarsCM` | ConfigMap containing extra env vars to be added to all Envoy containers | `""` |
-| `envoy.extraEnvVarsSecret` | Secret containing extra env vars to be added to all Envoy containers | `""` |
-
-### Default backend parameters
-
-| Name | Description | Value |
-| ------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------- | ------------------------ |
-| `defaultBackend.enabled` | Enable a default backend based on NGINX | `false` |
-| `defaultBackend.image.registry` | Default backend image registry | `docker.io` |
-| `defaultBackend.image.repository` | Default backend image name | `bitnami/nginx` |
-| `defaultBackend.image.tag` | Default backend image tag | `1.25.1-debian-11-r1` |
-| `defaultBackend.image.digest` | Default backend image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
-| `defaultBackend.image.pullPolicy` | Image pull policy | `IfNotPresent` |
-| `defaultBackend.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
-| `defaultBackend.extraArgs` | Additional command line arguments to pass to NGINX container | `{}` |
-| `defaultBackend.lifecycleHooks` | lifecycleHooks for the container to automate configuration before or after startup. | `{}` |
-| `defaultBackend.extraEnvVars` | Array containing extra env vars to be added to all Contour containers | `[]` |
-| `defaultBackend.extraEnvVarsCM` | ConfigMap containing extra env vars to be added to all Contour containers | `""` |
-| `defaultBackend.extraEnvVarsSecret` | Secret containing extra env vars to be added to all Contour containers | `""` |
-| `defaultBackend.extraVolumes` | Array to add extra volumes | `[]` |
-| `defaultBackend.extraVolumeMounts` | Array to add extra mounts (normally used with extraVolumes) | `[]` |
-| `defaultBackend.initContainers` | Attach additional init containers to the http backend pods | `[]` |
-| `defaultBackend.sidecars` | Add additional sidecar containers to the default backend | `[]` |
-| `defaultBackend.containerPorts.http` | Set http port inside Contour pod | `8001` |
-| `defaultBackend.updateStrategy` | Strategy to use to update Pods | `{}` |
-| `defaultBackend.command` | Override default command | `[]` |
-| `defaultBackend.args` | Override default args | `[]` |
-| `defaultBackend.hostAliases` | Add deployment host aliases | `[]` |
-| `defaultBackend.replicaCount` | Desired number of default backend pods | `1` |
-| `defaultBackend.podSecurityContext.enabled` | Default backend Pod securityContext | `true` |
-| `defaultBackend.podSecurityContext.fsGroup` | Set Default backend Pod's Security Context fsGroup | `1001` |
-| `defaultBackend.containerSecurityContext.enabled` | Default backend container securityContext | `true` |
-| `defaultBackend.containerSecurityContext.runAsUser` | User ID for the Envoy container (to change this, http and https containerPorts must be set to >1024) | `1001` |
-| `defaultBackend.containerSecurityContext.runAsNonRoot` | Run as non root | `true` |
-| `defaultBackend.resources.limits` | The resources limits for the Default backend container | `{}` |
-| `defaultBackend.resources.requests` | The requested resources for the Default backend container | `{}` |
-| `defaultBackend.livenessProbe.enabled` | Enable livenessProbe | `true` |
-| `defaultBackend.livenessProbe.httpGet` | Path, port and scheme for the livenessProbe | `{}` |
-| `defaultBackend.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
-| `defaultBackend.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
-| `defaultBackend.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
-| `defaultBackend.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
-| `defaultBackend.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `defaultBackend.readinessProbe.enabled` | Enable readinessProbe | `true` |
-| `defaultBackend.readinessProbe.httpGet` | Path, port and scheme for the readinessProbe | `{}` |
-| `defaultBackend.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` |
-| `defaultBackend.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
-| `defaultBackend.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
-| `defaultBackend.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
-| `defaultBackend.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
-| `defaultBackend.startupProbe.enabled` | Enable/disable the startup probe | `false` |
-| `defaultBackend.startupProbe.initialDelaySeconds` | Delay before startup probe is initiated | `15` |
-| `defaultBackend.startupProbe.periodSeconds` | How often to perform the probe | `10` |
-| `defaultBackend.startupProbe.timeoutSeconds` | When the probe times out | `5` |
-| `defaultBackend.startupProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `3` |
-| `defaultBackend.startupProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` |
-| `defaultBackend.customLivenessProbe` | Override default liveness probe, it overrides the default one (evaluated as a template) | `{}` |
-| `defaultBackend.customReadinessProbe` | Override default readiness probe, it overrides the default one (evaluated as a template) | `{}` |
-| `defaultBackend.customStartupProbe` | Override default startup probe | `{}` |
-| `defaultBackend.podLabels` | Extra labels for Controller pods | `{}` |
-| `defaultBackend.podAnnotations` | Annotations for Controller pods | `{}` |
-| `defaultBackend.priorityClassName` | Priority class assigned to the pods | `""` |
-| `defaultBackend.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
-| `defaultBackend.terminationGracePeriodSeconds` | In seconds, time the given to the default backend pod needs to terminate gracefully | `60` |
-| `defaultBackend.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
-| `defaultBackend.podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `defaultBackend.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
-| `defaultBackend.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `defaultBackend.nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set. | `""` |
-| `defaultBackend.nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` |
-| `defaultBackend.affinity` | Affinity for pod assignment. Evaluated as a template. | `{}` |
-| `defaultBackend.nodeSelector` | Node labels for pod assignment. Evaluated as a template. | `{}` |
-| `defaultBackend.tolerations` | Tolerations for pod assignment. Evaluated as a template. | `[]` |
-| `defaultBackend.service.type` | Service type | `ClusterIP` |
-| `defaultBackend.service.ports.http` | Service port | `80` |
-| `defaultBackend.service.annotations` | Annotations to add to the service | `{}` |
-| `defaultBackend.pdb.create` | Enable Pod Disruption Budget configuration | `false` |
-| `defaultBackend.pdb.minAvailable` | Minimum number/percentage of Default backend pods that should remain scheduled | `1` |
-| `defaultBackend.pdb.maxUnavailable` | Maximum number/percentage of Default backend pods that should remain scheduled | `""` |
-| `ingress.enabled` | Ingress configuration enabled | `false` |
-| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` |
-| `ingress.certManager` | Add annotations for cert-manager | `false` |
-| `ingress.annotations` | Annotations to be added to the web ingress. | `{}` |
-| `ingress.hostname` | Hostname for the Ingress object | `contour.local` |
-| `ingress.path` | The Path to Concourse | `/` |
-| `ingress.rulesOverride` | Ingress rules override | `[]` |
-| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
-| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
-| `ingress.extraPaths` | Add additional arbitrary paths that may need to be added to the ingress under the main host. | `[]` |
-| `ingress.tls` | TLS configuration. | `false` |
-| `ingress.pathType` | Ingress Path type | `ImplementationSpecific` |
-| `ingress.extraHosts` | The list of additional hostnames to be covered with this ingress record. | `[]` |
-| `ingress.extraTls` | The tls configuration for additional hostnames to be covered with this ingress record. | `[]` |
-| `ingress.secrets` | If you're providing your own certificates, please use this to add the certificates as secrets | `[]` |
-| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
-
-### Metrics parameters
-
-| Name | Description | Value |
-| ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------ | ------------------------ |
-| `metrics.serviceMonitor.namespace` | Specify if the servicemonitors will be deployed into a different namespace (blank deploys into same namespace as chart) | `""` |
-| `metrics.serviceMonitor.enabled` | Specify if a servicemonitor will be deployed for prometheus-operator. | `false` |
-| `metrics.serviceMonitor.jobLabel` | Specify the jobLabel to use for the prometheus-operator | `app.kubernetes.io/name` |
-| `metrics.serviceMonitor.interval` | Specify the scrape interval if not specified use default prometheus scrapeIntervall, the Prometheus default scrape interval is used. | `""` |
-| `metrics.serviceMonitor.metricRelabelings` | Specify additional relabeling of metrics. | `[]` |
-| `metrics.serviceMonitor.relabelings` | Specify general relabeling. | `[]` |
-| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
-| `metrics.serviceMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` |
-| `metrics.serviceMonitor.selector` | Specify honorLabels parameter to add the scrape endpoint | `{}` |
-| `metrics.serviceMonitor.labels` | Extra labels for the ServiceMonitor | `{}` |
-| `metrics.prometheusRule.enabled` | Creates a Prometheus Operator prometheusRule | `false` |
-| `metrics.prometheusRule.namespace` | Namespace for the prometheusRule Resource (defaults to the Release Namespace) | `""` |
-| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRule will be discovered by Prometheus | `{}` |
-| `metrics.prometheusRule.rules` | Prometheus Rule definitions | `[]` |
-
-### Other parameters
-
-| Name | Description | Value |
-| ------------------- | -------------------------------------------------------------------------------------------------------------------- | ------ |
-| `rbac.create` | Create the RBAC roles for API accessibility | `true` |
-| `rbac.rules` | Custom RBAC rules to set | `[]` |
-| `tlsExistingSecret` | Name of the existingSecret to be use in both contour and envoy. If it is not nil `contour.certgen` will be disabled. | `""` |
-
-Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
+## Configuration and installation details
-```console
-helm install my-release \
- --set envoy.readinessProbe.successThreshold=5 \
- oci://registry-1.docker.io/bitnamicharts/contour
-```
+### Resource requests and limits
-The above command sets the `envoy.readinessProbe.successThreshold` to `5`.
+Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
-## Configuration and installation details
+To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
-### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
+### [Rolling VS Immutable tags](https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-understand-rolling-tags-containers-index.html)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
@@ -471,11 +79,11 @@ configInline:
# disable ingressroute permitInsecure field
disablePermitInsecure: false
tls:
- # minimum TLS version that Contour will negotiate
- # minimum-protocol-version: "1.1"
- # Defines the Kubernetes name/namespace matching a secret to use
- # as the fallback certificate when requests which don't match the
- # SNI defined for a vhost.
+ # minimum TLS version that Contour will negotiate
+ # minimum-protocol-version: "1.1"
+ # Defines the Kubernetes name/namespace matching a secret to use
+ # as the fallback certificate when requests which don't match the
+ # SNI defined for a vhost.
fallback-certificate:
# name: fallback-secret-name
# namespace: projectcontour
@@ -552,6 +160,514 @@ This chart allows you to set your custom affinity using the `XXX.affinity` param
As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters.
+## Parameters
+
+### Global parameters
+
+| Name | Description | Value |
+| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
+| `global.imageRegistry` | Global Docker image registry | `""` |
+| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
+| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` |
+| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` |
+| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
+
+### Common parameters
+
+| Name | Description | Value |
+| ------------------------ | --------------------------------------------------------------------------------------- | ------- |
+| `nameOverride` | String to partially override contour.fullname include (will maintain the release name) | `""` |
+| `fullnameOverride` | String to fully override contour.fullname template | `""` |
+| `namespaceOverride` | String to fully override common.names.namespace | `""` |
+| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` |
+| `extraDeploy` | Array of extra objects to deploy with the release | `[]` |
+| `commonLabels` | Labels to add to all deployed objects | `{}` |
+| `commonAnnotations` | Annotations to add to all deployed objects | `{}` |
+| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` |
+| `diagnosticMode.command` | Command to override all containers in the deployment | `[]` |
+| `diagnosticMode.args` | Args to override all containers in the deployment | `[]` |
+
+### Contour parameters
+
+| Name | Description | Value |
+| ------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- |
+| `existingConfigMap` | Specifies the name of an externally-defined ConfigMap to use as the configuration (this is mutually exclusive with `configInline`) | `""` |
+| `configInline` | Specifies Contour's configuration directly in YAML format | `{}` |
+| `contour.enabled` | Contour Deployment creation. | `true` |
+| `contour.image.registry` | Contour image registry | `REGISTRY_NAME` |
+| `contour.image.repository` | Contour image name | `REPOSITORY_NAME/contour` |
+| `contour.image.digest` | Contour image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `contour.image.pullPolicy` | Contour Image pull policy | `IfNotPresent` |
+| `contour.image.pullSecrets` | Contour Image pull secrets | `[]` |
+| `contour.image.debug` | Enable image debug mode | `false` |
+| `contour.contourConfigName` | Contour Deployment with ContourConfiguration CRD. | `contour` |
+| `contour.configPath` | Contour Deployment with configmap. | `true` |
+| `contour.replicaCount` | Number of Contour Pod replicas | `1` |
+| `contour.priorityClassName` | Priority class assigned to the pods | `""` |
+| `contour.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
+| `contour.terminationGracePeriodSeconds` | In seconds, time the given to the Contour pod needs to terminate gracefully | `""` |
+| `contour.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
+| `contour.containerPorts.xds` | Set xds port inside Contour pod | `8001` |
+| `contour.containerPorts.metrics` | Set metrics port inside Contour pod | `8000` |
+| `contour.automountServiceAccountToken` | Mount Service Account token in pod | `true` |
+| `contour.hostAliases` | Add deployment host aliases | `[]` |
+| `contour.updateStrategy` | Strategy to use to update Pods | `{}` |
+| `contour.extraArgs` | Extra arguments passed to Contour container | `[]` |
+| `contour.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if contour.resources is set (contour.resources is recommended for production). | `nano` |
+| `contour.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `contour.manageCRDs` | Manage the creation, upgrade and deletion of Contour CRDs. | `true` |
+| `contour.envoyServiceNamespace` | Namespace of the envoy service to inspect for Ingress status details. | `""` |
+| `contour.envoyServiceName` | Name of the envoy service to inspect for Ingress status details. | `""` |
+| `contour.leaderElectionResourceName` | Name of the contour (Lease) leader election will lease. | `""` |
+| `contour.ingressStatusAddress` | Address to set in Ingress object status. It is exclusive with `envoyServiceName` and `envoyServiceNamespace`. | `""` |
+| `contour.podAffinityPreset` | Contour Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `contour.podAntiAffinityPreset` | Contour Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
+| `contour.podLabels` | Extra labels for Contour pods | `{}` |
+| `contour.lifecycleHooks` | lifecycleHooks for the container to automate configuration before or after startup. | `{}` |
+| `contour.customLivenessProbe` | Override default liveness probe | `{}` |
+| `contour.customReadinessProbe` | Override default readiness probe | `{}` |
+| `contour.customStartupProbe` | Override default startup probe | `{}` |
+| `contour.nodeAffinityPreset.type` | Contour Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `contour.nodeAffinityPreset.key` | Contour Node label key to match Ignored if `affinity` is set. | `""` |
+| `contour.nodeAffinityPreset.values` | Contour Node label values to match. Ignored if `affinity` is set. | `[]` |
+| `contour.command` | Override default command | `[]` |
+| `contour.args` | Override default args | `[]` |
+| `contour.affinity` | Affinity for Contour pod assignment | `{}` |
+| `contour.nodeSelector` | Node labels for Contour pod assignment | `{}` |
+| `contour.tolerations` | Tolerations for Contour pod assignment | `[]` |
+| `contour.podAnnotations` | Contour Pod annotations | `{}` |
+| `contour.serviceAccount.create` | Create a serviceAccount for the Contour pod | `true` |
+| `contour.serviceAccount.name` | Use the serviceAccount with the specified name, a name is generated using the fullname template | `""` |
+| `contour.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
+| `contour.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` |
+| `contour.podSecurityContext.enabled` | Default backend Pod securityContext | `true` |
+| `contour.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `contour.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
+| `contour.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
+| `contour.podSecurityContext.fsGroup` | Set Default backend Pod's Security Context fsGroup | `1001` |
+| `contour.containerSecurityContext.enabled` | Enabled contour containers' Security Context | `true` |
+| `contour.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
+| `contour.containerSecurityContext.runAsUser` | Set contour containers' Security Context runAsUser | `1001` |
+| `contour.containerSecurityContext.runAsGroup` | Set contour containers' Security Context runAsGroup | `1001` |
+| `contour.containerSecurityContext.runAsNonRoot` | Set contour containers' Security Context runAsNonRoot | `true` |
+| `contour.containerSecurityContext.readOnlyRootFilesystem` | Set read only root file system pod's Security Conte | `true` |
+| `contour.containerSecurityContext.privileged` | Set contour container's Security Context privileged | `false` |
+| `contour.containerSecurityContext.allowPrivilegeEscalation` | Set contour container's Security Context allowPrivilegeEscalation | `false` |
+| `contour.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `contour.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `contour.livenessProbe.enabled` | Enable/disable the Liveness probe | `true` |
+| `contour.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | `120` |
+| `contour.livenessProbe.periodSeconds` | How often to perform the probe | `20` |
+| `contour.livenessProbe.timeoutSeconds` | When the probe times out | `5` |
+| `contour.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `6` |
+| `contour.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` |
+| `contour.readinessProbe.enabled` | Enable/disable the readiness probe | `true` |
+| `contour.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | `15` |
+| `contour.readinessProbe.periodSeconds` | How often to perform the probe | `10` |
+| `contour.readinessProbe.timeoutSeconds` | When the probe times out | `5` |
+| `contour.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `3` |
+| `contour.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` |
+| `contour.startupProbe.enabled` | Enable/disable the startup probe | `false` |
+| `contour.startupProbe.initialDelaySeconds` | Delay before startup probe is initiated | `15` |
+| `contour.startupProbe.periodSeconds` | How often to perform the probe | `10` |
+| `contour.startupProbe.timeoutSeconds` | When the probe times out | `5` |
+| `contour.startupProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `3` |
+| `contour.startupProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` |
+| `contour.certgen.serviceAccount.create` | Create a serviceAccount for the Contour pod | `true` |
+| `contour.certgen.serviceAccount.name` | Use the serviceAccount with the specified name, a name is generated using the fullname template | `""` |
+| `contour.certgen.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
+| `contour.certgen.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` |
+| `contour.certgen.certificateLifetime` | Generated certificate lifetime (in days). | `365` |
+| `contour.certgen.automountServiceAccountToken` | Mount Service Account token in pod | `true` |
+| `contour.certgen.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
+| `contour.certgen.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
+| `contour.certgen.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
+| `contour.certgen.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
+| `contour.certgen.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `contour.certgen.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `contour.certgen.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
+| `contour.certgen.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
+| `contour.tlsExistingSecret` | Name of the existingSecret to be use in Contour deployment. If it is not nil `contour.certgen` will be disabled. | `""` |
+| `contour.service.type` | Service type | `ClusterIP` |
+| `contour.service.ports.xds` | Contour service xds port | `8001` |
+| `contour.service.ports.metrics` | Contour service xds port | `8000` |
+| `contour.service.nodePorts.xds` | Node port for HTTP | `""` |
+| `contour.service.clusterIP` | Contour service Cluster IP | `""` |
+| `contour.service.loadBalancerIP` | Contour service Load Balancer IP | `""` |
+| `contour.service.loadBalancerSourceRanges` | Contour service Load Balancer sources | `[]` |
+| `contour.service.loadBalancerClass` | Contour service Load Balancer Class | `""` |
+| `contour.service.externalTrafficPolicy` | Contour service external traffic policy | `Cluster` |
+| `contour.service.annotations` | Additional custom annotations for Contour service | `{}` |
+| `contour.service.extraPorts` | Extra port to expose on Contour service | `[]` |
+| `contour.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
+| `contour.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `contour.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
+| `contour.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
+| `contour.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
+| `contour.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
+| `contour.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `contour.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `contour.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
+| `contour.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
+| `contour.initContainers` | Attach additional init containers to Contour pods | `[]` |
+| `contour.sidecars` | Add additional sidecar containers to the Contour pods | `[]` |
+| `contour.extraVolumes` | Array to add extra volumes | `[]` |
+| `contour.extraVolumeMounts` | Array to add extra mounts (normally used with extraVolumes) | `[]` |
+| `contour.extraEnvVars` | Array containing extra env vars to be added to all Contour containers | `[]` |
+| `contour.extraEnvVarsCM` | ConfigMap containing extra env vars to be added to all Contour containers | `""` |
+| `contour.extraEnvVarsSecret` | Secret containing extra env vars to be added to all Contour containers | `""` |
+| `contour.ingressClass.name` | Name of the ingress class to route through this controller. | `""` |
+| `contour.ingressClass.create` | Whether to create or not the IngressClass resource | `true` |
+| `contour.ingressClass.default` | Mark IngressClass resource as default for cluster | `true` |
+| `contour.debug` | Enable Contour debug log level | `false` |
+| `contour.logFormat` | Set contour log-format. Default text, either text or json. | `text` |
+| `contour.kubernetesDebug` | Contour kubernetes debug log level, Default 0, minimum 0, maximum 9. | `0` |
+| `contour.rootNamespaces` | Restrict Contour to searching these namespaces for root ingress routes. | `""` |
+| `contour.overloadManager.enabled` | Enable Overload Manager | `false` |
+| `contour.overloadManager.maxHeapBytes` | Overload Manager's maximum heap size in bytes | `2147483648` |
+| `contour.pdb.create` | Enable Pod Disruption Budget configuration | `true` |
+| `contour.pdb.minAvailable` | Minimum number/percentage of Default backend pods that should remain scheduled | `""` |
+| `contour.pdb.maxUnavailable` | Maximum number/percentage of Default backend pods that should remain scheduled | `""` |
+
+### Envoy parameters
+
+| Name | Description | Value |
+| ------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- |
+| `envoy.enabled` | Envoy Proxy creation | `true` |
+| `envoy.image.registry` | Envoy Proxy image registry | `REGISTRY_NAME` |
+| `envoy.image.repository` | Envoy Proxy image repository | `REPOSITORY_NAME/envoy` |
+| `envoy.image.digest` | Envoy Proxy image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `envoy.image.pullPolicy` | Envoy image pull policy | `IfNotPresent` |
+| `envoy.image.pullSecrets` | Envoy image pull secrets | `[]` |
+| `envoy.priorityClassName` | Priority class assigned to the pods | `""` |
+| `envoy.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
+| `envoy.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
+| `envoy.extraArgs` | Extra arguments passed to Envoy container | `[]` |
+| `envoy.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
+| `envoy.hostAliases` | Add deployment host aliases | `[]` |
+| `envoy.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if envoy.resources is set (envoy.resources is recommended for production). | `nano` |
+| `envoy.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `envoy.command` | Override default command | `[]` |
+| `envoy.args` | Override default args | `[]` |
+| `envoy.shutdownManager.enabled` | Contour shutdownManager sidecar | `true` |
+| `envoy.shutdownManager.extraArgs` | Extra arguments passed to shutdown container | `[]` |
+| `envoy.shutdownManager.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if envoy.shutdownManager.resources is set (envoy.shutdownManager.resources is recommended for production). | `nano` |
+| `envoy.shutdownManager.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `envoy.shutdownManager.containerPorts.http` | Specify Port for shutdown container | `8090` |
+| `envoy.shutdownManager.lifecycleHooks` | lifecycleHooks for the container to automate configuration before or after startup. | `{}` |
+| `envoy.shutdownManager.containerSecurityContext.enabled` | Enabled envoy shutdownManager containers' Security Context | `true` |
+| `envoy.shutdownManager.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
+| `envoy.shutdownManager.containerSecurityContext.runAsUser` | Set envoy shutdownManager containers' Security Context runAsUser | `1001` |
+| `envoy.shutdownManager.containerSecurityContext.runAsGroup` | Set contour containers' Security Context runAsGroup | `1001` |
+| `envoy.shutdownManager.containerSecurityContext.runAsNonRoot` | Set envoy shutdownManager containers' Security Context runAsNonRoot | `true` |
+| `envoy.shutdownManager.containerSecurityContext.readOnlyRootFilesystem` | Set read only root file system pod's Security Conte | `true` |
+| `envoy.shutdownManager.containerSecurityContext.privileged` | Set envoy.shutdownManager container's Security Context privileged | `false` |
+| `envoy.shutdownManager.containerSecurityContext.allowPrivilegeEscalation` | Set envoy shutdownManager container's Security Context allowPrivilegeEscalation | `false` |
+| `envoy.shutdownManager.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `envoy.shutdownManager.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `envoy.shutdownManager.livenessProbe.enabled` | Enable livenessProbe | `true` |
+| `envoy.shutdownManager.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` |
+| `envoy.shutdownManager.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` |
+| `envoy.shutdownManager.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
+| `envoy.shutdownManager.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
+| `envoy.shutdownManager.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `envoy.shutdownManager.readinessProbe.enabled` | Enable/disable the readiness probe | `true` |
+| `envoy.shutdownManager.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | `10` |
+| `envoy.shutdownManager.readinessProbe.periodSeconds` | How often to perform the probe | `3` |
+| `envoy.shutdownManager.readinessProbe.timeoutSeconds` | When the probe times out | `1` |
+| `envoy.shutdownManager.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `3` |
+| `envoy.shutdownManager.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` |
+| `envoy.shutdownManager.startupProbe.enabled` | Enable/disable the startup probe | `false` |
+| `envoy.shutdownManager.startupProbe.initialDelaySeconds` | Delay before startup probe is initiated | `15` |
+| `envoy.shutdownManager.startupProbe.periodSeconds` | How often to perform the probe | `10` |
+| `envoy.shutdownManager.startupProbe.timeoutSeconds` | When the probe times out | `5` |
+| `envoy.shutdownManager.startupProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `3` |
+| `envoy.shutdownManager.startupProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` |
+| `envoy.shutdownManager.customLivenessProbe` | Override default liveness probe | `{}` |
+| `envoy.shutdownManager.customReadinessProbe` | Override default readiness probe | `{}` |
+| `envoy.shutdownManager.customStartupProbe` | Override default startup probe | `{}` |
+| `envoy.initConfig.containerSecurityContext.enabled` | Enabled envoy initConfig containers' Security Context | `true` |
+| `envoy.initConfig.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
+| `envoy.initConfig.containerSecurityContext.runAsUser` | Set envoy initConfig containers' Security Context runAsUser | `1001` |
+| `envoy.initConfig.containerSecurityContext.runAsGroup` | Set envoy initConfig containers' Security Context runAsUser | `1001` |
+| `envoy.initConfig.containerSecurityContext.runAsNonRoot` | Set envoy initConfig containers' Security Context runAsNonRoot | `true` |
+| `envoy.initConfig.containerSecurityContext.readOnlyRootFilesystem` | Set read only root file system pod's Security Conte | `true` |
+| `envoy.initConfig.containerSecurityContext.privileged` | Set contraller container's Security Context privileged | `false` |
+| `envoy.initConfig.containerSecurityContext.allowPrivilegeEscalation` | Set contraller container's Security Context allowPrivilegeEscalation | `false` |
+| `envoy.initConfig.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `envoy.initConfig.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `envoy.kind` | Install as deployment or daemonset | `daemonset` |
+| `envoy.replicaCount` | Desired number of Controller pods | `1` |
+| `envoy.lifecycleHooks` | lifecycleHooks for the container to automate configuration before or after startup. | `{}` |
+| `envoy.updateStrategy` | Strategy to use to update Pods | `{}` |
+| `envoy.minReadySeconds` | The minimum number of seconds for which a newly created Pod should be ready | `0` |
+| `envoy.revisionHistoryLimit` | The number of old history to retain to allow rollback | `10` |
+| `envoy.autoscaling.enabled` | Enable autoscaling for Controller | `false` |
+| `envoy.autoscaling.minReplicas` | Minimum number of Controller replicas | `1` |
+| `envoy.autoscaling.maxReplicas` | Maximum number of Controller replicas | `11` |
+| `envoy.autoscaling.targetCPU` | Target CPU utilization percentage | `""` |
+| `envoy.autoscaling.targetMemory` | Target Memory utilization percentage | `""` |
+| `envoy.autoscaling.behavior` | HPA Behavior | `{}` |
+| `envoy.podAffinityPreset` | Envoy Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `envoy.podAntiAffinityPreset` | Envoy Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `envoy.nodeAffinityPreset.type` | Envoy Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `envoy.nodeAffinityPreset.key` | Envoy Node label key to match Ignored if `affinity` is set. | `""` |
+| `envoy.nodeAffinityPreset.values` | Envoy Node label values to match. Ignored if `affinity` is set. | `[]` |
+| `envoy.affinity` | Affinity for Envoy pod assignment | `{}` |
+| `envoy.nodeSelector` | Node labels for Envoy pod assignment | `{}` |
+| `envoy.tolerations` | Tolerations for Envoy pod assignment | `[]` |
+| `envoy.podAnnotations` | Envoy Pod annotations | `{}` |
+| `envoy.podLabels` | Extra labels for Envoy pods | `{}` |
+| `envoy.podSecurityContext.enabled` | Envoy Pod securityContext | `true` |
+| `envoy.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `envoy.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
+| `envoy.podSecurityContext.fsGroup` | User ID for the for the mounted volumes | `0` |
+| `envoy.podSecurityContext.sysctls` | Array of sysctl options to allow | `[]` |
+| `envoy.containerSecurityContext.enabled` | Enabled envoy containers' Security Context | `true` |
+| `envoy.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
+| `envoy.containerSecurityContext.runAsUser` | Set envoy containers' Security Context runAsUser | `1001` |
+| `envoy.containerSecurityContext.runAsGroup` | Set envoy containers' Security Context runAsGroup | `1001` |
+| `envoy.containerSecurityContext.runAsNonRoot` | Set envoy containers' Security Context runAsNonRoot | `true` |
+| `envoy.containerSecurityContext.readOnlyRootFilesystem` | Set read only root file system pod's Security Conte | `true` |
+| `envoy.containerSecurityContext.privileged` | Set envoy container's Security Context privileged | `false` |
+| `envoy.containerSecurityContext.allowPrivilegeEscalation` | Set envoy container's Security Context allowPrivilegeEscalation | `false` |
+| `envoy.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `envoy.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `envoy.hostNetwork` | Envoy Pod host network access | `false` |
+| `envoy.dnsPolicy` | Envoy Pod Dns Policy's DNS Policy | `ClusterFirst` |
+| `envoy.tlsExistingSecret` | Name of the existingSecret to be use in Envoy deployment | `""` |
+| `envoy.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
+| `envoy.serviceAccount.name` | The name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template | `""` |
+| `envoy.serviceAccount.automountServiceAccountToken` | Whether to auto mount API credentials for a service account | `false` |
+| `envoy.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` |
+| `envoy.livenessProbe.enabled` | Enable livenessProbe | `true` |
+| `envoy.livenessProbe.port` | LivenessProbe port | `8002` |
+| `envoy.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` |
+| `envoy.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` |
+| `envoy.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
+| `envoy.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
+| `envoy.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `envoy.readinessProbe.enabled` | Enable/disable the readiness probe | `true` |
+| `envoy.readinessProbe.port` | ReadinessProbe port | `8002` |
+| `envoy.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | `10` |
+| `envoy.readinessProbe.periodSeconds` | How often to perform the probe | `3` |
+| `envoy.readinessProbe.timeoutSeconds` | When the probe times out | `1` |
+| `envoy.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `3` |
+| `envoy.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` |
+| `envoy.startupProbe.enabled` | Enable/disable the startup probe | `false` |
+| `envoy.startupProbe.port` | StartupProbe port | `8002` |
+| `envoy.startupProbe.initialDelaySeconds` | Delay before startup probe is initiated | `15` |
+| `envoy.startupProbe.periodSeconds` | How often to perform the probe | `10` |
+| `envoy.startupProbe.timeoutSeconds` | When the probe times out | `5` |
+| `envoy.startupProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `3` |
+| `envoy.startupProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` |
+| `envoy.customLivenessProbe` | Override default liveness probe | `{}` |
+| `envoy.customReadinessProbe` | Override default readiness probe | `{}` |
+| `envoy.customStartupProbe` | Override default startup probe | `{}` |
+| `envoy.terminationGracePeriodSeconds` | Envoy termination grace period in seconds | `300` |
+| `envoy.logLevel` | Envoy log level | `info` |
+| `envoy.service.name` | envoy service name | `""` |
+| `envoy.service.multiAz.enabled` | enables the rendering of the multiple services | `false` |
+| `envoy.service.multiAz.zones` | defines different zones their annotations and loadBalancerIPs | `[]` |
+| `envoy.service.targetPorts` | Map the controller service HTTP/HTTPS port | `{}` |
+| `envoy.service.type` | Type of Envoy service to create | `LoadBalancer` |
+| `envoy.service.externalTrafficPolicy` | Envoy Service external cluster policy. If `envoy.service.type` is NodePort or LoadBalancer | `Local` |
+| `envoy.service.labels` | Labels to add to te envoy service | `{}` |
+| `envoy.service.clusterIP` | Internal envoy cluster service IP | `""` |
+| `envoy.service.externalIPs` | Envoy service external IP addresses | `[]` |
+| `envoy.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` |
+| `envoy.service.loadBalancerSourceRanges` | List of IP CIDRs allowed access to load balancer (if supported) | `[]` |
+| `envoy.service.loadBalancerClass` | Envoy service Load Balancer Class | `""` |
+| `envoy.service.ipFamilyPolicy` | , support SingleStack, PreferDualStack and RequireDualStack | `""` |
+| `envoy.service.ipFamilies` | List of IP families (e.g. IPv4, IPv6) assigned to the service. | `[]` |
+| `envoy.service.annotations` | Annotations for Envoy service | `{}` |
+| `envoy.service.ports.http` | Sets service http port | `80` |
+| `envoy.service.ports.https` | Sets service https port | `443` |
+| `envoy.service.ports.metrics` | Sets service metrics port | `8002` |
+| `envoy.service.nodePorts.http` | HTTP Port. If `envoy.service.type` is NodePort and this is non-empty | `""` |
+| `envoy.service.nodePorts.https` | HTTPS Port. If `envoy.service.type` is NodePort and this is non-empty | `""` |
+| `envoy.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
+| `envoy.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
+| `envoy.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `envoy.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
+| `envoy.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
+| `envoy.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
+| `envoy.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `envoy.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `envoy.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
+| `envoy.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
+| `envoy.useHostPort.http` | Enable/disable `hostPort` for TCP/80 | `false` |
+| `envoy.useHostPort.https` | Enable/disable `hostPort` TCP/443 | `false` |
+| `envoy.useHostPort.metrics` | Enable/disable `hostPort` for TCP/8002 | `false` |
+| `envoy.useHostIP` | Enable/disable `hostIP` | `false` |
+| `envoy.hostPorts.http` | Sets `hostPort` http port | `80` |
+| `envoy.hostPorts.https` | Sets `hostPort` https port | `443` |
+| `envoy.hostPorts.metrics` | Sets `hostPort` metrics port | `8002` |
+| `envoy.hostIPs.http` | Sets `hostIP` http IP | `127.0.0.1` |
+| `envoy.hostIPs.https` | Sets `hostIP` https IP | `127.0.0.1` |
+| `envoy.hostIPs.metrics` | Sets `hostIP` metrics IP | `127.0.0.1` |
+| `envoy.containerPorts.http` | Sets http port inside Envoy pod (change this to >1024 to run envoy as a non-root user) | `8080` |
+| `envoy.containerPorts.https` | Sets https port inside Envoy pod (change this to >1024 to run envoy as a non-root user) | `8443` |
+| `envoy.containerPorts.metrics` | Sets metrics port inside Envoy pod (change this to >1024 to run envoy as a non-root user) | `8002` |
+| `envoy.initContainers` | Attach additional init containers to Envoy pods | `[]` |
+| `envoy.sidecars` | Add additional sidecar containers to the Envoy pods | `[]` |
+| `envoy.extraVolumes` | Array to add extra volumes | `[]` |
+| `envoy.extraVolumeMounts` | Array to add extra mounts (normally used with extraVolumes) | `[]` |
+| `envoy.extraEnvVars` | Array containing extra env vars to be added to all Envoy containers | `[]` |
+| `envoy.extraEnvVarsCM` | ConfigMap containing extra env vars to be added to all Envoy containers | `""` |
+| `envoy.extraEnvVarsSecret` | Secret containing extra env vars to be added to all Envoy containers | `""` |
+| `envoy.pdb.create` | Enable Pod Disruption Budget configuration | `true` |
+| `envoy.pdb.minAvailable` | Minimum number/percentage of Default backend pods that should remain scheduled | `""` |
+| `envoy.pdb.maxUnavailable` | Maximum number/percentage of Default backend pods that should remain scheduled | `""` |
+
+### Default backend parameters
+
+| Name | Description | Value |
+| ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
+| `defaultBackend.enabled` | Enable a default backend based on NGINX | `false` |
+| `defaultBackend.image.registry` | Default backend image registry | `REGISTRY_NAME` |
+| `defaultBackend.image.repository` | Default backend image name | `REPOSITORY_NAME/nginx` |
+| `defaultBackend.image.digest` | Default backend image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `defaultBackend.image.pullPolicy` | Image pull policy | `IfNotPresent` |
+| `defaultBackend.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
+| `defaultBackend.extraArgs` | Additional command line arguments to pass to NGINX container | `{}` |
+| `defaultBackend.lifecycleHooks` | lifecycleHooks for the container to automate configuration before or after startup. | `{}` |
+| `defaultBackend.extraEnvVars` | Array containing extra env vars to be added to all Contour containers | `[]` |
+| `defaultBackend.extraEnvVarsCM` | ConfigMap containing extra env vars to be added to all Contour containers | `""` |
+| `defaultBackend.extraEnvVarsSecret` | Secret containing extra env vars to be added to all Contour containers | `""` |
+| `defaultBackend.extraVolumes` | Array to add extra volumes | `[]` |
+| `defaultBackend.extraVolumeMounts` | Array to add extra mounts (normally used with extraVolumes) | `[]` |
+| `defaultBackend.initContainers` | Attach additional init containers to the http backend pods | `[]` |
+| `defaultBackend.sidecars` | Add additional sidecar containers to the default backend | `[]` |
+| `defaultBackend.containerPorts.http` | Set http port inside Contour pod | `8001` |
+| `defaultBackend.updateStrategy` | Strategy to use to update Pods | `{}` |
+| `defaultBackend.command` | Override default command | `[]` |
+| `defaultBackend.args` | Override default args | `[]` |
+| `defaultBackend.hostAliases` | Add deployment host aliases | `[]` |
+| `defaultBackend.replicaCount` | Desired number of default backend pods | `1` |
+| `defaultBackend.podSecurityContext.enabled` | Default backend Pod securityContext | `true` |
+| `defaultBackend.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `defaultBackend.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
+| `defaultBackend.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
+| `defaultBackend.podSecurityContext.fsGroup` | Set Default backend Pod's Security Context fsGroup | `1001` |
+| `defaultBackend.containerSecurityContext.enabled` | Enabled defaultBackend containers' Security Context | `true` |
+| `defaultBackend.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
+| `defaultBackend.containerSecurityContext.runAsUser` | Set defaultBackend containers' Security Context runAsUser | `1001` |
+| `defaultBackend.containerSecurityContext.runAsGroup` | Set defaultBackend containers' Security Context runAsGroup | `1001` |
+| `defaultBackend.containerSecurityContext.runAsNonRoot` | Set defaultBackend containers' Security Context runAsNonRoot | `true` |
+| `defaultBackend.containerSecurityContext.readOnlyRootFilesystem` | Set read only root file system pod's Security Conte | `true` |
+| `defaultBackend.containerSecurityContext.privileged` | Set defaultBackend container's Security Context privileged | `false` |
+| `defaultBackend.containerSecurityContext.allowPrivilegeEscalation` | Set defaultBackend container's Security Context allowPrivilegeEscalation | `false` |
+| `defaultBackend.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `defaultBackend.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `defaultBackend.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if defaultBackend.resources is set (defaultBackend.resources is recommended for production). | `nano` |
+| `defaultBackend.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `defaultBackend.livenessProbe.enabled` | Enable livenessProbe | `true` |
+| `defaultBackend.livenessProbe.httpGet` | Path, port and scheme for the livenessProbe | `{}` |
+| `defaultBackend.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
+| `defaultBackend.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
+| `defaultBackend.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
+| `defaultBackend.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
+| `defaultBackend.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `defaultBackend.readinessProbe.enabled` | Enable readinessProbe | `true` |
+| `defaultBackend.readinessProbe.httpGet` | Path, port and scheme for the readinessProbe | `{}` |
+| `defaultBackend.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` |
+| `defaultBackend.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
+| `defaultBackend.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
+| `defaultBackend.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
+| `defaultBackend.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `defaultBackend.startupProbe.enabled` | Enable/disable the startup probe | `false` |
+| `defaultBackend.startupProbe.initialDelaySeconds` | Delay before startup probe is initiated | `15` |
+| `defaultBackend.startupProbe.periodSeconds` | How often to perform the probe | `10` |
+| `defaultBackend.startupProbe.timeoutSeconds` | When the probe times out | `5` |
+| `defaultBackend.startupProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `3` |
+| `defaultBackend.startupProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` |
+| `defaultBackend.customLivenessProbe` | Override default liveness probe, it overrides the default one (evaluated as a template) | `{}` |
+| `defaultBackend.customReadinessProbe` | Override default readiness probe, it overrides the default one (evaluated as a template) | `{}` |
+| `defaultBackend.customStartupProbe` | Override default startup probe | `{}` |
+| `defaultBackend.podLabels` | Extra labels for Controller pods | `{}` |
+| `defaultBackend.podAnnotations` | Annotations for Controller pods | `{}` |
+| `defaultBackend.priorityClassName` | Priority class assigned to the pods | `""` |
+| `defaultBackend.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
+| `defaultBackend.terminationGracePeriodSeconds` | In seconds, time the given to the default backend pod needs to terminate gracefully | `60` |
+| `defaultBackend.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
+| `defaultBackend.podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `defaultBackend.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
+| `defaultBackend.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `defaultBackend.nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set. | `""` |
+| `defaultBackend.nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` |
+| `defaultBackend.affinity` | Affinity for pod assignment. Evaluated as a template. | `{}` |
+| `defaultBackend.nodeSelector` | Node labels for pod assignment. Evaluated as a template. | `{}` |
+| `defaultBackend.tolerations` | Tolerations for pod assignment. Evaluated as a template. | `[]` |
+| `defaultBackend.service.type` | Service type | `ClusterIP` |
+| `defaultBackend.service.ports.http` | Service port | `80` |
+| `defaultBackend.service.annotations` | Annotations to add to the service | `{}` |
+| `defaultBackend.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
+| `defaultBackend.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
+| `defaultBackend.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
+| `defaultBackend.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `defaultBackend.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `defaultBackend.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
+| `defaultBackend.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
+| `defaultBackend.pdb.create` | Enable Pod Disruption Budget configuration | `true` |
+| `defaultBackend.pdb.minAvailable` | Minimum number/percentage of Default backend pods that should remain scheduled | `""` |
+| `defaultBackend.pdb.maxUnavailable` | Maximum number/percentage of Default backend pods that should remain scheduled | `""` |
+| `ingress.enabled` | Ingress configuration enabled | `false` |
+| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` |
+| `ingress.certManager` | Add annotations for cert-manager | `false` |
+| `ingress.annotations` | Annotations to be added to the web ingress. | `{}` |
+| `ingress.hostname` | Hostname for the Ingress object | `contour.local` |
+| `ingress.path` | The Path to Concourse | `/` |
+| `ingress.rulesOverride` | Ingress rules override | `[]` |
+| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
+| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
+| `ingress.extraPaths` | Add additional arbitrary paths that may need to be added to the ingress under the main host. | `[]` |
+| `ingress.tls` | TLS configuration. | `false` |
+| `ingress.pathType` | Ingress Path type | `ImplementationSpecific` |
+| `ingress.extraHosts` | The list of additional hostnames to be covered with this ingress record. | `[]` |
+| `ingress.extraTls` | The tls configuration for additional hostnames to be covered with this ingress record. | `[]` |
+| `ingress.secrets` | If you're providing your own certificates, please use this to add the certificates as secrets | `[]` |
+| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
+
+### Metrics parameters
+
+| Name | Description | Value |
+| ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------ | ------------------------ |
+| `metrics.serviceMonitor.namespace` | Specify if the servicemonitors will be deployed into a different namespace (blank deploys into same namespace as chart) | `""` |
+| `metrics.serviceMonitor.enabled` | Specify if a servicemonitor will be deployed for prometheus-operator. | `false` |
+| `metrics.serviceMonitor.jobLabel` | Specify the jobLabel to use for the prometheus-operator | `app.kubernetes.io/name` |
+| `metrics.serviceMonitor.interval` | Specify the scrape interval if not specified use default prometheus scrapeIntervall, the Prometheus default scrape interval is used. | `""` |
+| `metrics.serviceMonitor.metricRelabelings` | Specify additional relabeling of metrics. | `[]` |
+| `metrics.serviceMonitor.relabelings` | Specify general relabeling. | `[]` |
+| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
+| `metrics.serviceMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` |
+| `metrics.serviceMonitor.selector` | Specify honorLabels parameter to add the scrape endpoint | `{}` |
+| `metrics.serviceMonitor.labels` | Extra labels for the ServiceMonitor | `{}` |
+| `metrics.prometheusRule.enabled` | Creates a Prometheus Operator prometheusRule | `false` |
+| `metrics.prometheusRule.namespace` | Namespace for the prometheusRule Resource (defaults to the Release Namespace) | `""` |
+| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRule will be discovered by Prometheus | `{}` |
+| `metrics.prometheusRule.rules` | Prometheus Rule definitions | `[]` |
+
+### Other parameters
+
+| Name | Description | Value |
+| ------------------- | -------------------------------------------------------------------------------------------------------------------- | ------ |
+| `rbac.create` | Create the RBAC roles for API accessibility | `true` |
+| `rbac.rules` | Custom RBAC rules to set | `[]` |
+| `tlsExistingSecret` | Name of the existingSecret to be use in both contour and envoy. If it is not nil `contour.certgen` will be disabled. | `""` |
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
+
+```console
+helm install my-release \
+ --set envoy.readinessProbe.successThreshold=5 \
+ oci://REGISTRY_NAME/REPOSITORY_NAME/contour
+```
+
+> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
+
+The above command sets the `envoy.readinessProbe.successThreshold` to `5`.
+
## Troubleshooting
Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues).
@@ -560,6 +676,23 @@ Find more information about how to deal with common errors related to Bitnami's
Please carefully read through the guide "Upgrading Contour" at .
+### To 15.0.0
+
+This major bump changes the following security defaults:
+
+- `runAsGroup` is changed from `0` to `1001`
+- `readOnlyRootFilesystem` is set to `true`
+- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
+- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
+- `envoy.useHostPort.*` are changed from `true` to `false`.
+- Added missing liveness and readiness probes in components like shutdown-manager
+
+This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
+
+### To 14.0.0
+
+This major release adds support for Kubernetes PSA restricted mode out of the box. In order to do so, `hostNetwork` is disabled by default in envoy. In order to maintain `hostNetwork` in your current installation set `envoy.useHostNetwork=true`.
+
### To 7.0.0
This major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository.
@@ -619,7 +752,7 @@ If required, back up your existing Custom Resources:
kubectl get -o yaml extensionservice,httpproxy,tlscertificatedelegation -A > backup.yaml
```
-Delete the existing Contour CRDs. Note that this step will *also delete* the associated CRs and impact availability until the upgrade is complete and the backup restored:
+Delete the existing Contour CRDs. Note that this step will _also delete_ the associated CRs and impact availability until the upgrade is complete and the backup restored:
```console
kubectl delete extensionservices.projectcontour.io
@@ -630,9 +763,11 @@ kubectl delete tlscertificatedelegations.projectcontour.io
Upgrade the Contour chart with the release name `my-release`:
```console
-helm upgrade my-release oci://registry-1.docker.io/bitnamicharts/contour
+helm upgrade my-release oci://REGISTRY_NAME/REPOSITORY_NAME/contour
```
+> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
+
If you made a backup earlier, restore the objects:
```console
@@ -646,9 +781,9 @@ kubectl apply -f backup.yaml
#### What changes were introduced in 3.0.0?
- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field.
-- Move dependency information from the *requirements.yaml* to the *Chart.yaml*
-- After running `helm dependency update`, a *Chart.lock* file is generated containing the same structure used in the previous *requirements.lock*
-- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts
+- Move dependency information from the _requirements.yaml_ to the _Chart.yaml_
+- After running `helm dependency update`, a _Chart.lock_ file is generated containing the same structure used in the previous _requirements.lock_
+- The different fields present in the _Chart.yaml_ file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts
#### Considerations when upgrading to 3.0.0
@@ -658,7 +793,7 @@ kubectl apply -f backup.yaml
#### Useful links
--
+-
-
-
@@ -678,7 +813,7 @@ This version also introduces `bitnami/common`, a [library chart](https://helm.sh
## License
-Copyright © 2023 VMware, Inc.
+Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
diff --git a/charts/contour/contour/charts/contour/charts/common/.helmignore b/charts/contour/contour/charts/contour/charts/common/.helmignore
index 50af03172..d0e10845d 100644
--- a/charts/contour/contour/charts/contour/charts/common/.helmignore
+++ b/charts/contour/contour/charts/contour/charts/common/.helmignore
@@ -20,3 +20,7 @@
.idea/
*.tmproj
.vscode/
+# img folder
+img/
+# Changelog
+CHANGELOG.md
diff --git a/charts/contour/contour/charts/contour/charts/common/Chart.yaml b/charts/contour/contour/charts/contour/charts/common/Chart.yaml
index 4fc56bbb7..0c8fdb526 100644
--- a/charts/contour/contour/charts/contour/charts/common/Chart.yaml
+++ b/charts/contour/contour/charts/contour/charts/common/Chart.yaml
@@ -2,7 +2,7 @@ annotations:
category: Infrastructure
licenses: Apache-2.0
apiVersion: v2
-appVersion: 2.4.0
+appVersion: 2.22.0
description: A Library Helm Chart for grouping common logic between bitnami charts.
This chart is not deployable by itself.
home: https://bitnami.com
@@ -14,10 +14,10 @@ keywords:
- function
- bitnami
maintainers:
-- name: VMware, Inc.
+- name: Broadcom, Inc. All Rights Reserved.
url: https://github.com/bitnami/charts
name: common
sources:
-- https://github.com/bitnami/charts
+- https://github.com/bitnami/charts/tree/main/bitnami/common
type: library
-version: 2.4.0
+version: 2.22.0
diff --git a/charts/contour/contour/charts/contour/charts/common/README.md b/charts/contour/contour/charts/contour/charts/common/README.md
index 72fca33da..fee26c991 100644
--- a/charts/contour/contour/charts/contour/charts/common/README.md
+++ b/charts/contour/contour/charts/contour/charts/common/README.md
@@ -2,14 +2,12 @@
A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts.
-Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog.
-
## TL;DR
```yaml
dependencies:
- name: common
- version: 1.x.x
+ version: 2.x.x
repository: oci://registry-1.docker.io/bitnamicharts
```
@@ -26,6 +24,8 @@ data:
myvalue: "Hello World"
```
+Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog.
+
## Introduction
This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager.
@@ -34,8 +34,8 @@ Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment
## Prerequisites
-- Kubernetes 1.19+
-- Helm 3.2.0+
+- Kubernetes 1.23+
+- Helm 3.8.0+
## Parameters
@@ -214,13 +214,13 @@ helm install test mychart --set path.to.value00="",path.to.value01=""
#### Useful links
--
+-
-
-
## License
-Copyright © 2023 Bitnami
+Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
diff --git a/charts/contour/contour/charts/contour/charts/common/templates/_affinities.tpl b/charts/contour/contour/charts/contour/charts/common/templates/_affinities.tpl
index 81902a681..c2d290792 100644
--- a/charts/contour/contour/charts/contour/charts/common/templates/_affinities.tpl
+++ b/charts/contour/contour/charts/contour/charts/common/templates/_affinities.tpl
@@ -1,3 +1,8 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{/* vim: set filetype=mustache: */}}
{{/*
@@ -55,15 +60,17 @@ Return a topologyKey definition
{{/*
Return a soft podAffinity/podAntiAffinity definition
-{{ include "common.affinities.pods.soft" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "context" $) -}}
+{{ include "common.affinities.pods.soft" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "context" $) -}}
*/}}
{{- define "common.affinities.pods.soft" -}}
{{- $component := default "" .component -}}
+{{- $customLabels := default (dict) .customLabels -}}
{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
+{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}}
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
- matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }}
+ matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 10 }}
{{- if not (empty $component) }}
{{ printf "app.kubernetes.io/component: %s" $component }}
{{- end }}
@@ -72,18 +79,33 @@ preferredDuringSchedulingIgnoredDuringExecution:
{{- end }}
topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
weight: 1
+ {{- range $extraPodAffinityTerms }}
+ - podAffinityTerm:
+ labelSelector:
+ matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 10 }}
+ {{- if not (empty $component) }}
+ {{ printf "app.kubernetes.io/component: %s" $component }}
+ {{- end }}
+ {{- range $key, $value := .extraMatchLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
+ weight: {{ .weight | default 1 -}}
+ {{- end -}}
{{- end -}}
{{/*
Return a hard podAffinity/podAntiAffinity definition
-{{ include "common.affinities.pods.hard" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "context" $) -}}
+{{ include "common.affinities.pods.hard" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "context" $) -}}
*/}}
{{- define "common.affinities.pods.hard" -}}
{{- $component := default "" .component -}}
+{{- $customLabels := default (dict) .customLabels -}}
{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
+{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}}
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
- matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }}
+ matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 8 }}
{{- if not (empty $component) }}
{{ printf "app.kubernetes.io/component: %s" $component }}
{{- end }}
@@ -91,6 +113,17 @@ requiredDuringSchedulingIgnoredDuringExecution:
{{ $key }}: {{ $value | quote }}
{{- end }}
topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
+ {{- range $extraPodAffinityTerms }}
+ - labelSelector:
+ matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 8 }}
+ {{- if not (empty $component) }}
+ {{ printf "app.kubernetes.io/component: %s" $component }}
+ {{- end }}
+ {{- range $key, $value := .extraMatchLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
+ {{- end -}}
{{- end -}}
{{/*
diff --git a/charts/contour/contour/charts/contour/charts/common/templates/_capabilities.tpl b/charts/contour/contour/charts/contour/charts/common/templates/_capabilities.tpl
index 697486a31..2fe81d32d 100644
--- a/charts/contour/contour/charts/contour/charts/common/templates/_capabilities.tpl
+++ b/charts/contour/contour/charts/contour/charts/common/templates/_capabilities.tpl
@@ -1,25 +1,23 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{/* vim: set filetype=mustache: */}}
{{/*
Return the target Kubernetes version
*/}}
{{- define "common.capabilities.kubeVersion" -}}
-{{- if .Values.global }}
- {{- if .Values.global.kubeVersion }}
- {{- .Values.global.kubeVersion -}}
- {{- else }}
- {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
- {{- end -}}
-{{- else }}
-{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
-{{- end -}}
+{{- default (default .Capabilities.KubeVersion.Version .Values.kubeVersion) ((.Values.global).kubeVersion) -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for poddisruptionbudget.
*/}}
{{- define "common.capabilities.policy.apiVersion" -}}
-{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}}
{{- print "policy/v1beta1" -}}
{{- else -}}
{{- print "policy/v1" -}}
@@ -30,7 +28,8 @@ Return the appropriate apiVersion for poddisruptionbudget.
Return the appropriate apiVersion for networkpolicy.
*/}}
{{- define "common.capabilities.networkPolicy.apiVersion" -}}
-{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.7-0" $kubeVersion) -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
@@ -41,7 +40,8 @@ Return the appropriate apiVersion for networkpolicy.
Return the appropriate apiVersion for cronjob.
*/}}
{{- define "common.capabilities.cronjob.apiVersion" -}}
-{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}}
{{- print "batch/v1beta1" -}}
{{- else -}}
{{- print "batch/v1" -}}
@@ -52,7 +52,8 @@ Return the appropriate apiVersion for cronjob.
Return the appropriate apiVersion for daemonset.
*/}}
{{- define "common.capabilities.daemonset.apiVersion" -}}
-{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
@@ -63,7 +64,8 @@ Return the appropriate apiVersion for daemonset.
Return the appropriate apiVersion for deployment.
*/}}
{{- define "common.capabilities.deployment.apiVersion" -}}
-{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
@@ -74,7 +76,8 @@ Return the appropriate apiVersion for deployment.
Return the appropriate apiVersion for statefulset.
*/}}
{{- define "common.capabilities.statefulset.apiVersion" -}}
-{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}}
{{- print "apps/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
@@ -85,30 +88,24 @@ Return the appropriate apiVersion for statefulset.
Return the appropriate apiVersion for ingress.
*/}}
{{- define "common.capabilities.ingress.apiVersion" -}}
-{{- if .Values.ingress -}}
-{{- if .Values.ingress.apiVersion -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if (.Values.ingress).apiVersion -}}
{{- .Values.ingress.apiVersion -}}
-{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}}
{{- print "extensions/v1beta1" -}}
-{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end }}
-{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
-{{- print "extensions/v1beta1" -}}
-{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
-{{- print "networking.k8s.io/v1beta1" -}}
-{{- else -}}
-{{- print "networking.k8s.io/v1" -}}
-{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for RBAC resources.
*/}}
{{- define "common.capabilities.rbac.apiVersion" -}}
-{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.17-0" $kubeVersion) -}}
{{- print "rbac.authorization.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "rbac.authorization.k8s.io/v1" -}}
@@ -119,7 +116,8 @@ Return the appropriate apiVersion for RBAC resources.
Return the appropriate apiVersion for CRDs.
*/}}
{{- define "common.capabilities.crd.apiVersion" -}}
-{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}}
{{- print "apiextensions.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "apiextensions.k8s.io/v1" -}}
@@ -130,7 +128,8 @@ Return the appropriate apiVersion for CRDs.
Return the appropriate apiVersion for APIService.
*/}}
{{- define "common.capabilities.apiService.apiVersion" -}}
-{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.10-0" $kubeVersion) -}}
{{- print "apiregistration.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "apiregistration.k8s.io/v1" -}}
@@ -141,7 +140,8 @@ Return the appropriate apiVersion for APIService.
Return the appropriate apiVersion for Horizontal Pod Autoscaler.
*/}}
{{- define "common.capabilities.hpa.apiVersion" -}}
-{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}}
{{- if .beta2 -}}
{{- print "autoscaling/v2beta2" -}}
{{- else -}}
@@ -156,7 +156,8 @@ Return the appropriate apiVersion for Horizontal Pod Autoscaler.
Return the appropriate apiVersion for Vertical Pod Autoscaler.
*/}}
{{- define "common.capabilities.vpa.apiVersion" -}}
-{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}}
{{- if .beta2 -}}
{{- print "autoscaling/v2beta2" -}}
{{- else -}}
@@ -167,6 +168,54 @@ Return the appropriate apiVersion for Vertical Pod Autoscaler.
{{- end -}}
{{- end -}}
+{{/*
+Returns true if PodSecurityPolicy is supported
+*/}}
+{{- define "common.capabilities.psp.supported" -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if or (empty $kubeVersion) (semverCompare "<1.25-0" $kubeVersion) -}}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns true if AdmissionConfiguration is supported
+*/}}
+{{- define "common.capabilities.admissionConfiguration.supported" -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if or (empty $kubeVersion) (not (semverCompare "<1.23-0" $kubeVersion)) -}}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for AdmissionConfiguration.
+*/}}
+{{- define "common.capabilities.admissionConfiguration.apiVersion" -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}}
+{{- print "apiserver.config.k8s.io/v1alpha1" -}}
+{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}}
+{{- print "apiserver.config.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "apiserver.config.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for PodSecurityConfiguration.
+*/}}
+{{- define "common.capabilities.podSecurityConfiguration.apiVersion" -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}}
+{{- print "pod-security.admission.config.k8s.io/v1alpha1" -}}
+{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}}
+{{- print "pod-security.admission.config.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "pod-security.admission.config.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
{{/*
Returns true if the used Helm version is 3.3+.
A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure.
diff --git a/charts/contour/contour/charts/contour/charts/common/templates/_compatibility.tpl b/charts/contour/contour/charts/contour/charts/common/templates/_compatibility.tpl
new file mode 100644
index 000000000..eb4061d7d
--- /dev/null
+++ b/charts/contour/contour/charts/contour/charts/common/templates/_compatibility.tpl
@@ -0,0 +1,42 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return true if the detected platform is Openshift
+Usage:
+{{- include "common.compatibility.isOpenshift" . -}}
+*/}}
+{{- define "common.compatibility.isOpenshift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
+Usage:
+{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
+*/}}
+{{- define "common.compatibility.renderSecurityContext" -}}
+{{- $adaptedContext := .secContext -}}
+
+{{- if (((.context.Values.global).compatibility).openshift) -}}
+ {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
+ {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
+ {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+ {{- if not .secContext.seLinuxOptions -}}
+ {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
+ {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{/* Remove fields that are disregarded when running the container in privileged mode */}}
+{{- if $adaptedContext.privileged -}}
+ {{- $adaptedContext = omit $adaptedContext "capabilities" "seLinuxOptions" -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
diff --git a/charts/contour/contour/charts/contour/charts/common/templates/_errors.tpl b/charts/contour/contour/charts/contour/charts/common/templates/_errors.tpl
index a79cc2e32..e96536519 100644
--- a/charts/contour/contour/charts/contour/charts/common/templates/_errors.tpl
+++ b/charts/contour/contour/charts/contour/charts/common/templates/_errors.tpl
@@ -1,3 +1,8 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{/* vim: set filetype=mustache: */}}
{{/*
Through error when upgrading using empty passwords values that must not be empty.
diff --git a/charts/contour/contour/charts/contour/charts/common/templates/_images.tpl b/charts/contour/contour/charts/contour/charts/common/templates/_images.tpl
index d60c22e25..76bb7ce44 100644
--- a/charts/contour/contour/charts/contour/charts/common/templates/_images.tpl
+++ b/charts/contour/contour/charts/contour/charts/common/templates/_images.tpl
@@ -1,17 +1,24 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{/* vim: set filetype=mustache: */}}
{{/*
-Return the proper image name
-{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global ) }}
+Return the proper image name.
+If image tag and digest are not defined, termination fallbacks to chart appVersion.
+{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global "chart" .Chart ) }}
*/}}
{{- define "common.images.image" -}}
-{{- $registryName := .imageRoot.registry -}}
+{{- $registryName := default .imageRoot.registry ((.global).imageRegistry) -}}
{{- $repositoryName := .imageRoot.repository -}}
{{- $separator := ":" -}}
{{- $termination := .imageRoot.tag | toString -}}
-{{- if .global }}
- {{- if .global.imageRegistry }}
- {{- $registryName = .global.imageRegistry -}}
- {{- end -}}
+
+{{- if not .imageRoot.tag }}
+ {{- if .chart }}
+ {{- $termination = .chart.AppVersion | toString -}}
+ {{- end -}}
{{- end -}}
{{- if .imageRoot.digest }}
{{- $separator = "@" -}}
@@ -31,19 +38,25 @@ Return the proper Docker Image Registry Secret Names (deprecated: use common.ima
{{- define "common.images.pullSecrets" -}}
{{- $pullSecrets := list }}
- {{- if .global }}
- {{- range .global.imagePullSecrets -}}
+ {{- range ((.global).imagePullSecrets) -}}
+ {{- if kindIs "map" . -}}
+ {{- $pullSecrets = append $pullSecrets .name -}}
+ {{- else -}}
{{- $pullSecrets = append $pullSecrets . -}}
- {{- end -}}
+ {{- end }}
{{- end -}}
{{- range .images -}}
{{- range .pullSecrets -}}
- {{- $pullSecrets = append $pullSecrets . -}}
+ {{- if kindIs "map" . -}}
+ {{- $pullSecrets = append $pullSecrets .name -}}
+ {{- else -}}
+ {{- $pullSecrets = append $pullSecrets . -}}
+ {{- end -}}
{{- end -}}
{{- end -}}
- {{- if (not (empty $pullSecrets)) }}
+ {{- if (not (empty $pullSecrets)) -}}
imagePullSecrets:
{{- range $pullSecrets | uniq }}
- name: {{ . }}
@@ -59,22 +72,44 @@ Return the proper Docker Image Registry Secret Names evaluating values as templa
{{- $pullSecrets := list }}
{{- $context := .context }}
- {{- if $context.Values.global }}
- {{- range $context.Values.global.imagePullSecrets -}}
+ {{- range (($context.Values.global).imagePullSecrets) -}}
+ {{- if kindIs "map" . -}}
+ {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}}
+ {{- else -}}
{{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
{{- end -}}
{{- end -}}
{{- range .images -}}
{{- range .pullSecrets -}}
- {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
+ {{- if kindIs "map" . -}}
+ {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}}
+ {{- else -}}
+ {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
+ {{- end -}}
{{- end -}}
{{- end -}}
- {{- if (not (empty $pullSecrets)) }}
+ {{- if (not (empty $pullSecrets)) -}}
imagePullSecrets:
{{- range $pullSecrets | uniq }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- end -}}
+
+{{/*
+Return the proper image version (ingores image revision/prerelease info & fallbacks to chart appVersion)
+{{ include "common.images.version" ( dict "imageRoot" .Values.path.to.the.image "chart" .Chart ) }}
+*/}}
+{{- define "common.images.version" -}}
+{{- $imageTag := .imageRoot.tag | toString -}}
+{{/* regexp from https://github.com/Masterminds/semver/blob/23f51de38a0866c5ef0bfc42b3f735c73107b700/version.go#L41-L44 */}}
+{{- if regexMatch `^([0-9]+)(\.[0-9]+)?(\.[0-9]+)?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?$` $imageTag -}}
+ {{- $version := semver $imageTag -}}
+ {{- printf "%d.%d.%d" $version.Major $version.Minor $version.Patch -}}
+{{- else -}}
+ {{- print .chart.AppVersion -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/contour/contour/charts/contour/charts/common/templates/_ingress.tpl b/charts/contour/contour/charts/contour/charts/common/templates/_ingress.tpl
index 831da9caa..7d2b87985 100644
--- a/charts/contour/contour/charts/contour/charts/common/templates/_ingress.tpl
+++ b/charts/contour/contour/charts/contour/charts/common/templates/_ingress.tpl
@@ -1,3 +1,8 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{/* vim: set filetype=mustache: */}}
{{/*
diff --git a/charts/contour/contour/charts/contour/charts/common/templates/_labels.tpl b/charts/contour/contour/charts/contour/charts/common/templates/_labels.tpl
index 252066c7e..0a0cc5488 100644
--- a/charts/contour/contour/charts/contour/charts/common/templates/_labels.tpl
+++ b/charts/contour/contour/charts/contour/charts/common/templates/_labels.tpl
@@ -1,18 +1,46 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{/* vim: set filetype=mustache: */}}
+
{{/*
Kubernetes standard labels
+{{ include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) -}}
*/}}
{{- define "common.labels.standard" -}}
+{{- if and (hasKey . "customLabels") (hasKey . "context") -}}
+{{- $default := dict "app.kubernetes.io/name" (include "common.names.name" .context) "helm.sh/chart" (include "common.names.chart" .context) "app.kubernetes.io/instance" .context.Release.Name "app.kubernetes.io/managed-by" .context.Release.Service -}}
+{{- with .context.Chart.AppVersion -}}
+{{- $_ := set $default "app.kubernetes.io/version" . -}}
+{{- end -}}
+{{ template "common.tplvalues.merge" (dict "values" (list .customLabels $default) "context" .context) }}
+{{- else -}}
app.kubernetes.io/name: {{ include "common.names.name" . }}
helm.sh/chart: {{ include "common.names.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Chart.AppVersion }}
+app.kubernetes.io/version: {{ . | quote }}
+{{- end -}}
+{{- end -}}
{{- end -}}
{{/*
-Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
+Labels used on immutable fields such as deploy.spec.selector.matchLabels or svc.spec.selector
+{{ include "common.labels.matchLabels" (dict "customLabels" .Values.podLabels "context" $) -}}
+
+We don't want to loop over custom labels appending them to the selector
+since it's very likely that it will break deployments, services, etc.
+However, it's important to overwrite the standard labels if the user
+overwrote them on metadata.labels fields.
*/}}
{{- define "common.labels.matchLabels" -}}
+{{- if and (hasKey . "customLabels") (hasKey . "context") -}}
+{{ merge (pick (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) "app.kubernetes.io/name" "app.kubernetes.io/instance") (dict "app.kubernetes.io/name" (include "common.names.name" .context) "app.kubernetes.io/instance" .context.Release.Name ) | toYaml }}
+{{- else -}}
app.kubernetes.io/name: {{ include "common.names.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
+{{- end -}}
diff --git a/charts/contour/contour/charts/contour/charts/common/templates/_names.tpl b/charts/contour/contour/charts/contour/charts/common/templates/_names.tpl
index 617a23489..ba8395685 100644
--- a/charts/contour/contour/charts/contour/charts/common/templates/_names.tpl
+++ b/charts/contour/contour/charts/contour/charts/common/templates/_names.tpl
@@ -1,3 +1,8 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
diff --git a/charts/contour/contour/charts/contour/charts/common/templates/_resources.tpl b/charts/contour/contour/charts/contour/charts/common/templates/_resources.tpl
new file mode 100644
index 000000000..d8a43e1c2
--- /dev/null
+++ b/charts/contour/contour/charts/contour/charts/common/templates/_resources.tpl
@@ -0,0 +1,50 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return a resource request/limit object based on a given preset.
+These presets are for basic testing and not meant to be used in production
+{{ include "common.resources.preset" (dict "type" "nano") -}}
+*/}}
+{{- define "common.resources.preset" -}}
+{{/* The limits are the requests increased by 50% (except ephemeral-storage and xlarge/2xlarge sizes)*/}}
+{{- $presets := dict
+ "nano" (dict
+ "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "2Gi")
+ )
+ "micro" (dict
+ "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "2Gi")
+ )
+ "small" (dict
+ "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "2Gi")
+ )
+ "medium" (dict
+ "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "2Gi")
+ )
+ "large" (dict
+ "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "2Gi")
+ )
+ "xlarge" (dict
+ "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "2Gi")
+ )
+ "2xlarge" (dict
+ "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "2Gi")
+ )
+ }}
+{{- if hasKey $presets .type -}}
+{{- index $presets .type | toYaml -}}
+{{- else -}}
+{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/contour/contour/charts/contour/charts/common/templates/_secrets.tpl b/charts/contour/contour/charts/contour/charts/common/templates/_secrets.tpl
index a1708b2e8..801918ce3 100644
--- a/charts/contour/contour/charts/contour/charts/common/templates/_secrets.tpl
+++ b/charts/contour/contour/charts/contour/charts/common/templates/_secrets.tpl
@@ -1,3 +1,8 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{/* vim: set filetype=mustache: */}}
{{/*
Generate secret name.
@@ -72,7 +77,9 @@ Params:
- strong - Boolean - Optional - Whether to add symbols to the generated random password.
- chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart.
- context - Context - Required - Parent context.
-
+ - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets.
+ - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted.
+ - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret.
The order in which this function returns a secret password:
1. Already existing 'Secret' resource
(If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned)
@@ -93,33 +100,45 @@ The order in which this function returns a secret password:
{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }}
{{- if $secretData }}
{{- if hasKey $secretData .key }}
- {{- $password = index $secretData .key | quote }}
- {{- else }}
+ {{- $password = index $secretData .key | b64dec }}
+ {{- else if not (eq .failOnNew false) }}
{{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}}
{{- end -}}
-{{- else if $providedPasswordValue }}
- {{- $password = $providedPasswordValue | toString | b64enc | quote }}
-{{- else }}
+{{- end }}
- {{- if .context.Values.enabled }}
- {{- $subchart = $chartName }}
- {{- end -}}
-
- {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}}
- {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}}
- {{- $passwordValidationErrors := list $requiredPasswordError -}}
- {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}}
-
- {{- if .strong }}
- {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }}
- {{- $password = randAscii $passwordLength }}
- {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
- {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }}
+{{- if not $password }}
+ {{- if $providedPasswordValue }}
+ {{- $password = $providedPasswordValue | toString }}
{{- else }}
- {{- $password = randAlphaNum $passwordLength | b64enc | quote }}
- {{- end }}
+ {{- if .context.Values.enabled }}
+ {{- $subchart = $chartName }}
+ {{- end -}}
+
+ {{- if not (eq .failOnNew false) }}
+ {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}}
+ {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}}
+ {{- $passwordValidationErrors := list $requiredPasswordError -}}
+ {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}}
+ {{- end }}
+
+ {{- if .strong }}
+ {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }}
+ {{- $password = randAscii $passwordLength }}
+ {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
+ {{- $password = printf "%s%s" $subStr $password | toString | shuffle }}
+ {{- else }}
+ {{- $password = randAlphaNum $passwordLength }}
+ {{- end }}
+ {{- end -}}
+{{- end -}}
+{{- if not .skipB64enc }}
+{{- $password = $password | b64enc }}
{{- end -}}
+{{- if .skipQuote -}}
{{- printf "%s" $password -}}
+{{- else -}}
+{{- printf "%s" $password | quote -}}
+{{- end -}}
{{- end -}}
{{/*
@@ -137,15 +156,16 @@ Params:
*/}}
{{- define "common.secrets.lookup" -}}
{{- $value := "" -}}
-{{- $defaultValue := required "\n'common.secrets.lookup': Argument 'defaultValue' missing or empty" .defaultValue -}}
{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data -}}
{{- if and $secretData (hasKey $secretData .key) -}}
{{- $value = index $secretData .key -}}
-{{- else -}}
- {{- $value = $defaultValue | toString | b64enc -}}
+{{- else if .defaultValue -}}
+ {{- $value = .defaultValue | toString | b64enc -}}
{{- end -}}
+{{- if $value -}}
{{- printf "%s" $value -}}
{{- end -}}
+{{- end -}}
{{/*
Returns whether a previous generated secret already exists
diff --git a/charts/contour/contour/charts/contour/charts/common/templates/_storage.tpl b/charts/contour/contour/charts/contour/charts/common/templates/_storage.tpl
index 60e2a844f..aa75856c0 100644
--- a/charts/contour/contour/charts/contour/charts/common/templates/_storage.tpl
+++ b/charts/contour/contour/charts/contour/charts/common/templates/_storage.tpl
@@ -1,23 +1,21 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{/* vim: set filetype=mustache: */}}
+
{{/*
Return the proper Storage Class
{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }}
*/}}
{{- define "common.storage.class" -}}
-
-{{- $storageClass := .persistence.storageClass -}}
-{{- if .global -}}
- {{- if .global.storageClass -}}
- {{- $storageClass = .global.storageClass -}}
- {{- end -}}
-{{- end -}}
-
+{{- $storageClass := (.global).storageClass | default .persistence.storageClass | default (.global).defaultStorageClass | default "" -}}
{{- if $storageClass -}}
{{- if (eq "-" $storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
- {{- else }}
+ {{- else -}}
{{- printf "storageClassName: %s" $storageClass -}}
{{- end -}}
{{- end -}}
-
{{- end -}}
diff --git a/charts/contour/contour/charts/contour/charts/common/templates/_tplvalues.tpl b/charts/contour/contour/charts/contour/charts/common/templates/_tplvalues.tpl
index 2db166851..c84d72c80 100644
--- a/charts/contour/contour/charts/contour/charts/common/templates/_tplvalues.tpl
+++ b/charts/contour/contour/charts/contour/charts/common/templates/_tplvalues.tpl
@@ -1,13 +1,38 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{/* vim: set filetype=mustache: */}}
{{/*
-Renders a value that contains template.
+Renders a value that contains template perhaps with scope if the scope is present.
Usage:
-{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }}
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }}
*/}}
{{- define "common.tplvalues.render" -}}
- {{- if typeIs "string" .value }}
- {{- tpl .value .context }}
- {{- else }}
- {{- tpl (.value | toYaml) .context }}
- {{- end }}
+{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }}
+{{- if contains "{{" (toJson .value) }}
+ {{- if .scope }}
+ {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }}
+ {{- else }}
+ {{- tpl $value .context }}
+ {{- end }}
+{{- else }}
+ {{- $value }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Merge a list of values that contains template after rendering them.
+Merge precedence is consistent with http://masterminds.github.io/sprig/dicts.html#merge-mustmerge
+Usage:
+{{ include "common.tplvalues.merge" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }}
+*/}}
+{{- define "common.tplvalues.merge" -}}
+{{- $dst := dict -}}
+{{- range .values -}}
+{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | merge $dst -}}
+{{- end -}}
+{{ $dst | toYaml }}
{{- end -}}
diff --git a/charts/contour/contour/charts/contour/charts/common/templates/_utils.tpl b/charts/contour/contour/charts/contour/charts/common/templates/_utils.tpl
index b1ead50cf..d53c74aa2 100644
--- a/charts/contour/contour/charts/contour/charts/common/templates/_utils.tpl
+++ b/charts/contour/contour/charts/contour/charts/common/templates/_utils.tpl
@@ -1,3 +1,8 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{/* vim: set filetype=mustache: */}}
{{/*
Print instructions to get a secret value.
@@ -60,3 +65,13 @@ Usage:
{{- end -}}
{{- printf "%s" $key -}}
{{- end -}}
+
+{{/*
+Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376).
+Usage:
+{{ include "common.utils.checksumTemplate" (dict "path" "/configmap.yaml" "context" $) }}
+*/}}
+{{- define "common.utils.checksumTemplate" -}}
+{{- $obj := include (print .context.Template.BasePath .path) .context | fromYaml -}}
+{{ omit $obj "apiVersion" "kind" "metadata" | toYaml | sha256sum }}
+{{- end -}}
diff --git a/charts/contour/contour/charts/contour/charts/common/templates/_warnings.tpl b/charts/contour/contour/charts/contour/charts/common/templates/_warnings.tpl
index ae10fa41e..e4dbecde2 100644
--- a/charts/contour/contour/charts/contour/charts/common/templates/_warnings.tpl
+++ b/charts/contour/contour/charts/contour/charts/common/templates/_warnings.tpl
@@ -1,3 +1,8 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{/* vim: set filetype=mustache: */}}
{{/*
Warning about using rolling tag.
@@ -8,7 +13,97 @@ Usage:
{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
-+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
++info https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-understand-rolling-tags-containers-index.html
{{- end }}
+{{- end -}}
+{{/*
+Warning about replaced images from the original.
+Usage:
+{{ include "common.warnings.modifiedImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }}
+*/}}
+{{- define "common.warnings.modifiedImages" -}}
+{{- $affectedImages := list -}}
+{{- $printMessage := false -}}
+{{- $originalImages := .context.Chart.Annotations.images -}}
+{{- range .images -}}
+ {{- $fullImageName := printf (printf "%s/%s:%s" .registry .repository .tag) -}}
+ {{- if not (contains $fullImageName $originalImages) }}
+ {{- $affectedImages = append $affectedImages (printf "%s/%s:%s" .registry .repository .tag) -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+{{- end -}}
+{{- if $printMessage }}
+
+âš SECURITY WARNING: Original containers have been substituted. This Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Tanzu Application Catalog containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables.
+
+Substituted images detected:
+{{- range $affectedImages }}
+ - {{ . }}
+{{- end }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Warning about not setting the resource object in all deployments.
+Usage:
+{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }}
+Example:
+{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }}
+The list in the example assumes that the following values exist:
+ - csiProvider.provider.resources
+ - server.resources
+ - volumePermissions.resources
+ - resources
+*/}}
+{{- define "common.warnings.resources" -}}
+{{- $values := .context.Values -}}
+{{- $printMessage := false -}}
+{{ $affectedSections := list -}}
+{{- range .sections -}}
+ {{- if eq . "" -}}
+ {{/* Case where the resources section is at the root (one main deployment in the chart) */}}
+ {{- if not (index $values "resources") -}}
+ {{- $affectedSections = append $affectedSections "resources" -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- else -}}
+ {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}}
+ {{- $keys := split "." . -}}
+ {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}}
+ {{- $section := $values -}}
+ {{- range $keys -}}
+ {{- $section = index $section . -}}
+ {{- end -}}
+ {{- if not (index $section "resources") -}}
+ {{/* If the section has enabled=false or replicaCount=0, do not include it */}}
+ {{- if and (hasKey $section "enabled") -}}
+ {{- if index $section "enabled" -}}
+ {{/* enabled=true */}}
+ {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- else if and (hasKey $section "replicaCount") -}}
+ {{/* We need a casting to int because number 0 is not treated as an int by default */}}
+ {{- if (gt (index $section "replicaCount" | int) 0) -}}
+ {{/* replicaCount > 0 */}}
+ {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- else -}}
+ {{/* Default case, add it to the affected sections */}}
+ {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- if $printMessage }}
+
+WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs:
+{{- range $affectedSections }}
+ - {{ . }}
+{{- end }}
++info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+{{- end -}}
{{- end -}}
diff --git a/charts/contour/contour/charts/contour/charts/common/templates/validations/_cassandra.tpl b/charts/contour/contour/charts/contour/charts/common/templates/validations/_cassandra.tpl
index ded1ae3bc..3f41ff8fc 100644
--- a/charts/contour/contour/charts/contour/charts/common/templates/validations/_cassandra.tpl
+++ b/charts/contour/contour/charts/contour/charts/common/templates/validations/_cassandra.tpl
@@ -1,3 +1,8 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{/* vim: set filetype=mustache: */}}
{{/*
Validate Cassandra required passwords are not empty.
diff --git a/charts/contour/contour/charts/contour/charts/common/templates/validations/_mariadb.tpl b/charts/contour/contour/charts/contour/charts/common/templates/validations/_mariadb.tpl
index b6906ff77..6ea8c0f45 100644
--- a/charts/contour/contour/charts/contour/charts/common/templates/validations/_mariadb.tpl
+++ b/charts/contour/contour/charts/contour/charts/common/templates/validations/_mariadb.tpl
@@ -1,3 +1,8 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{/* vim: set filetype=mustache: */}}
{{/*
Validate MariaDB required passwords are not empty.
diff --git a/charts/contour/contour/charts/contour/charts/common/templates/validations/_mongodb.tpl b/charts/contour/contour/charts/contour/charts/common/templates/validations/_mongodb.tpl
index f820ec107..d4cd38cbb 100644
--- a/charts/contour/contour/charts/contour/charts/common/templates/validations/_mongodb.tpl
+++ b/charts/contour/contour/charts/contour/charts/common/templates/validations/_mongodb.tpl
@@ -1,3 +1,8 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{/* vim: set filetype=mustache: */}}
{{/*
Validate MongoDB® required passwords are not empty.
diff --git a/charts/contour/contour/charts/contour/charts/common/templates/validations/_mysql.tpl b/charts/contour/contour/charts/contour/charts/common/templates/validations/_mysql.tpl
index 74472a061..924812a93 100644
--- a/charts/contour/contour/charts/contour/charts/common/templates/validations/_mysql.tpl
+++ b/charts/contour/contour/charts/contour/charts/common/templates/validations/_mysql.tpl
@@ -1,3 +1,8 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{/* vim: set filetype=mustache: */}}
{{/*
Validate MySQL required passwords are not empty.
diff --git a/charts/contour/contour/charts/contour/charts/common/templates/validations/_postgresql.tpl b/charts/contour/contour/charts/contour/charts/common/templates/validations/_postgresql.tpl
index 164ec0d01..0fa0b1467 100644
--- a/charts/contour/contour/charts/contour/charts/common/templates/validations/_postgresql.tpl
+++ b/charts/contour/contour/charts/contour/charts/common/templates/validations/_postgresql.tpl
@@ -1,3 +1,8 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{/* vim: set filetype=mustache: */}}
{{/*
Validate PostgreSQL required passwords are not empty.
diff --git a/charts/contour/contour/charts/contour/charts/common/templates/validations/_redis.tpl b/charts/contour/contour/charts/contour/charts/common/templates/validations/_redis.tpl
index dcccfc1ae..f4778256d 100644
--- a/charts/contour/contour/charts/contour/charts/common/templates/validations/_redis.tpl
+++ b/charts/contour/contour/charts/contour/charts/common/templates/validations/_redis.tpl
@@ -1,3 +1,8 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{/* vim: set filetype=mustache: */}}
{{/*
diff --git a/charts/contour/contour/charts/contour/charts/common/templates/validations/_validations.tpl b/charts/contour/contour/charts/contour/charts/common/templates/validations/_validations.tpl
index 9a814cf40..7cdee6170 100644
--- a/charts/contour/contour/charts/contour/charts/common/templates/validations/_validations.tpl
+++ b/charts/contour/contour/charts/contour/charts/common/templates/validations/_validations.tpl
@@ -1,3 +1,8 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{/* vim: set filetype=mustache: */}}
{{/*
Validate values must not be empty.
diff --git a/charts/contour/contour/charts/contour/charts/common/values.yaml b/charts/contour/contour/charts/contour/charts/common/values.yaml
index f2df68e5e..de2cac57d 100644
--- a/charts/contour/contour/charts/contour/charts/common/values.yaml
+++ b/charts/contour/contour/charts/contour/charts/common/values.yaml
@@ -1,3 +1,6 @@
+# Copyright Broadcom, Inc. All Rights Reserved.
+# SPDX-License-Identifier: APACHE-2.0
+
## bitnami/common
## It is required by CI/CD tools and processes.
## @skip exampleValue
diff --git a/charts/contour/contour/charts/contour/resources/contourconfiguration.yaml b/charts/contour/contour/charts/contour/resources/contourconfiguration.yaml
deleted file mode 100644
index 4b6e5ed40..000000000
--- a/charts/contour/contour/charts/contour/resources/contourconfiguration.yaml
+++ /dev/null
@@ -1,966 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.11.4
- name: contourconfigurations.projectcontour.io
-spec:
- preserveUnknownFields: false
- group: projectcontour.io
- names:
- kind: ContourConfiguration
- listKind: ContourConfigurationList
- plural: contourconfigurations
- shortNames:
- - contourconfig
- singular: contourconfiguration
- scope: Namespaced
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- description: ContourConfiguration is the schema for a Contour instance.
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: ContourConfigurationSpec represents a configuration of a
- Contour controller. It contains most of all the options that can be
- customized, the other remaining options being command line flags.
- properties:
- debug:
- description: Debug contains parameters to enable debug logging and
- debug interfaces inside Contour.
- properties:
- address:
- description: "Defines the Contour debug address interface. \n
- Contour's default is \"127.0.0.1\"."
- type: string
- port:
- description: "Defines the Contour debug address port. \n Contour's
- default is 6060."
- type: integer
- type: object
- enableExternalNameService:
- description: "EnableExternalNameService allows processing of ExternalNameServices
- \n Contour's default is false for security reasons."
- type: boolean
- envoy:
- description: Envoy contains parameters for Envoy as well as how to
- optionally configure a managed Envoy fleet.
- properties:
- clientCertificate:
- description: ClientCertificate defines the namespace/name of the
- Kubernetes secret containing the client certificate and private
- key to be used when establishing TLS connection to upstream
- cluster.
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- cluster:
- description: Cluster holds various configurable Envoy cluster
- values that can be set in the config file.
- properties:
- dnsLookupFamily:
- description: "DNSLookupFamily defines how external names are
- looked up When configured as V4, the DNS resolver will only
- perform a lookup for addresses in the IPv4 family. If V6
- is configured, the DNS resolver will only perform a lookup
- for addresses in the IPv6 family. If AUTO is configured,
- the DNS resolver will first perform a lookup for addresses
- in the IPv6 family and fallback to a lookup for addresses
- in the IPv4 family. If ALL is specified, the DNS resolver
- will perform a lookup for both IPv4 and IPv6 families, and
- return all resolved addresses. When this is used, Happy
- Eyeballs will be enabled for upstream connections. Refer
- to Happy Eyeballs Support for more information. Note: This
- only applies to externalName clusters. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily
- for more information. \n Values: `auto` (default), `v4`,
- `v6`, `all`. \n Other values will produce an error."
- type: string
- type: object
- defaultHTTPVersions:
- description: "DefaultHTTPVersions defines the default set of HTTPS
- versions the proxy should accept. HTTP versions are strings
- of the form \"HTTP/xx\". Supported versions are \"HTTP/1.1\"
- and \"HTTP/2\". \n Values: `HTTP/1.1`, `HTTP/2` (default: both).
- \n Other values will produce an error."
- items:
- description: HTTPVersionType is the name of a supported HTTP
- version.
- type: string
- type: array
- health:
- description: "Health defines the endpoint Envoy uses to serve
- health checks. \n Contour's default is { address: \"0.0.0.0\",
- port: 8002 }."
- properties:
- address:
- description: Defines the health address interface.
- minLength: 1
- type: string
- port:
- description: Defines the health port.
- type: integer
- type: object
- http:
- description: "Defines the HTTP Listener for Envoy. \n Contour's
- default is { address: \"0.0.0.0\", port: 8080, accessLog: \"/dev/stdout\"
- }."
- properties:
- accessLog:
- description: AccessLog defines where Envoy logs are outputted
- for this listener.
- type: string
- address:
- description: Defines an Envoy Listener Address.
- minLength: 1
- type: string
- port:
- description: Defines an Envoy listener Port.
- type: integer
- type: object
- https:
- description: "Defines the HTTPS Listener for Envoy. \n Contour's
- default is { address: \"0.0.0.0\", port: 8443, accessLog: \"/dev/stdout\"
- }."
- properties:
- accessLog:
- description: AccessLog defines where Envoy logs are outputted
- for this listener.
- type: string
- address:
- description: Defines an Envoy Listener Address.
- minLength: 1
- type: string
- port:
- description: Defines an Envoy listener Port.
- type: integer
- type: object
- listener:
- description: Listener hold various configurable Envoy listener
- values.
- properties:
- connectionBalancer:
- description: "ConnectionBalancer. If the value is exact, the
- listener will use the exact connection balancer See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig
- for more information. \n Values: (empty string): use the
- default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer.
- \n Other values will produce an error."
- type: string
- disableAllowChunkedLength:
- description: "DisableAllowChunkedLength disables the RFC-compliant
- Envoy behavior to strip the \"Content-Length\" header if
- \"Transfer-Encoding: chunked\" is also set. This is an emergency
- off-switch to revert back to Envoy's default behavior in
- case of failures. Please file an issue if failures are encountered.
- See: https://github.com/projectcontour/contour/issues/3221
- \n Contour's default is false."
- type: boolean
- disableMergeSlashes:
- description: "DisableMergeSlashes disables Envoy's non-standard
- merge_slashes path transformation option which strips duplicate
- slashes from request URL paths. \n Contour's default is
- false."
- type: boolean
- serverHeaderTransformation:
- description: "Defines the action to be applied to the Server
- header on the response path. When configured as overwrite,
- overwrites any Server header with \"envoy\". When configured
- as append_if_absent, if a Server header is present, pass
- it through, otherwise set it to \"envoy\". When configured
- as pass_through, pass through the value of the Server header,
- and do not append a header if none is present. \n Values:
- `overwrite` (default), `append_if_absent`, `pass_through`
- \n Other values will produce an error. Contour's default
- is overwrite."
- type: string
- tls:
- description: TLS holds various configurable Envoy TLS listener
- values.
- properties:
- cipherSuites:
- description: "CipherSuites defines the TLS ciphers to
- be supported by Envoy TLS listeners when negotiating
- TLS 1.2. Ciphers are validated against the set that
- Envoy supports by default. This parameter should only
- be used by advanced users. Note that these will be ignored
- when TLS 1.3 is in use. \n This field is optional; when
- it is undefined, a Contour-managed ciphersuite list
- will be used, which may be updated to keep it secure.
- \n Contour's default list is: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"
- - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"
- - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\"
- \n Ciphers provided are validated against the following
- list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"
- - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"
- - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\"
- - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\"
- - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\"
- - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\"
- - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" -
- \"AES256-SHA\" \n Contour recommends leaving this undefined
- unless you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
- Note: This list is a superset of what is valid for stock
- Envoy builds and those using BoringSSL FIPS."
- items:
- type: string
- type: array
- minimumProtocolVersion:
- description: "MinimumProtocolVersion is the minimum TLS
- version this vhost should negotiate. \n Values: `1.2`
- (default), `1.3`. \n Other values will produce an error."
- type: string
- type: object
- useProxyProtocol:
- description: "Use PROXY protocol for all listeners. \n Contour's
- default is false."
- type: boolean
- type: object
- logging:
- description: Logging defines how Envoy's logs can be configured.
- properties:
- accessLogFormat:
- description: "AccessLogFormat sets the global access log format.
- \n Values: `envoy` (default), `json`. \n Other values will
- produce an error."
- type: string
- accessLogFormatString:
- description: AccessLogFormatString sets the access log format
- when format is set to `envoy`. When empty, Envoy's default
- format is used.
- type: string
- accessLogJSONFields:
- description: AccessLogJSONFields sets the fields that JSON
- logging will output when AccessLogFormat is json.
- items:
- type: string
- type: array
- accessLogLevel:
- description: "AccessLogLevel sets the verbosity level of the
- access log. \n Values: `info` (default, meaning all requests
- are logged), `error` and `disabled`. \n Other values will
- produce an error."
- type: string
- type: object
- metrics:
- description: "Metrics defines the endpoint Envoy uses to serve
- metrics. \n Contour's default is { address: \"0.0.0.0\", port:
- 8002 }."
- properties:
- address:
- description: Defines the metrics address interface.
- maxLength: 253
- minLength: 1
- type: string
- port:
- description: Defines the metrics port.
- type: integer
- tls:
- description: TLS holds TLS file config details. Metrics and
- health endpoints cannot have same port number when metrics
- is served over HTTPS.
- properties:
- caFile:
- description: CA filename.
- type: string
- certFile:
- description: Client certificate filename.
- type: string
- keyFile:
- description: Client key filename.
- type: string
- type: object
- type: object
- network:
- description: Network holds various configurable Envoy network
- values.
- properties:
- adminPort:
- description: "Configure the port used to access the Envoy
- Admin interface. If configured to port \"0\" then the admin
- interface is disabled. \n Contour's default is 9001."
- type: integer
- numTrustedHops:
- description: "XffNumTrustedHops defines the number of additional
- ingress proxy hops from the right side of the x-forwarded-for
- HTTP header to trust when determining the origin client’s
- IP address. \n See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops
- for more information. \n Contour's default is 0."
- format: int32
- type: integer
- type: object
- service:
- description: "Service holds Envoy service parameters for setting
- Ingress status. \n Contour's default is { namespace: \"projectcontour\",
- name: \"envoy\" }."
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- timeouts:
- description: Timeouts holds various configurable timeouts that
- can be set in the config file.
- properties:
- connectTimeout:
- description: "ConnectTimeout defines how long the proxy should
- wait when establishing connection to upstream service. If
- not set, a default value of 2 seconds will be used. \n See
- https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout
- for more information."
- type: string
- connectionIdleTimeout:
- description: "ConnectionIdleTimeout defines how long the proxy
- should wait while there are no active requests (for HTTP/1.1)
- or streams (for HTTP/2) before terminating an HTTP connection.
- Set to \"infinity\" to disable the timeout entirely. \n
- See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout
- for more information."
- type: string
- connectionShutdownGracePeriod:
- description: "ConnectionShutdownGracePeriod defines how long
- the proxy will wait between sending an initial GOAWAY frame
- and a second, final GOAWAY frame when terminating an HTTP/2
- connection. During this grace period, the proxy will continue
- to respond to new streams. After the final GOAWAY frame
- has been sent, the proxy will refuse new streams. \n See
- https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout
- for more information."
- type: string
- delayedCloseTimeout:
- description: "DelayedCloseTimeout defines how long envoy will
- wait, once connection close processing has been initiated,
- for the downstream peer to close the connection before Envoy
- closes the socket associated with the connection. \n Setting
- this timeout to 'infinity' will disable it, equivalent to
- setting it to '0' in Envoy. Leaving it unset will result
- in the Envoy default value being used. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout
- for more information."
- type: string
- maxConnectionDuration:
- description: "MaxConnectionDuration defines the maximum period
- of time after an HTTP connection has been established from
- the client to the proxy before it is closed by the proxy,
- regardless of whether there has been activity or not. Omit
- or set to \"infinity\" for no max duration. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration
- for more information."
- type: string
- requestTimeout:
- description: "RequestTimeout sets the client request timeout
- globally for Contour. Note that this is a timeout for the
- entire request, not an idle timeout. Omit or set to \"infinity\"
- to disable the timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout
- for more information."
- type: string
- streamIdleTimeout:
- description: "StreamIdleTimeout defines how long the proxy
- should wait while there is no request activity (for HTTP/1.1)
- or stream activity (for HTTP/2) before terminating the HTTP
- request or stream. Set to \"infinity\" to disable the timeout
- entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout
- for more information."
- type: string
- type: object
- type: object
- gateway:
- description: Gateway contains parameters for the gateway-api Gateway
- that Contour is configured to serve traffic.
- properties:
- controllerName:
- description: ControllerName is used to determine whether Contour
- should reconcile a GatewayClass. The string takes the form of
- "projectcontour.io//contour". If unset, the gatewayclass
- controller will not be started. Exactly one of ControllerName
- or GatewayRef must be set.
- type: string
- gatewayRef:
- description: GatewayRef defines a specific Gateway that this Contour
- instance corresponds to. If set, Contour will reconcile only
- this gateway, and will not reconcile any gateway classes. Exactly
- one of ControllerName or GatewayRef must be set.
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- globalExtAuth:
- description: GlobalExternalAuthorization allows envoys external authorization
- filter to be enabled for all virtual hosts.
- properties:
- authPolicy:
- description: AuthPolicy sets a default authorization policy for
- client requests. This policy will be used unless overridden
- by individual routes.
- properties:
- context:
- additionalProperties:
- type: string
- description: Context is a set of key/value pairs that are
- sent to the authentication server in the check request.
- If a context is provided at an enclosing scope, the entries
- are merged such that the inner scope overrides matching
- keys from the outer scope.
- type: object
- disabled:
- description: When true, this field disables client request
- authentication for the scope of the policy.
- type: boolean
- type: object
- extensionRef:
- description: ExtensionServiceRef specifies the extension resource
- that will authorize client requests.
- properties:
- apiVersion:
- description: API version of the referent. If this field is
- not specified, the default "projectcontour.io/v1alpha1"
- will be used
- minLength: 1
- type: string
- name:
- description: "Name of the referent. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names"
- minLength: 1
- type: string
- namespace:
- description: "Namespace of the referent. If this field is
- not specifies, the namespace of the resource that targets
- the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"
- minLength: 1
- type: string
- type: object
- failOpen:
- description: If FailOpen is true, the client request is forwarded
- to the upstream service even if the authorization server fails
- to respond. This field should not be set in most cases. It is
- intended for use only while migrating applications from internal
- authorization to Contour external authorization.
- type: boolean
- responseTimeout:
- description: ResponseTimeout configures maximum time to wait for
- a check response from the authorization server. Timeout durations
- are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
- Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
- The string "infinity" is also a valid input and specifies no
- timeout.
- pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
- type: string
- withRequestBody:
- description: WithRequestBody specifies configuration for sending
- the client request's body to authorization server.
- properties:
- allowPartialMessage:
- description: If AllowPartialMessage is true, then Envoy will
- buffer the body until MaxRequestBytes are reached.
- type: boolean
- maxRequestBytes:
- default: 1024
- description: MaxRequestBytes sets the maximum size of message
- body ExtAuthz filter will hold in-memory.
- format: int32
- minimum: 1
- type: integer
- packAsBytes:
- description: If PackAsBytes is true, the body sent to Authorization
- Server is in raw bytes.
- type: boolean
- type: object
- type: object
- health:
- description: "Health defines the endpoints Contour uses to serve health
- checks. \n Contour's default is { address: \"0.0.0.0\", port: 8000
- }."
- properties:
- address:
- description: Defines the health address interface.
- minLength: 1
- type: string
- port:
- description: Defines the health port.
- type: integer
- type: object
- httpproxy:
- description: HTTPProxy defines parameters on HTTPProxy.
- properties:
- disablePermitInsecure:
- description: "DisablePermitInsecure disables the use of the permitInsecure
- field in HTTPProxy. \n Contour's default is false."
- type: boolean
- fallbackCertificate:
- description: FallbackCertificate defines the namespace/name of
- the Kubernetes secret to use as fallback when a non-SNI request
- is received.
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- rootNamespaces:
- description: Restrict Contour to searching these namespaces for
- root ingress routes.
- items:
- type: string
- type: array
- type: object
- ingress:
- description: Ingress contains parameters for ingress options.
- properties:
- classNames:
- description: Ingress Class Names Contour should use.
- items:
- type: string
- type: array
- statusAddress:
- description: Address to set in Ingress object status.
- type: string
- type: object
- metrics:
- description: "Metrics defines the endpoint Contour uses to serve metrics.
- \n Contour's default is { address: \"0.0.0.0\", port: 8000 }."
- properties:
- address:
- description: Defines the metrics address interface.
- maxLength: 253
- minLength: 1
- type: string
- port:
- description: Defines the metrics port.
- type: integer
- tls:
- description: TLS holds TLS file config details. Metrics and health
- endpoints cannot have same port number when metrics is served
- over HTTPS.
- properties:
- caFile:
- description: CA filename.
- type: string
- certFile:
- description: Client certificate filename.
- type: string
- keyFile:
- description: Client key filename.
- type: string
- type: object
- type: object
- policy:
- description: Policy specifies default policy applied if not overridden
- by the user
- properties:
- applyToIngress:
- description: "ApplyToIngress determines if the Policies will apply
- to ingress objects \n Contour's default is false."
- type: boolean
- requestHeaders:
- description: RequestHeadersPolicy defines the request headers
- set/removed on all routes
- properties:
- remove:
- items:
- type: string
- type: array
- set:
- additionalProperties:
- type: string
- type: object
- type: object
- responseHeaders:
- description: ResponseHeadersPolicy defines the response headers
- set/removed on all routes
- properties:
- remove:
- items:
- type: string
- type: array
- set:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- rateLimitService:
- description: RateLimitService optionally holds properties of the Rate
- Limit Service to be used for global rate limiting.
- properties:
- domain:
- description: Domain is passed to the Rate Limit Service.
- type: string
- enableResourceExhaustedCode:
- description: EnableResourceExhaustedCode enables translating error
- code 429 to grpc code RESOURCE_EXHAUSTED. When disabled it's
- translated to UNAVAILABLE
- type: boolean
- enableXRateLimitHeaders:
- description: "EnableXRateLimitHeaders defines whether to include
- the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining,
- and X-RateLimit-Reset (as defined by the IETF Internet-Draft
- linked below), on responses to clients when the Rate Limit Service
- is consulted for a request. \n ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html"
- type: boolean
- extensionService:
- description: ExtensionService identifies the extension service
- defining the RLS.
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- failOpen:
- description: FailOpen defines whether to allow requests to proceed
- when the Rate Limit Service fails to respond with a valid rate
- limit decision within the timeout defined on the extension service.
- type: boolean
- required:
- - extensionService
- type: object
- tracing:
- description: Tracing defines properties for exporting trace data to
- OpenTelemetry.
- properties:
- customTags:
- description: CustomTags defines a list of custom tags with unique
- tag name.
- items:
- description: CustomTag defines custom tags with unique tag name
- to create tags for the active span.
- properties:
- literal:
- description: Literal is a static custom tag value. Precisely
- one of Literal, RequestHeaderName must be set.
- type: string
- requestHeaderName:
- description: RequestHeaderName indicates which request header
- the label value is obtained from. Precisely one of Literal,
- RequestHeaderName must be set.
- type: string
- tagName:
- description: TagName is the unique name of the custom tag.
- type: string
- required:
- - tagName
- type: object
- type: array
- extensionService:
- description: ExtensionService identifies the extension service
- defining the otel-collector.
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- includePodDetail:
- description: 'IncludePodDetail defines a flag. If it is true,
- contour will add the pod name and namespace to the span of the
- trace. the default is true. Note: The Envoy pods MUST have the
- HOSTNAME and CONTOUR_NAMESPACE environment variables set for
- this to work properly.'
- type: boolean
- maxPathTagLength:
- description: MaxPathTagLength defines maximum length of the request
- path to extract and include in the HttpUrl tag. contour's default
- is 256.
- format: int32
- type: integer
- overallSampling:
- description: OverallSampling defines the sampling rate of trace
- data. contour's default is 100.
- type: string
- serviceName:
- description: ServiceName defines the name for the service. contour's
- default is contour.
- type: string
- required:
- - extensionService
- type: object
- xdsServer:
- description: XDSServer contains parameters for the xDS server.
- properties:
- address:
- description: "Defines the xDS gRPC API address which Contour will
- serve. \n Contour's default is \"0.0.0.0\"."
- minLength: 1
- type: string
- port:
- description: "Defines the xDS gRPC API port which Contour will
- serve. \n Contour's default is 8001."
- type: integer
- tls:
- description: "TLS holds TLS file config details. \n Contour's
- default is { caFile: \"/certs/ca.crt\", certFile: \"/certs/tls.cert\",
- keyFile: \"/certs/tls.key\", insecure: false }."
- properties:
- caFile:
- description: CA filename.
- type: string
- certFile:
- description: Client certificate filename.
- type: string
- insecure:
- description: Allow serving the xDS gRPC API without TLS.
- type: boolean
- keyFile:
- description: Client key filename.
- type: string
- type: object
- type:
- description: "Defines the XDSServer to use for `contour serve`.
- \n Values: `contour` (default), `envoy`. \n Other values will
- produce an error."
- type: string
- type: object
- type: object
- status:
- description: ContourConfigurationStatus defines the observed state of
- a ContourConfiguration resource.
- properties:
- conditions:
- description: "Conditions contains the current status of the Contour
- resource. \n Contour will update a single condition, `Valid`, that
- is in normal-true polarity. \n Contour will not modify any other
- Conditions set in this block, in case some other controller wants
- to add a Condition."
- items:
- description: "DetailedCondition is an extension of the normal Kubernetes
- conditions, with two extra fields to hold sub-conditions, which
- provide more detailed reasons for the state (True or False) of
- the condition. \n `errors` holds information about sub-conditions
- which are fatal to that condition and render its state False.
- \n `warnings` holds information about sub-conditions which are
- not fatal to that condition and do not force the state to be False.
- \n Remember that Conditions have a type, a status, and a reason.
- \n The type is the type of the condition, the most important one
- in this CRD set is `Valid`. `Valid` is a positive-polarity condition:
- when it is `status: true` there are no problems. \n In more detail,
- `status: true` means that the object is has been ingested into
- Contour with no errors. `warnings` may still be present, and will
- be indicated in the Reason field. There must be zero entries in
- the `errors` slice in this case. \n `Valid`, `status: false` means
- that the object has had one or more fatal errors during processing
- into Contour. The details of the errors will be present under
- the `errors` field. There must be at least one error in the `errors`
- slice if `status` is `false`. \n For DetailedConditions of types
- other than `Valid`, the Condition must be in the negative polarity.
- When they have `status` `true`, there is an error. There must
- be at least one entry in the `errors` Subcondition slice. When
- they have `status` `false`, there are no serious errors, and there
- must be zero entries in the `errors` slice. In either case, there
- may be entries in the `warnings` slice. \n Regardless of the polarity,
- the `reason` and `message` fields must be updated with either
- the detail of the reason (if there is one and only one entry in
- total across both the `errors` and `warnings` slices), or `MultipleReasons`
- if there is more than one entry."
- properties:
- errors:
- description: "Errors contains a slice of relevant error subconditions
- for this object. \n Subconditions are expected to appear when
- relevant (when there is a error), and disappear when not relevant.
- An empty slice here indicates no errors."
- items:
- description: "SubCondition is a Condition-like type intended
- for use as a subcondition inside a DetailedCondition. \n
- It contains a subset of the Condition fields. \n It is intended
- for warnings and errors, so `type` names should use abnormal-true
- polarity, that is, they should be of the form \"ErrorPresent:
- true\". \n The expected lifecycle for these errors is that
- they should only be present when the error or warning is,
- and should be removed when they are not relevant."
- properties:
- message:
- description: "Message is a human readable message indicating
- details about the transition. \n This may be an empty
- string."
- maxLength: 32768
- type: string
- reason:
- description: "Reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. \n The value
- should be a CamelCase string. \n This field may not
- be empty."
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: Status of the condition, one of True, False,
- Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
- \n This must be in abnormal-true polarity, that is,
- `ErrorFound` or `controller.io/ErrorFound`. \n The regex
- it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)"
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - message
- - reason
- - status
- - type
- type: object
- type: array
- lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- warnings:
- description: "Warnings contains a slice of relevant warning
- subconditions for this object. \n Subconditions are expected
- to appear when relevant (when there is a warning), and disappear
- when not relevant. An empty slice here indicates no warnings."
- items:
- description: "SubCondition is a Condition-like type intended
- for use as a subcondition inside a DetailedCondition. \n
- It contains a subset of the Condition fields. \n It is intended
- for warnings and errors, so `type` names should use abnormal-true
- polarity, that is, they should be of the form \"ErrorPresent:
- true\". \n The expected lifecycle for these errors is that
- they should only be present when the error or warning is,
- and should be removed when they are not relevant."
- properties:
- message:
- description: "Message is a human readable message indicating
- details about the transition. \n This may be an empty
- string."
- maxLength: 32768
- type: string
- reason:
- description: "Reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. \n The value
- should be a CamelCase string. \n This field may not
- be empty."
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: Status of the condition, one of True, False,
- Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
- \n This must be in abnormal-true polarity, that is,
- `ErrorFound` or `controller.io/ErrorFound`. \n The regex
- it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)"
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - message
- - reason
- - status
- - type
- type: object
- type: array
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
diff --git a/charts/contour/contour/charts/contour/resources/contourdeployments.yaml b/charts/contour/contour/charts/contour/resources/contourdeployments.yaml
deleted file mode 100644
index bc68a2775..000000000
--- a/charts/contour/contour/charts/contour/resources/contourdeployments.yaml
+++ /dev/null
@@ -1,3035 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.11.4
- name: contourdeployments.projectcontour.io
-spec:
- preserveUnknownFields: false
- group: projectcontour.io
- names:
- kind: ContourDeployment
- listKind: ContourDeploymentList
- plural: contourdeployments
- shortNames:
- - contourdeploy
- singular: contourdeployment
- scope: Namespaced
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- description: ContourDeployment is the schema for a Contour Deployment.
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: ContourDeploymentSpec specifies options for how a Contour
- instance should be provisioned.
- properties:
- contour:
- description: Contour specifies deployment-time settings for the Contour
- part of the installation, i.e. the xDS server/control plane and
- associated resources, including things like replica count for the
- Deployment, and node placement constraints for the pods.
- properties:
- deployment:
- description: Deployment describes the settings for running contour
- as a `Deployment`.
- properties:
- replicas:
- description: Replicas is the desired number of replicas.
- format: int32
- minimum: 0
- type: integer
- strategy:
- description: Strategy describes the deployment strategy to
- use to replace existing pods with new pods.
- properties:
- rollingUpdate:
- description: 'Rolling update config params. Present only
- if DeploymentStrategyType = RollingUpdate. --- TODO:
- Update this to follow our convention for oneOf, whatever
- we decide it to be.'
- properties:
- maxSurge:
- anyOf:
- - type: integer
- - type: string
- description: 'The maximum number of pods that can
- be scheduled above the desired number of pods. Value
- can be an absolute number (ex: 5) or a percentage
- of desired pods (ex: 10%). This can not be 0 if
- MaxUnavailable is 0. Absolute number is calculated
- from percentage by rounding up. Defaults to 25%.
- Example: when this is set to 30%, the new ReplicaSet
- can be scaled up immediately when the rolling update
- starts, such that the total number of old and new
- pods do not exceed 130% of desired pods. Once old
- pods have been killed, new ReplicaSet can be scaled
- up further, ensuring that total number of pods running
- at any time during the update is at most 130% of
- desired pods.'
- x-kubernetes-int-or-string: true
- maxUnavailable:
- anyOf:
- - type: integer
- - type: string
- description: 'The maximum number of pods that can
- be unavailable during the update. Value can be an
- absolute number (ex: 5) or a percentage of desired
- pods (ex: 10%). Absolute number is calculated from
- percentage by rounding down. This can not be 0 if
- MaxSurge is 0. Defaults to 25%. Example: when this
- is set to 30%, the old ReplicaSet can be scaled
- down to 70% of desired pods immediately when the
- rolling update starts. Once new pods are ready,
- old ReplicaSet can be scaled down further, followed
- by scaling up the new ReplicaSet, ensuring that
- the total number of pods available at all times
- during the update is at least 70% of desired pods.'
- x-kubernetes-int-or-string: true
- type: object
- type:
- description: Type of deployment. Can be "Recreate" or
- "RollingUpdate". Default is RollingUpdate.
- type: string
- type: object
- type: object
- kubernetesLogLevel:
- description: KubernetesLogLevel Enable Kubernetes client debug
- logging with log level. If unset, defaults to 0.
- maximum: 9
- minimum: 0
- type: integer
- logLevel:
- description: LogLevel sets the log level for Contour Allowed values
- are "info", "debug".
- type: string
- nodePlacement:
- description: NodePlacement describes node scheduling configuration
- of Contour pods.
- properties:
- nodeSelector:
- additionalProperties:
- type: string
- description: "NodeSelector is the simplest recommended form
- of node selection constraint and specifies a map of key-value
- pairs. For the pod to be eligible to run on a node, the
- node must have each of the indicated key-value pairs as
- labels (it can have additional labels as well). \n If unset,
- the pod(s) will be scheduled to any available node."
- type: object
- tolerations:
- description: "Tolerations work with taints to ensure that
- pods are not scheduled onto inappropriate nodes. One or
- more taints are applied to a node; this marks that the node
- should not accept any pods that do not tolerate the taints.
- \n The default is an empty list. \n See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
- for additional details."
- items:
- description: The pod this Toleration is attached to tolerates
- any taint that matches the triple using
- the matching operator .
- properties:
- effect:
- description: Effect indicates the taint effect to match.
- Empty means match all taint effects. When specified,
- allowed values are NoSchedule, PreferNoSchedule and
- NoExecute.
- type: string
- key:
- description: Key is the taint key that the toleration
- applies to. Empty means match all taint keys. If the
- key is empty, operator must be Exists; this combination
- means to match all values and all keys.
- type: string
- operator:
- description: Operator represents a key's relationship
- to the value. Valid operators are Exists and Equal.
- Defaults to Equal. Exists is equivalent to wildcard
- for value, so that a pod can tolerate all taints of
- a particular category.
- type: string
- tolerationSeconds:
- description: TolerationSeconds represents the period
- of time the toleration (which must be of effect NoExecute,
- otherwise this field is ignored) tolerates the taint.
- By default, it is not set, which means tolerate the
- taint forever (do not evict). Zero and negative values
- will be treated as 0 (evict immediately) by the system.
- format: int64
- type: integer
- value:
- description: Value is the taint value the toleration
- matches to. If the operator is Exists, the value should
- be empty, otherwise just a regular string.
- type: string
- type: object
- type: array
- type: object
- replicas:
- description: "Deprecated: Use `DeploymentSettings.Replicas` instead.
- \n Replicas is the desired number of Contour replicas. If if
- unset, defaults to 2. \n if both `DeploymentSettings.Replicas`
- and this one is set, use `DeploymentSettings.Replicas`."
- format: int32
- minimum: 0
- type: integer
- resources:
- description: 'Compute Resources required by contour container.
- Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
- properties:
- claims:
- description: "Claims lists the names of resources, defined
- in spec.resourceClaims, that are used by this container.
- \n This is an alpha field and requires enabling the DynamicResourceAllocation
- feature gate. \n This field is immutable. It can only be
- set for containers."
- items:
- description: ResourceClaim references one entry in PodSpec.ResourceClaims.
- properties:
- name:
- description: Name must match the name of one entry in
- pod.spec.resourceClaims of the Pod where this field
- is used. It makes that resource available inside a
- container.
- type: string
- required:
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- limits:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: 'Limits describes the maximum amount of compute
- resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
- type: object
- requests:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: 'Requests describes the minimum amount of compute
- resources required. If Requests is omitted for a container,
- it defaults to Limits if that is explicitly specified, otherwise
- to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
- type: object
- type: object
- type: object
- envoy:
- description: Envoy specifies deployment-time settings for the Envoy
- part of the installation, i.e. the xDS client/data plane and associated
- resources, including things like the workload type to use (DaemonSet
- or Deployment), node placement constraints for the pods, and various
- options for the Envoy service.
- properties:
- daemonSet:
- description: DaemonSet describes the settings for running envoy
- as a `DaemonSet`. if `WorkloadType` is `Deployment`,it's must
- be nil
- properties:
- updateStrategy:
- description: Strategy describes the deployment strategy to
- use to replace existing DaemonSet pods with new pods.
- properties:
- rollingUpdate:
- description: 'Rolling update config params. Present only
- if type = "RollingUpdate". --- TODO: Update this to
- follow our convention for oneOf, whatever we decide
- it to be. Same as Deployment `strategy.rollingUpdate`.
- See https://github.com/kubernetes/kubernetes/issues/35345'
- properties:
- maxSurge:
- anyOf:
- - type: integer
- - type: string
- description: 'The maximum number of nodes with an
- existing available DaemonSet pod that can have an
- updated DaemonSet pod during during an update. Value
- can be an absolute number (ex: 5) or a percentage
- of desired pods (ex: 10%). This can not be 0 if
- MaxUnavailable is 0. Absolute number is calculated
- from percentage by rounding up to a minimum of 1.
- Default value is 0. Example: when this is set to
- 30%, at most 30% of the total number of nodes that
- should be running the daemon pod (i.e. status.desiredNumberScheduled)
- can have their a new pod created before the old
- pod is marked as deleted. The update starts by launching
- new pods on 30% of nodes. Once an updated pod is
- available (Ready for at least minReadySeconds) the
- old DaemonSet pod on that node is marked deleted.
- If the old pod becomes unavailable for any reason
- (Ready transitions to false, is evicted, or is drained)
- an updated pod is immediatedly created on that node
- without considering surge limits. Allowing surge
- implies the possibility that the resources consumed
- by the daemonset on any given node can double if
- the readiness check fails, and so resource intensive
- daemonsets should take into account that they may
- cause evictions during disruption.'
- x-kubernetes-int-or-string: true
- maxUnavailable:
- anyOf:
- - type: integer
- - type: string
- description: 'The maximum number of DaemonSet pods
- that can be unavailable during the update. Value
- can be an absolute number (ex: 5) or a percentage
- of total number of DaemonSet pods at the start of
- the update (ex: 10%). Absolute number is calculated
- from percentage by rounding up. This cannot be 0
- if MaxSurge is 0 Default value is 1. Example: when
- this is set to 30%, at most 30% of the total number
- of nodes that should be running the daemon pod (i.e.
- status.desiredNumberScheduled) can have their pods
- stopped for an update at any given time. The update
- starts by stopping at most 30% of those DaemonSet
- pods and then brings up new DaemonSet pods in their
- place. Once the new pods are available, it then
- proceeds onto other DaemonSet pods, thus ensuring
- that at least 70% of original number of DaemonSet
- pods are available at all times during the update.'
- x-kubernetes-int-or-string: true
- type: object
- type:
- description: Type of daemon set update. Can be "RollingUpdate"
- or "OnDelete". Default is RollingUpdate.
- type: string
- type: object
- type: object
- deployment:
- description: Deployment describes the settings for running envoy
- as a `Deployment`. if `WorkloadType` is `DaemonSet`,it's must
- be nil
- properties:
- replicas:
- description: Replicas is the desired number of replicas.
- format: int32
- minimum: 0
- type: integer
- strategy:
- description: Strategy describes the deployment strategy to
- use to replace existing pods with new pods.
- properties:
- rollingUpdate:
- description: 'Rolling update config params. Present only
- if DeploymentStrategyType = RollingUpdate. --- TODO:
- Update this to follow our convention for oneOf, whatever
- we decide it to be.'
- properties:
- maxSurge:
- anyOf:
- - type: integer
- - type: string
- description: 'The maximum number of pods that can
- be scheduled above the desired number of pods. Value
- can be an absolute number (ex: 5) or a percentage
- of desired pods (ex: 10%). This can not be 0 if
- MaxUnavailable is 0. Absolute number is calculated
- from percentage by rounding up. Defaults to 25%.
- Example: when this is set to 30%, the new ReplicaSet
- can be scaled up immediately when the rolling update
- starts, such that the total number of old and new
- pods do not exceed 130% of desired pods. Once old
- pods have been killed, new ReplicaSet can be scaled
- up further, ensuring that total number of pods running
- at any time during the update is at most 130% of
- desired pods.'
- x-kubernetes-int-or-string: true
- maxUnavailable:
- anyOf:
- - type: integer
- - type: string
- description: 'The maximum number of pods that can
- be unavailable during the update. Value can be an
- absolute number (ex: 5) or a percentage of desired
- pods (ex: 10%). Absolute number is calculated from
- percentage by rounding down. This can not be 0 if
- MaxSurge is 0. Defaults to 25%. Example: when this
- is set to 30%, the old ReplicaSet can be scaled
- down to 70% of desired pods immediately when the
- rolling update starts. Once new pods are ready,
- old ReplicaSet can be scaled down further, followed
- by scaling up the new ReplicaSet, ensuring that
- the total number of pods available at all times
- during the update is at least 70% of desired pods.'
- x-kubernetes-int-or-string: true
- type: object
- type:
- description: Type of deployment. Can be "Recreate" or
- "RollingUpdate". Default is RollingUpdate.
- type: string
- type: object
- type: object
- extraVolumeMounts:
- description: ExtraVolumeMounts holds the extra volume mounts to
- add (normally used with extraVolumes).
- items:
- description: VolumeMount describes a mounting of a Volume within
- a container.
- properties:
- mountPath:
- description: Path within the container at which the volume
- should be mounted. Must not contain ':'.
- type: string
- mountPropagation:
- description: mountPropagation determines how mounts are
- propagated from the host to container and the other way
- around. When not set, MountPropagationNone is used. This
- field is beta in 1.10.
- type: string
- name:
- description: This must match the Name of a Volume.
- type: string
- readOnly:
- description: Mounted read-only if true, read-write otherwise
- (false or unspecified). Defaults to false.
- type: boolean
- subPath:
- description: Path within the volume from which the container's
- volume should be mounted. Defaults to "" (volume's root).
- type: string
- subPathExpr:
- description: Expanded path within the volume from which
- the container's volume should be mounted. Behaves similarly
- to SubPath but environment variable references $(VAR_NAME)
- are expanded using the container's environment. Defaults
- to "" (volume's root). SubPathExpr and SubPath are mutually
- exclusive.
- type: string
- required:
- - mountPath
- - name
- type: object
- type: array
- extraVolumes:
- description: ExtraVolumes holds the extra volumes to add.
- items:
- description: Volume represents a named volume in a pod that
- may be accessed by any container in the pod.
- properties:
- awsElasticBlockStore:
- description: 'awsElasticBlockStore represents an AWS Disk
- resource that is attached to a kubelet''s host machine
- and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore'
- properties:
- fsType:
- description: 'fsType is the filesystem type of the volume
- that you want to mount. Tip: Ensure that the filesystem
- type is supported by the host operating system. Examples:
- "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4"
- if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
- TODO: how do we prevent errors in the filesystem from
- compromising the machine'
- type: string
- partition:
- description: 'partition is the partition in the volume
- that you want to mount. If omitted, the default is
- to mount by volume name. Examples: For volume /dev/sda1,
- you specify the partition as "1". Similarly, the volume
- partition for /dev/sda is "0" (or you can leave the
- property empty).'
- format: int32
- type: integer
- readOnly:
- description: 'readOnly value true will force the readOnly
- setting in VolumeMounts. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore'
- type: boolean
- volumeID:
- description: 'volumeID is unique ID of the persistent
- disk resource in AWS (Amazon EBS volume). More info:
- https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore'
- type: string
- required:
- - volumeID
- type: object
- azureDisk:
- description: azureDisk represents an Azure Data Disk mount
- on the host and bind mount to the pod.
- properties:
- cachingMode:
- description: 'cachingMode is the Host Caching mode:
- None, Read Only, Read Write.'
- type: string
- diskName:
- description: diskName is the Name of the data disk in
- the blob storage
- type: string
- diskURI:
- description: diskURI is the URI of data disk in the
- blob storage
- type: string
- fsType:
- description: fsType is Filesystem type to mount. Must
- be a filesystem type supported by the host operating
- system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred
- to be "ext4" if unspecified.
- type: string
- kind:
- description: 'kind expected values are Shared: multiple
- blob disks per storage account Dedicated: single
- blob disk per storage account Managed: azure managed
- data disk (only in managed availability set). defaults
- to shared'
- type: string
- readOnly:
- description: readOnly Defaults to false (read/write).
- ReadOnly here will force the ReadOnly setting in VolumeMounts.
- type: boolean
- required:
- - diskName
- - diskURI
- type: object
- azureFile:
- description: azureFile represents an Azure File Service
- mount on the host and bind mount to the pod.
- properties:
- readOnly:
- description: readOnly defaults to false (read/write).
- ReadOnly here will force the ReadOnly setting in VolumeMounts.
- type: boolean
- secretName:
- description: secretName is the name of secret that
- contains Azure Storage Account Name and Key
- type: string
- shareName:
- description: shareName is the azure share Name
- type: string
- required:
- - secretName
- - shareName
- type: object
- cephfs:
- description: cephFS represents a Ceph FS mount on the host
- that shares a pod's lifetime
- properties:
- monitors:
- description: 'monitors is Required: Monitors is a collection
- of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it'
- items:
- type: string
- type: array
- path:
- description: 'path is Optional: Used as the mounted
- root, rather than the full Ceph tree, default is /'
- type: string
- readOnly:
- description: 'readOnly is Optional: Defaults to false
- (read/write). ReadOnly here will force the ReadOnly
- setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it'
- type: boolean
- secretFile:
- description: 'secretFile is Optional: SecretFile is
- the path to key ring for User, default is /etc/ceph/user.secret
- More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it'
- type: string
- secretRef:
- description: 'secretRef is Optional: SecretRef is reference
- to the authentication secret for User, default is
- empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it'
- properties:
- name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- uid?'
- type: string
- type: object
- x-kubernetes-map-type: atomic
- user:
- description: 'user is optional: User is the rados user
- name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it'
- type: string
- required:
- - monitors
- type: object
- cinder:
- description: 'cinder represents a cinder volume attached
- and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md'
- properties:
- fsType:
- description: 'fsType is the filesystem type to mount.
- Must be a filesystem type supported by the host operating
- system. Examples: "ext4", "xfs", "ntfs". Implicitly
- inferred to be "ext4" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md'
- type: string
- readOnly:
- description: 'readOnly defaults to false (read/write).
- ReadOnly here will force the ReadOnly setting in VolumeMounts.
- More info: https://examples.k8s.io/mysql-cinder-pd/README.md'
- type: boolean
- secretRef:
- description: 'secretRef is optional: points to a secret
- object containing parameters used to connect to OpenStack.'
- properties:
- name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- uid?'
- type: string
- type: object
- x-kubernetes-map-type: atomic
- volumeID:
- description: 'volumeID used to identify the volume in
- cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md'
- type: string
- required:
- - volumeID
- type: object
- configMap:
- description: configMap represents a configMap that should
- populate this volume
- properties:
- defaultMode:
- description: 'defaultMode is optional: mode bits used
- to set permissions on created files by default. Must
- be an octal value between 0000 and 0777 or a decimal
- value between 0 and 511. YAML accepts both octal and
- decimal values, JSON requires decimal values for mode
- bits. Defaults to 0644. Directories within the path
- are not affected by this setting. This might be in
- conflict with other options that affect the file mode,
- like fsGroup, and the result can be other mode bits
- set.'
- format: int32
- type: integer
- items:
- description: items if unspecified, each key-value pair
- in the Data field of the referenced ConfigMap will
- be projected into the volume as a file whose name
- is the key and content is the value. If specified,
- the listed keys will be projected into the specified
- paths, and unlisted keys will not be present. If a
- key is specified which is not present in the ConfigMap,
- the volume setup will error unless it is marked optional.
- Paths must be relative and may not contain the '..'
- path or start with '..'.
- items:
- description: Maps a string key to a path within a
- volume.
- properties:
- key:
- description: key is the key to project.
- type: string
- mode:
- description: 'mode is Optional: mode bits used
- to set permissions on this file. Must be an
- octal value between 0000 and 0777 or a decimal
- value between 0 and 511. YAML accepts both octal
- and decimal values, JSON requires decimal values
- for mode bits. If not specified, the volume
- defaultMode will be used. This might be in conflict
- with other options that affect the file mode,
- like fsGroup, and the result can be other mode
- bits set.'
- format: int32
- type: integer
- path:
- description: path is the relative path of the
- file to map the key to. May not be an absolute
- path. May not contain the path element '..'.
- May not start with the string '..'.
- type: string
- required:
- - key
- - path
- type: object
- type: array
- name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- type: string
- optional:
- description: optional specify whether the ConfigMap
- or its keys must be defined
- type: boolean
- type: object
- x-kubernetes-map-type: atomic
- csi:
- description: csi (Container Storage Interface) represents
- ephemeral storage that is handled by certain external
- CSI drivers (Beta feature).
- properties:
- driver:
- description: driver is the name of the CSI driver that
- handles this volume. Consult with your admin for the
- correct name as registered in the cluster.
- type: string
- fsType:
- description: fsType to mount. Ex. "ext4", "xfs", "ntfs".
- If not provided, the empty value is passed to the
- associated CSI driver which will determine the default
- filesystem to apply.
- type: string
- nodePublishSecretRef:
- description: nodePublishSecretRef is a reference to
- the secret object containing sensitive information
- to pass to the CSI driver to complete the CSI NodePublishVolume
- and NodeUnpublishVolume calls. This field is optional,
- and may be empty if no secret is required. If the
- secret object contains more than one secret, all secret
- references are passed.
- properties:
- name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- uid?'
- type: string
- type: object
- x-kubernetes-map-type: atomic
- readOnly:
- description: readOnly specifies a read-only configuration
- for the volume. Defaults to false (read/write).
- type: boolean
- volumeAttributes:
- additionalProperties:
- type: string
- description: volumeAttributes stores driver-specific
- properties that are passed to the CSI driver. Consult
- your driver's documentation for supported values.
- type: object
- required:
- - driver
- type: object
- downwardAPI:
- description: downwardAPI represents downward API about the
- pod that should populate this volume
- properties:
- defaultMode:
- description: 'Optional: mode bits to use on created
- files by default. Must be a Optional: mode bits used
- to set permissions on created files by default. Must
- be an octal value between 0000 and 0777 or a decimal
- value between 0 and 511. YAML accepts both octal and
- decimal values, JSON requires decimal values for mode
- bits. Defaults to 0644. Directories within the path
- are not affected by this setting. This might be in
- conflict with other options that affect the file mode,
- like fsGroup, and the result can be other mode bits
- set.'
- format: int32
- type: integer
- items:
- description: Items is a list of downward API volume
- file
- items:
- description: DownwardAPIVolumeFile represents information
- to create the file containing the pod field
- properties:
- fieldRef:
- description: 'Required: Selects a field of the
- pod: only annotations, labels, name and namespace
- are supported.'
- properties:
- apiVersion:
- description: Version of the schema the FieldPath
- is written in terms of, defaults to "v1".
- type: string
- fieldPath:
- description: Path of the field to select in
- the specified API version.
- type: string
- required:
- - fieldPath
- type: object
- x-kubernetes-map-type: atomic
- mode:
- description: 'Optional: mode bits used to set
- permissions on this file, must be an octal value
- between 0000 and 0777 or a decimal value between
- 0 and 511. YAML accepts both octal and decimal
- values, JSON requires decimal values for mode
- bits. If not specified, the volume defaultMode
- will be used. This might be in conflict with
- other options that affect the file mode, like
- fsGroup, and the result can be other mode bits
- set.'
- format: int32
- type: integer
- path:
- description: 'Required: Path is the relative
- path name of the file to be created. Must not
- be absolute or contain the ''..'' path. Must
- be utf-8 encoded. The first item of the relative
- path must not start with ''..'''
- type: string
- resourceFieldRef:
- description: 'Selects a resource of the container:
- only resources limits and requests (limits.cpu,
- limits.memory, requests.cpu and requests.memory)
- are currently supported.'
- properties:
- containerName:
- description: 'Container name: required for
- volumes, optional for env vars'
- type: string
- divisor:
- anyOf:
- - type: integer
- - type: string
- description: Specifies the output format of
- the exposed resources, defaults to "1"
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- resource:
- description: 'Required: resource to select'
- type: string
- required:
- - resource
- type: object
- x-kubernetes-map-type: atomic
- required:
- - path
- type: object
- type: array
- type: object
- emptyDir:
- description: 'emptyDir represents a temporary directory
- that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir'
- properties:
- medium:
- description: 'medium represents what type of storage
- medium should back this directory. The default is
- "" which means to use the node''s default medium.
- Must be an empty string (default) or Memory. More
- info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir'
- type: string
- sizeLimit:
- anyOf:
- - type: integer
- - type: string
- description: 'sizeLimit is the total amount of local
- storage required for this EmptyDir volume. The size
- limit is also applicable for memory medium. The maximum
- usage on memory medium EmptyDir would be the minimum
- value between the SizeLimit specified here and the
- sum of memory limits of all containers in a pod. The
- default is nil which means that the limit is undefined.
- More info: http://kubernetes.io/docs/user-guide/volumes#emptydir'
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- type: object
- ephemeral:
- description: "ephemeral represents a volume that is handled
- by a cluster storage driver. The volume's lifecycle is
- tied to the pod that defines it - it will be created before
- the pod starts, and deleted when the pod is removed. \n
- Use this if: a) the volume is only needed while the pod
- runs, b) features of normal volumes like restoring from
- snapshot or capacity tracking are needed, c) the storage
- driver is specified through a storage class, and d) the
- storage driver supports dynamic volume provisioning through
- a PersistentVolumeClaim (see EphemeralVolumeSource for
- more information on the connection between this volume
- type and PersistentVolumeClaim). \n Use PersistentVolumeClaim
- or one of the vendor-specific APIs for volumes that persist
- for longer than the lifecycle of an individual pod. \n
- Use CSI for light-weight local ephemeral volumes if the
- CSI driver is meant to be used that way - see the documentation
- of the driver for more information. \n A pod can use both
- types of ephemeral volumes and persistent volumes at the
- same time."
- properties:
- volumeClaimTemplate:
- description: "Will be used to create a stand-alone PVC
- to provision the volume. The pod in which this EphemeralVolumeSource
- is embedded will be the owner of the PVC, i.e. the
- PVC will be deleted together with the pod. The name
- of the PVC will be `-` where
- `` is the name from the `PodSpec.Volumes`
- array entry. Pod validation will reject the pod if
- the concatenated name is not valid for a PVC (for
- example, too long). \n An existing PVC with that name
- that is not owned by the pod will *not* be used for
- the pod to avoid using an unrelated volume by mistake.
- Starting the pod is then blocked until the unrelated
- PVC is removed. If such a pre-created PVC is meant
- to be used by the pod, the PVC has to updated with
- an owner reference to the pod once the pod exists.
- Normally this should not be necessary, but it may
- be useful when manually reconstructing a broken cluster.
- \n This field is read-only and no changes will be
- made by Kubernetes to the PVC after it has been created.
- \n Required, must not be nil."
- properties:
- metadata:
- description: May contain labels and annotations
- that will be copied into the PVC when creating
- it. No other fields are allowed and will be rejected
- during validation.
- type: object
- spec:
- description: The specification for the PersistentVolumeClaim.
- The entire content is copied unchanged into the
- PVC that gets created from this template. The
- same fields as in a PersistentVolumeClaim are
- also valid here.
- properties:
- accessModes:
- description: 'accessModes contains the desired
- access modes the volume should have. More
- info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1'
- items:
- type: string
- type: array
- dataSource:
- description: 'dataSource field can be used to
- specify either: * An existing VolumeSnapshot
- object (snapshot.storage.k8s.io/VolumeSnapshot)
- * An existing PVC (PersistentVolumeClaim)
- If the provisioner or an external controller
- can support the specified data source, it
- will create a new volume based on the contents
- of the specified data source. When the AnyVolumeDataSource
- feature gate is enabled, dataSource contents
- will be copied to dataSourceRef, and dataSourceRef
- contents will be copied to dataSource when
- dataSourceRef.namespace is not specified.
- If the namespace is specified, then dataSourceRef
- will not be copied to dataSource.'
- properties:
- apiGroup:
- description: APIGroup is the group for the
- resource being referenced. If APIGroup
- is not specified, the specified Kind must
- be in the core API group. For any other
- third-party types, APIGroup is required.
- type: string
- kind:
- description: Kind is the type of resource
- being referenced
- type: string
- name:
- description: Name is the name of resource
- being referenced
- type: string
- required:
- - kind
- - name
- type: object
- x-kubernetes-map-type: atomic
- dataSourceRef:
- description: 'dataSourceRef specifies the object
- from which to populate the volume with data,
- if a non-empty volume is desired. This may
- be any object from a non-empty API group (non
- core object) or a PersistentVolumeClaim object.
- When this field is specified, volume binding
- will only succeed if the type of the specified
- object matches some installed volume populator
- or dynamic provisioner. This field will replace
- the functionality of the dataSource field
- and as such if both fields are non-empty,
- they must have the same value. For backwards
- compatibility, when namespace isn''t specified
- in dataSourceRef, both fields (dataSource
- and dataSourceRef) will be set to the same
- value automatically if one of them is empty
- and the other is non-empty. When namespace
- is specified in dataSourceRef, dataSource
- isn''t set to the same value and must be empty.
- There are three important differences between
- dataSource and dataSourceRef: * While dataSource
- only allows two specific types of objects,
- dataSourceRef allows any non-core object,
- as well as PersistentVolumeClaim objects.
- * While dataSource ignores disallowed values
- (dropping them), dataSourceRef preserves all
- values, and generates an error if a disallowed
- value is specified. * While dataSource only
- allows local objects, dataSourceRef allows
- objects in any namespaces. (Beta) Using this
- field requires the AnyVolumeDataSource feature
- gate to be enabled. (Alpha) Using the namespace
- field of dataSourceRef requires the CrossNamespaceVolumeDataSource
- feature gate to be enabled.'
- properties:
- apiGroup:
- description: APIGroup is the group for the
- resource being referenced. If APIGroup
- is not specified, the specified Kind must
- be in the core API group. For any other
- third-party types, APIGroup is required.
- type: string
- kind:
- description: Kind is the type of resource
- being referenced
- type: string
- name:
- description: Name is the name of resource
- being referenced
- type: string
- namespace:
- description: Namespace is the namespace
- of resource being referenced Note that
- when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant
- object is required in the referent namespace
- to allow that namespace's owner to accept
- the reference. See the ReferenceGrant
- documentation for details. (Alpha) This
- field requires the CrossNamespaceVolumeDataSource
- feature gate to be enabled.
- type: string
- required:
- - kind
- - name
- type: object
- resources:
- description: 'resources represents the minimum
- resources the volume should have. If RecoverVolumeExpansionFailure
- feature is enabled users are allowed to specify
- resource requirements that are lower than
- previous value but must still be higher than
- capacity recorded in the status field of the
- claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources'
- properties:
- claims:
- description: "Claims lists the names of
- resources, defined in spec.resourceClaims,
- that are used by this container. \n This
- is an alpha field and requires enabling
- the DynamicResourceAllocation feature
- gate. \n This field is immutable. It can
- only be set for containers."
- items:
- description: ResourceClaim references
- one entry in PodSpec.ResourceClaims.
- properties:
- name:
- description: Name must match the name
- of one entry in pod.spec.resourceClaims
- of the Pod where this field is used.
- It makes that resource available
- inside a container.
- type: string
- required:
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- limits:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: 'Limits describes the maximum
- amount of compute resources allowed. More
- info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
- type: object
- requests:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: 'Requests describes the minimum
- amount of compute resources required.
- If Requests is omitted for a container,
- it defaults to Limits if that is explicitly
- specified, otherwise to an implementation-defined
- value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
- type: object
- type: object
- selector:
- description: selector is a label query over
- volumes to consider for binding.
- properties:
- matchExpressions:
- description: matchExpressions is a list
- of label selector requirements. The requirements
- are ANDed.
- items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
- properties:
- key:
- description: key is the label key
- that the selector applies to.
- type: string
- operator:
- description: operator represents a
- key's relationship to a set of values.
- Valid operators are In, NotIn, Exists
- and DoesNotExist.
- type: string
- values:
- description: values is an array of
- string values. If the operator is
- In or NotIn, the values array must
- be non-empty. If the operator is
- Exists or DoesNotExist, the values
- array must be empty. This array
- is replaced during a strategic merge
- patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- storageClassName:
- description: 'storageClassName is the name of
- the StorageClass required by the claim. More
- info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1'
- type: string
- volumeMode:
- description: volumeMode defines what type of
- volume is required by the claim. Value of
- Filesystem is implied when not included in
- claim spec.
- type: string
- volumeName:
- description: volumeName is the binding reference
- to the PersistentVolume backing this claim.
- type: string
- type: object
- required:
- - spec
- type: object
- type: object
- fc:
- description: fc represents a Fibre Channel resource that
- is attached to a kubelet's host machine and then exposed
- to the pod.
- properties:
- fsType:
- description: 'fsType is the filesystem type to mount.
- Must be a filesystem type supported by the host operating
- system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred
- to be "ext4" if unspecified. TODO: how do we prevent
- errors in the filesystem from compromising the machine'
- type: string
- lun:
- description: 'lun is Optional: FC target lun number'
- format: int32
- type: integer
- readOnly:
- description: 'readOnly is Optional: Defaults to false
- (read/write). ReadOnly here will force the ReadOnly
- setting in VolumeMounts.'
- type: boolean
- targetWWNs:
- description: 'targetWWNs is Optional: FC target worldwide
- names (WWNs)'
- items:
- type: string
- type: array
- wwids:
- description: 'wwids Optional: FC volume world wide identifiers
- (wwids) Either wwids or combination of targetWWNs
- and lun must be set, but not both simultaneously.'
- items:
- type: string
- type: array
- type: object
- flexVolume:
- description: flexVolume represents a generic volume resource
- that is provisioned/attached using an exec based plugin.
- properties:
- driver:
- description: driver is the name of the driver to use
- for this volume.
- type: string
- fsType:
- description: fsType is the filesystem type to mount.
- Must be a filesystem type supported by the host operating
- system. Ex. "ext4", "xfs", "ntfs". The default filesystem
- depends on FlexVolume script.
- type: string
- options:
- additionalProperties:
- type: string
- description: 'options is Optional: this field holds
- extra command options if any.'
- type: object
- readOnly:
- description: 'readOnly is Optional: defaults to false
- (read/write). ReadOnly here will force the ReadOnly
- setting in VolumeMounts.'
- type: boolean
- secretRef:
- description: 'secretRef is Optional: secretRef is reference
- to the secret object containing sensitive information
- to pass to the plugin scripts. This may be empty if
- no secret object is specified. If the secret object
- contains more than one secret, all secrets are passed
- to the plugin scripts.'
- properties:
- name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- uid?'
- type: string
- type: object
- x-kubernetes-map-type: atomic
- required:
- - driver
- type: object
- flocker:
- description: flocker represents a Flocker volume attached
- to a kubelet's host machine. This depends on the Flocker
- control service being running
- properties:
- datasetName:
- description: datasetName is Name of the dataset stored
- as metadata -> name on the dataset for Flocker should
- be considered as deprecated
- type: string
- datasetUUID:
- description: datasetUUID is the UUID of the dataset.
- This is unique identifier of a Flocker dataset
- type: string
- type: object
- gcePersistentDisk:
- description: 'gcePersistentDisk represents a GCE Disk resource
- that is attached to a kubelet''s host machine and then
- exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk'
- properties:
- fsType:
- description: 'fsType is filesystem type of the volume
- that you want to mount. Tip: Ensure that the filesystem
- type is supported by the host operating system. Examples:
- "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4"
- if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
- TODO: how do we prevent errors in the filesystem from
- compromising the machine'
- type: string
- partition:
- description: 'partition is the partition in the volume
- that you want to mount. If omitted, the default is
- to mount by volume name. Examples: For volume /dev/sda1,
- you specify the partition as "1". Similarly, the volume
- partition for /dev/sda is "0" (or you can leave the
- property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk'
- format: int32
- type: integer
- pdName:
- description: 'pdName is unique name of the PD resource
- in GCE. Used to identify the disk in GCE. More info:
- https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk'
- type: string
- readOnly:
- description: 'readOnly here will force the ReadOnly
- setting in VolumeMounts. Defaults to false. More info:
- https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk'
- type: boolean
- required:
- - pdName
- type: object
- gitRepo:
- description: 'gitRepo represents a git repository at a particular
- revision. DEPRECATED: GitRepo is deprecated. To provision
- a container with a git repo, mount an EmptyDir into an
- InitContainer that clones the repo using git, then mount
- the EmptyDir into the Pod''s container.'
- properties:
- directory:
- description: directory is the target directory name.
- Must not contain or start with '..'. If '.' is supplied,
- the volume directory will be the git repository. Otherwise,
- if specified, the volume will contain the git repository
- in the subdirectory with the given name.
- type: string
- repository:
- description: repository is the URL
- type: string
- revision:
- description: revision is the commit hash for the specified
- revision.
- type: string
- required:
- - repository
- type: object
- glusterfs:
- description: 'glusterfs represents a Glusterfs mount on
- the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md'
- properties:
- endpoints:
- description: 'endpoints is the endpoint name that details
- Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod'
- type: string
- path:
- description: 'path is the Glusterfs volume path. More
- info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod'
- type: string
- readOnly:
- description: 'readOnly here will force the Glusterfs
- volume to be mounted with read-only permissions. Defaults
- to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod'
- type: boolean
- required:
- - endpoints
- - path
- type: object
- hostPath:
- description: 'hostPath represents a pre-existing file or
- directory on the host machine that is directly exposed
- to the container. This is generally used for system agents
- or other privileged things that are allowed to see the
- host machine. Most containers will NOT need this. More
- info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
- --- TODO(jonesdl) We need to restrict who can use host
- directory mounts and who can/can not mount host directories
- as read/write.'
- properties:
- path:
- description: 'path of the directory on the host. If
- the path is a symlink, it will follow the link to
- the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath'
- type: string
- type:
- description: 'type for HostPath Volume Defaults to ""
- More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath'
- type: string
- required:
- - path
- type: object
- iscsi:
- description: 'iscsi represents an ISCSI Disk resource that
- is attached to a kubelet''s host machine and then exposed
- to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md'
- properties:
- chapAuthDiscovery:
- description: chapAuthDiscovery defines whether support
- iSCSI Discovery CHAP authentication
- type: boolean
- chapAuthSession:
- description: chapAuthSession defines whether support
- iSCSI Session CHAP authentication
- type: boolean
- fsType:
- description: 'fsType is the filesystem type of the volume
- that you want to mount. Tip: Ensure that the filesystem
- type is supported by the host operating system. Examples:
- "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4"
- if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
- TODO: how do we prevent errors in the filesystem from
- compromising the machine'
- type: string
- initiatorName:
- description: initiatorName is the custom iSCSI Initiator
- Name. If initiatorName is specified with iscsiInterface
- simultaneously, new iSCSI interface : will be created for the connection.
- type: string
- iqn:
- description: iqn is the target iSCSI Qualified Name.
- type: string
- iscsiInterface:
- description: iscsiInterface is the interface Name that
- uses an iSCSI transport. Defaults to 'default' (tcp).
- type: string
- lun:
- description: lun represents iSCSI Target Lun number.
- format: int32
- type: integer
- portals:
- description: portals is the iSCSI Target Portal List.
- The portal is either an IP or ip_addr:port if the
- port is other than default (typically TCP ports 860
- and 3260).
- items:
- type: string
- type: array
- readOnly:
- description: readOnly here will force the ReadOnly setting
- in VolumeMounts. Defaults to false.
- type: boolean
- secretRef:
- description: secretRef is the CHAP Secret for iSCSI
- target and initiator authentication
- properties:
- name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- uid?'
- type: string
- type: object
- x-kubernetes-map-type: atomic
- targetPortal:
- description: targetPortal is iSCSI Target Portal. The
- Portal is either an IP or ip_addr:port if the port
- is other than default (typically TCP ports 860 and
- 3260).
- type: string
- required:
- - iqn
- - lun
- - targetPortal
- type: object
- name:
- description: 'name of the volume. Must be a DNS_LABEL and
- unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- nfs:
- description: 'nfs represents an NFS mount on the host that
- shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs'
- properties:
- path:
- description: 'path that is exported by the NFS server.
- More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs'
- type: string
- readOnly:
- description: 'readOnly here will force the NFS export
- to be mounted with read-only permissions. Defaults
- to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs'
- type: boolean
- server:
- description: 'server is the hostname or IP address of
- the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs'
- type: string
- required:
- - path
- - server
- type: object
- persistentVolumeClaim:
- description: 'persistentVolumeClaimVolumeSource represents
- a reference to a PersistentVolumeClaim in the same namespace.
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims'
- properties:
- claimName:
- description: 'claimName is the name of a PersistentVolumeClaim
- in the same namespace as the pod using this volume.
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims'
- type: string
- readOnly:
- description: readOnly Will force the ReadOnly setting
- in VolumeMounts. Default false.
- type: boolean
- required:
- - claimName
- type: object
- photonPersistentDisk:
- description: photonPersistentDisk represents a PhotonController
- persistent disk attached and mounted on kubelets host
- machine
- properties:
- fsType:
- description: fsType is the filesystem type to mount.
- Must be a filesystem type supported by the host operating
- system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred
- to be "ext4" if unspecified.
- type: string
- pdID:
- description: pdID is the ID that identifies Photon Controller
- persistent disk
- type: string
- required:
- - pdID
- type: object
- portworxVolume:
- description: portworxVolume represents a portworx volume
- attached and mounted on kubelets host machine
- properties:
- fsType:
- description: fSType represents the filesystem type to
- mount Must be a filesystem type supported by the host
- operating system. Ex. "ext4", "xfs". Implicitly inferred
- to be "ext4" if unspecified.
- type: string
- readOnly:
- description: readOnly defaults to false (read/write).
- ReadOnly here will force the ReadOnly setting in VolumeMounts.
- type: boolean
- volumeID:
- description: volumeID uniquely identifies a Portworx
- volume
- type: string
- required:
- - volumeID
- type: object
- projected:
- description: projected items for all in one resources secrets,
- configmaps, and downward API
- properties:
- defaultMode:
- description: defaultMode are the mode bits used to set
- permissions on created files by default. Must be an
- octal value between 0000 and 0777 or a decimal value
- between 0 and 511. YAML accepts both octal and decimal
- values, JSON requires decimal values for mode bits.
- Directories within the path are not affected by this
- setting. This might be in conflict with other options
- that affect the file mode, like fsGroup, and the result
- can be other mode bits set.
- format: int32
- type: integer
- sources:
- description: sources is the list of volume projections
- items:
- description: Projection that may be projected along
- with other supported volume types
- properties:
- configMap:
- description: configMap information about the configMap
- data to project
- properties:
- items:
- description: items if unspecified, each key-value
- pair in the Data field of the referenced
- ConfigMap will be projected into the volume
- as a file whose name is the key and content
- is the value. If specified, the listed keys
- will be projected into the specified paths,
- and unlisted keys will not be present. If
- a key is specified which is not present
- in the ConfigMap, the volume setup will
- error unless it is marked optional. Paths
- must be relative and may not contain the
- '..' path or start with '..'.
- items:
- description: Maps a string key to a path
- within a volume.
- properties:
- key:
- description: key is the key to project.
- type: string
- mode:
- description: 'mode is Optional: mode
- bits used to set permissions on this
- file. Must be an octal value between
- 0000 and 0777 or a decimal value between
- 0 and 511. YAML accepts both octal
- and decimal values, JSON requires
- decimal values for mode bits. If not
- specified, the volume defaultMode
- will be used. This might be in conflict
- with other options that affect the
- file mode, like fsGroup, and the result
- can be other mode bits set.'
- format: int32
- type: integer
- path:
- description: path is the relative path
- of the file to map the key to. May
- not be an absolute path. May not contain
- the path element '..'. May not start
- with the string '..'.
- type: string
- required:
- - key
- - path
- type: object
- type: array
- name:
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
- type: string
- optional:
- description: optional specify whether the
- ConfigMap or its keys must be defined
- type: boolean
- type: object
- x-kubernetes-map-type: atomic
- downwardAPI:
- description: downwardAPI information about the
- downwardAPI data to project
- properties:
- items:
- description: Items is a list of DownwardAPIVolume
- file
- items:
- description: DownwardAPIVolumeFile represents
- information to create the file containing
- the pod field
- properties:
- fieldRef:
- description: 'Required: Selects a field
- of the pod: only annotations, labels,
- name and namespace are supported.'
- properties:
- apiVersion:
- description: Version of the schema
- the FieldPath is written in terms
- of, defaults to "v1".
- type: string
- fieldPath:
- description: Path of the field to
- select in the specified API version.
- type: string
- required:
- - fieldPath
- type: object
- x-kubernetes-map-type: atomic
- mode:
- description: 'Optional: mode bits used
- to set permissions on this file, must
- be an octal value between 0000 and
- 0777 or a decimal value between 0
- and 511. YAML accepts both octal and
- decimal values, JSON requires decimal
- values for mode bits. If not specified,
- the volume defaultMode will be used.
- This might be in conflict with other
- options that affect the file mode,
- like fsGroup, and the result can be
- other mode bits set.'
- format: int32
- type: integer
- path:
- description: 'Required: Path is the
- relative path name of the file to
- be created. Must not be absolute or
- contain the ''..'' path. Must be utf-8
- encoded. The first item of the relative
- path must not start with ''..'''
- type: string
- resourceFieldRef:
- description: 'Selects a resource of
- the container: only resources limits
- and requests (limits.cpu, limits.memory,
- requests.cpu and requests.memory)
- are currently supported.'
- properties:
- containerName:
- description: 'Container name: required
- for volumes, optional for env
- vars'
- type: string
- divisor:
- anyOf:
- - type: integer
- - type: string
- description: Specifies the output
- format of the exposed resources,
- defaults to "1"
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- resource:
- description: 'Required: resource
- to select'
- type: string
- required:
- - resource
- type: object
- x-kubernetes-map-type: atomic
- required:
- - path
- type: object
- type: array
- type: object
- secret:
- description: secret information about the secret
- data to project
- properties:
- items:
- description: items if unspecified, each key-value
- pair in the Data field of the referenced
- Secret will be projected into the volume
- as a file whose name is the key and content
- is the value. If specified, the listed keys
- will be projected into the specified paths,
- and unlisted keys will not be present. If
- a key is specified which is not present
- in the Secret, the volume setup will error
- unless it is marked optional. Paths must
- be relative and may not contain the '..'
- path or start with '..'.
- items:
- description: Maps a string key to a path
- within a volume.
- properties:
- key:
- description: key is the key to project.
- type: string
- mode:
- description: 'mode is Optional: mode
- bits used to set permissions on this
- file. Must be an octal value between
- 0000 and 0777 or a decimal value between
- 0 and 511. YAML accepts both octal
- and decimal values, JSON requires
- decimal values for mode bits. If not
- specified, the volume defaultMode
- will be used. This might be in conflict
- with other options that affect the
- file mode, like fsGroup, and the result
- can be other mode bits set.'
- format: int32
- type: integer
- path:
- description: path is the relative path
- of the file to map the key to. May
- not be an absolute path. May not contain
- the path element '..'. May not start
- with the string '..'.
- type: string
- required:
- - key
- - path
- type: object
- type: array
- name:
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
- type: string
- optional:
- description: optional field specify whether
- the Secret or its key must be defined
- type: boolean
- type: object
- x-kubernetes-map-type: atomic
- serviceAccountToken:
- description: serviceAccountToken is information
- about the serviceAccountToken data to project
- properties:
- audience:
- description: audience is the intended audience
- of the token. A recipient of a token must
- identify itself with an identifier specified
- in the audience of the token, and otherwise
- should reject the token. The audience defaults
- to the identifier of the apiserver.
- type: string
- expirationSeconds:
- description: expirationSeconds is the requested
- duration of validity of the service account
- token. As the token approaches expiration,
- the kubelet volume plugin will proactively
- rotate the service account token. The kubelet
- will start trying to rotate the token if
- the token is older than 80 percent of its
- time to live or if the token is older than
- 24 hours.Defaults to 1 hour and must be
- at least 10 minutes.
- format: int64
- type: integer
- path:
- description: path is the path relative to
- the mount point of the file to project the
- token into.
- type: string
- required:
- - path
- type: object
- type: object
- type: array
- type: object
- quobyte:
- description: quobyte represents a Quobyte mount on the host
- that shares a pod's lifetime
- properties:
- group:
- description: group to map volume access to Default is
- no group
- type: string
- readOnly:
- description: readOnly here will force the Quobyte volume
- to be mounted with read-only permissions. Defaults
- to false.
- type: boolean
- registry:
- description: registry represents a single or multiple
- Quobyte Registry services specified as a string as
- host:port pair (multiple entries are separated with
- commas) which acts as the central registry for volumes
- type: string
- tenant:
- description: tenant owning the given Quobyte volume
- in the Backend Used with dynamically provisioned Quobyte
- volumes, value is set by the plugin
- type: string
- user:
- description: user to map volume access to Defaults to
- serivceaccount user
- type: string
- volume:
- description: volume is a string that references an already
- created Quobyte volume by name.
- type: string
- required:
- - registry
- - volume
- type: object
- rbd:
- description: 'rbd represents a Rados Block Device mount
- on the host that shares a pod''s lifetime. More info:
- https://examples.k8s.io/volumes/rbd/README.md'
- properties:
- fsType:
- description: 'fsType is the filesystem type of the volume
- that you want to mount. Tip: Ensure that the filesystem
- type is supported by the host operating system. Examples:
- "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4"
- if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
- TODO: how do we prevent errors in the filesystem from
- compromising the machine'
- type: string
- image:
- description: 'image is the rados image name. More info:
- https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'
- type: string
- keyring:
- description: 'keyring is the path to key ring for RBDUser.
- Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'
- type: string
- monitors:
- description: 'monitors is a collection of Ceph monitors.
- More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'
- items:
- type: string
- type: array
- pool:
- description: 'pool is the rados pool name. Default is
- rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'
- type: string
- readOnly:
- description: 'readOnly here will force the ReadOnly
- setting in VolumeMounts. Defaults to false. More info:
- https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'
- type: boolean
- secretRef:
- description: 'secretRef is name of the authentication
- secret for RBDUser. If provided overrides keyring.
- Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'
- properties:
- name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- uid?'
- type: string
- type: object
- x-kubernetes-map-type: atomic
- user:
- description: 'user is the rados user name. Default is
- admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'
- type: string
- required:
- - image
- - monitors
- type: object
- scaleIO:
- description: scaleIO represents a ScaleIO persistent volume
- attached and mounted on Kubernetes nodes.
- properties:
- fsType:
- description: fsType is the filesystem type to mount.
- Must be a filesystem type supported by the host operating
- system. Ex. "ext4", "xfs", "ntfs". Default is "xfs".
- type: string
- gateway:
- description: gateway is the host address of the ScaleIO
- API Gateway.
- type: string
- protectionDomain:
- description: protectionDomain is the name of the ScaleIO
- Protection Domain for the configured storage.
- type: string
- readOnly:
- description: readOnly Defaults to false (read/write).
- ReadOnly here will force the ReadOnly setting in VolumeMounts.
- type: boolean
- secretRef:
- description: secretRef references to the secret for
- ScaleIO user and other sensitive information. If this
- is not provided, Login operation will fail.
- properties:
- name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- uid?'
- type: string
- type: object
- x-kubernetes-map-type: atomic
- sslEnabled:
- description: sslEnabled Flag enable/disable SSL communication
- with Gateway, default false
- type: boolean
- storageMode:
- description: storageMode indicates whether the storage
- for a volume should be ThickProvisioned or ThinProvisioned.
- Default is ThinProvisioned.
- type: string
- storagePool:
- description: storagePool is the ScaleIO Storage Pool
- associated with the protection domain.
- type: string
- system:
- description: system is the name of the storage system
- as configured in ScaleIO.
- type: string
- volumeName:
- description: volumeName is the name of a volume already
- created in the ScaleIO system that is associated with
- this volume source.
- type: string
- required:
- - gateway
- - secretRef
- - system
- type: object
- secret:
- description: 'secret represents a secret that should populate
- this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret'
- properties:
- defaultMode:
- description: 'defaultMode is Optional: mode bits used
- to set permissions on created files by default. Must
- be an octal value between 0000 and 0777 or a decimal
- value between 0 and 511. YAML accepts both octal and
- decimal values, JSON requires decimal values for mode
- bits. Defaults to 0644. Directories within the path
- are not affected by this setting. This might be in
- conflict with other options that affect the file mode,
- like fsGroup, and the result can be other mode bits
- set.'
- format: int32
- type: integer
- items:
- description: items If unspecified, each key-value pair
- in the Data field of the referenced Secret will be
- projected into the volume as a file whose name is
- the key and content is the value. If specified, the
- listed keys will be projected into the specified paths,
- and unlisted keys will not be present. If a key is
- specified which is not present in the Secret, the
- volume setup will error unless it is marked optional.
- Paths must be relative and may not contain the '..'
- path or start with '..'.
- items:
- description: Maps a string key to a path within a
- volume.
- properties:
- key:
- description: key is the key to project.
- type: string
- mode:
- description: 'mode is Optional: mode bits used
- to set permissions on this file. Must be an
- octal value between 0000 and 0777 or a decimal
- value between 0 and 511. YAML accepts both octal
- and decimal values, JSON requires decimal values
- for mode bits. If not specified, the volume
- defaultMode will be used. This might be in conflict
- with other options that affect the file mode,
- like fsGroup, and the result can be other mode
- bits set.'
- format: int32
- type: integer
- path:
- description: path is the relative path of the
- file to map the key to. May not be an absolute
- path. May not contain the path element '..'.
- May not start with the string '..'.
- type: string
- required:
- - key
- - path
- type: object
- type: array
- optional:
- description: optional field specify whether the Secret
- or its keys must be defined
- type: boolean
- secretName:
- description: 'secretName is the name of the secret in
- the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret'
- type: string
- type: object
- storageos:
- description: storageOS represents a StorageOS volume attached
- and mounted on Kubernetes nodes.
- properties:
- fsType:
- description: fsType is the filesystem type to mount.
- Must be a filesystem type supported by the host operating
- system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred
- to be "ext4" if unspecified.
- type: string
- readOnly:
- description: readOnly defaults to false (read/write).
- ReadOnly here will force the ReadOnly setting in VolumeMounts.
- type: boolean
- secretRef:
- description: secretRef specifies the secret to use for
- obtaining the StorageOS API credentials. If not specified,
- default values will be attempted.
- properties:
- name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- uid?'
- type: string
- type: object
- x-kubernetes-map-type: atomic
- volumeName:
- description: volumeName is the human-readable name of
- the StorageOS volume. Volume names are only unique
- within a namespace.
- type: string
- volumeNamespace:
- description: volumeNamespace specifies the scope of
- the volume within StorageOS. If no namespace is specified
- then the Pod's namespace will be used. This allows
- the Kubernetes name scoping to be mirrored within
- StorageOS for tighter integration. Set VolumeName
- to any name to override the default behaviour. Set
- to "default" if you are not using namespaces within
- StorageOS. Namespaces that do not pre-exist within
- StorageOS will be created.
- type: string
- type: object
- vsphereVolume:
- description: vsphereVolume represents a vSphere volume attached
- and mounted on kubelets host machine
- properties:
- fsType:
- description: fsType is filesystem type to mount. Must
- be a filesystem type supported by the host operating
- system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred
- to be "ext4" if unspecified.
- type: string
- storagePolicyID:
- description: storagePolicyID is the storage Policy Based
- Management (SPBM) profile ID associated with the StoragePolicyName.
- type: string
- storagePolicyName:
- description: storagePolicyName is the storage Policy
- Based Management (SPBM) profile name.
- type: string
- volumePath:
- description: volumePath is the path that identifies
- vSphere volume vmdk
- type: string
- required:
- - volumePath
- type: object
- required:
- - name
- type: object
- type: array
- logLevel:
- description: LogLevel sets the log level for Envoy. Allowed values
- are "trace", "debug", "info", "warn", "error", "critical", "off".
- type: string
- networkPublishing:
- description: NetworkPublishing defines how to expose Envoy to
- a network.
- properties:
- externalTrafficPolicy:
- description: "ExternalTrafficPolicy describes how nodes distribute
- service traffic they receive on one of the Service's \"externally-facing\"
- addresses (NodePorts, ExternalIPs, and LoadBalancer IPs).
- \n If unset, defaults to \"Local\"."
- type: string
- serviceAnnotations:
- additionalProperties:
- type: string
- description: ServiceAnnotations is the annotations to add
- to the provisioned Envoy service.
- type: object
- type:
- description: "NetworkPublishingType is the type of publishing
- strategy to use. Valid values are: \n * LoadBalancerService
- \n In this configuration, network endpoints for Envoy use
- container networking. A Kubernetes LoadBalancer Service
- is created to publish Envoy network endpoints. \n See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
- \n * NodePortService \n Publishes Envoy network endpoints
- using a Kubernetes NodePort Service. \n In this configuration,
- Envoy network endpoints use container networking. A Kubernetes
- NodePort Service is created to publish the network endpoints.
- \n See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
- \n NOTE: When provisioning an Envoy `NodePortService`, use
- Gateway Listeners' port numbers to populate the Service's
- node port values, there's no way to auto-allocate them.
- \n See: https://github.com/projectcontour/contour/issues/4499
- \n * ClusterIPService \n Publishes Envoy network endpoints
- using a Kubernetes ClusterIP Service. \n In this configuration,
- Envoy network endpoints use container networking. A Kubernetes
- ClusterIP Service is created to publish the network endpoints.
- \n See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
- \n If unset, defaults to LoadBalancerService."
- type: string
- type: object
- nodePlacement:
- description: NodePlacement describes node scheduling configuration
- of Envoy pods.
- properties:
- nodeSelector:
- additionalProperties:
- type: string
- description: "NodeSelector is the simplest recommended form
- of node selection constraint and specifies a map of key-value
- pairs. For the pod to be eligible to run on a node, the
- node must have each of the indicated key-value pairs as
- labels (it can have additional labels as well). \n If unset,
- the pod(s) will be scheduled to any available node."
- type: object
- tolerations:
- description: "Tolerations work with taints to ensure that
- pods are not scheduled onto inappropriate nodes. One or
- more taints are applied to a node; this marks that the node
- should not accept any pods that do not tolerate the taints.
- \n The default is an empty list. \n See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
- for additional details."
- items:
- description: The pod this Toleration is attached to tolerates
- any taint that matches the triple using
- the matching operator .
- properties:
- effect:
- description: Effect indicates the taint effect to match.
- Empty means match all taint effects. When specified,
- allowed values are NoSchedule, PreferNoSchedule and
- NoExecute.
- type: string
- key:
- description: Key is the taint key that the toleration
- applies to. Empty means match all taint keys. If the
- key is empty, operator must be Exists; this combination
- means to match all values and all keys.
- type: string
- operator:
- description: Operator represents a key's relationship
- to the value. Valid operators are Exists and Equal.
- Defaults to Equal. Exists is equivalent to wildcard
- for value, so that a pod can tolerate all taints of
- a particular category.
- type: string
- tolerationSeconds:
- description: TolerationSeconds represents the period
- of time the toleration (which must be of effect NoExecute,
- otherwise this field is ignored) tolerates the taint.
- By default, it is not set, which means tolerate the
- taint forever (do not evict). Zero and negative values
- will be treated as 0 (evict immediately) by the system.
- format: int64
- type: integer
- value:
- description: Value is the taint value the toleration
- matches to. If the operator is Exists, the value should
- be empty, otherwise just a regular string.
- type: string
- type: object
- type: array
- type: object
- podAnnotations:
- additionalProperties:
- type: string
- description: PodAnnotations defines annotations to add to the
- Envoy pods.
- type: object
- replicas:
- description: "Deprecated: Use `DeploymentSettings.Replicas` instead.
- \n Replicas is the desired number of Envoy replicas. If WorkloadType
- is not \"Deployment\", this field is ignored. Otherwise, if
- unset, defaults to 2. \n if both `DeploymentSettings.Replicas`
- and this one is set, use `DeploymentSettings.Replicas`."
- format: int32
- minimum: 0
- type: integer
- resources:
- description: 'Compute Resources required by envoy container. Cannot
- be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
- properties:
- claims:
- description: "Claims lists the names of resources, defined
- in spec.resourceClaims, that are used by this container.
- \n This is an alpha field and requires enabling the DynamicResourceAllocation
- feature gate. \n This field is immutable. It can only be
- set for containers."
- items:
- description: ResourceClaim references one entry in PodSpec.ResourceClaims.
- properties:
- name:
- description: Name must match the name of one entry in
- pod.spec.resourceClaims of the Pod where this field
- is used. It makes that resource available inside a
- container.
- type: string
- required:
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- limits:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: 'Limits describes the maximum amount of compute
- resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
- type: object
- requests:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: 'Requests describes the minimum amount of compute
- resources required. If Requests is omitted for a container,
- it defaults to Limits if that is explicitly specified, otherwise
- to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
- type: object
- type: object
- workloadType:
- description: WorkloadType is the type of workload to install Envoy
- as. Choices are DaemonSet and Deployment. If unset, defaults
- to DaemonSet.
- type: string
- type: object
- resourceLabels:
- additionalProperties:
- type: string
- description: ResourceLabels is a set of labels to add to the provisioned
- Contour resources.
- type: object
- runtimeSettings:
- description: RuntimeSettings is a ContourConfiguration spec to be
- used when provisioning a Contour instance that will influence aspects
- of the Contour instance's runtime behavior.
- properties:
- debug:
- description: Debug contains parameters to enable debug logging
- and debug interfaces inside Contour.
- properties:
- address:
- description: "Defines the Contour debug address interface.
- \n Contour's default is \"127.0.0.1\"."
- type: string
- port:
- description: "Defines the Contour debug address port. \n Contour's
- default is 6060."
- type: integer
- type: object
- enableExternalNameService:
- description: "EnableExternalNameService allows processing of ExternalNameServices
- \n Contour's default is false for security reasons."
- type: boolean
- envoy:
- description: Envoy contains parameters for Envoy as well as how
- to optionally configure a managed Envoy fleet.
- properties:
- clientCertificate:
- description: ClientCertificate defines the namespace/name
- of the Kubernetes secret containing the client certificate
- and private key to be used when establishing TLS connection
- to upstream cluster.
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- cluster:
- description: Cluster holds various configurable Envoy cluster
- values that can be set in the config file.
- properties:
- dnsLookupFamily:
- description: "DNSLookupFamily defines how external names
- are looked up When configured as V4, the DNS resolver
- will only perform a lookup for addresses in the IPv4
- family. If V6 is configured, the DNS resolver will only
- perform a lookup for addresses in the IPv6 family. If
- AUTO is configured, the DNS resolver will first perform
- a lookup for addresses in the IPv6 family and fallback
- to a lookup for addresses in the IPv4 family. If ALL
- is specified, the DNS resolver will perform a lookup
- for both IPv4 and IPv6 families, and return all resolved
- addresses. When this is used, Happy Eyeballs will be
- enabled for upstream connections. Refer to Happy Eyeballs
- Support for more information. Note: This only applies
- to externalName clusters. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily
- for more information. \n Values: `auto` (default), `v4`,
- `v6`, `all`. \n Other values will produce an error."
- type: string
- type: object
- defaultHTTPVersions:
- description: "DefaultHTTPVersions defines the default set
- of HTTPS versions the proxy should accept. HTTP versions
- are strings of the form \"HTTP/xx\". Supported versions
- are \"HTTP/1.1\" and \"HTTP/2\". \n Values: `HTTP/1.1`,
- `HTTP/2` (default: both). \n Other values will produce an
- error."
- items:
- description: HTTPVersionType is the name of a supported
- HTTP version.
- type: string
- type: array
- health:
- description: "Health defines the endpoint Envoy uses to serve
- health checks. \n Contour's default is { address: \"0.0.0.0\",
- port: 8002 }."
- properties:
- address:
- description: Defines the health address interface.
- minLength: 1
- type: string
- port:
- description: Defines the health port.
- type: integer
- type: object
- http:
- description: "Defines the HTTP Listener for Envoy. \n Contour's
- default is { address: \"0.0.0.0\", port: 8080, accessLog:
- \"/dev/stdout\" }."
- properties:
- accessLog:
- description: AccessLog defines where Envoy logs are outputted
- for this listener.
- type: string
- address:
- description: Defines an Envoy Listener Address.
- minLength: 1
- type: string
- port:
- description: Defines an Envoy listener Port.
- type: integer
- type: object
- https:
- description: "Defines the HTTPS Listener for Envoy. \n Contour's
- default is { address: \"0.0.0.0\", port: 8443, accessLog:
- \"/dev/stdout\" }."
- properties:
- accessLog:
- description: AccessLog defines where Envoy logs are outputted
- for this listener.
- type: string
- address:
- description: Defines an Envoy Listener Address.
- minLength: 1
- type: string
- port:
- description: Defines an Envoy listener Port.
- type: integer
- type: object
- listener:
- description: Listener hold various configurable Envoy listener
- values.
- properties:
- connectionBalancer:
- description: "ConnectionBalancer. If the value is exact,
- the listener will use the exact connection balancer
- See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig
- for more information. \n Values: (empty string): use
- the default ConnectionBalancer, `exact`: use the Exact
- ConnectionBalancer. \n Other values will produce an
- error."
- type: string
- disableAllowChunkedLength:
- description: "DisableAllowChunkedLength disables the RFC-compliant
- Envoy behavior to strip the \"Content-Length\" header
- if \"Transfer-Encoding: chunked\" is also set. This
- is an emergency off-switch to revert back to Envoy's
- default behavior in case of failures. Please file an
- issue if failures are encountered. See: https://github.com/projectcontour/contour/issues/3221
- \n Contour's default is false."
- type: boolean
- disableMergeSlashes:
- description: "DisableMergeSlashes disables Envoy's non-standard
- merge_slashes path transformation option which strips
- duplicate slashes from request URL paths. \n Contour's
- default is false."
- type: boolean
- serverHeaderTransformation:
- description: "Defines the action to be applied to the
- Server header on the response path. When configured
- as overwrite, overwrites any Server header with \"envoy\".
- When configured as append_if_absent, if a Server header
- is present, pass it through, otherwise set it to \"envoy\".
- When configured as pass_through, pass through the value
- of the Server header, and do not append a header if
- none is present. \n Values: `overwrite` (default), `append_if_absent`,
- `pass_through` \n Other values will produce an error.
- Contour's default is overwrite."
- type: string
- tls:
- description: TLS holds various configurable Envoy TLS
- listener values.
- properties:
- cipherSuites:
- description: "CipherSuites defines the TLS ciphers
- to be supported by Envoy TLS listeners when negotiating
- TLS 1.2. Ciphers are validated against the set that
- Envoy supports by default. This parameter should
- only be used by advanced users. Note that these
- will be ignored when TLS 1.3 is in use. \n This
- field is optional; when it is undefined, a Contour-managed
- ciphersuite list will be used, which may be updated
- to keep it secure. \n Contour's default list is:
- - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"
- - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"
- - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\"
- \n Ciphers provided are validated against the following
- list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"
- - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"
- - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\"
- - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\"
- - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\"
- - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\"
- - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\"
- - \"AES256-SHA\" \n Contour recommends leaving this
- undefined unless you are sure you must. \n See:
- https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
- Note: This list is a superset of what is valid for
- stock Envoy builds and those using BoringSSL FIPS."
- items:
- type: string
- type: array
- minimumProtocolVersion:
- description: "MinimumProtocolVersion is the minimum
- TLS version this vhost should negotiate. \n Values:
- `1.2` (default), `1.3`. \n Other values will produce
- an error."
- type: string
- type: object
- useProxyProtocol:
- description: "Use PROXY protocol for all listeners. \n
- Contour's default is false."
- type: boolean
- type: object
- logging:
- description: Logging defines how Envoy's logs can be configured.
- properties:
- accessLogFormat:
- description: "AccessLogFormat sets the global access log
- format. \n Values: `envoy` (default), `json`. \n Other
- values will produce an error."
- type: string
- accessLogFormatString:
- description: AccessLogFormatString sets the access log
- format when format is set to `envoy`. When empty, Envoy's
- default format is used.
- type: string
- accessLogJSONFields:
- description: AccessLogJSONFields sets the fields that
- JSON logging will output when AccessLogFormat is json.
- items:
- type: string
- type: array
- accessLogLevel:
- description: "AccessLogLevel sets the verbosity level
- of the access log. \n Values: `info` (default, meaning
- all requests are logged), `error` and `disabled`. \n
- Other values will produce an error."
- type: string
- type: object
- metrics:
- description: "Metrics defines the endpoint Envoy uses to serve
- metrics. \n Contour's default is { address: \"0.0.0.0\",
- port: 8002 }."
- properties:
- address:
- description: Defines the metrics address interface.
- maxLength: 253
- minLength: 1
- type: string
- port:
- description: Defines the metrics port.
- type: integer
- tls:
- description: TLS holds TLS file config details. Metrics
- and health endpoints cannot have same port number when
- metrics is served over HTTPS.
- properties:
- caFile:
- description: CA filename.
- type: string
- certFile:
- description: Client certificate filename.
- type: string
- keyFile:
- description: Client key filename.
- type: string
- type: object
- type: object
- network:
- description: Network holds various configurable Envoy network
- values.
- properties:
- adminPort:
- description: "Configure the port used to access the Envoy
- Admin interface. If configured to port \"0\" then the
- admin interface is disabled. \n Contour's default is
- 9001."
- type: integer
- numTrustedHops:
- description: "XffNumTrustedHops defines the number of
- additional ingress proxy hops from the right side of
- the x-forwarded-for HTTP header to trust when determining
- the origin client’s IP address. \n See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops
- for more information. \n Contour's default is 0."
- format: int32
- type: integer
- type: object
- service:
- description: "Service holds Envoy service parameters for setting
- Ingress status. \n Contour's default is { namespace: \"projectcontour\",
- name: \"envoy\" }."
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- timeouts:
- description: Timeouts holds various configurable timeouts
- that can be set in the config file.
- properties:
- connectTimeout:
- description: "ConnectTimeout defines how long the proxy
- should wait when establishing connection to upstream
- service. If not set, a default value of 2 seconds will
- be used. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout
- for more information."
- type: string
- connectionIdleTimeout:
- description: "ConnectionIdleTimeout defines how long the
- proxy should wait while there are no active requests
- (for HTTP/1.1) or streams (for HTTP/2) before terminating
- an HTTP connection. Set to \"infinity\" to disable the
- timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout
- for more information."
- type: string
- connectionShutdownGracePeriod:
- description: "ConnectionShutdownGracePeriod defines how
- long the proxy will wait between sending an initial
- GOAWAY frame and a second, final GOAWAY frame when terminating
- an HTTP/2 connection. During this grace period, the
- proxy will continue to respond to new streams. After
- the final GOAWAY frame has been sent, the proxy will
- refuse new streams. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout
- for more information."
- type: string
- delayedCloseTimeout:
- description: "DelayedCloseTimeout defines how long envoy
- will wait, once connection close processing has been
- initiated, for the downstream peer to close the connection
- before Envoy closes the socket associated with the connection.
- \n Setting this timeout to 'infinity' will disable it,
- equivalent to setting it to '0' in Envoy. Leaving it
- unset will result in the Envoy default value being used.
- \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout
- for more information."
- type: string
- maxConnectionDuration:
- description: "MaxConnectionDuration defines the maximum
- period of time after an HTTP connection has been established
- from the client to the proxy before it is closed by
- the proxy, regardless of whether there has been activity
- or not. Omit or set to \"infinity\" for no max duration.
- \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration
- for more information."
- type: string
- requestTimeout:
- description: "RequestTimeout sets the client request timeout
- globally for Contour. Note that this is a timeout for
- the entire request, not an idle timeout. Omit or set
- to \"infinity\" to disable the timeout entirely. \n
- See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout
- for more information."
- type: string
- streamIdleTimeout:
- description: "StreamIdleTimeout defines how long the proxy
- should wait while there is no request activity (for
- HTTP/1.1) or stream activity (for HTTP/2) before terminating
- the HTTP request or stream. Set to \"infinity\" to disable
- the timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout
- for more information."
- type: string
- type: object
- type: object
- gateway:
- description: Gateway contains parameters for the gateway-api Gateway
- that Contour is configured to serve traffic.
- properties:
- controllerName:
- description: ControllerName is used to determine whether Contour
- should reconcile a GatewayClass. The string takes the form
- of "projectcontour.io//contour". If unset, the
- gatewayclass controller will not be started. Exactly one
- of ControllerName or GatewayRef must be set.
- type: string
- gatewayRef:
- description: GatewayRef defines a specific Gateway that this
- Contour instance corresponds to. If set, Contour will reconcile
- only this gateway, and will not reconcile any gateway classes.
- Exactly one of ControllerName or GatewayRef must be set.
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- type: object
- globalExtAuth:
- description: GlobalExternalAuthorization allows envoys external
- authorization filter to be enabled for all virtual hosts.
- properties:
- authPolicy:
- description: AuthPolicy sets a default authorization policy
- for client requests. This policy will be used unless overridden
- by individual routes.
- properties:
- context:
- additionalProperties:
- type: string
- description: Context is a set of key/value pairs that
- are sent to the authentication server in the check request.
- If a context is provided at an enclosing scope, the
- entries are merged such that the inner scope overrides
- matching keys from the outer scope.
- type: object
- disabled:
- description: When true, this field disables client request
- authentication for the scope of the policy.
- type: boolean
- type: object
- extensionRef:
- description: ExtensionServiceRef specifies the extension resource
- that will authorize client requests.
- properties:
- apiVersion:
- description: API version of the referent. If this field
- is not specified, the default "projectcontour.io/v1alpha1"
- will be used
- minLength: 1
- type: string
- name:
- description: "Name of the referent. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names"
- minLength: 1
- type: string
- namespace:
- description: "Namespace of the referent. If this field
- is not specifies, the namespace of the resource that
- targets the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"
- minLength: 1
- type: string
- type: object
- failOpen:
- description: If FailOpen is true, the client request is forwarded
- to the upstream service even if the authorization server
- fails to respond. This field should not be set in most cases.
- It is intended for use only while migrating applications
- from internal authorization to Contour external authorization.
- type: boolean
- responseTimeout:
- description: ResponseTimeout configures maximum time to wait
- for a check response from the authorization server. Timeout
- durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
- Valid time units are "ns", "us" (or "µs"), "ms", "s", "m",
- "h". The string "infinity" is also a valid input and specifies
- no timeout.
- pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
- type: string
- withRequestBody:
- description: WithRequestBody specifies configuration for sending
- the client request's body to authorization server.
- properties:
- allowPartialMessage:
- description: If AllowPartialMessage is true, then Envoy
- will buffer the body until MaxRequestBytes are reached.
- type: boolean
- maxRequestBytes:
- default: 1024
- description: MaxRequestBytes sets the maximum size of
- message body ExtAuthz filter will hold in-memory.
- format: int32
- minimum: 1
- type: integer
- packAsBytes:
- description: If PackAsBytes is true, the body sent to
- Authorization Server is in raw bytes.
- type: boolean
- type: object
- type: object
- health:
- description: "Health defines the endpoints Contour uses to serve
- health checks. \n Contour's default is { address: \"0.0.0.0\",
- port: 8000 }."
- properties:
- address:
- description: Defines the health address interface.
- minLength: 1
- type: string
- port:
- description: Defines the health port.
- type: integer
- type: object
- httpproxy:
- description: HTTPProxy defines parameters on HTTPProxy.
- properties:
- disablePermitInsecure:
- description: "DisablePermitInsecure disables the use of the
- permitInsecure field in HTTPProxy. \n Contour's default
- is false."
- type: boolean
- fallbackCertificate:
- description: FallbackCertificate defines the namespace/name
- of the Kubernetes secret to use as fallback when a non-SNI
- request is received.
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- rootNamespaces:
- description: Restrict Contour to searching these namespaces
- for root ingress routes.
- items:
- type: string
- type: array
- type: object
- ingress:
- description: Ingress contains parameters for ingress options.
- properties:
- classNames:
- description: Ingress Class Names Contour should use.
- items:
- type: string
- type: array
- statusAddress:
- description: Address to set in Ingress object status.
- type: string
- type: object
- metrics:
- description: "Metrics defines the endpoint Contour uses to serve
- metrics. \n Contour's default is { address: \"0.0.0.0\", port:
- 8000 }."
- properties:
- address:
- description: Defines the metrics address interface.
- maxLength: 253
- minLength: 1
- type: string
- port:
- description: Defines the metrics port.
- type: integer
- tls:
- description: TLS holds TLS file config details. Metrics and
- health endpoints cannot have same port number when metrics
- is served over HTTPS.
- properties:
- caFile:
- description: CA filename.
- type: string
- certFile:
- description: Client certificate filename.
- type: string
- keyFile:
- description: Client key filename.
- type: string
- type: object
- type: object
- policy:
- description: Policy specifies default policy applied if not overridden
- by the user
- properties:
- applyToIngress:
- description: "ApplyToIngress determines if the Policies will
- apply to ingress objects \n Contour's default is false."
- type: boolean
- requestHeaders:
- description: RequestHeadersPolicy defines the request headers
- set/removed on all routes
- properties:
- remove:
- items:
- type: string
- type: array
- set:
- additionalProperties:
- type: string
- type: object
- type: object
- responseHeaders:
- description: ResponseHeadersPolicy defines the response headers
- set/removed on all routes
- properties:
- remove:
- items:
- type: string
- type: array
- set:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- rateLimitService:
- description: RateLimitService optionally holds properties of the
- Rate Limit Service to be used for global rate limiting.
- properties:
- domain:
- description: Domain is passed to the Rate Limit Service.
- type: string
- enableResourceExhaustedCode:
- description: EnableResourceExhaustedCode enables translating
- error code 429 to grpc code RESOURCE_EXHAUSTED. When disabled
- it's translated to UNAVAILABLE
- type: boolean
- enableXRateLimitHeaders:
- description: "EnableXRateLimitHeaders defines whether to include
- the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining,
- and X-RateLimit-Reset (as defined by the IETF Internet-Draft
- linked below), on responses to clients when the Rate Limit
- Service is consulted for a request. \n ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html"
- type: boolean
- extensionService:
- description: ExtensionService identifies the extension service
- defining the RLS.
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- failOpen:
- description: FailOpen defines whether to allow requests to
- proceed when the Rate Limit Service fails to respond with
- a valid rate limit decision within the timeout defined on
- the extension service.
- type: boolean
- required:
- - extensionService
- type: object
- tracing:
- description: Tracing defines properties for exporting trace data
- to OpenTelemetry.
- properties:
- customTags:
- description: CustomTags defines a list of custom tags with
- unique tag name.
- items:
- description: CustomTag defines custom tags with unique tag
- name to create tags for the active span.
- properties:
- literal:
- description: Literal is a static custom tag value. Precisely
- one of Literal, RequestHeaderName must be set.
- type: string
- requestHeaderName:
- description: RequestHeaderName indicates which request
- header the label value is obtained from. Precisely
- one of Literal, RequestHeaderName must be set.
- type: string
- tagName:
- description: TagName is the unique name of the custom
- tag.
- type: string
- required:
- - tagName
- type: object
- type: array
- extensionService:
- description: ExtensionService identifies the extension service
- defining the otel-collector.
- properties:
- name:
- type: string
- namespace:
- type: string
- required:
- - name
- - namespace
- type: object
- includePodDetail:
- description: 'IncludePodDetail defines a flag. If it is true,
- contour will add the pod name and namespace to the span
- of the trace. the default is true. Note: The Envoy pods
- MUST have the HOSTNAME and CONTOUR_NAMESPACE environment
- variables set for this to work properly.'
- type: boolean
- maxPathTagLength:
- description: MaxPathTagLength defines maximum length of the
- request path to extract and include in the HttpUrl tag.
- contour's default is 256.
- format: int32
- type: integer
- overallSampling:
- description: OverallSampling defines the sampling rate of
- trace data. contour's default is 100.
- type: string
- serviceName:
- description: ServiceName defines the name for the service.
- contour's default is contour.
- type: string
- required:
- - extensionService
- type: object
- xdsServer:
- description: XDSServer contains parameters for the xDS server.
- properties:
- address:
- description: "Defines the xDS gRPC API address which Contour
- will serve. \n Contour's default is \"0.0.0.0\"."
- minLength: 1
- type: string
- port:
- description: "Defines the xDS gRPC API port which Contour
- will serve. \n Contour's default is 8001."
- type: integer
- tls:
- description: "TLS holds TLS file config details. \n Contour's
- default is { caFile: \"/certs/ca.crt\", certFile: \"/certs/tls.cert\",
- keyFile: \"/certs/tls.key\", insecure: false }."
- properties:
- caFile:
- description: CA filename.
- type: string
- certFile:
- description: Client certificate filename.
- type: string
- insecure:
- description: Allow serving the xDS gRPC API without TLS.
- type: boolean
- keyFile:
- description: Client key filename.
- type: string
- type: object
- type:
- description: "Defines the XDSServer to use for `contour serve`.
- \n Values: `contour` (default), `envoy`. \n Other values
- will produce an error."
- type: string
- type: object
- type: object
- type: object
- status:
- description: ContourDeploymentStatus defines the observed state of a ContourDeployment
- resource.
- properties:
- conditions:
- description: Conditions describe the current conditions of the ContourDeployment
- resource.
- items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
- properties:
- lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
diff --git a/charts/contour/contour/charts/contour/resources/extensionservices.yaml b/charts/contour/contour/charts/contour/resources/extensionservices.yaml
deleted file mode 100644
index e233efc0f..000000000
--- a/charts/contour/contour/charts/contour/resources/extensionservices.yaml
+++ /dev/null
@@ -1,420 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.11.4
- name: extensionservices.projectcontour.io
-spec:
- preserveUnknownFields: false
- group: projectcontour.io
- names:
- kind: ExtensionService
- listKind: ExtensionServiceList
- plural: extensionservices
- shortNames:
- - extensionservice
- - extensionservices
- singular: extensionservice
- scope: Namespaced
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- description: ExtensionService is the schema for the Contour extension services
- API. An ExtensionService resource binds a network service to the Contour
- API so that Contour API features can be implemented by collaborating components.
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: ExtensionServiceSpec defines the desired state of an ExtensionService
- resource.
- properties:
- loadBalancerPolicy:
- description: The policy for load balancing GRPC service requests.
- Note that the `Cookie` and `RequestHash` load balancing strategies
- cannot be used here.
- properties:
- requestHashPolicies:
- description: RequestHashPolicies contains a list of hash policies
- to apply when the `RequestHash` load balancing strategy is chosen.
- If an element of the supplied list of hash policies is invalid,
- it will be ignored. If the list of hash policies is empty after
- validation, the load balancing strategy will fall back to the
- default `RoundRobin`.
- items:
- description: RequestHashPolicy contains configuration for an
- individual hash policy on a request attribute.
- properties:
- hashSourceIP:
- description: HashSourceIP should be set to true when request
- source IP hash based load balancing is desired. It must
- be the only hash option field set, otherwise this request
- hash policy object will be ignored.
- type: boolean
- headerHashOptions:
- description: HeaderHashOptions should be set when request
- header hash based load balancing is desired. It must be
- the only hash option field set, otherwise this request
- hash policy object will be ignored.
- properties:
- headerName:
- description: HeaderName is the name of the HTTP request
- header that will be used to calculate the hash key.
- If the header specified is not present on a request,
- no hash will be produced.
- minLength: 1
- type: string
- type: object
- queryParameterHashOptions:
- description: QueryParameterHashOptions should be set when
- request query parameter hash based load balancing is desired.
- It must be the only hash option field set, otherwise this
- request hash policy object will be ignored.
- properties:
- parameterName:
- description: ParameterName is the name of the HTTP request
- query parameter that will be used to calculate the
- hash key. If the query parameter specified is not
- present on a request, no hash will be produced.
- minLength: 1
- type: string
- type: object
- terminal:
- description: Terminal is a flag that allows for short-circuiting
- computing of a hash for a given request. If set to true,
- and the request attribute specified in the attribute hash
- options is present, no further hash policies will be used
- to calculate a hash for the request.
- type: boolean
- type: object
- type: array
- strategy:
- description: Strategy specifies the policy used to balance requests
- across the pool of backend pods. Valid policy names are `Random`,
- `RoundRobin`, `WeightedLeastRequest`, `Cookie`, and `RequestHash`.
- If an unknown strategy name is specified or no policy is supplied,
- the default `RoundRobin` policy is used.
- type: string
- type: object
- protocol:
- description: Protocol may be used to specify (or override) the protocol
- used to reach this Service. Values may be h2 or h2c. If omitted,
- protocol-selection falls back on Service annotations.
- enum:
- - h2
- - h2c
- type: string
- protocolVersion:
- description: This field sets the version of the GRPC protocol that
- Envoy uses to send requests to the extension service. Since Contour
- always uses the v3 Envoy API, this is currently fixed at "v3". However,
- other protocol options will be available in future.
- enum:
- - v3
- type: string
- services:
- description: Services specifies the set of Kubernetes Service resources
- that receive GRPC extension API requests. If no weights are specified
- for any of the entries in this array, traffic will be spread evenly
- across all the services. Otherwise, traffic is balanced proportionally
- to the Weight field in each entry.
- items:
- description: ExtensionServiceTarget defines an Kubernetes Service
- to target with extension service traffic.
- properties:
- name:
- description: Name is the name of Kubernetes service that will
- accept service traffic.
- type: string
- port:
- description: Port (defined as Integer) to proxy traffic to since
- a service can have multiple defined.
- exclusiveMaximum: true
- maximum: 65536
- minimum: 1
- type: integer
- weight:
- description: Weight defines proportion of traffic to balance
- to the Kubernetes Service.
- format: int32
- type: integer
- required:
- - name
- - port
- type: object
- minItems: 1
- type: array
- timeoutPolicy:
- description: The timeout policy for requests to the services.
- properties:
- idle:
- description: Timeout for how long the proxy should wait while
- there is no activity during single request/response (for HTTP/1.1)
- or stream (for HTTP/2). Timeout will not trigger while HTTP/1.1
- connection is idle between two consecutive requests. If not
- specified, there is no per-route idle timeout, though a connection
- manager-wide stream_idle_timeout default of 5m still applies.
- pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
- type: string
- idleConnection:
- description: Timeout for how long connection from the proxy to
- the upstream service is kept when there are no active requests.
- If not supplied, Envoy's default value of 1h applies.
- pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
- type: string
- response:
- description: Timeout for receiving a response from the server
- after processing a request from client. If not supplied, Envoy's
- default value of 15s applies.
- pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
- type: string
- type: object
- validation:
- description: UpstreamValidation defines how to verify the backend
- service's certificate
- properties:
- caSecret:
- description: Name or namespaced name of the Kubernetes secret
- used to validate the certificate presented by the backend. The
- secret must contain key named ca.crt.
- type: string
- subjectName:
- description: Key which is expected to be present in the 'subjectAltName'
- of the presented certificate.
- type: string
- required:
- - caSecret
- - subjectName
- type: object
- required:
- - services
- type: object
- status:
- description: ExtensionServiceStatus defines the observed state of an ExtensionService
- resource.
- properties:
- conditions:
- description: "Conditions contains the current status of the ExtensionService
- resource. \n Contour will update a single condition, `Valid`, that
- is in normal-true polarity. \n Contour will not modify any other
- Conditions set in this block, in case some other controller wants
- to add a Condition."
- items:
- description: "DetailedCondition is an extension of the normal Kubernetes
- conditions, with two extra fields to hold sub-conditions, which
- provide more detailed reasons for the state (True or False) of
- the condition. \n `errors` holds information about sub-conditions
- which are fatal to that condition and render its state False.
- \n `warnings` holds information about sub-conditions which are
- not fatal to that condition and do not force the state to be False.
- \n Remember that Conditions have a type, a status, and a reason.
- \n The type is the type of the condition, the most important one
- in this CRD set is `Valid`. `Valid` is a positive-polarity condition:
- when it is `status: true` there are no problems. \n In more detail,
- `status: true` means that the object is has been ingested into
- Contour with no errors. `warnings` may still be present, and will
- be indicated in the Reason field. There must be zero entries in
- the `errors` slice in this case. \n `Valid`, `status: false` means
- that the object has had one or more fatal errors during processing
- into Contour. The details of the errors will be present under
- the `errors` field. There must be at least one error in the `errors`
- slice if `status` is `false`. \n For DetailedConditions of types
- other than `Valid`, the Condition must be in the negative polarity.
- When they have `status` `true`, there is an error. There must
- be at least one entry in the `errors` Subcondition slice. When
- they have `status` `false`, there are no serious errors, and there
- must be zero entries in the `errors` slice. In either case, there
- may be entries in the `warnings` slice. \n Regardless of the polarity,
- the `reason` and `message` fields must be updated with either
- the detail of the reason (if there is one and only one entry in
- total across both the `errors` and `warnings` slices), or `MultipleReasons`
- if there is more than one entry."
- properties:
- errors:
- description: "Errors contains a slice of relevant error subconditions
- for this object. \n Subconditions are expected to appear when
- relevant (when there is a error), and disappear when not relevant.
- An empty slice here indicates no errors."
- items:
- description: "SubCondition is a Condition-like type intended
- for use as a subcondition inside a DetailedCondition. \n
- It contains a subset of the Condition fields. \n It is intended
- for warnings and errors, so `type` names should use abnormal-true
- polarity, that is, they should be of the form \"ErrorPresent:
- true\". \n The expected lifecycle for these errors is that
- they should only be present when the error or warning is,
- and should be removed when they are not relevant."
- properties:
- message:
- description: "Message is a human readable message indicating
- details about the transition. \n This may be an empty
- string."
- maxLength: 32768
- type: string
- reason:
- description: "Reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. \n The value
- should be a CamelCase string. \n This field may not
- be empty."
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: Status of the condition, one of True, False,
- Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
- \n This must be in abnormal-true polarity, that is,
- `ErrorFound` or `controller.io/ErrorFound`. \n The regex
- it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)"
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - message
- - reason
- - status
- - type
- type: object
- type: array
- lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- warnings:
- description: "Warnings contains a slice of relevant warning
- subconditions for this object. \n Subconditions are expected
- to appear when relevant (when there is a warning), and disappear
- when not relevant. An empty slice here indicates no warnings."
- items:
- description: "SubCondition is a Condition-like type intended
- for use as a subcondition inside a DetailedCondition. \n
- It contains a subset of the Condition fields. \n It is intended
- for warnings and errors, so `type` names should use abnormal-true
- polarity, that is, they should be of the form \"ErrorPresent:
- true\". \n The expected lifecycle for these errors is that
- they should only be present when the error or warning is,
- and should be removed when they are not relevant."
- properties:
- message:
- description: "Message is a human readable message indicating
- details about the transition. \n This may be an empty
- string."
- maxLength: 32768
- type: string
- reason:
- description: "Reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. \n The value
- should be a CamelCase string. \n This field may not
- be empty."
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: Status of the condition, one of True, False,
- Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
- \n This must be in abnormal-true polarity, that is,
- `ErrorFound` or `controller.io/ErrorFound`. \n The regex
- it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)"
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - message
- - reason
- - status
- - type
- type: object
- type: array
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
diff --git a/charts/contour/contour/charts/contour/resources/httpproxies.yaml b/charts/contour/contour/charts/contour/resources/httpproxies.yaml
deleted file mode 100644
index 0acd0fd8c..000000000
--- a/charts/contour/contour/charts/contour/resources/httpproxies.yaml
+++ /dev/null
@@ -1,2619 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.11.4
- name: httpproxies.projectcontour.io
-spec:
- preserveUnknownFields: false
- group: projectcontour.io
- names:
- kind: HTTPProxy
- listKind: HTTPProxyList
- plural: httpproxies
- shortNames:
- - proxy
- - proxies
- singular: httpproxy
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: Fully qualified domain name
- jsonPath: .spec.virtualhost.fqdn
- name: FQDN
- type: string
- - description: Secret with TLS credentials
- jsonPath: .spec.virtualhost.tls.secretName
- name: TLS Secret
- type: string
- - description: The current status of the HTTPProxy
- jsonPath: .status.currentStatus
- name: Status
- type: string
- - description: Description of the current status
- jsonPath: .status.description
- name: Status Description
- type: string
- name: v1
- schema:
- openAPIV3Schema:
- description: HTTPProxy is an Ingress CRD specification.
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: HTTPProxySpec defines the spec of the CRD.
- properties:
- includes:
- description: Includes allow for specific routing configuration to
- be included from another HTTPProxy, possibly in another namespace.
- items:
- description: Include describes a set of policies that can be applied
- to an HTTPProxy in a namespace.
- properties:
- conditions:
- description: 'Conditions are a set of rules that are applied
- to included HTTPProxies. In effect, they are added onto the
- Conditions of included HTTPProxy Route structs. When applied,
- they are merged using AND, with one exception: There can be
- only one Prefix MatchCondition per Conditions slice. More
- than one Prefix, or contradictory Conditions, will make the
- include invalid.'
- items:
- description: MatchCondition are a general holder for matching
- rules for HTTPProxies. One of Prefix, Exact, Header or QueryParameter
- must be provided.
- properties:
- exact:
- description: Exact defines a exact match for a request.
- This field is not allowed in include match conditions.
- type: string
- header:
- description: Header specifies the header condition to
- match.
- properties:
- contains:
- description: Contains specifies a substring that must
- be present in the header value.
- type: string
- exact:
- description: Exact specifies a string that the header
- value must be equal to.
- type: string
- name:
- description: Name is the name of the header to match
- against. Name is required. Header names are case
- insensitive.
- type: string
- notcontains:
- description: NotContains specifies a substring that
- must not be present in the header value.
- type: string
- notexact:
- description: NoExact specifies a string that the header
- value must not be equal to. The condition is true
- if the header has any other value.
- type: string
- notpresent:
- description: NotPresent specifies that condition is
- true when the named header is not present. Note
- that setting NotPresent to false does not make the
- condition true if the named header is present.
- type: boolean
- present:
- description: Present specifies that condition is true
- when the named header is present, regardless of
- its value. Note that setting Present to false does
- not make the condition true if the named header
- is absent.
- type: boolean
- required:
- - name
- type: object
- prefix:
- description: Prefix defines a prefix match for a request.
- type: string
- queryParameter:
- description: QueryParameter specifies the query parameter
- condition to match.
- properties:
- contains:
- description: Contains specifies a substring that must
- be present in the query parameter value.
- type: string
- exact:
- description: Exact specifies a string that the query
- parameter value must be equal to.
- type: string
- ignoreCase:
- description: IgnoreCase specifies that string matching
- should be case insensitive. Note that this has no
- effect on the Regex parameter.
- type: boolean
- name:
- description: Name is the name of the query parameter
- to match against. Name is required. Query parameter
- names are case insensitive.
- type: string
- prefix:
- description: Prefix defines a prefix match for the
- query parameter value.
- type: string
- present:
- description: Present specifies that condition is true
- when the named query parameter is present, regardless
- of its value. Note that setting Present to false
- does not make the condition true if the named query
- parameter is absent.
- type: boolean
- regex:
- description: Regex specifies a regular expression
- pattern that must match the query parameter value.
- type: string
- suffix:
- description: Suffix defines a suffix match for a query
- parameter value.
- type: string
- required:
- - name
- type: object
- type: object
- type: array
- name:
- description: Name of the HTTPProxy
- type: string
- namespace:
- description: Namespace of the HTTPProxy to include. Defaults
- to the current namespace if not supplied.
- type: string
- required:
- - name
- type: object
- type: array
- ingressClassName:
- description: IngressClassName optionally specifies the ingress class
- to use for this HTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class`
- annotation. For backwards compatibility, when that annotation is
- set, it is given precedence over this field.
- type: string
- routes:
- description: Routes are the ingress routes. If TCPProxy is present,
- Routes is ignored.
- items:
- description: Route contains the set of routes for a virtual host.
- properties:
- authPolicy:
- description: AuthPolicy updates the authorization policy that
- was set on the root HTTPProxy object for client requests that
- match this route.
- properties:
- context:
- additionalProperties:
- type: string
- description: Context is a set of key/value pairs that are
- sent to the authentication server in the check request.
- If a context is provided at an enclosing scope, the entries
- are merged such that the inner scope overrides matching
- keys from the outer scope.
- type: object
- disabled:
- description: When true, this field disables client request
- authentication for the scope of the policy.
- type: boolean
- type: object
- conditions:
- description: 'Conditions are a set of rules that are applied
- to a Route. When applied, they are merged using AND, with
- one exception: There can be only one Prefix MatchCondition
- per Conditions slice. More than one Prefix, or contradictory
- Conditions, will make the route invalid.'
- items:
- description: MatchCondition are a general holder for matching
- rules for HTTPProxies. One of Prefix, Exact, Header or QueryParameter
- must be provided.
- properties:
- exact:
- description: Exact defines a exact match for a request.
- This field is not allowed in include match conditions.
- type: string
- header:
- description: Header specifies the header condition to
- match.
- properties:
- contains:
- description: Contains specifies a substring that must
- be present in the header value.
- type: string
- exact:
- description: Exact specifies a string that the header
- value must be equal to.
- type: string
- name:
- description: Name is the name of the header to match
- against. Name is required. Header names are case
- insensitive.
- type: string
- notcontains:
- description: NotContains specifies a substring that
- must not be present in the header value.
- type: string
- notexact:
- description: NoExact specifies a string that the header
- value must not be equal to. The condition is true
- if the header has any other value.
- type: string
- notpresent:
- description: NotPresent specifies that condition is
- true when the named header is not present. Note
- that setting NotPresent to false does not make the
- condition true if the named header is present.
- type: boolean
- present:
- description: Present specifies that condition is true
- when the named header is present, regardless of
- its value. Note that setting Present to false does
- not make the condition true if the named header
- is absent.
- type: boolean
- required:
- - name
- type: object
- prefix:
- description: Prefix defines a prefix match for a request.
- type: string
- queryParameter:
- description: QueryParameter specifies the query parameter
- condition to match.
- properties:
- contains:
- description: Contains specifies a substring that must
- be present in the query parameter value.
- type: string
- exact:
- description: Exact specifies a string that the query
- parameter value must be equal to.
- type: string
- ignoreCase:
- description: IgnoreCase specifies that string matching
- should be case insensitive. Note that this has no
- effect on the Regex parameter.
- type: boolean
- name:
- description: Name is the name of the query parameter
- to match against. Name is required. Query parameter
- names are case insensitive.
- type: string
- prefix:
- description: Prefix defines a prefix match for the
- query parameter value.
- type: string
- present:
- description: Present specifies that condition is true
- when the named query parameter is present, regardless
- of its value. Note that setting Present to false
- does not make the condition true if the named query
- parameter is absent.
- type: boolean
- regex:
- description: Regex specifies a regular expression
- pattern that must match the query parameter value.
- type: string
- suffix:
- description: Suffix defines a suffix match for a query
- parameter value.
- type: string
- required:
- - name
- type: object
- type: object
- type: array
- cookieRewritePolicies:
- description: The policies for rewriting Set-Cookie header attributes.
- Note that rewritten cookie names must be unique in this list.
- Order rewrite policies are specified in does not matter.
- items:
- properties:
- domainRewrite:
- description: DomainRewrite enables rewriting the Set-Cookie
- Domain element. If not set, Domain will not be rewritten.
- properties:
- value:
- description: Value is the value to rewrite the Domain
- attribute to. For now this is required.
- maxLength: 4096
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - value
- type: object
- name:
- description: Name is the name of the cookie for which
- attributes will be rewritten.
- maxLength: 4096
- minLength: 1
- pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
- type: string
- pathRewrite:
- description: PathRewrite enables rewriting the Set-Cookie
- Path element. If not set, Path will not be rewritten.
- properties:
- value:
- description: Value is the value to rewrite the Path
- attribute to. For now this is required.
- maxLength: 4096
- minLength: 1
- pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
- type: string
- required:
- - value
- type: object
- sameSite:
- description: SameSite enables rewriting the Set-Cookie
- SameSite element. If not set, SameSite attribute will
- not be rewritten.
- enum:
- - Strict
- - Lax
- - None
- type: string
- secure:
- description: Secure enables rewriting the Set-Cookie Secure
- element. If not set, Secure attribute will not be rewritten.
- type: boolean
- required:
- - name
- type: object
- type: array
- directResponsePolicy:
- description: DirectResponsePolicy returns an arbitrary HTTP
- response directly.
- properties:
- body:
- description: "Body is the content of the response body.
- If this setting is omitted, no body is included in the
- generated response. \n Note: Body is not recommended to
- set too long otherwise it can have significant resource
- usage impacts."
- type: string
- statusCode:
- description: StatusCode is the HTTP response status to be
- returned.
- maximum: 599
- minimum: 200
- type: integer
- required:
- - statusCode
- type: object
- enableWebsockets:
- description: Enables websocket support for the route.
- type: boolean
- healthCheckPolicy:
- description: The health check policy for this route.
- properties:
- healthyThresholdCount:
- description: The number of healthy health checks required
- before a host is marked healthy
- format: int64
- minimum: 0
- type: integer
- host:
- description: The value of the host header in the HTTP health
- check request. If left empty (default value), the name
- "contour-envoy-healthcheck" will be used.
- type: string
- intervalSeconds:
- description: The interval (seconds) between health checks
- format: int64
- type: integer
- path:
- description: HTTP endpoint used to perform health checks
- on upstream service
- type: string
- timeoutSeconds:
- description: The time to wait (seconds) for a health check
- response
- format: int64
- type: integer
- unhealthyThresholdCount:
- description: The number of unhealthy health checks required
- before a host is marked unhealthy
- format: int64
- minimum: 0
- type: integer
- required:
- - path
- type: object
- internalRedirectPolicy:
- description: The policy to define when to handle redirects responses
- internally.
- properties:
- allowCrossSchemeRedirect:
- default: Never
- description: AllowCrossSchemeRedirect Allow internal redirect
- to follow a target URI with a different scheme than the
- value of x-forwarded-proto. SafeOnly allows same scheme
- redirect and safe cross scheme redirect, which means if
- the downstream scheme is HTTPS, both HTTPS and HTTP redirect
- targets are allowed, but if the downstream scheme is HTTP,
- only HTTP redirect targets are allowed.
- enum:
- - Always
- - Never
- - SafeOnly
- type: string
- denyRepeatedRouteRedirect:
- description: If DenyRepeatedRouteRedirect is true, rejects
- redirect targets that are pointing to a route that has
- been followed by a previous redirect from the current
- route.
- type: boolean
- maxInternalRedirects:
- description: MaxInternalRedirects An internal redirect is
- not handled, unless the number of previous internal redirects
- that a downstream request has encountered is lower than
- this value.
- format: int32
- type: integer
- redirectResponseCodes:
- description: RedirectResponseCodes If unspecified, only
- 302 will be treated as internal redirect. Only 301, 302,
- 303, 307 and 308 are valid values.
- items:
- description: RedirectResponseCode is a uint32 type alias
- with validation to ensure that the value is valid.
- enum:
- - 301
- - 302
- - 303
- - 307
- - 308
- format: int32
- type: integer
- type: array
- type: object
- ipAllowPolicy:
- description: IPAllowFilterPolicy is a list of ipv4/6 filter
- rules for which matching requests should be allowed. All other
- requests will be denied. Only one of IPAllowFilterPolicy and
- IPDenyFilterPolicy can be defined. The rules defined here
- override any rules set on the root HTTPProxy.
- items:
- properties:
- cidr:
- description: CIDR is a CIDR block of ipv4 or ipv6 addresses
- to filter on. This can also be a bare IP address (without
- a mask) to filter on exactly one address.
- type: string
- source:
- description: 'Source indicates how to determine the ip
- address to filter on, and can be one of two values:
- - `Remote` filters on the ip address of the client,
- accounting for PROXY and X-Forwarded-For as needed.
- - `Peer` filters on the ip of the network request, ignoring
- PROXY and X-Forwarded-For.'
- enum:
- - Peer
- - Remote
- type: string
- required:
- - cidr
- - source
- type: object
- type: array
- ipDenyPolicy:
- description: IPDenyFilterPolicy is a list of ipv4/6 filter rules
- for which matching requests should be denied. All other requests
- will be allowed. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy
- can be defined. The rules defined here override any rules
- set on the root HTTPProxy.
- items:
- properties:
- cidr:
- description: CIDR is a CIDR block of ipv4 or ipv6 addresses
- to filter on. This can also be a bare IP address (without
- a mask) to filter on exactly one address.
- type: string
- source:
- description: 'Source indicates how to determine the ip
- address to filter on, and can be one of two values:
- - `Remote` filters on the ip address of the client,
- accounting for PROXY and X-Forwarded-For as needed.
- - `Peer` filters on the ip of the network request, ignoring
- PROXY and X-Forwarded-For.'
- enum:
- - Peer
- - Remote
- type: string
- required:
- - cidr
- - source
- type: object
- type: array
- jwtVerificationPolicy:
- description: The policy for verifying JWTs for requests to this
- route.
- properties:
- disabled:
- description: Disabled defines whether to disable all JWT
- verification for this route. This can be used to opt specific
- routes out of the default JWT provider for the HTTPProxy.
- At most one of this field or the "require" field can be
- specified.
- type: boolean
- require:
- description: Require names a specific JWT provider (defined
- in the virtual host) to require for the route. If specified,
- this field overrides the default provider if one exists.
- If this field is not specified, the default provider will
- be required if one exists. At most one of this field or
- the "disabled" field can be specified.
- type: string
- type: object
- loadBalancerPolicy:
- description: The load balancing policy for this route.
- properties:
- requestHashPolicies:
- description: RequestHashPolicies contains a list of hash
- policies to apply when the `RequestHash` load balancing
- strategy is chosen. If an element of the supplied list
- of hash policies is invalid, it will be ignored. If the
- list of hash policies is empty after validation, the load
- balancing strategy will fall back to the default `RoundRobin`.
- items:
- description: RequestHashPolicy contains configuration
- for an individual hash policy on a request attribute.
- properties:
- hashSourceIP:
- description: HashSourceIP should be set to true when
- request source IP hash based load balancing is desired.
- It must be the only hash option field set, otherwise
- this request hash policy object will be ignored.
- type: boolean
- headerHashOptions:
- description: HeaderHashOptions should be set when
- request header hash based load balancing is desired.
- It must be the only hash option field set, otherwise
- this request hash policy object will be ignored.
- properties:
- headerName:
- description: HeaderName is the name of the HTTP
- request header that will be used to calculate
- the hash key. If the header specified is not
- present on a request, no hash will be produced.
- minLength: 1
- type: string
- type: object
- queryParameterHashOptions:
- description: QueryParameterHashOptions should be set
- when request query parameter hash based load balancing
- is desired. It must be the only hash option field
- set, otherwise this request hash policy object will
- be ignored.
- properties:
- parameterName:
- description: ParameterName is the name of the
- HTTP request query parameter that will be used
- to calculate the hash key. If the query parameter
- specified is not present on a request, no hash
- will be produced.
- minLength: 1
- type: string
- type: object
- terminal:
- description: Terminal is a flag that allows for short-circuiting
- computing of a hash for a given request. If set
- to true, and the request attribute specified in
- the attribute hash options is present, no further
- hash policies will be used to calculate a hash for
- the request.
- type: boolean
- type: object
- type: array
- strategy:
- description: Strategy specifies the policy used to balance
- requests across the pool of backend pods. Valid policy
- names are `Random`, `RoundRobin`, `WeightedLeastRequest`,
- `Cookie`, and `RequestHash`. If an unknown strategy name
- is specified or no policy is supplied, the default `RoundRobin`
- policy is used.
- type: string
- type: object
- pathRewritePolicy:
- description: The policy for rewriting the path of the request
- URL after the request has been routed to a Service.
- properties:
- replacePrefix:
- description: ReplacePrefix describes how the path prefix
- should be replaced.
- items:
- description: ReplacePrefix describes a path prefix replacement.
- properties:
- prefix:
- description: "Prefix specifies the URL path prefix
- to be replaced. \n If Prefix is specified, it must
- exactly match the MatchCondition prefix that is
- rendered by the chain of including HTTPProxies and
- only that path prefix will be replaced by Replacement.
- This allows HTTPProxies that are included through
- multiple roots to only replace specific path prefixes,
- leaving others unmodified. \n If Prefix is not specified,
- all routing prefixes rendered by the include chain
- will be replaced."
- minLength: 1
- type: string
- replacement:
- description: Replacement is the string that the routing
- path prefix will be replaced with. This must not
- be empty.
- minLength: 1
- type: string
- required:
- - replacement
- type: object
- type: array
- type: object
- permitInsecure:
- description: Allow this path to respond to insecure requests
- over HTTP which are normally not permitted when a `virtualhost.tls`
- block is present.
- type: boolean
- rateLimitPolicy:
- description: The policy for rate limiting on the route.
- properties:
- global:
- description: Global defines global rate limiting parameters,
- i.e. parameters defining descriptors that are sent to
- an external rate limit service (RLS) for a rate limit
- decision on each request.
- properties:
- descriptors:
- description: Descriptors defines the list of descriptors
- that will be generated and sent to the rate limit
- service. Each descriptor contains 1+ key-value pair
- entries.
- items:
- description: RateLimitDescriptor defines a list of
- key-value pair generators.
- properties:
- entries:
- description: Entries is the list of key-value
- pair generators.
- items:
- description: RateLimitDescriptorEntry is a key-value
- pair generator. Exactly one field on this
- struct must be non-nil.
- properties:
- genericKey:
- description: GenericKey defines a descriptor
- entry with a static key and value.
- properties:
- key:
- description: Key defines the key of
- the descriptor entry. If not set,
- the key is set to "generic_key".
- type: string
- value:
- description: Value defines the value
- of the descriptor entry.
- minLength: 1
- type: string
- type: object
- remoteAddress:
- description: RemoteAddress defines a descriptor
- entry with a key of "remote_address" and
- a value equal to the client's IP address
- (from x-forwarded-for).
- type: object
- requestHeader:
- description: RequestHeader defines a descriptor
- entry that's populated only if a given
- header is present on the request. The
- descriptor key is static, and the descriptor
- value is equal to the value of the header.
- properties:
- descriptorKey:
- description: DescriptorKey defines the
- key to use on the descriptor entry.
- minLength: 1
- type: string
- headerName:
- description: HeaderName defines the
- name of the header to look for on
- the request.
- minLength: 1
- type: string
- type: object
- requestHeaderValueMatch:
- description: RequestHeaderValueMatch defines
- a descriptor entry that's populated if
- the request's headers match a set of 1+
- match criteria. The descriptor key is
- "header_match", and the descriptor value
- is static.
- properties:
- expectMatch:
- default: true
- description: ExpectMatch defines whether
- the request must positively match
- the match criteria in order to generate
- a descriptor entry (i.e. true), or
- not match the match criteria in order
- to generate a descriptor entry (i.e.
- false). The default is true.
- type: boolean
- headers:
- description: Headers is a list of 1+
- match criteria to apply against the
- request to determine whether to populate
- the descriptor entry or not.
- items:
- description: HeaderMatchCondition
- specifies how to conditionally match
- against HTTP headers. The Name field
- is required, but only one of the
- remaining fields should be be provided.
- properties:
- contains:
- description: Contains specifies
- a substring that must be present
- in the header value.
- type: string
- exact:
- description: Exact specifies a
- string that the header value
- must be equal to.
- type: string
- name:
- description: Name is the name
- of the header to match against.
- Name is required. Header names
- are case insensitive.
- type: string
- notcontains:
- description: NotContains specifies
- a substring that must not be
- present in the header value.
- type: string
- notexact:
- description: NoExact specifies
- a string that the header value
- must not be equal to. The condition
- is true if the header has any
- other value.
- type: string
- notpresent:
- description: NotPresent specifies
- that condition is true when
- the named header is not present.
- Note that setting NotPresent
- to false does not make the condition
- true if the named header is
- present.
- type: boolean
- present:
- description: Present specifies
- that condition is true when
- the named header is present,
- regardless of its value. Note
- that setting Present to false
- does not make the condition
- true if the named header is
- absent.
- type: boolean
- required:
- - name
- type: object
- minItems: 1
- type: array
- value:
- description: Value defines the value
- of the descriptor entry.
- minLength: 1
- type: string
- type: object
- type: object
- minItems: 1
- type: array
- type: object
- minItems: 1
- type: array
- type: object
- local:
- description: Local defines local rate limiting parameters,
- i.e. parameters for rate limiting that occurs within each
- Envoy pod as requests are handled.
- properties:
- burst:
- description: Burst defines the number of requests above
- the requests per unit that should be allowed within
- a short period of time.
- format: int32
- type: integer
- requests:
- description: Requests defines how many requests per
- unit of time should be allowed before rate limiting
- occurs.
- format: int32
- minimum: 1
- type: integer
- responseHeadersToAdd:
- description: ResponseHeadersToAdd is an optional list
- of response headers to set when a request is rate-limited.
- items:
- description: HeaderValue represents a header name/value
- pair
- properties:
- name:
- description: Name represents a key of a header
- minLength: 1
- type: string
- value:
- description: Value represents the value of a header
- specified by a key
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- type: array
- responseStatusCode:
- description: ResponseStatusCode is the HTTP status code
- to use for responses to rate-limited requests. Codes
- must be in the 400-599 range (inclusive). If not specified,
- the Envoy default of 429 (Too Many Requests) is used.
- format: int32
- maximum: 599
- minimum: 400
- type: integer
- unit:
- description: Unit defines the period of time within
- which requests over the limit will be rate limited.
- Valid values are "second", "minute" and "hour".
- enum:
- - second
- - minute
- - hour
- type: string
- required:
- - requests
- - unit
- type: object
- type: object
- requestHeadersPolicy:
- description: The policy for managing request headers during
- proxying.
- properties:
- remove:
- description: Remove specifies a list of HTTP header names
- to remove.
- items:
- type: string
- type: array
- set:
- description: Set specifies a list of HTTP header values
- that will be set in the HTTP header. If the header does
- not exist it will be added, otherwise it will be overwritten
- with the new value.
- items:
- description: HeaderValue represents a header name/value
- pair
- properties:
- name:
- description: Name represents a key of a header
- minLength: 1
- type: string
- value:
- description: Value represents the value of a header
- specified by a key
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- type: array
- type: object
- requestRedirectPolicy:
- description: RequestRedirectPolicy defines an HTTP redirection.
- properties:
- hostname:
- description: Hostname is the precise hostname to be used
- in the value of the `Location` header in the response.
- When empty, the hostname of the request is used. No wildcards
- are allowed.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- path:
- description: "Path allows for redirection to a different
- path from the original on the request. The path must start
- with a leading slash. \n Note: Only one of Path or Prefix
- can be defined."
- pattern: ^\/.*$
- type: string
- port:
- description: Port is the port to be used in the value of
- the `Location` header in the response. When empty, port
- (if specified) of the request is used.
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- prefix:
- description: "Prefix defines the value to swap the matched
- prefix or path with. The prefix must start with a leading
- slash. \n Note: Only one of Path or Prefix can be defined."
- pattern: ^\/.*$
- type: string
- scheme:
- description: Scheme is the scheme to be used in the value
- of the `Location` header in the response. When empty,
- the scheme of the request is used.
- enum:
- - http
- - https
- type: string
- statusCode:
- default: 302
- description: StatusCode is the HTTP status code to be used
- in response.
- enum:
- - 301
- - 302
- type: integer
- type: object
- responseHeadersPolicy:
- description: The policy for managing response headers during
- proxying. Rewriting the 'Host' header is not supported.
- properties:
- remove:
- description: Remove specifies a list of HTTP header names
- to remove.
- items:
- type: string
- type: array
- set:
- description: Set specifies a list of HTTP header values
- that will be set in the HTTP header. If the header does
- not exist it will be added, otherwise it will be overwritten
- with the new value.
- items:
- description: HeaderValue represents a header name/value
- pair
- properties:
- name:
- description: Name represents a key of a header
- minLength: 1
- type: string
- value:
- description: Value represents the value of a header
- specified by a key
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- type: array
- type: object
- retryPolicy:
- description: The retry policy for this route.
- properties:
- count:
- default: 1
- description: NumRetries is maximum allowed number of retries.
- If set to -1, then retries are disabled. If set to 0 or
- not supplied, the value is set to the Envoy default of
- 1.
- format: int64
- minimum: -1
- type: integer
- perTryTimeout:
- description: PerTryTimeout specifies the timeout per retry
- attempt. Ignored if NumRetries is not supplied.
- pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
- type: string
- retriableStatusCodes:
- description: "RetriableStatusCodes specifies the HTTP status
- codes that should be retried. \n This field is only respected
- when you include `retriable-status-codes` in the `RetryOn`
- field."
- items:
- format: int32
- type: integer
- type: array
- retryOn:
- description: "RetryOn specifies the conditions on which
- to retry a request. \n Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on):
- \n - `5xx` - `gateway-error` - `reset` - `connect-failure`
- - `retriable-4xx` - `refused-stream` - `retriable-status-codes`
- - `retriable-headers` \n Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on):
- \n - `cancelled` - `deadline-exceeded` - `internal` -
- `resource-exhausted` - `unavailable`"
- items:
- description: RetryOn is a string type alias with validation
- to ensure that the value is valid.
- enum:
- - 5xx
- - gateway-error
- - reset
- - connect-failure
- - retriable-4xx
- - refused-stream
- - retriable-status-codes
- - retriable-headers
- - cancelled
- - deadline-exceeded
- - internal
- - resource-exhausted
- - unavailable
- type: string
- type: array
- type: object
- services:
- description: Services are the services to proxy traffic.
- items:
- description: Service defines an Kubernetes Service to proxy
- traffic.
- properties:
- cookieRewritePolicies:
- description: The policies for rewriting Set-Cookie header
- attributes.
- items:
- properties:
- domainRewrite:
- description: DomainRewrite enables rewriting the
- Set-Cookie Domain element. If not set, Domain
- will not be rewritten.
- properties:
- value:
- description: Value is the value to rewrite the
- Domain attribute to. For now this is required.
- maxLength: 4096
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - value
- type: object
- name:
- description: Name is the name of the cookie for
- which attributes will be rewritten.
- maxLength: 4096
- minLength: 1
- pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
- type: string
- pathRewrite:
- description: PathRewrite enables rewriting the Set-Cookie
- Path element. If not set, Path will not be rewritten.
- properties:
- value:
- description: Value is the value to rewrite the
- Path attribute to. For now this is required.
- maxLength: 4096
- minLength: 1
- pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
- type: string
- required:
- - value
- type: object
- sameSite:
- description: SameSite enables rewriting the Set-Cookie
- SameSite element. If not set, SameSite attribute
- will not be rewritten.
- enum:
- - Strict
- - Lax
- - None
- type: string
- secure:
- description: Secure enables rewriting the Set-Cookie
- Secure element. If not set, Secure attribute will
- not be rewritten.
- type: boolean
- required:
- - name
- type: object
- type: array
- healthPort:
- description: HealthPort is the port for this service healthcheck.
- If not specified, Port is used for service healthchecks.
- maximum: 65535
- minimum: 1
- type: integer
- mirror:
- description: If Mirror is true the Service will receive
- a read only mirror of the traffic for this route.
- type: boolean
- name:
- description: Name is the name of Kubernetes service to
- proxy traffic. Names defined here will be used to look
- up corresponding endpoints which contain the ips to
- route.
- type: string
- port:
- description: Port (defined as Integer) to proxy traffic
- to since a service can have multiple defined.
- exclusiveMaximum: true
- maximum: 65536
- minimum: 1
- type: integer
- protocol:
- description: Protocol may be used to specify (or override)
- the protocol used to reach this Service. Values may
- be tls, h2, h2c. If omitted, protocol-selection falls
- back on Service annotations.
- enum:
- - h2
- - h2c
- - tls
- type: string
- requestHeadersPolicy:
- description: The policy for managing request headers during
- proxying.
- properties:
- remove:
- description: Remove specifies a list of HTTP header
- names to remove.
- items:
- type: string
- type: array
- set:
- description: Set specifies a list of HTTP header values
- that will be set in the HTTP header. If the header
- does not exist it will be added, otherwise it will
- be overwritten with the new value.
- items:
- description: HeaderValue represents a header name/value
- pair
- properties:
- name:
- description: Name represents a key of a header
- minLength: 1
- type: string
- value:
- description: Value represents the value of a
- header specified by a key
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- type: array
- type: object
- responseHeadersPolicy:
- description: The policy for managing response headers
- during proxying. Rewriting the 'Host' header is not
- supported.
- properties:
- remove:
- description: Remove specifies a list of HTTP header
- names to remove.
- items:
- type: string
- type: array
- set:
- description: Set specifies a list of HTTP header values
- that will be set in the HTTP header. If the header
- does not exist it will be added, otherwise it will
- be overwritten with the new value.
- items:
- description: HeaderValue represents a header name/value
- pair
- properties:
- name:
- description: Name represents a key of a header
- minLength: 1
- type: string
- value:
- description: Value represents the value of a
- header specified by a key
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- type: array
- type: object
- slowStartPolicy:
- description: Slow start will gradually increase amount
- of traffic to a newly added endpoint.
- properties:
- aggression:
- default: "1.0"
- description: "The speed of traffic increase over the
- slow start window. Defaults to 1.0, so that endpoint
- would get linearly increasing amount of traffic.
- When increasing the value for this parameter, the
- speed of traffic ramp-up increases non-linearly.
- The value of aggression parameter should be greater
- than 0.0. \n More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start"
- pattern: ^([0-9]+([.][0-9]+)?|[.][0-9]+)$
- type: string
- minWeightPercent:
- default: 10
- description: The minimum or starting percentage of
- traffic to send to new endpoints. A non-zero value
- helps avoid a too small initial weight, which may
- cause endpoints in slow start mode to receive no
- traffic in the beginning of the slow start window.
- If not specified, the default is 10%.
- format: int32
- maximum: 100
- minimum: 0
- type: integer
- window:
- description: The duration of slow start window. Duration
- is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
- Valid time units are "ns", "us" (or "µs"), "ms",
- "s", "m", "h".
- pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$
- type: string
- required:
- - window
- type: object
- validation:
- description: UpstreamValidation defines how to verify
- the backend service's certificate
- properties:
- caSecret:
- description: Name or namespaced name of the Kubernetes
- secret used to validate the certificate presented
- by the backend. The secret must contain key named
- ca.crt.
- type: string
- subjectName:
- description: Key which is expected to be present in
- the 'subjectAltName' of the presented certificate.
- type: string
- required:
- - caSecret
- - subjectName
- type: object
- weight:
- description: Weight defines percentage of traffic to balance
- traffic
- format: int64
- minimum: 0
- type: integer
- required:
- - name
- - port
- type: object
- type: array
- timeoutPolicy:
- description: The timeout policy for this route.
- properties:
- idle:
- description: Timeout for how long the proxy should wait
- while there is no activity during single request/response
- (for HTTP/1.1) or stream (for HTTP/2). Timeout will not
- trigger while HTTP/1.1 connection is idle between two
- consecutive requests. If not specified, there is no per-route
- idle timeout, though a connection manager-wide stream_idle_timeout
- default of 5m still applies.
- pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
- type: string
- idleConnection:
- description: Timeout for how long connection from the proxy
- to the upstream service is kept when there are no active
- requests. If not supplied, Envoy's default value of 1h
- applies.
- pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
- type: string
- response:
- description: Timeout for receiving a response from the server
- after processing a request from client. If not supplied,
- Envoy's default value of 15s applies.
- pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
- type: string
- type: object
- type: object
- type: array
- tcpproxy:
- description: TCPProxy holds TCP proxy information.
- properties:
- healthCheckPolicy:
- description: The health check policy for this tcp proxy
- properties:
- healthyThresholdCount:
- description: The number of healthy health checks required
- before a host is marked healthy
- format: int32
- type: integer
- intervalSeconds:
- description: The interval (seconds) between health checks
- format: int64
- type: integer
- timeoutSeconds:
- description: The time to wait (seconds) for a health check
- response
- format: int64
- type: integer
- unhealthyThresholdCount:
- description: The number of unhealthy health checks required
- before a host is marked unhealthy
- format: int32
- type: integer
- type: object
- include:
- description: Include specifies that this tcpproxy should be delegated
- to another HTTPProxy.
- properties:
- name:
- description: Name of the child HTTPProxy
- type: string
- namespace:
- description: Namespace of the HTTPProxy to include. Defaults
- to the current namespace if not supplied.
- type: string
- required:
- - name
- type: object
- includes:
- description: "IncludesDeprecated allow for specific routing configuration
- to be appended to another HTTPProxy in another namespace. \n
- Exists due to a mistake when developing HTTPProxy and the field
- was marked plural when it should have been singular. This field
- should stay to not break backwards compatibility to v1 users."
- properties:
- name:
- description: Name of the child HTTPProxy
- type: string
- namespace:
- description: Namespace of the HTTPProxy to include. Defaults
- to the current namespace if not supplied.
- type: string
- required:
- - name
- type: object
- loadBalancerPolicy:
- description: The load balancing policy for the backend services.
- Note that the `Cookie` and `RequestHash` load balancing strategies
- cannot be used here.
- properties:
- requestHashPolicies:
- description: RequestHashPolicies contains a list of hash policies
- to apply when the `RequestHash` load balancing strategy
- is chosen. If an element of the supplied list of hash policies
- is invalid, it will be ignored. If the list of hash policies
- is empty after validation, the load balancing strategy will
- fall back to the default `RoundRobin`.
- items:
- description: RequestHashPolicy contains configuration for
- an individual hash policy on a request attribute.
- properties:
- hashSourceIP:
- description: HashSourceIP should be set to true when
- request source IP hash based load balancing is desired.
- It must be the only hash option field set, otherwise
- this request hash policy object will be ignored.
- type: boolean
- headerHashOptions:
- description: HeaderHashOptions should be set when request
- header hash based load balancing is desired. It must
- be the only hash option field set, otherwise this
- request hash policy object will be ignored.
- properties:
- headerName:
- description: HeaderName is the name of the HTTP
- request header that will be used to calculate
- the hash key. If the header specified is not present
- on a request, no hash will be produced.
- minLength: 1
- type: string
- type: object
- queryParameterHashOptions:
- description: QueryParameterHashOptions should be set
- when request query parameter hash based load balancing
- is desired. It must be the only hash option field
- set, otherwise this request hash policy object will
- be ignored.
- properties:
- parameterName:
- description: ParameterName is the name of the HTTP
- request query parameter that will be used to calculate
- the hash key. If the query parameter specified
- is not present on a request, no hash will be produced.
- minLength: 1
- type: string
- type: object
- terminal:
- description: Terminal is a flag that allows for short-circuiting
- computing of a hash for a given request. If set to
- true, and the request attribute specified in the attribute
- hash options is present, no further hash policies
- will be used to calculate a hash for the request.
- type: boolean
- type: object
- type: array
- strategy:
- description: Strategy specifies the policy used to balance
- requests across the pool of backend pods. Valid policy names
- are `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`,
- and `RequestHash`. If an unknown strategy name is specified
- or no policy is supplied, the default `RoundRobin` policy
- is used.
- type: string
- type: object
- services:
- description: Services are the services to proxy traffic
- items:
- description: Service defines an Kubernetes Service to proxy
- traffic.
- properties:
- cookieRewritePolicies:
- description: The policies for rewriting Set-Cookie header
- attributes.
- items:
- properties:
- domainRewrite:
- description: DomainRewrite enables rewriting the Set-Cookie
- Domain element. If not set, Domain will not be rewritten.
- properties:
- value:
- description: Value is the value to rewrite the
- Domain attribute to. For now this is required.
- maxLength: 4096
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - value
- type: object
- name:
- description: Name is the name of the cookie for which
- attributes will be rewritten.
- maxLength: 4096
- minLength: 1
- pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
- type: string
- pathRewrite:
- description: PathRewrite enables rewriting the Set-Cookie
- Path element. If not set, Path will not be rewritten.
- properties:
- value:
- description: Value is the value to rewrite the
- Path attribute to. For now this is required.
- maxLength: 4096
- minLength: 1
- pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
- type: string
- required:
- - value
- type: object
- sameSite:
- description: SameSite enables rewriting the Set-Cookie
- SameSite element. If not set, SameSite attribute
- will not be rewritten.
- enum:
- - Strict
- - Lax
- - None
- type: string
- secure:
- description: Secure enables rewriting the Set-Cookie
- Secure element. If not set, Secure attribute will
- not be rewritten.
- type: boolean
- required:
- - name
- type: object
- type: array
- healthPort:
- description: HealthPort is the port for this service healthcheck.
- If not specified, Port is used for service healthchecks.
- maximum: 65535
- minimum: 1
- type: integer
- mirror:
- description: If Mirror is true the Service will receive
- a read only mirror of the traffic for this route.
- type: boolean
- name:
- description: Name is the name of Kubernetes service to proxy
- traffic. Names defined here will be used to look up corresponding
- endpoints which contain the ips to route.
- type: string
- port:
- description: Port (defined as Integer) to proxy traffic
- to since a service can have multiple defined.
- exclusiveMaximum: true
- maximum: 65536
- minimum: 1
- type: integer
- protocol:
- description: Protocol may be used to specify (or override)
- the protocol used to reach this Service. Values may be
- tls, h2, h2c. If omitted, protocol-selection falls back
- on Service annotations.
- enum:
- - h2
- - h2c
- - tls
- type: string
- requestHeadersPolicy:
- description: The policy for managing request headers during
- proxying.
- properties:
- remove:
- description: Remove specifies a list of HTTP header
- names to remove.
- items:
- type: string
- type: array
- set:
- description: Set specifies a list of HTTP header values
- that will be set in the HTTP header. If the header
- does not exist it will be added, otherwise it will
- be overwritten with the new value.
- items:
- description: HeaderValue represents a header name/value
- pair
- properties:
- name:
- description: Name represents a key of a header
- minLength: 1
- type: string
- value:
- description: Value represents the value of a header
- specified by a key
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- type: array
- type: object
- responseHeadersPolicy:
- description: The policy for managing response headers during
- proxying. Rewriting the 'Host' header is not supported.
- properties:
- remove:
- description: Remove specifies a list of HTTP header
- names to remove.
- items:
- type: string
- type: array
- set:
- description: Set specifies a list of HTTP header values
- that will be set in the HTTP header. If the header
- does not exist it will be added, otherwise it will
- be overwritten with the new value.
- items:
- description: HeaderValue represents a header name/value
- pair
- properties:
- name:
- description: Name represents a key of a header
- minLength: 1
- type: string
- value:
- description: Value represents the value of a header
- specified by a key
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- type: array
- type: object
- slowStartPolicy:
- description: Slow start will gradually increase amount of
- traffic to a newly added endpoint.
- properties:
- aggression:
- default: "1.0"
- description: "The speed of traffic increase over the
- slow start window. Defaults to 1.0, so that endpoint
- would get linearly increasing amount of traffic. When
- increasing the value for this parameter, the speed
- of traffic ramp-up increases non-linearly. The value
- of aggression parameter should be greater than 0.0.
- \n More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start"
- pattern: ^([0-9]+([.][0-9]+)?|[.][0-9]+)$
- type: string
- minWeightPercent:
- default: 10
- description: The minimum or starting percentage of traffic
- to send to new endpoints. A non-zero value helps avoid
- a too small initial weight, which may cause endpoints
- in slow start mode to receive no traffic in the beginning
- of the slow start window. If not specified, the default
- is 10%.
- format: int32
- maximum: 100
- minimum: 0
- type: integer
- window:
- description: The duration of slow start window. Duration
- is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
- Valid time units are "ns", "us" (or "µs"), "ms", "s",
- "m", "h".
- pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$
- type: string
- required:
- - window
- type: object
- validation:
- description: UpstreamValidation defines how to verify the
- backend service's certificate
- properties:
- caSecret:
- description: Name or namespaced name of the Kubernetes
- secret used to validate the certificate presented
- by the backend. The secret must contain key named
- ca.crt.
- type: string
- subjectName:
- description: Key which is expected to be present in
- the 'subjectAltName' of the presented certificate.
- type: string
- required:
- - caSecret
- - subjectName
- type: object
- weight:
- description: Weight defines percentage of traffic to balance
- traffic
- format: int64
- minimum: 0
- type: integer
- required:
- - name
- - port
- type: object
- type: array
- type: object
- virtualhost:
- description: Virtualhost appears at most once. If it is present, the
- object is considered to be a "root" HTTPProxy.
- properties:
- authorization:
- description: This field configures an extension service to perform
- authorization for this virtual host. Authorization can only
- be configured on virtual hosts that have TLS enabled. If the
- TLS configuration requires client certificate validation, the
- client certificate is always included in the authentication
- check request.
- properties:
- authPolicy:
- description: AuthPolicy sets a default authorization policy
- for client requests. This policy will be used unless overridden
- by individual routes.
- properties:
- context:
- additionalProperties:
- type: string
- description: Context is a set of key/value pairs that
- are sent to the authentication server in the check request.
- If a context is provided at an enclosing scope, the
- entries are merged such that the inner scope overrides
- matching keys from the outer scope.
- type: object
- disabled:
- description: When true, this field disables client request
- authentication for the scope of the policy.
- type: boolean
- type: object
- extensionRef:
- description: ExtensionServiceRef specifies the extension resource
- that will authorize client requests.
- properties:
- apiVersion:
- description: API version of the referent. If this field
- is not specified, the default "projectcontour.io/v1alpha1"
- will be used
- minLength: 1
- type: string
- name:
- description: "Name of the referent. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names"
- minLength: 1
- type: string
- namespace:
- description: "Namespace of the referent. If this field
- is not specifies, the namespace of the resource that
- targets the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"
- minLength: 1
- type: string
- type: object
- failOpen:
- description: If FailOpen is true, the client request is forwarded
- to the upstream service even if the authorization server
- fails to respond. This field should not be set in most cases.
- It is intended for use only while migrating applications
- from internal authorization to Contour external authorization.
- type: boolean
- responseTimeout:
- description: ResponseTimeout configures maximum time to wait
- for a check response from the authorization server. Timeout
- durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
- Valid time units are "ns", "us" (or "µs"), "ms", "s", "m",
- "h". The string "infinity" is also a valid input and specifies
- no timeout.
- pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
- type: string
- withRequestBody:
- description: WithRequestBody specifies configuration for sending
- the client request's body to authorization server.
- properties:
- allowPartialMessage:
- description: If AllowPartialMessage is true, then Envoy
- will buffer the body until MaxRequestBytes are reached.
- type: boolean
- maxRequestBytes:
- default: 1024
- description: MaxRequestBytes sets the maximum size of
- message body ExtAuthz filter will hold in-memory.
- format: int32
- minimum: 1
- type: integer
- packAsBytes:
- description: If PackAsBytes is true, the body sent to
- Authorization Server is in raw bytes.
- type: boolean
- type: object
- type: object
- corsPolicy:
- description: Specifies the cross-origin policy to apply to the
- VirtualHost.
- properties:
- allowCredentials:
- description: Specifies whether the resource allows credentials.
- type: boolean
- allowHeaders:
- description: AllowHeaders specifies the content for the *access-control-allow-headers*
- header.
- items:
- description: CORSHeaderValue specifies the value of the
- string headers returned by a cross-domain request.
- pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$
- type: string
- minItems: 1
- type: array
- allowMethods:
- description: AllowMethods specifies the content for the *access-control-allow-methods*
- header.
- items:
- description: CORSHeaderValue specifies the value of the
- string headers returned by a cross-domain request.
- pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$
- type: string
- minItems: 1
- type: array
- allowOrigin:
- description: AllowOrigin specifies the origins that will be
- allowed to do CORS requests. Allowed values include "*"
- which signifies any origin is allowed, an exact origin of
- the form "scheme://host[:port]" (where port is optional),
- or a valid regex pattern. Note that regex patterns are validated
- and a simple "glob" pattern (e.g. *.foo.com) will be rejected
- or produce unexpected matches when applied as a regex.
- items:
- type: string
- minItems: 1
- type: array
- allowPrivateNetwork:
- description: AllowPrivateNetwork specifies whether to allow
- private network requests. See https://developer.chrome.com/blog/private-network-access-preflight.
- type: boolean
- exposeHeaders:
- description: ExposeHeaders Specifies the content for the *access-control-expose-headers*
- header.
- items:
- description: CORSHeaderValue specifies the value of the
- string headers returned by a cross-domain request.
- pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$
- type: string
- minItems: 1
- type: array
- maxAge:
- description: MaxAge indicates for how long the results of
- a preflight request can be cached. MaxAge durations are
- expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
- Valid time units are "ns", "us" (or "µs"), "ms", "s", "m",
- "h". Only positive values are allowed while 0 disables the
- cache requiring a preflight OPTIONS check for all cross-origin
- requests.
- pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|0)$
- type: string
- required:
- - allowMethods
- - allowOrigin
- type: object
- fqdn:
- description: The fully qualified domain name of the root of the
- ingress tree all leaves of the DAG rooted at this object relate
- to the fqdn.
- pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- ipAllowPolicy:
- description: IPAllowFilterPolicy is a list of ipv4/6 filter rules
- for which matching requests should be allowed. All other requests
- will be denied. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy
- can be defined. The rules defined here may be overridden in
- a Route.
- items:
- properties:
- cidr:
- description: CIDR is a CIDR block of ipv4 or ipv6 addresses
- to filter on. This can also be a bare IP address (without
- a mask) to filter on exactly one address.
- type: string
- source:
- description: 'Source indicates how to determine the ip address
- to filter on, and can be one of two values: - `Remote`
- filters on the ip address of the client, accounting for
- PROXY and X-Forwarded-For as needed. - `Peer` filters
- on the ip of the network request, ignoring PROXY and X-Forwarded-For.'
- enum:
- - Peer
- - Remote
- type: string
- required:
- - cidr
- - source
- type: object
- type: array
- ipDenyPolicy:
- description: IPDenyFilterPolicy is a list of ipv4/6 filter rules
- for which matching requests should be denied. All other requests
- will be allowed. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy
- can be defined. The rules defined here may be overridden in
- a Route.
- items:
- properties:
- cidr:
- description: CIDR is a CIDR block of ipv4 or ipv6 addresses
- to filter on. This can also be a bare IP address (without
- a mask) to filter on exactly one address.
- type: string
- source:
- description: 'Source indicates how to determine the ip address
- to filter on, and can be one of two values: - `Remote`
- filters on the ip address of the client, accounting for
- PROXY and X-Forwarded-For as needed. - `Peer` filters
- on the ip of the network request, ignoring PROXY and X-Forwarded-For.'
- enum:
- - Peer
- - Remote
- type: string
- required:
- - cidr
- - source
- type: object
- type: array
- jwtProviders:
- description: Providers to use for verifying JSON Web Tokens (JWTs)
- on the virtual host.
- items:
- description: JWTProvider defines how to verify JWTs on requests.
- properties:
- audiences:
- description: Audiences that JWTs are allowed to have in
- the "aud" field. If not provided, JWT audiences are not
- checked.
- items:
- type: string
- type: array
- default:
- description: Whether the provider should apply to all routes
- in the HTTPProxy/its includes by default. At most one
- provider can be marked as the default. If no provider
- is marked as the default, individual routes must explicitly
- identify the provider they require.
- type: boolean
- forwardJWT:
- description: Whether the JWT should be forwarded to the
- backend service after successful verification. By default,
- the JWT is not forwarded.
- type: boolean
- issuer:
- description: Issuer that JWTs are required to have in the
- "iss" field. If not provided, JWT issuers are not checked.
- type: string
- name:
- description: Unique name for the provider.
- minLength: 1
- type: string
- remoteJWKS:
- description: Remote JWKS to use for verifying JWT signatures.
- properties:
- cacheDuration:
- description: How long to cache the JWKS locally. If
- not specified, Envoy's default of 5m applies.
- pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$
- type: string
- dnsLookupFamily:
- description: "The DNS IP address resolution policy for
- the JWKS URI. When configured as \"v4\", the DNS resolver
- will only perform a lookup for addresses in the IPv4
- family. If \"v6\" is configured, the DNS resolver
- will only perform a lookup for addresses in the IPv6
- family. If \"all\" is configured, the DNS resolver
- will perform a lookup for addresses in both the IPv4
- and IPv6 family. If \"auto\" is configured, the DNS
- resolver will first perform a lookup for addresses
- in the IPv6 family and fallback to a lookup for addresses
- in the IPv4 family. If not specified, the Contour-wide
- setting defined in the config file or ContourConfiguration
- applies (defaults to \"auto\"). \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily
- for more information."
- enum:
- - auto
- - v4
- - v6
- type: string
- timeout:
- description: How long to wait for a response from the
- URI. If not specified, a default of 1s applies.
- pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$
- type: string
- uri:
- description: The URI for the JWKS.
- minLength: 1
- type: string
- validation:
- description: UpstreamValidation defines how to verify
- the JWKS's TLS certificate.
- properties:
- caSecret:
- description: Name or namespaced name of the Kubernetes
- secret used to validate the certificate presented
- by the backend. The secret must contain key named
- ca.crt.
- type: string
- subjectName:
- description: Key which is expected to be present
- in the 'subjectAltName' of the presented certificate.
- type: string
- required:
- - caSecret
- - subjectName
- type: object
- required:
- - uri
- type: object
- required:
- - name
- - remoteJWKS
- type: object
- type: array
- rateLimitPolicy:
- description: The policy for rate limiting on the virtual host.
- properties:
- global:
- description: Global defines global rate limiting parameters,
- i.e. parameters defining descriptors that are sent to an
- external rate limit service (RLS) for a rate limit decision
- on each request.
- properties:
- descriptors:
- description: Descriptors defines the list of descriptors
- that will be generated and sent to the rate limit service.
- Each descriptor contains 1+ key-value pair entries.
- items:
- description: RateLimitDescriptor defines a list of key-value
- pair generators.
- properties:
- entries:
- description: Entries is the list of key-value pair
- generators.
- items:
- description: RateLimitDescriptorEntry is a key-value
- pair generator. Exactly one field on this struct
- must be non-nil.
- properties:
- genericKey:
- description: GenericKey defines a descriptor
- entry with a static key and value.
- properties:
- key:
- description: Key defines the key of the
- descriptor entry. If not set, the key
- is set to "generic_key".
- type: string
- value:
- description: Value defines the value of
- the descriptor entry.
- minLength: 1
- type: string
- type: object
- remoteAddress:
- description: RemoteAddress defines a descriptor
- entry with a key of "remote_address" and
- a value equal to the client's IP address
- (from x-forwarded-for).
- type: object
- requestHeader:
- description: RequestHeader defines a descriptor
- entry that's populated only if a given header
- is present on the request. The descriptor
- key is static, and the descriptor value
- is equal to the value of the header.
- properties:
- descriptorKey:
- description: DescriptorKey defines the
- key to use on the descriptor entry.
- minLength: 1
- type: string
- headerName:
- description: HeaderName defines the name
- of the header to look for on the request.
- minLength: 1
- type: string
- type: object
- requestHeaderValueMatch:
- description: RequestHeaderValueMatch defines
- a descriptor entry that's populated if the
- request's headers match a set of 1+ match
- criteria. The descriptor key is "header_match",
- and the descriptor value is static.
- properties:
- expectMatch:
- default: true
- description: ExpectMatch defines whether
- the request must positively match the
- match criteria in order to generate
- a descriptor entry (i.e. true), or not
- match the match criteria in order to
- generate a descriptor entry (i.e. false).
- The default is true.
- type: boolean
- headers:
- description: Headers is a list of 1+ match
- criteria to apply against the request
- to determine whether to populate the
- descriptor entry or not.
- items:
- description: HeaderMatchCondition specifies
- how to conditionally match against
- HTTP headers. The Name field is required,
- but only one of the remaining fields
- should be be provided.
- properties:
- contains:
- description: Contains specifies
- a substring that must be present
- in the header value.
- type: string
- exact:
- description: Exact specifies a string
- that the header value must be
- equal to.
- type: string
- name:
- description: Name is the name of
- the header to match against. Name
- is required. Header names are
- case insensitive.
- type: string
- notcontains:
- description: NotContains specifies
- a substring that must not be present
- in the header value.
- type: string
- notexact:
- description: NoExact specifies a
- string that the header value must
- not be equal to. The condition
- is true if the header has any
- other value.
- type: string
- notpresent:
- description: NotPresent specifies
- that condition is true when the
- named header is not present. Note
- that setting NotPresent to false
- does not make the condition true
- if the named header is present.
- type: boolean
- present:
- description: Present specifies that
- condition is true when the named
- header is present, regardless
- of its value. Note that setting
- Present to false does not make
- the condition true if the named
- header is absent.
- type: boolean
- required:
- - name
- type: object
- minItems: 1
- type: array
- value:
- description: Value defines the value of
- the descriptor entry.
- minLength: 1
- type: string
- type: object
- type: object
- minItems: 1
- type: array
- type: object
- minItems: 1
- type: array
- type: object
- local:
- description: Local defines local rate limiting parameters,
- i.e. parameters for rate limiting that occurs within each
- Envoy pod as requests are handled.
- properties:
- burst:
- description: Burst defines the number of requests above
- the requests per unit that should be allowed within
- a short period of time.
- format: int32
- type: integer
- requests:
- description: Requests defines how many requests per unit
- of time should be allowed before rate limiting occurs.
- format: int32
- minimum: 1
- type: integer
- responseHeadersToAdd:
- description: ResponseHeadersToAdd is an optional list
- of response headers to set when a request is rate-limited.
- items:
- description: HeaderValue represents a header name/value
- pair
- properties:
- name:
- description: Name represents a key of a header
- minLength: 1
- type: string
- value:
- description: Value represents the value of a header
- specified by a key
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- type: array
- responseStatusCode:
- description: ResponseStatusCode is the HTTP status code
- to use for responses to rate-limited requests. Codes
- must be in the 400-599 range (inclusive). If not specified,
- the Envoy default of 429 (Too Many Requests) is used.
- format: int32
- maximum: 599
- minimum: 400
- type: integer
- unit:
- description: Unit defines the period of time within which
- requests over the limit will be rate limited. Valid
- values are "second", "minute" and "hour".
- enum:
- - second
- - minute
- - hour
- type: string
- required:
- - requests
- - unit
- type: object
- type: object
- tls:
- description: If present the fields describes TLS properties of
- the virtual host. The SNI names that will be matched on are
- described in fqdn, the tls.secretName secret must contain a
- certificate that itself contains a name that matches the FQDN.
- properties:
- clientValidation:
- description: "ClientValidation defines how to verify the client
- certificate when an external client establishes a TLS connection
- to Envoy. \n This setting: \n 1. Enables TLS client certificate
- validation. 2. Specifies how the client certificate will
- be validated (i.e. validation required or skipped). \n Note:
- Setting client certificate validation to be skipped should
- be only used in conjunction with an external authorization
- server that performs client validation as Contour will ensure
- client certificates are passed along."
- properties:
- caSecret:
- description: Name of a Kubernetes secret that contains
- a CA certificate bundle. The secret must contain key
- named ca.crt. The client certificate must validate against
- the certificates in the bundle. If specified and SkipClientCertValidation
- is true, client certificates will be required on requests.
- minLength: 1
- type: string
- crlOnlyVerifyLeafCert:
- description: If this option is set to true, only the certificate
- at the end of the certificate chain will be subject
- to validation by CRL.
- type: boolean
- crlSecret:
- description: Name of a Kubernetes opaque secret that contains
- a concatenated list of PEM encoded CRLs. The secret
- must contain key named crl.pem. This field will be used
- to verify that a client certificate has not been revoked.
- CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert
- is true. Large CRL lists are not supported since individual
- secrets are limited to 1MiB in size.
- minLength: 1
- type: string
- forwardClientCertificate:
- description: ForwardClientCertificate adds the selected
- data from the passed client TLS certificate to the x-forwarded-client-cert
- header.
- properties:
- cert:
- description: Client cert in URL encoded PEM format.
- type: boolean
- chain:
- description: Client cert chain (including the leaf
- cert) in URL encoded PEM format.
- type: boolean
- dns:
- description: DNS type Subject Alternative Names of
- the client cert.
- type: boolean
- subject:
- description: Subject of the client cert.
- type: boolean
- uri:
- description: URI type Subject Alternative Name of
- the client cert.
- type: boolean
- type: object
- optionalClientCertificate:
- description: OptionalClientCertificate when set to true
- will request a client certificate but allow the connection
- to continue if the client does not provide one. If a
- client certificate is sent, it will be verified according
- to the other properties, which includes disabling validation
- if SkipClientCertValidation is set. Defaults to false.
- type: boolean
- skipClientCertValidation:
- description: SkipClientCertValidation disables downstream
- client certificate validation. Defaults to false. This
- field is intended to be used in conjunction with external
- authorization in order to enable the external authorization
- server to validate client certificates. When this field
- is set to true, client certificates are requested but
- not verified by Envoy. If CACertificate is specified,
- client certificates are required on requests, but not
- verified. If external authorization is in use, they
- are presented to the external authorization server.
- type: boolean
- type: object
- enableFallbackCertificate:
- description: EnableFallbackCertificate defines if the vhost
- should allow a default certificate to be applied which handles
- all requests which don't match the SNI defined in this vhost.
- type: boolean
- minimumProtocolVersion:
- description: MinimumProtocolVersion is the minimum TLS version
- this vhost should negotiate. Valid options are `1.2` (default)
- and `1.3`. Any other value defaults to TLS 1.2.
- type: string
- passthrough:
- description: Passthrough defines whether the encrypted TLS
- handshake will be passed through to the backing cluster.
- Either Passthrough or SecretName must be specified, but
- not both.
- type: boolean
- secretName:
- description: SecretName is the name of a TLS secret in the
- current namespace. Either SecretName or Passthrough must
- be specified, but not both. If specified, the named secret
- must contain a matching certificate for the virtual host's
- FQDN.
- type: string
- type: object
- required:
- - fqdn
- type: object
- type: object
- status:
- default:
- currentStatus: NotReconciled
- description: Waiting for controller
- description: Status is a container for computed information about the
- HTTPProxy.
- properties:
- conditions:
- description: "Conditions contains information about the current status
- of the HTTPProxy, in an upstream-friendly container. \n Contour
- will update a single condition, `Valid`, that is in normal-true
- polarity. That is, when `currentStatus` is `valid`, the `Valid`
- condition will be `status: true`, and vice versa. \n Contour will
- leave untouched any other Conditions set in this block, in case
- some other controller wants to add a Condition. \n If you are another
- controller owner and wish to add a condition, you *should* namespace
- your condition with a label, like `controller.domain.com/ConditionName`."
- items:
- description: "DetailedCondition is an extension of the normal Kubernetes
- conditions, with two extra fields to hold sub-conditions, which
- provide more detailed reasons for the state (True or False) of
- the condition. \n `errors` holds information about sub-conditions
- which are fatal to that condition and render its state False.
- \n `warnings` holds information about sub-conditions which are
- not fatal to that condition and do not force the state to be False.
- \n Remember that Conditions have a type, a status, and a reason.
- \n The type is the type of the condition, the most important one
- in this CRD set is `Valid`. `Valid` is a positive-polarity condition:
- when it is `status: true` there are no problems. \n In more detail,
- `status: true` means that the object is has been ingested into
- Contour with no errors. `warnings` may still be present, and will
- be indicated in the Reason field. There must be zero entries in
- the `errors` slice in this case. \n `Valid`, `status: false` means
- that the object has had one or more fatal errors during processing
- into Contour. The details of the errors will be present under
- the `errors` field. There must be at least one error in the `errors`
- slice if `status` is `false`. \n For DetailedConditions of types
- other than `Valid`, the Condition must be in the negative polarity.
- When they have `status` `true`, there is an error. There must
- be at least one entry in the `errors` Subcondition slice. When
- they have `status` `false`, there are no serious errors, and there
- must be zero entries in the `errors` slice. In either case, there
- may be entries in the `warnings` slice. \n Regardless of the polarity,
- the `reason` and `message` fields must be updated with either
- the detail of the reason (if there is one and only one entry in
- total across both the `errors` and `warnings` slices), or `MultipleReasons`
- if there is more than one entry."
- properties:
- errors:
- description: "Errors contains a slice of relevant error subconditions
- for this object. \n Subconditions are expected to appear when
- relevant (when there is a error), and disappear when not relevant.
- An empty slice here indicates no errors."
- items:
- description: "SubCondition is a Condition-like type intended
- for use as a subcondition inside a DetailedCondition. \n
- It contains a subset of the Condition fields. \n It is intended
- for warnings and errors, so `type` names should use abnormal-true
- polarity, that is, they should be of the form \"ErrorPresent:
- true\". \n The expected lifecycle for these errors is that
- they should only be present when the error or warning is,
- and should be removed when they are not relevant."
- properties:
- message:
- description: "Message is a human readable message indicating
- details about the transition. \n This may be an empty
- string."
- maxLength: 32768
- type: string
- reason:
- description: "Reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. \n The value
- should be a CamelCase string. \n This field may not
- be empty."
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: Status of the condition, one of True, False,
- Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
- \n This must be in abnormal-true polarity, that is,
- `ErrorFound` or `controller.io/ErrorFound`. \n The regex
- it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)"
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - message
- - reason
- - status
- - type
- type: object
- type: array
- lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- warnings:
- description: "Warnings contains a slice of relevant warning
- subconditions for this object. \n Subconditions are expected
- to appear when relevant (when there is a warning), and disappear
- when not relevant. An empty slice here indicates no warnings."
- items:
- description: "SubCondition is a Condition-like type intended
- for use as a subcondition inside a DetailedCondition. \n
- It contains a subset of the Condition fields. \n It is intended
- for warnings and errors, so `type` names should use abnormal-true
- polarity, that is, they should be of the form \"ErrorPresent:
- true\". \n The expected lifecycle for these errors is that
- they should only be present when the error or warning is,
- and should be removed when they are not relevant."
- properties:
- message:
- description: "Message is a human readable message indicating
- details about the transition. \n This may be an empty
- string."
- maxLength: 32768
- type: string
- reason:
- description: "Reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. \n The value
- should be a CamelCase string. \n This field may not
- be empty."
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: Status of the condition, one of True, False,
- Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
- \n This must be in abnormal-true polarity, that is,
- `ErrorFound` or `controller.io/ErrorFound`. \n The regex
- it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)"
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - message
- - reason
- - status
- - type
- type: object
- type: array
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- currentStatus:
- type: string
- description:
- type: string
- loadBalancer:
- description: LoadBalancer contains the current status of the load
- balancer.
- properties:
- ingress:
- description: Ingress is a list containing ingress points for the
- load-balancer. Traffic intended for the service should be sent
- to these ingress points.
- items:
- description: 'LoadBalancerIngress represents the status of a
- load-balancer ingress point: traffic intended for the service
- should be sent to an ingress point.'
- properties:
- hostname:
- description: Hostname is set for load-balancer ingress points
- that are DNS based (typically AWS load-balancers)
- type: string
- ip:
- description: IP is set for load-balancer ingress points
- that are IP based (typically GCE or OpenStack load-balancers)
- type: string
- ports:
- description: Ports is a list of records of service ports
- If used, every port defined in the service should have
- an entry in it
- items:
- properties:
- error:
- description: 'Error is to record the problem with
- the service port The format of the error shall comply
- with the following rules: - built-in error values
- shall be specified in this file and those shall
- use CamelCase names - cloud provider specific error
- values must have names that comply with the format
- foo.example.com/CamelCase. --- The regex it matches
- is (dns1123SubdomainFmt/)?(qualifiedNameFmt)'
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- port:
- description: Port is the port number of the service
- port of which status is recorded here
- format: int32
- type: integer
- protocol:
- default: TCP
- description: 'Protocol is the protocol of the service
- port of which status is recorded here The supported
- values are: "TCP", "UDP", "SCTP"'
- type: string
- required:
- - port
- - protocol
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type: object
- type: array
- type: object
- type: object
- required:
- - metadata
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
diff --git a/charts/contour/contour/charts/contour/resources/tlscertificatedeligations.yaml b/charts/contour/contour/charts/contour/resources/tlscertificatedeligations.yaml
deleted file mode 100644
index 75fcdea0c..000000000
--- a/charts/contour/contour/charts/contour/resources/tlscertificatedeligations.yaml
+++ /dev/null
@@ -1,289 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.11.4
- name: tlscertificatedelegations.projectcontour.io
-spec:
- preserveUnknownFields: false
- group: projectcontour.io
- names:
- kind: TLSCertificateDelegation
- listKind: TLSCertificateDelegationList
- plural: tlscertificatedelegations
- shortNames:
- - tlscerts
- singular: tlscertificatedelegation
- scope: Namespaced
- versions:
- - name: v1
- schema:
- openAPIV3Schema:
- description: TLSCertificateDelegation is an TLS Certificate Delegation CRD
- specification. See design/tls-certificate-delegation.md for details.
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: TLSCertificateDelegationSpec defines the spec of the CRD
- properties:
- delegations:
- items:
- description: CertificateDelegation maps the authority to reference
- a secret in the current namespace to a set of namespaces.
- properties:
- secretName:
- description: required, the name of a secret in the current namespace.
- type: string
- targetNamespaces:
- description: required, the namespaces the authority to reference
- the secret will be delegated to. If TargetNamespaces is nil
- or empty, the CertificateDelegation' is ignored. If the TargetNamespace
- list contains the character, "*" the secret will be delegated
- to all namespaces.
- items:
- type: string
- type: array
- required:
- - secretName
- - targetNamespaces
- type: object
- type: array
- required:
- - delegations
- type: object
- status:
- description: TLSCertificateDelegationStatus allows for the status of the
- delegation to be presented to the user.
- properties:
- conditions:
- description: "Conditions contains information about the current status
- of the HTTPProxy, in an upstream-friendly container. \n Contour
- will update a single condition, `Valid`, that is in normal-true
- polarity. That is, when `currentStatus` is `valid`, the `Valid`
- condition will be `status: true`, and vice versa. \n Contour will
- leave untouched any other Conditions set in this block, in case
- some other controller wants to add a Condition. \n If you are another
- controller owner and wish to add a condition, you *should* namespace
- your condition with a label, like `controller.domain.com\\ConditionName`."
- items:
- description: "DetailedCondition is an extension of the normal Kubernetes
- conditions, with two extra fields to hold sub-conditions, which
- provide more detailed reasons for the state (True or False) of
- the condition. \n `errors` holds information about sub-conditions
- which are fatal to that condition and render its state False.
- \n `warnings` holds information about sub-conditions which are
- not fatal to that condition and do not force the state to be False.
- \n Remember that Conditions have a type, a status, and a reason.
- \n The type is the type of the condition, the most important one
- in this CRD set is `Valid`. `Valid` is a positive-polarity condition:
- when it is `status: true` there are no problems. \n In more detail,
- `status: true` means that the object is has been ingested into
- Contour with no errors. `warnings` may still be present, and will
- be indicated in the Reason field. There must be zero entries in
- the `errors` slice in this case. \n `Valid`, `status: false` means
- that the object has had one or more fatal errors during processing
- into Contour. The details of the errors will be present under
- the `errors` field. There must be at least one error in the `errors`
- slice if `status` is `false`. \n For DetailedConditions of types
- other than `Valid`, the Condition must be in the negative polarity.
- When they have `status` `true`, there is an error. There must
- be at least one entry in the `errors` Subcondition slice. When
- they have `status` `false`, there are no serious errors, and there
- must be zero entries in the `errors` slice. In either case, there
- may be entries in the `warnings` slice. \n Regardless of the polarity,
- the `reason` and `message` fields must be updated with either
- the detail of the reason (if there is one and only one entry in
- total across both the `errors` and `warnings` slices), or `MultipleReasons`
- if there is more than one entry."
- properties:
- errors:
- description: "Errors contains a slice of relevant error subconditions
- for this object. \n Subconditions are expected to appear when
- relevant (when there is a error), and disappear when not relevant.
- An empty slice here indicates no errors."
- items:
- description: "SubCondition is a Condition-like type intended
- for use as a subcondition inside a DetailedCondition. \n
- It contains a subset of the Condition fields. \n It is intended
- for warnings and errors, so `type` names should use abnormal-true
- polarity, that is, they should be of the form \"ErrorPresent:
- true\". \n The expected lifecycle for these errors is that
- they should only be present when the error or warning is,
- and should be removed when they are not relevant."
- properties:
- message:
- description: "Message is a human readable message indicating
- details about the transition. \n This may be an empty
- string."
- maxLength: 32768
- type: string
- reason:
- description: "Reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. \n The value
- should be a CamelCase string. \n This field may not
- be empty."
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: Status of the condition, one of True, False,
- Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
- \n This must be in abnormal-true polarity, that is,
- `ErrorFound` or `controller.io/ErrorFound`. \n The regex
- it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)"
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - message
- - reason
- - status
- - type
- type: object
- type: array
- lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- warnings:
- description: "Warnings contains a slice of relevant warning
- subconditions for this object. \n Subconditions are expected
- to appear when relevant (when there is a warning), and disappear
- when not relevant. An empty slice here indicates no warnings."
- items:
- description: "SubCondition is a Condition-like type intended
- for use as a subcondition inside a DetailedCondition. \n
- It contains a subset of the Condition fields. \n It is intended
- for warnings and errors, so `type` names should use abnormal-true
- polarity, that is, they should be of the form \"ErrorPresent:
- true\". \n The expected lifecycle for these errors is that
- they should only be present when the error or warning is,
- and should be removed when they are not relevant."
- properties:
- message:
- description: "Message is a human readable message indicating
- details about the transition. \n This may be an empty
- string."
- maxLength: 32768
- type: string
- reason:
- description: "Reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. \n The value
- should be a CamelCase string. \n This field may not
- be empty."
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: Status of the condition, one of True, False,
- Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
- \n This must be in abnormal-true polarity, that is,
- `ErrorFound` or `controller.io/ErrorFound`. \n The regex
- it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)"
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - message
- - reason
- - status
- - type
- type: object
- type: array
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- type: object
- required:
- - metadata
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
diff --git a/charts/contour/contour/charts/contour/templates/00-crds.yaml b/charts/contour/contour/charts/contour/templates/00-crds.yaml
deleted file mode 100644
index b7141ad69..000000000
--- a/charts/contour/contour/charts/contour/templates/00-crds.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-{{ if .Values.contour.manageCRDs }}
-{{ range $path, $_ := .Files.Glob "resources/*.yaml" }}
-{{ $.Files.Get $path }}
----
-{{ end }}
-{{ end }}
diff --git a/charts/contour/contour/charts/contour/templates/NOTES.txt b/charts/contour/contour/charts/contour/templates/NOTES.txt
index f021504ae..1acdc7752 100644
--- a/charts/contour/contour/charts/contour/templates/NOTES.txt
+++ b/charts/contour/contour/charts/contour/templates/NOTES.txt
@@ -38,3 +38,5 @@ APP VERSION: {{ .Chart.AppVersion }}
{{- include "contour.validateValues" . }}
{{- include "common.warnings.rollingTag" .Values.contour.image }}
{{- include "common.warnings.rollingTag" .Values.envoy.image }}
+{{- include "common.warnings.resources" (dict "sections" (list "contour" "defaultBackend" "envoy" "envoy.shutdownManager") "context" $) }}
+{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.contour.image .Values.envoy.image .Values.defaultBackend.image) "context" $) }}
\ No newline at end of file
diff --git a/charts/contour/contour/charts/contour/templates/_helpers.tpl b/charts/contour/contour/charts/contour/templates/_helpers.tpl
index b60c2b689..f24dcec6b 100644
--- a/charts/contour/contour/charts/contour/templates/_helpers.tpl
+++ b/charts/contour/contour/charts/contour/templates/_helpers.tpl
@@ -1,3 +1,8 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{/* vim: set filetype=mustache: */}}
{{/*
diff --git a/charts/contour/contour/charts/contour/templates/certgen/job.yaml b/charts/contour/contour/charts/contour/templates/certgen/job.yaml
index 48f216df5..b17f4708b 100644
--- a/charts/contour/contour/charts/contour/templates/certgen/job.yaml
+++ b/charts/contour/contour/charts/contour/templates/certgen/job.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{- if and .Values.contour.enabled (include "contour.contour-certgen.enabled" .) }}
apiVersion: batch/v1
kind: Job
@@ -11,15 +16,14 @@ metadata:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.contour.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: contour-certgen
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
spec:
template:
metadata:
- labels: {{- include "common.labels.standard" . | nindent 8 }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 8 }}
app.kubernetes.io/component: contour-certgen
spec:
{{- include "common.images.pullSecrets" ( dict "images" (list .Values.contour.image) "global" .Values.global) | nindent 6 }}
@@ -33,7 +37,7 @@ spec:
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.contour.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.contour.podSecurityContext.enabled }}
- securityContext: {{- omit .Values.contour.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.contour.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
containers:
- name: contour
@@ -69,11 +73,58 @@ spec:
{{- end }}
{{- end }}
{{- if .Values.contour.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.contour.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.contour.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
+ {{- if .Values.contour.resources }}
resources: {{ toYaml .Values.contour.resources | nindent 12 }}
+ {{- else if ne .Values.contour.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.contour.resourcesPreset) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.contour.customStartupProbe }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.contour.customStartupProbe "context" $) | nindent 12 }}
+ {{- else if .Values.contour.startupProbe.enabled }}
+ startupProbe:
+ exec:
+ command:
+ - pgrep
+ - contour
+ initialDelaySeconds: {{ .Values.contour.startupProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.contour.startupProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.contour.startupProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.contour.startupProbe.successThreshold }}
+ failureThreshold: {{ .Values.contour.startupProbe.failureThreshold }}
+ {{- end }}
+ {{- if .Values.contour.customLivenessProbe }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.contour.customLivenessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.contour.livenessProbe.enabled }}
+ livenessProbe:
+ exec:
+ command:
+ - pgrep
+ - contour
+ initialDelaySeconds: {{ .Values.contour.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.contour.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.contour.livenessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.contour.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.contour.livenessProbe.failureThreshold }}
+ {{- end }}
+ {{- if .Values.contour.customReadinessProbe }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.contour.customReadinessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.contour.readinessProbe.enabled }}
+ readinessProbe:
+ exec:
+ command:
+ - pgrep
+ - contour
+ initialDelaySeconds: {{ .Values.contour.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.contour.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.contour.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.contour.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.contour.readinessProbe.failureThreshold }}
+ {{- end }}
restartPolicy: Never
serviceAccountName: {{ include "contour.contourCertGenServiceAccountName" . }}
+ automountServiceAccountToken: {{ .Values.contour.certgen.automountServiceAccountToken }}
parallelism: 1
completions: 1
backoffLimit: 1
diff --git a/charts/contour/contour/charts/contour/templates/certgen/networkpolicy.yaml b/charts/contour/contour/charts/contour/templates/certgen/networkpolicy.yaml
new file mode 100644
index 000000000..16422b5d5
--- /dev/null
+++ b/charts/contour/contour/charts/contour/templates/certgen/networkpolicy.yaml
@@ -0,0 +1,46 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.contour.enabled (include "contour.contour-certgen.enabled" .) .Values.contour.certgen.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ printf "%s-contour-certgen" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: contour-certgen
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
+ podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: contour-certgen
+ policyTypes:
+ - Ingress
+ - Egress
+ {{- if .Values.contour.certgen.networkPolicy.allowExternalEgress }}
+ egress:
+ - {}
+ {{- else }}
+ egress:
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ {{- range $port := .Values.contour.certgen.networkPolicy.kubeAPIServerPorts }}
+ - port: {{ $port }}
+ {{- end }}
+ {{- if .Values.contour.certgen.networkPolicy.extraEgress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.contour.certgen.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ ingress:
+ {{- if .Values.contour.certgen.networkPolicy.extraIngress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.contour.certgen.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/contour/contour/charts/contour/templates/certgen/rbac.yaml b/charts/contour/contour/charts/contour/templates/certgen/rbac.yaml
index 27512e075..89c265cda 100644
--- a/charts/contour/contour/charts/contour/templates/certgen/rbac.yaml
+++ b/charts/contour/contour/charts/contour/templates/certgen/rbac.yaml
@@ -1,4 +1,11 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{- if and .Values.rbac.create .Values.contour.enabled (include "contour.contour-certgen.enabled" .) }}
+{{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.contour.image "chart" .Chart ) ) }}
+{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: Role
metadata:
@@ -10,11 +17,8 @@ metadata:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: contour-certgen
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
rules:
- apiGroups:
- ""
@@ -32,7 +36,7 @@ metadata:
annotations:
"helm.sh/hook": "pre-install,pre-upgrade"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: contour-certgen
roleRef:
apiGroup: rbac.authorization.k8s.io
diff --git a/charts/contour/contour/charts/contour/templates/certgen/serviceaccount.yaml b/charts/contour/contour/charts/contour/templates/certgen/serviceaccount.yaml
index 715387b5c..601506531 100644
--- a/charts/contour/contour/charts/contour/templates/certgen/serviceaccount.yaml
+++ b/charts/contour/contour/charts/contour/templates/certgen/serviceaccount.yaml
@@ -1,22 +1,24 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{- if and .Values.contour.certgen.serviceAccount.create (include "contour.contour-certgen.enabled" .) }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "contour.contourCertGenServiceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.contour.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: contour-certgen
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
annotations:
"helm.sh/hook": "pre-install,pre-upgrade"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
- {{- if .Values.commonAnnotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.contour.certgen.serviceAccount.annotations }}
- {{- include "common.tplvalues.render" (dict "value" .Values.contour.certgen.serviceAccount.annotations "context" $) | nindent 4 }}
+ {{- if or .Values.contour.certgen.serviceAccount.annotations .Values.commonAnnotations }}
+ {{- $mergedAnnotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.contour.certgen.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
+ {{- include "common.tplvalues.render" ( dict "value" $mergedAnnotations "context" $ ) | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.contour.certgen.serviceAccount.automountServiceAccountToken }}
{{- end }}
diff --git a/charts/contour/contour/charts/contour/templates/contour/configmap.yaml b/charts/contour/contour/charts/contour/templates/contour/configmap.yaml
index 6368aa8e6..941acf405 100644
--- a/charts/contour/contour/charts/contour/templates/contour/configmap.yaml
+++ b/charts/contour/contour/charts/contour/templates/contour/configmap.yaml
@@ -1,14 +1,18 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{- if .Values.configInline }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.contour.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: contour
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
diff --git a/charts/contour/contour/charts/contour/templates/contour/deployment.yaml b/charts/contour/contour/charts/contour/templates/contour/deployment.yaml
index 28ca0ed0d..cc9b78944 100644
--- a/charts/contour/contour/charts/contour/templates/contour/deployment.yaml
+++ b/charts/contour/contour/charts/contour/templates/contour/deployment.yaml
@@ -1,24 +1,29 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{- if .Values.contour.enabled }}
apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ printf "%s-contour" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.contour.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: contour
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.contour.podLabels .Values.commonLabels $versionLabel ) "context" . ) }}
replicas: {{ .Values.contour.replicaCount }}
{{- if .Values.contour.updateStrategy }}
strategy: {{- toYaml .Values.contour.updateStrategy | nindent 4 }}
{{- end }}
selector:
- matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: contour
template:
metadata:
@@ -34,19 +39,14 @@ spec:
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 8 }}
{{- end }}
{{- end }}
- labels: {{- include "common.labels.standard" . | nindent 8 }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
app.kubernetes.io/component: contour
- {{- if .Values.contour.podLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.contour.podLabels "context" $ ) | nindent 8 }}
- {{- end }}
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }}
- {{- end }}
spec:
{{- include "common.images.pullSecrets" ( dict "images" (list .Values.contour.image) "global" .Values.global) | nindent 6 }}
{{- if .Values.contour.priorityClassName }}
priorityClassName: {{ .Values.contour.priorityClassName | quote }}
{{- end }}
+ automountServiceAccountToken: {{ .Values.contour.automountServiceAccountToken }}
{{- if .Values.contour.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.contour.hostAliases "context" $) | nindent 8 }}
{{- end }}
@@ -54,8 +54,8 @@ spec:
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.contour.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
- podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.contour.podAffinityPreset "component" "contour" "context" $) | nindent 10 }}
- podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.contour.podAntiAffinityPreset "component" "contour" "context" $) | nindent 10 }}
+ podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.contour.podAffinityPreset "component" "contour" "customLabels" $podLabels "context" $) | nindent 10 }}
+ podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.contour.podAntiAffinityPreset "component" "contour" "customLabels" $podLabels "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.contour.nodeAffinityPreset.type "key" .Values.contour.nodeAffinityPreset.key "values" .Values.contour.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.contour.nodeSelector }}
@@ -102,7 +102,11 @@ spec:
- --contour-cafile=/certs/ca.crt
- --contour-cert-file=/certs/tls.crt
- --contour-key-file=/certs/tls.key
+ {{- if .Values.contour.configPath }}
- --config-path=/config/contour.yaml
+ {{- else }}
+ - --contour-config-name={{ .Values.contour.contourConfigName }}
+ {{- end }}
{{- if .Values.contour.ingressStatusAddress }}
- --ingress-status-address={{ .Values.contour.ingressStatusAddress }}
{{- else }}
@@ -142,8 +146,7 @@ spec:
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.contour.customLivenessProbe "context" $) | nindent 12 }}
{{- else if .Values.contour.livenessProbe.enabled }}
livenessProbe:
- httpGet:
- path: /healthz
+ tcpSocket:
port: {{ .Values.contour.containerPorts.metrics }}
initialDelaySeconds: {{ .Values.contour.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.contour.livenessProbe.periodSeconds }}
@@ -178,7 +181,11 @@ spec:
failureThreshold: {{ .Values.contour.startupProbe.failureThreshold }}
{{- end }}
{{- end }}
+ {{- if .Values.contour.resources }}
resources: {{ toYaml .Values.contour.resources | nindent 12 }}
+ {{- else if ne .Values.contour.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.contour.resourcesPreset) | nindent 12 }}
+ {{- end }}
volumeMounts:
- name: contourcert
mountPath: /certs
@@ -217,7 +224,7 @@ spec:
{{- end }}
{{- end }}
{{- if .Values.contour.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.contour.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.contour.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.contour.sidecars }}
{{- include "common.tplvalues.render" ( dict "value" .Values.contour.sidecars "context" $) | nindent 8 }}
@@ -225,7 +232,7 @@ spec:
dnsPolicy: ClusterFirst
serviceAccountName: {{ include "contour.contourServiceAccountName" . }}
{{- if .Values.contour.podSecurityContext.enabled }}
- securityContext: {{- omit .Values.contour.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.contour.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: contourcert
diff --git a/charts/contour/contour/charts/contour/templates/contour/ingressclass.yaml b/charts/contour/contour/charts/contour/templates/contour/ingressclass.yaml
index c0a2d1ca8..8280bed8b 100644
--- a/charts/contour/contour/charts/contour/templates/contour/ingressclass.yaml
+++ b/charts/contour/contour/charts/contour/templates/contour/ingressclass.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{ $ingressClass := .Values.contour.ingressClass }}
{{- if kindIs "map" $ingressClass }}
{{- if $ingressClass.create }}
@@ -10,7 +15,9 @@ metadata:
{{- if $ingressClass.default }}
ingressclass.kubernetes.io/is-default-class: "true"
{{- end }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.contour.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: contour
spec:
controller: {{ printf "projectcontour.io/%s/%s-contour" (include "common.names.namespace" .) (include "common.names.fullname" .) }}
diff --git a/charts/contour/contour/charts/contour/templates/contour/networkpolicy.yaml b/charts/contour/contour/charts/contour/templates/contour/networkpolicy.yaml
new file mode 100644
index 000000000..ab8d7a4f2
--- /dev/null
+++ b/charts/contour/contour/charts/contour/templates/contour/networkpolicy.yaml
@@ -0,0 +1,99 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.contour.enabled .Values.contour.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ printf "%s-contour" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: contour
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
+ podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: contour
+ policyTypes:
+ - Ingress
+ - Egress
+ {{- if .Values.contour.networkPolicy.allowExternalEgress }}
+ egress:
+ - {}
+ {{- else }}
+ egress:
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ {{- range $port := .Values.contour.networkPolicy.kubeAPIServerPorts }}
+ - port: {{ $port }}
+ {{- end }}
+ # Allow outbound connections to other contour pods
+ - ports:
+ - port: {{ .Values.contour.containerPorts.xds }}
+ - port: {{ .Values.contour.containerPorts.metrics }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: contour
+ {{- if .Values.envoy.enabled }}
+ # Allow outbound connections to envoy
+ - ports:
+ - port: {{ .Values.envoy.containerPorts.http }}
+ - port: {{ .Values.envoy.containerPorts.https }}
+ - port: {{ .Values.envoy.containerPorts.metrics }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: envoy
+ {{- end }}
+ {{- if .Values.defaultBackend.enabled }}
+ # Allow outbound connections to envoy
+ - ports:
+ - port: {{ .Values.defaultBackend.containerPorts.http }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: default-backend
+ {{- end }}
+ {{- if .Values.contour.networkPolicy.extraEgress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.contour.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ ingress:
+ - ports:
+ - port: {{ .Values.contour.containerPorts.xds }}
+ - port: {{ .Values.contour.containerPorts.metrics }}
+ {{- if not .Values.contour.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ - podSelector:
+ matchLabels:
+ {{ template "common.names.fullname" . }}-client: "true"
+ {{- if .Values.contour.networkPolicy.ingressNSMatchLabels }}
+ - namespaceSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.contour.networkPolicy.ingressNSMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- if .Values.contour.networkPolicy.ingressNSPodMatchLabels }}
+ podSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.contour.networkPolicy.ingressNSPodMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.contour.networkPolicy.extraIngress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.contour.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/contour/contour/charts/contour/templates/contour/poddisruptionbudget.yaml b/charts/contour/contour/charts/contour/templates/contour/poddisruptionbudget.yaml
new file mode 100644
index 000000000..c057f528b
--- /dev/null
+++ b/charts/contour/contour/charts/contour/templates/contour/poddisruptionbudget.yaml
@@ -0,0 +1,30 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+{{- $replicaCount := int .Values.contour.replicaCount }}
+{{- if and .Values.contour.enabled .Values.contour.pdb.create (gt $replicaCount 1) }}
+apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+ name: {{ printf "%s-contour" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.contour.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: contour
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.contour.pdb.minAvailable }}
+ minAvailable: {{ .Values.contour.pdb.minAvailable }}
+ {{- end }}
+ {{- if or .Values.contour.pdb.maxUnavailable ( not .Values.contour.pdb.minAvailable ) }}
+ maxUnavailable: {{ .Values.contour.pdb.maxUnavailable | default 1 }}
+ {{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.contour.podLabels .Values.commonLabels ) "context" . ) }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: contour
+{{- end }}
diff --git a/charts/contour/contour/charts/contour/templates/contour/rbac.yaml b/charts/contour/contour/charts/contour/templates/contour/rbac.yaml
index 2e790a581..4625fb974 100644
--- a/charts/contour/contour/charts/contour/templates/contour/rbac.yaml
+++ b/charts/contour/contour/charts/contour/templates/contour/rbac.yaml
@@ -1,12 +1,16 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{- if and .Values.rbac.create .Values.contour.enabled }}
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRole
metadata:
name: {{ printf "%s-contour" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.contour.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
@@ -18,7 +22,9 @@ rules:
verbs:
- create
- get
+ - list
- update
+ - watch
- apiGroups:
- ""
resources:
@@ -88,6 +94,7 @@ rules:
- udproutes
- referencepolicies
- referencegrants
+ - backendtlspolicies
verbs:
- get
- list
@@ -154,6 +161,14 @@ rules:
- create
- get
- update
+ - apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - get
+ - list
+ - watch
{{- if .Values.rbac.rules }}
{{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }}
{{- end }}
@@ -162,7 +177,9 @@ apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRoleBinding
metadata:
name: {{ printf "%s-contour" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.contour.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@@ -177,10 +194,9 @@ kind: Role
metadata:
name: {{ printf "%s-contour" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.contour.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
@@ -207,7 +223,9 @@ kind: RoleBinding
metadata:
name: {{ printf "%s-contour-role" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.contour.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
diff --git a/charts/contour/contour/charts/contour/templates/contour/service.yaml b/charts/contour/contour/charts/contour/templates/contour/service.yaml
index 4dbbf8358..c879b7958 100644
--- a/charts/contour/contour/charts/contour/templates/contour/service.yaml
+++ b/charts/contour/contour/charts/contour/templates/contour/service.yaml
@@ -1,21 +1,22 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{- if .Values.contour.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.contour.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: contour
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
- annotations:
- {{- if .Values.contour.service.annotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.contour.service.annotations "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
+ {{- if or .Values.contour.service.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.contour.service.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
spec:
type: {{ .Values.contour.service.type }}
{{- if or (eq .Values.contour.service.type "LoadBalancer") (eq .Values.contour.service.type "NodePort") }}
@@ -52,7 +53,8 @@ spec:
{{- if .Values.contour.service.extraPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.contour.service.extraPorts "context" $) | nindent 4 }}
{{- end }}
- selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.contour.podLabels .Values.commonLabels ) "context" . ) }}
+ selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: contour
{{- if .Values.metrics.serviceMonitor.enabled }}
---
@@ -61,12 +63,13 @@ kind: Service
metadata:
name: {{ printf "%s-contour-metrics" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: contour
spec:
type: ClusterIP
clusterIP: None
- selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.contour.podLabels .Values.commonLabels ) "context" . ) }}
+ selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: contour
ports:
- name: metrics
diff --git a/charts/contour/contour/charts/contour/templates/contour/serviceaccount.yaml b/charts/contour/contour/charts/contour/templates/contour/serviceaccount.yaml
index 3fcfaf434..4968079dc 100644
--- a/charts/contour/contour/charts/contour/templates/contour/serviceaccount.yaml
+++ b/charts/contour/contour/charts/contour/templates/contour/serviceaccount.yaml
@@ -1,22 +1,21 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{- if and .Values.contour.serviceAccount.create .Values.contour.enabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "contour.contourServiceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.contour.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: contour
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if or .Values.contour.serviceAccount.annotations .Values.commonAnnotations }}
- annotations:
- {{- if .Values.commonAnnotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.contour.serviceAccount.annotations }}
- {{- include "common.tplvalues.render" (dict "value" .Values.contour.serviceAccount.annotations "context" $) | nindent 4 }}
- {{- end }}
+ {{- $mergedAnnotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.contour.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
+ {{- if $mergedAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $mergedAnnotations "context" $ ) | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.contour.serviceAccount.automountServiceAccountToken }}
{{- end }}
diff --git a/charts/contour/contour/charts/contour/templates/contour/servicemonitor.yaml b/charts/contour/contour/charts/contour/templates/contour/servicemonitor.yaml
index f502cf037..94671c8f6 100644
--- a/charts/contour/contour/charts/contour/templates/contour/servicemonitor.yaml
+++ b/charts/contour/contour/charts/contour/templates/contour/servicemonitor.yaml
@@ -1,28 +1,29 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{- if and .Values.metrics.serviceMonitor.enabled .Values.contour.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ printf "%s-contour" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ default (include "common.names.namespace" .) .Values.metrics.serviceMonitor.namespace }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.contour.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: contour
- {{- if .Values.metrics.serviceMonitor.labels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.labels "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel | quote }}
selector:
- matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: contour
- {{- if .Values.metrics.serviceMonitor.selector }}
- {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 4 }}
- {{- end }}
+ {{- if .Values.metrics.serviceMonitor.selector }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }}
+ {{- end }}
namespaceSelector:
matchNames:
- {{ include "common.names.namespace" . | quote }}
diff --git a/charts/contour/contour/charts/contour/templates/crds/contour-crds.yaml b/charts/contour/contour/charts/contour/templates/crds/contour-crds.yaml
new file mode 100644
index 000000000..dd05d4894
--- /dev/null
+++ b/charts/contour/contour/charts/contour/templates/crds/contour-crds.yaml
@@ -0,0 +1,8671 @@
+# Source: https://raw.githubusercontent.com/projectcontour/contour/v{version}/examples/contour/01-crds.yaml
+# Version: 1.30.0
+# Conditional: .Values.contour.manageCRDs
+{{- if .Values.contour.manageCRDs }}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.15.0
+ name: contourconfigurations.projectcontour.io
+spec:
+ preserveUnknownFields: false
+ group: projectcontour.io
+ names:
+ kind: ContourConfiguration
+ listKind: ContourConfigurationList
+ plural: contourconfigurations
+ shortNames:
+ - contourconfig
+ singular: contourconfiguration
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: ContourConfiguration is the schema for a Contour instance.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: |-
+ ContourConfigurationSpec represents a configuration of a Contour controller.
+ It contains most of all the options that can be customized, the
+ other remaining options being command line flags.
+ properties:
+ debug:
+ description: |-
+ Debug contains parameters to enable debug logging
+ and debug interfaces inside Contour.
+ properties:
+ address:
+ description: |-
+ Defines the Contour debug address interface.
+ Contour's default is "127.0.0.1".
+ type: string
+ port:
+ description: |-
+ Defines the Contour debug address port.
+ Contour's default is 6060.
+ type: integer
+ type: object
+ enableExternalNameService:
+ description: |-
+ EnableExternalNameService allows processing of ExternalNameServices
+ Contour's default is false for security reasons.
+ type: boolean
+ envoy:
+ description: |-
+ Envoy contains parameters for Envoy as well
+ as how to optionally configure a managed Envoy fleet.
+ properties:
+ clientCertificate:
+ description: |-
+ ClientCertificate defines the namespace/name of the Kubernetes
+ secret containing the client certificate and private key
+ to be used when establishing TLS connection to upstream
+ cluster.
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ type: object
+ cluster:
+ description: |-
+ Cluster holds various configurable Envoy cluster values that can
+ be set in the config file.
+ properties:
+ circuitBreakers:
+ description: |-
+ GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services.
+ If defined, this will be used as the default for all services.
+ properties:
+ maxConnections:
+ description: The maximum number of connections that a
+ single Envoy instance allows to the Kubernetes Service;
+ defaults to 1024.
+ format: int32
+ type: integer
+ maxPendingRequests:
+ description: The maximum number of pending requests that
+ a single Envoy instance allows to the Kubernetes Service;
+ defaults to 1024.
+ format: int32
+ type: integer
+ maxRequests:
+ description: The maximum parallel requests a single Envoy
+ instance allows to the Kubernetes Service; defaults
+ to 1024
+ format: int32
+ type: integer
+ maxRetries:
+ description: The maximum number of parallel retries a
+ single Envoy instance allows to the Kubernetes Service;
+ defaults to 3.
+ format: int32
+ type: integer
+ perHostMaxConnections:
+ description: |-
+ PerHostMaxConnections is the maximum number of connections
+ that Envoy will allow to each individual host in a cluster.
+ format: int32
+ type: integer
+ type: object
+ dnsLookupFamily:
+ description: |-
+ DNSLookupFamily defines how external names are looked up
+ When configured as V4, the DNS resolver will only perform a lookup
+ for addresses in the IPv4 family. If V6 is configured, the DNS resolver
+ will only perform a lookup for addresses in the IPv6 family.
+ If AUTO is configured, the DNS resolver will first perform a lookup
+ for addresses in the IPv6 family and fallback to a lookup for addresses
+ in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for
+ both IPv4 and IPv6 families, and return all resolved addresses.
+ When this is used, Happy Eyeballs will be enabled for upstream connections.
+ Refer to Happy Eyeballs Support for more information.
+ Note: This only applies to externalName clusters.
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily
+ for more information.
+ Values: `auto` (default), `v4`, `v6`, `all`.
+ Other values will produce an error.
+ type: string
+ maxRequestsPerConnection:
+ description: |-
+ Defines the maximum requests for upstream connections. If not specified, there is no limit.
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions
+ for more information.
+ format: int32
+ minimum: 1
+ type: integer
+ per-connection-buffer-limit-bytes:
+ description: |-
+ Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes.
+ If unspecified, an implementation defined default is applied (1MiB).
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes
+ for more information.
+ format: int32
+ minimum: 1
+ type: integer
+ upstreamTLS:
+ description: UpstreamTLS contains the TLS policy parameters
+ for upstream connections
+ properties:
+ cipherSuites:
+ description: |-
+ CipherSuites defines the TLS ciphers to be supported by Envoy TLS
+ listeners when negotiating TLS 1.2. Ciphers are validated against the
+ set that Envoy supports by default. This parameter should only be used
+ by advanced users. Note that these will be ignored when TLS 1.3 is in
+ use.
+ This field is optional; when it is undefined, a Contour-managed ciphersuite list
+ will be used, which may be updated to keep it secure.
+ Contour's default list is:
+ - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
+ - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
+ - "ECDHE-ECDSA-AES256-GCM-SHA384"
+ - "ECDHE-RSA-AES256-GCM-SHA384"
+ Ciphers provided are validated against the following list:
+ - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
+ - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
+ - "ECDHE-ECDSA-AES128-GCM-SHA256"
+ - "ECDHE-RSA-AES128-GCM-SHA256"
+ - "ECDHE-ECDSA-AES128-SHA"
+ - "ECDHE-RSA-AES128-SHA"
+ - "AES128-GCM-SHA256"
+ - "AES128-SHA"
+ - "ECDHE-ECDSA-AES256-GCM-SHA384"
+ - "ECDHE-RSA-AES256-GCM-SHA384"
+ - "ECDHE-ECDSA-AES256-SHA"
+ - "ECDHE-RSA-AES256-SHA"
+ - "AES256-GCM-SHA384"
+ - "AES256-SHA"
+ Contour recommends leaving this undefined unless you are sure you must.
+ See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
+ Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS.
+ items:
+ type: string
+ type: array
+ maximumProtocolVersion:
+ description: |-
+ MaximumProtocolVersion is the maximum TLS version this vhost should
+ negotiate.
+ Values: `1.2`, `1.3`(default).
+ Other values will produce an error.
+ type: string
+ minimumProtocolVersion:
+ description: |-
+ MinimumProtocolVersion is the minimum TLS version this vhost should
+ negotiate.
+ Values: `1.2` (default), `1.3`.
+ Other values will produce an error.
+ type: string
+ type: object
+ type: object
+ defaultHTTPVersions:
+ description: |-
+ DefaultHTTPVersions defines the default set of HTTPS
+ versions the proxy should accept. HTTP versions are
+ strings of the form "HTTP/xx". Supported versions are
+ "HTTP/1.1" and "HTTP/2".
+ Values: `HTTP/1.1`, `HTTP/2` (default: both).
+ Other values will produce an error.
+ items:
+ description: HTTPVersionType is the name of a supported HTTP
+ version.
+ type: string
+ type: array
+ health:
+ description: |-
+ Health defines the endpoint Envoy uses to serve health checks.
+ Contour's default is { address: "0.0.0.0", port: 8002 }.
+ properties:
+ address:
+ description: Defines the health address interface.
+ minLength: 1
+ type: string
+ port:
+ description: Defines the health port.
+ type: integer
+ type: object
+ http:
+ description: |-
+ Defines the HTTP Listener for Envoy.
+ Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }.
+ properties:
+ accessLog:
+ description: AccessLog defines where Envoy logs are outputted
+ for this listener.
+ type: string
+ address:
+ description: Defines an Envoy Listener Address.
+ minLength: 1
+ type: string
+ port:
+ description: Defines an Envoy listener Port.
+ type: integer
+ type: object
+ https:
+ description: |-
+ Defines the HTTPS Listener for Envoy.
+ Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }.
+ properties:
+ accessLog:
+ description: AccessLog defines where Envoy logs are outputted
+ for this listener.
+ type: string
+ address:
+ description: Defines an Envoy Listener Address.
+ minLength: 1
+ type: string
+ port:
+ description: Defines an Envoy listener Port.
+ type: integer
+ type: object
+ listener:
+ description: Listener hold various configurable Envoy listener
+ values.
+ properties:
+ connectionBalancer:
+ description: |-
+ ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig
+ for more information.
+ Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer.
+ Other values will produce an error.
+ type: string
+ disableAllowChunkedLength:
+ description: |-
+ DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to
+ strip the "Content-Length" header if "Transfer-Encoding: chunked" is
+ also set. This is an emergency off-switch to revert back to Envoy's
+ default behavior in case of failures. Please file an issue if failures
+ are encountered.
+ See: https://github.com/projectcontour/contour/issues/3221
+ Contour's default is false.
+ type: boolean
+ disableMergeSlashes:
+ description: |-
+ DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option
+ which strips duplicate slashes from request URL paths.
+ Contour's default is false.
+ type: boolean
+ httpMaxConcurrentStreams:
+ description: |-
+ Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the
+ SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed
+ for a peer on a single HTTP/2 connection. It is recommended to not set this lower
+ than 100 but this field can be used to bound resource usage by HTTP/2 connections
+ and mitigate attacks like CVE-2023-44487. The default value when this is not set is
+ unlimited.
+ format: int32
+ minimum: 1
+ type: integer
+ maxConnectionsPerListener:
+ description: |-
+ Defines the limit on number of active connections to a listener. The limit is applied
+ per listener. The default value when this is not set is unlimited.
+ format: int32
+ minimum: 1
+ type: integer
+ maxRequestsPerConnection:
+ description: |-
+ Defines the maximum requests for downstream connections. If not specified, there is no limit.
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions
+ for more information.
+ format: int32
+ minimum: 1
+ type: integer
+ maxRequestsPerIOCycle:
+ description: |-
+ Defines the limit on number of HTTP requests that Envoy will process from a single
+ connection in a single I/O cycle. Requests over this limit are processed in subsequent
+ I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is
+ detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default
+ value when this is not set is no limit.
+ format: int32
+ minimum: 1
+ type: integer
+ per-connection-buffer-limit-bytes:
+ description: |-
+ Defines the soft limit on size of the listener’s new connection read and write buffers in bytes.
+ If unspecified, an implementation defined default is applied (1MiB).
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes
+ for more information.
+ format: int32
+ minimum: 1
+ type: integer
+ serverHeaderTransformation:
+ description: |-
+ Defines the action to be applied to the Server header on the response path.
+ When configured as overwrite, overwrites any Server header with "envoy".
+ When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy".
+ When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present.
+ Values: `overwrite` (default), `append_if_absent`, `pass_through`
+ Other values will produce an error.
+ Contour's default is overwrite.
+ type: string
+ socketOptions:
+ description: |-
+ SocketOptions defines configurable socket options for the listeners.
+ Single set of options are applied to all listeners.
+ properties:
+ tos:
+ description: |-
+ Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners.
+ Single value is applied to all listeners.
+ If listeners are bound to IPv6-only addresses, setting this option will cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ trafficClass:
+ description: |-
+ Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners.
+ Single value is applied to all listeners.
+ If listeners are bound to IPv4-only addresses, setting this option will cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ type: object
+ tls:
+ description: TLS holds various configurable Envoy TLS listener
+ values.
+ properties:
+ cipherSuites:
+ description: |-
+ CipherSuites defines the TLS ciphers to be supported by Envoy TLS
+ listeners when negotiating TLS 1.2. Ciphers are validated against the
+ set that Envoy supports by default. This parameter should only be used
+ by advanced users. Note that these will be ignored when TLS 1.3 is in
+ use.
+ This field is optional; when it is undefined, a Contour-managed ciphersuite list
+ will be used, which may be updated to keep it secure.
+ Contour's default list is:
+ - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
+ - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
+ - "ECDHE-ECDSA-AES256-GCM-SHA384"
+ - "ECDHE-RSA-AES256-GCM-SHA384"
+ Ciphers provided are validated against the following list:
+ - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
+ - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
+ - "ECDHE-ECDSA-AES128-GCM-SHA256"
+ - "ECDHE-RSA-AES128-GCM-SHA256"
+ - "ECDHE-ECDSA-AES128-SHA"
+ - "ECDHE-RSA-AES128-SHA"
+ - "AES128-GCM-SHA256"
+ - "AES128-SHA"
+ - "ECDHE-ECDSA-AES256-GCM-SHA384"
+ - "ECDHE-RSA-AES256-GCM-SHA384"
+ - "ECDHE-ECDSA-AES256-SHA"
+ - "ECDHE-RSA-AES256-SHA"
+ - "AES256-GCM-SHA384"
+ - "AES256-SHA"
+ Contour recommends leaving this undefined unless you are sure you must.
+ See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
+ Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS.
+ items:
+ type: string
+ type: array
+ maximumProtocolVersion:
+ description: |-
+ MaximumProtocolVersion is the maximum TLS version this vhost should
+ negotiate.
+ Values: `1.2`, `1.3`(default).
+ Other values will produce an error.
+ type: string
+ minimumProtocolVersion:
+ description: |-
+ MinimumProtocolVersion is the minimum TLS version this vhost should
+ negotiate.
+ Values: `1.2` (default), `1.3`.
+ Other values will produce an error.
+ type: string
+ type: object
+ useProxyProtocol:
+ description: |-
+ Use PROXY protocol for all listeners.
+ Contour's default is false.
+ type: boolean
+ type: object
+ logging:
+ description: Logging defines how Envoy's logs can be configured.
+ properties:
+ accessLogFormat:
+ description: |-
+ AccessLogFormat sets the global access log format.
+ Values: `envoy` (default), `json`.
+ Other values will produce an error.
+ type: string
+ accessLogFormatString:
+ description: |-
+ AccessLogFormatString sets the access log format when format is set to `envoy`.
+ When empty, Envoy's default format is used.
+ type: string
+ accessLogJSONFields:
+ description: |-
+ AccessLogJSONFields sets the fields that JSON logging will
+ output when AccessLogFormat is json.
+ items:
+ type: string
+ type: array
+ accessLogLevel:
+ description: |-
+ AccessLogLevel sets the verbosity level of the access log.
+ Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`.
+ Other values will produce an error.
+ type: string
+ type: object
+ metrics:
+ description: |-
+ Metrics defines the endpoint Envoy uses to serve metrics.
+ Contour's default is { address: "0.0.0.0", port: 8002 }.
+ properties:
+ address:
+ description: Defines the metrics address interface.
+ maxLength: 253
+ minLength: 1
+ type: string
+ port:
+ description: Defines the metrics port.
+ type: integer
+ tls:
+ description: |-
+ TLS holds TLS file config details.
+ Metrics and health endpoints cannot have same port number when metrics is served over HTTPS.
+ properties:
+ caFile:
+ description: CA filename.
+ type: string
+ certFile:
+ description: Client certificate filename.
+ type: string
+ keyFile:
+ description: Client key filename.
+ type: string
+ type: object
+ type: object
+ network:
+ description: Network holds various configurable Envoy network
+ values.
+ properties:
+ adminPort:
+ description: |-
+ Configure the port used to access the Envoy Admin interface.
+ If configured to port "0" then the admin interface is disabled.
+ Contour's default is 9001.
+ type: integer
+ numTrustedHops:
+ description: |-
+ XffNumTrustedHops defines the number of additional ingress proxy hops from the
+ right side of the x-forwarded-for HTTP header to trust when determining the origin
+ client’s IP address.
+ See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops
+ for more information.
+ Contour's default is 0.
+ format: int32
+ type: integer
+ type: object
+ service:
+ description: |-
+ Service holds Envoy service parameters for setting Ingress status.
+ Contour's default is { namespace: "projectcontour", name: "envoy" }.
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ type: object
+ timeouts:
+ description: |-
+ Timeouts holds various configurable timeouts that can
+ be set in the config file.
+ properties:
+ connectTimeout:
+ description: |-
+ ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service.
+ If not set, a default value of 2 seconds will be used.
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout
+ for more information.
+ type: string
+ connectionIdleTimeout:
+ description: |-
+ ConnectionIdleTimeout defines how long the proxy should wait while there are
+ no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating
+ an HTTP connection. Set to "infinity" to disable the timeout entirely.
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout
+ for more information.
+ type: string
+ connectionShutdownGracePeriod:
+ description: |-
+ ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an
+ initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection.
+ During this grace period, the proxy will continue to respond to new streams. After the final
+ GOAWAY frame has been sent, the proxy will refuse new streams.
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout
+ for more information.
+ type: string
+ delayedCloseTimeout:
+ description: |-
+ DelayedCloseTimeout defines how long envoy will wait, once connection
+ close processing has been initiated, for the downstream peer to close
+ the connection before Envoy closes the socket associated with the connection.
+ Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0'
+ in Envoy. Leaving it unset will result in the Envoy default value being used.
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout
+ for more information.
+ type: string
+ maxConnectionDuration:
+ description: |-
+ MaxConnectionDuration defines the maximum period of time after an HTTP connection
+ has been established from the client to the proxy before it is closed by the proxy,
+ regardless of whether there has been activity or not. Omit or set to "infinity" for
+ no max duration.
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration
+ for more information.
+ type: string
+ requestTimeout:
+ description: |-
+ RequestTimeout sets the client request timeout globally for Contour. Note that
+ this is a timeout for the entire request, not an idle timeout. Omit or set to
+ "infinity" to disable the timeout entirely.
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout
+ for more information.
+ type: string
+ streamIdleTimeout:
+ description: |-
+ StreamIdleTimeout defines how long the proxy should wait while there is no
+ request activity (for HTTP/1.1) or stream activity (for HTTP/2) before
+ terminating the HTTP request or stream. Set to "infinity" to disable the
+ timeout entirely.
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout
+ for more information.
+ type: string
+ type: object
+ type: object
+ featureFlags:
+ description: |-
+ FeatureFlags defines toggle to enable new contour features.
+ Available toggles are:
+ useEndpointSlices - Configures contour to fetch endpoint data
+ from k8s endpoint slices. defaults to true,
+ If false then reads endpoint data from the k8s endpoints.
+ items:
+ type: string
+ type: array
+ gateway:
+ description: |-
+ Gateway contains parameters for the gateway-api Gateway that Contour
+ is configured to serve traffic.
+ properties:
+ gatewayRef:
+ description: |-
+ GatewayRef defines the specific Gateway that this Contour
+ instance corresponds to.
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ type: object
+ required:
+ - gatewayRef
+ type: object
+ globalExtAuth:
+ description: |-
+ GlobalExternalAuthorization allows envoys external authorization filter
+ to be enabled for all virtual hosts.
+ properties:
+ authPolicy:
+ description: |-
+ AuthPolicy sets a default authorization policy for client requests.
+ This policy will be used unless overridden by individual routes.
+ properties:
+ context:
+ additionalProperties:
+ type: string
+ description: |-
+ Context is a set of key/value pairs that are sent to the
+ authentication server in the check request. If a context
+ is provided at an enclosing scope, the entries are merged
+ such that the inner scope overrides matching keys from the
+ outer scope.
+ type: object
+ disabled:
+ description: |-
+ When true, this field disables client request authentication
+ for the scope of the policy.
+ type: boolean
+ type: object
+ extensionRef:
+ description: ExtensionServiceRef specifies the extension resource
+ that will authorize client requests.
+ properties:
+ apiVersion:
+ description: |-
+ API version of the referent.
+ If this field is not specified, the default "projectcontour.io/v1alpha1" will be used
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace of the referent.
+ If this field is not specifies, the namespace of the resource that targets the referent will be used.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+ minLength: 1
+ type: string
+ type: object
+ failOpen:
+ description: |-
+ If FailOpen is true, the client request is forwarded to the upstream service
+ even if the authorization server fails to respond. This field should not be
+ set in most cases. It is intended for use only while migrating applications
+ from internal authorization to Contour external authorization.
+ type: boolean
+ responseTimeout:
+ description: |-
+ ResponseTimeout configures maximum time to wait for a check response from the authorization server.
+ Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
+ Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ The string "infinity" is also a valid input and specifies no timeout.
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
+ type: string
+ withRequestBody:
+ description: WithRequestBody specifies configuration for sending
+ the client request's body to authorization server.
+ properties:
+ allowPartialMessage:
+ description: If AllowPartialMessage is true, then Envoy will
+ buffer the body until MaxRequestBytes are reached.
+ type: boolean
+ maxRequestBytes:
+ default: 1024
+ description: MaxRequestBytes sets the maximum size of message
+ body ExtAuthz filter will hold in-memory.
+ format: int32
+ minimum: 1
+ type: integer
+ packAsBytes:
+ description: If PackAsBytes is true, the body sent to Authorization
+ Server is in raw bytes.
+ type: boolean
+ type: object
+ type: object
+ health:
+ description: |-
+ Health defines the endpoints Contour uses to serve health checks.
+ Contour's default is { address: "0.0.0.0", port: 8000 }.
+ properties:
+ address:
+ description: Defines the health address interface.
+ minLength: 1
+ type: string
+ port:
+ description: Defines the health port.
+ type: integer
+ type: object
+ httpproxy:
+ description: HTTPProxy defines parameters on HTTPProxy.
+ properties:
+ disablePermitInsecure:
+ description: |-
+ DisablePermitInsecure disables the use of the
+ permitInsecure field in HTTPProxy.
+ Contour's default is false.
+ type: boolean
+ fallbackCertificate:
+ description: |-
+ FallbackCertificate defines the namespace/name of the Kubernetes secret to
+ use as fallback when a non-SNI request is received.
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ type: object
+ rootNamespaces:
+ description: Restrict Contour to searching these namespaces for
+ root ingress routes.
+ items:
+ type: string
+ type: array
+ type: object
+ ingress:
+ description: Ingress contains parameters for ingress options.
+ properties:
+ classNames:
+ description: Ingress Class Names Contour should use.
+ items:
+ type: string
+ type: array
+ statusAddress:
+ description: Address to set in Ingress object status.
+ type: string
+ type: object
+ metrics:
+ description: |-
+ Metrics defines the endpoint Contour uses to serve metrics.
+ Contour's default is { address: "0.0.0.0", port: 8000 }.
+ properties:
+ address:
+ description: Defines the metrics address interface.
+ maxLength: 253
+ minLength: 1
+ type: string
+ port:
+ description: Defines the metrics port.
+ type: integer
+ tls:
+ description: |-
+ TLS holds TLS file config details.
+ Metrics and health endpoints cannot have same port number when metrics is served over HTTPS.
+ properties:
+ caFile:
+ description: CA filename.
+ type: string
+ certFile:
+ description: Client certificate filename.
+ type: string
+ keyFile:
+ description: Client key filename.
+ type: string
+ type: object
+ type: object
+ policy:
+ description: Policy specifies default policy applied if not overridden
+ by the user
+ properties:
+ applyToIngress:
+ description: |-
+ ApplyToIngress determines if the Policies will apply to ingress objects
+ Contour's default is false.
+ type: boolean
+ requestHeaders:
+ description: RequestHeadersPolicy defines the request headers
+ set/removed on all routes
+ properties:
+ remove:
+ items:
+ type: string
+ type: array
+ set:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ responseHeaders:
+ description: ResponseHeadersPolicy defines the response headers
+ set/removed on all routes
+ properties:
+ remove:
+ items:
+ type: string
+ type: array
+ set:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ rateLimitService:
+ description: |-
+ RateLimitService optionally holds properties of the Rate Limit Service
+ to be used for global rate limiting.
+ properties:
+ defaultGlobalRateLimitPolicy:
+ description: |-
+ DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy.
+ HTTPProxy can overwrite this configuration.
+ properties:
+ descriptors:
+ description: |-
+ Descriptors defines the list of descriptors that will
+ be generated and sent to the rate limit service. Each
+ descriptor contains 1+ key-value pair entries.
+ items:
+ description: RateLimitDescriptor defines a list of key-value
+ pair generators.
+ properties:
+ entries:
+ description: Entries is the list of key-value pair generators.
+ items:
+ description: |-
+ RateLimitDescriptorEntry is a key-value pair generator. Exactly
+ one field on this struct must be non-nil.
+ properties:
+ genericKey:
+ description: GenericKey defines a descriptor entry
+ with a static key and value.
+ properties:
+ key:
+ description: |-
+ Key defines the key of the descriptor entry. If not set, the
+ key is set to "generic_key".
+ type: string
+ value:
+ description: Value defines the value of the
+ descriptor entry.
+ minLength: 1
+ type: string
+ type: object
+ remoteAddress:
+ description: |-
+ RemoteAddress defines a descriptor entry with a key of "remote_address"
+ and a value equal to the client's IP address (from x-forwarded-for).
+ type: object
+ requestHeader:
+ description: |-
+ RequestHeader defines a descriptor entry that's populated only if
+ a given header is present on the request. The descriptor key is static,
+ and the descriptor value is equal to the value of the header.
+ properties:
+ descriptorKey:
+ description: DescriptorKey defines the key
+ to use on the descriptor entry.
+ minLength: 1
+ type: string
+ headerName:
+ description: HeaderName defines the name of
+ the header to look for on the request.
+ minLength: 1
+ type: string
+ type: object
+ requestHeaderValueMatch:
+ description: |-
+ RequestHeaderValueMatch defines a descriptor entry that's populated
+ if the request's headers match a set of 1+ match criteria. The
+ descriptor key is "header_match", and the descriptor value is static.
+ properties:
+ expectMatch:
+ default: true
+ description: |-
+ ExpectMatch defines whether the request must positively match the match
+ criteria in order to generate a descriptor entry (i.e. true), or not
+ match the match criteria in order to generate a descriptor entry (i.e. false).
+ The default is true.
+ type: boolean
+ headers:
+ description: |-
+ Headers is a list of 1+ match criteria to apply against the request
+ to determine whether to populate the descriptor entry or not.
+ items:
+ description: |-
+ HeaderMatchCondition specifies how to conditionally match against HTTP
+ headers. The Name field is required, only one of Present, NotPresent,
+ Contains, NotContains, Exact, NotExact and Regex can be set.
+ For negative matching rules only (e.g. NotContains or NotExact) you can set
+ TreatMissingAsEmpty.
+ IgnoreCase has no effect for Regex.
+ properties:
+ contains:
+ description: |-
+ Contains specifies a substring that must be present in
+ the header value.
+ type: string
+ exact:
+ description: Exact specifies a string
+ that the header value must be equal
+ to.
+ type: string
+ ignoreCase:
+ description: |-
+ IgnoreCase specifies that string matching should be case insensitive.
+ Note that this has no effect on the Regex parameter.
+ type: boolean
+ name:
+ description: |-
+ Name is the name of the header to match against. Name is required.
+ Header names are case insensitive.
+ type: string
+ notcontains:
+ description: |-
+ NotContains specifies a substring that must not be present
+ in the header value.
+ type: string
+ notexact:
+ description: |-
+ NoExact specifies a string that the header value must not be
+ equal to. The condition is true if the header has any other value.
+ type: string
+ notpresent:
+ description: |-
+ NotPresent specifies that condition is true when the named header
+ is not present. Note that setting NotPresent to false does not
+ make the condition true if the named header is present.
+ type: boolean
+ present:
+ description: |-
+ Present specifies that condition is true when the named header
+ is present, regardless of its value. Note that setting Present
+ to false does not make the condition true if the named header
+ is absent.
+ type: boolean
+ regex:
+ description: |-
+ Regex specifies a regular expression pattern that must match the header
+ value.
+ type: string
+ treatMissingAsEmpty:
+ description: |-
+ TreatMissingAsEmpty specifies if the header match rule specified header
+ does not exist, this header value will be treated as empty. Defaults to false.
+ Unlike the underlying Envoy implementation this is **only** supported for
+ negative matches (e.g. NotContains, NotExact).
+ type: boolean
+ required:
+ - name
+ type: object
+ minItems: 1
+ type: array
+ value:
+ description: Value defines the value of the
+ descriptor entry.
+ minLength: 1
+ type: string
+ type: object
+ type: object
+ minItems: 1
+ type: array
+ type: object
+ minItems: 1
+ type: array
+ disabled:
+ description: |-
+ Disabled configures the HTTPProxy to not use
+ the default global rate limit policy defined by the Contour configuration.
+ type: boolean
+ type: object
+ domain:
+ description: Domain is passed to the Rate Limit Service.
+ type: string
+ enableResourceExhaustedCode:
+ description: |-
+ EnableResourceExhaustedCode enables translating error code 429 to
+ grpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE
+ type: boolean
+ enableXRateLimitHeaders:
+ description: |-
+ EnableXRateLimitHeaders defines whether to include the X-RateLimit
+ headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset
+ (as defined by the IETF Internet-Draft linked below), on responses
+ to clients when the Rate Limit Service is consulted for a request.
+ ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html
+ type: boolean
+ extensionService:
+ description: ExtensionService identifies the extension service
+ defining the RLS.
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ type: object
+ failOpen:
+ description: |-
+ FailOpen defines whether to allow requests to proceed when the
+ Rate Limit Service fails to respond with a valid rate limit
+ decision within the timeout defined on the extension service.
+ type: boolean
+ required:
+ - extensionService
+ type: object
+ tracing:
+ description: Tracing defines properties for exporting trace data to
+ OpenTelemetry.
+ properties:
+ customTags:
+ description: CustomTags defines a list of custom tags with unique
+ tag name.
+ items:
+ description: |-
+ CustomTag defines custom tags with unique tag name
+ to create tags for the active span.
+ properties:
+ literal:
+ description: |-
+ Literal is a static custom tag value.
+ Precisely one of Literal, RequestHeaderName must be set.
+ type: string
+ requestHeaderName:
+ description: |-
+ RequestHeaderName indicates which request header
+ the label value is obtained from.
+ Precisely one of Literal, RequestHeaderName must be set.
+ type: string
+ tagName:
+ description: TagName is the unique name of the custom tag.
+ type: string
+ required:
+ - tagName
+ type: object
+ type: array
+ extensionService:
+ description: ExtensionService identifies the extension service
+ defining the otel-collector.
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ type: object
+ includePodDetail:
+ description: |-
+ IncludePodDetail defines a flag.
+ If it is true, contour will add the pod name and namespace to the span of the trace.
+ the default is true.
+ Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly.
+ type: boolean
+ maxPathTagLength:
+ description: |-
+ MaxPathTagLength defines maximum length of the request path
+ to extract and include in the HttpUrl tag.
+ contour's default is 256.
+ format: int32
+ type: integer
+ overallSampling:
+ description: |-
+ OverallSampling defines the sampling rate of trace data.
+ contour's default is 100.
+ type: string
+ serviceName:
+ description: |-
+ ServiceName defines the name for the service.
+ contour's default is contour.
+ type: string
+ required:
+ - extensionService
+ type: object
+ xdsServer:
+ description: XDSServer contains parameters for the xDS server.
+ properties:
+ address:
+ description: |-
+ Defines the xDS gRPC API address which Contour will serve.
+ Contour's default is "0.0.0.0".
+ minLength: 1
+ type: string
+ port:
+ description: |-
+ Defines the xDS gRPC API port which Contour will serve.
+ Contour's default is 8001.
+ type: integer
+ tls:
+ description: |-
+ TLS holds TLS file config details.
+ Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }.
+ properties:
+ caFile:
+ description: CA filename.
+ type: string
+ certFile:
+ description: Client certificate filename.
+ type: string
+ insecure:
+ description: Allow serving the xDS gRPC API without TLS.
+ type: boolean
+ keyFile:
+ description: Client key filename.
+ type: string
+ type: object
+ type:
+ description: |-
+ Defines the XDSServer to use for `contour serve`.
+ Values: `envoy` (default), `contour (deprecated)`.
+ Other values will produce an error.
+ Deprecated: this field will be removed in a future release when
+ the `contour` xDS server implementation is removed.
+ type: string
+ type: object
+ type: object
+ status:
+ description: ContourConfigurationStatus defines the observed state of
+ a ContourConfiguration resource.
+ properties:
+ conditions:
+ description: |-
+ Conditions contains the current status of the Contour resource.
+ Contour will update a single condition, `Valid`, that is in normal-true polarity.
+ Contour will not modify any other Conditions set in this block,
+ in case some other controller wants to add a Condition.
+ items:
+ description: |-
+ DetailedCondition is an extension of the normal Kubernetes conditions, with two extra
+ fields to hold sub-conditions, which provide more detailed reasons for the state (True or False)
+ of the condition.
+ `errors` holds information about sub-conditions which are fatal to that condition and render its state False.
+ `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False.
+ Remember that Conditions have a type, a status, and a reason.
+ The type is the type of the condition, the most important one in this CRD set is `Valid`.
+ `Valid` is a positive-polarity condition: when it is `status: true` there are no problems.
+ In more detail, `status: true` means that the object is has been ingested into Contour with no errors.
+ `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors`
+ slice in this case.
+ `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour.
+ The details of the errors will be present under the `errors` field. There must be at least one error in the `errors`
+ slice if `status` is `false`.
+ For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity.
+ When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice.
+ When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice.
+ In either case, there may be entries in the `warnings` slice.
+ Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason
+ (if there is one and only one entry in total across both the `errors` and `warnings` slices), or
+ `MultipleReasons` if there is more than one entry.
+ properties:
+ errors:
+ description: |-
+ Errors contains a slice of relevant error subconditions for this object.
+ Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant.
+ An empty slice here indicates no errors.
+ items:
+ description: |-
+ SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
+ It contains a subset of the Condition fields.
+ It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
+ that is, they should be of the form "ErrorPresent: true".
+ The expected lifecycle for these errors is that they should only be present when the error or warning is,
+ and should be removed when they are not relevant.
+ properties:
+ message:
+ description: |-
+ Message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ reason:
+ description: |-
+ Reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: Status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
+ This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ warnings:
+ description: |-
+ Warnings contains a slice of relevant warning subconditions for this object.
+ Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant.
+ An empty slice here indicates no warnings.
+ items:
+ description: |-
+ SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
+ It contains a subset of the Condition fields.
+ It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
+ that is, they should be of the form "ErrorPresent: true".
+ The expected lifecycle for these errors is that they should only be present when the error or warning is,
+ and should be removed when they are not relevant.
+ properties:
+ message:
+ description: |-
+ Message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ reason:
+ description: |-
+ Reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: Status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
+ This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.15.0
+ name: contourdeployments.projectcontour.io
+spec:
+ preserveUnknownFields: false
+ group: projectcontour.io
+ names:
+ kind: ContourDeployment
+ listKind: ContourDeploymentList
+ plural: contourdeployments
+ shortNames:
+ - contourdeploy
+ singular: contourdeployment
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: ContourDeployment is the schema for a Contour Deployment.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: |-
+ ContourDeploymentSpec specifies options for how a Contour
+ instance should be provisioned.
+ properties:
+ contour:
+ description: |-
+ Contour specifies deployment-time settings for the Contour
+ part of the installation, i.e. the xDS server/control plane
+ and associated resources, including things like replica count
+ for the Deployment, and node placement constraints for the pods.
+ properties:
+ deployment:
+ description: Deployment describes the settings for running contour
+ as a `Deployment`.
+ properties:
+ replicas:
+ description: Replicas is the desired number of replicas.
+ format: int32
+ minimum: 0
+ type: integer
+ strategy:
+ description: Strategy describes the deployment strategy to
+ use to replace existing pods with new pods.
+ properties:
+ rollingUpdate:
+ description: |-
+ Rolling update config params. Present only if DeploymentStrategyType =
+ RollingUpdate.
+ ---
+ TODO: Update this to follow our convention for oneOf, whatever we decide it
+ to be.
+ properties:
+ maxSurge:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of pods that can be scheduled above the desired number of
+ pods.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ This can not be 0 if MaxUnavailable is 0.
+ Absolute number is calculated from percentage by rounding up.
+ Defaults to 25%.
+ Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
+ the rolling update starts, such that the total number of old and new pods do not exceed
+ 130% of desired pods. Once old pods have been killed,
+ new ReplicaSet can be scaled up further, ensuring that total number of pods running
+ at any time during the update is at most 130% of desired pods.
+ x-kubernetes-int-or-string: true
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of pods that can be unavailable during the update.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ Absolute number is calculated from percentage by rounding down.
+ This can not be 0 if MaxSurge is 0.
+ Defaults to 25%.
+ Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
+ immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
+ can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
+ that the total number of pods available at all times during the update is at
+ least 70% of desired pods.
+ x-kubernetes-int-or-string: true
+ type: object
+ type:
+ description: Type of deployment. Can be "Recreate" or
+ "RollingUpdate". Default is RollingUpdate.
+ type: string
+ type: object
+ type: object
+ disabledFeatures:
+ description: |-
+ DisabledFeatures defines an array of resources that will be ignored by
+ contour reconciler.
+ items:
+ enum:
+ - grpcroutes
+ - tlsroutes
+ - extensionservices
+ - backendtlspolicies
+ type: string
+ maxItems: 42
+ minItems: 1
+ type: array
+ kubernetesLogLevel:
+ description: |-
+ KubernetesLogLevel Enable Kubernetes client debug logging with log level. If unset,
+ defaults to 0.
+ maximum: 9
+ minimum: 0
+ type: integer
+ logLevel:
+ description: |-
+ LogLevel sets the log level for Contour
+ Allowed values are "info", "debug".
+ type: string
+ nodePlacement:
+ description: NodePlacement describes node scheduling configuration
+ of Contour pods.
+ properties:
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ NodeSelector is the simplest recommended form of node selection constraint
+ and specifies a map of key-value pairs. For the pod to be eligible
+ to run on a node, the node must have each of the indicated key-value pairs
+ as labels (it can have additional labels as well).
+ If unset, the pod(s) will be scheduled to any available node.
+ type: object
+ tolerations:
+ description: |-
+ Tolerations work with taints to ensure that pods are not scheduled
+ onto inappropriate nodes. One or more taints are applied to a node; this
+ marks that the node should not accept any pods that do not tolerate the
+ taints.
+ The default is an empty list.
+ See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ for additional details.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple using the matching operator .
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ podAnnotations:
+ additionalProperties:
+ type: string
+ description: |-
+ PodAnnotations defines annotations to add to the Contour pods.
+ the annotations for Prometheus will be appended or overwritten with predefined value.
+ type: object
+ replicas:
+ description: |-
+ Deprecated: Use `DeploymentSettings.Replicas` instead.
+ Replicas is the desired number of Contour replicas. If if unset,
+ defaults to 2.
+ if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`.
+ format: int32
+ minimum: 0
+ type: integer
+ resources:
+ description: |-
+ Compute Resources required by contour container.
+ Cannot be updated.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ watchNamespaces:
+ description: |-
+ WatchNamespaces is an array of namespaces. Setting it will instruct the contour instance
+ to only watch this subset of namespaces.
+ items:
+ description: |-
+ Namespace refers to a Kubernetes namespace. It must be a RFC 1123 label.
+ This validation is based off of the corresponding Kubernetes validation:
+ https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/util/validation/validation.go#L187
+ This is used for Namespace name validation here:
+ https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/api/validation/generic.go#L63
+ Valid values include:
+ * "example"
+ Invalid values include:
+ * "example.com" - "." is an invalid character
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ maxItems: 42
+ minItems: 1
+ type: array
+ type: object
+ envoy:
+ description: |-
+ Envoy specifies deployment-time settings for the Envoy
+ part of the installation, i.e. the xDS client/data plane
+ and associated resources, including things like the workload
+ type to use (DaemonSet or Deployment), node placement constraints
+ for the pods, and various options for the Envoy service.
+ properties:
+ baseID:
+ description: |-
+ The base ID to use when allocating shared memory regions.
+ if Envoy needs to be run multiple times on the same machine, each running Envoy will need a unique base ID
+ so that the shared memory regions do not conflict.
+ defaults to 0.
+ format: int32
+ minimum: 0
+ type: integer
+ daemonSet:
+ description: |-
+ DaemonSet describes the settings for running envoy as a `DaemonSet`.
+ if `WorkloadType` is `Deployment`,it's must be nil
+ properties:
+ updateStrategy:
+ description: Strategy describes the deployment strategy to
+ use to replace existing DaemonSet pods with new pods.
+ properties:
+ rollingUpdate:
+ description: |-
+ Rolling update config params. Present only if type = "RollingUpdate".
+ ---
+ TODO: Update this to follow our convention for oneOf, whatever we decide it
+ to be. Same as Deployment `strategy.rollingUpdate`.
+ See https://github.com/kubernetes/kubernetes/issues/35345
+ properties:
+ maxSurge:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of nodes with an existing available DaemonSet pod that
+ can have an updated DaemonSet pod during during an update.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ This can not be 0 if MaxUnavailable is 0.
+ Absolute number is calculated from percentage by rounding up to a minimum of 1.
+ Default value is 0.
+ Example: when this is set to 30%, at most 30% of the total number of nodes
+ that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+ can have their a new pod created before the old pod is marked as deleted.
+ The update starts by launching new pods on 30% of nodes. Once an updated
+ pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
+ on that node is marked deleted. If the old pod becomes unavailable for any
+ reason (Ready transitions to false, is evicted, or is drained) an updated
+ pod is immediatedly created on that node without considering surge limits.
+ Allowing surge implies the possibility that the resources consumed by the
+ daemonset on any given node can double if the readiness check fails, and
+ so resource intensive daemonsets should take into account that they may
+ cause evictions during disruption.
+ x-kubernetes-int-or-string: true
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of DaemonSet pods that can be unavailable during the
+ update. Value can be an absolute number (ex: 5) or a percentage of total
+ number of DaemonSet pods at the start of the update (ex: 10%). Absolute
+ number is calculated from percentage by rounding up.
+ This cannot be 0 if MaxSurge is 0
+ Default value is 1.
+ Example: when this is set to 30%, at most 30% of the total number of nodes
+ that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+ can have their pods stopped for an update at any given time. The update
+ starts by stopping at most 30% of those DaemonSet pods and then brings
+ up new DaemonSet pods in their place. Once the new pods are available,
+ it then proceeds onto other DaemonSet pods, thus ensuring that at least
+ 70% of original number of DaemonSet pods are available at all times during
+ the update.
+ x-kubernetes-int-or-string: true
+ type: object
+ type:
+ description: Type of daemon set update. Can be "RollingUpdate"
+ or "OnDelete". Default is RollingUpdate.
+ type: string
+ type: object
+ type: object
+ deployment:
+ description: |-
+ Deployment describes the settings for running envoy as a `Deployment`.
+ if `WorkloadType` is `DaemonSet`,it's must be nil
+ properties:
+ replicas:
+ description: Replicas is the desired number of replicas.
+ format: int32
+ minimum: 0
+ type: integer
+ strategy:
+ description: Strategy describes the deployment strategy to
+ use to replace existing pods with new pods.
+ properties:
+ rollingUpdate:
+ description: |-
+ Rolling update config params. Present only if DeploymentStrategyType =
+ RollingUpdate.
+ ---
+ TODO: Update this to follow our convention for oneOf, whatever we decide it
+ to be.
+ properties:
+ maxSurge:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of pods that can be scheduled above the desired number of
+ pods.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ This can not be 0 if MaxUnavailable is 0.
+ Absolute number is calculated from percentage by rounding up.
+ Defaults to 25%.
+ Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
+ the rolling update starts, such that the total number of old and new pods do not exceed
+ 130% of desired pods. Once old pods have been killed,
+ new ReplicaSet can be scaled up further, ensuring that total number of pods running
+ at any time during the update is at most 130% of desired pods.
+ x-kubernetes-int-or-string: true
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of pods that can be unavailable during the update.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ Absolute number is calculated from percentage by rounding down.
+ This can not be 0 if MaxSurge is 0.
+ Defaults to 25%.
+ Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
+ immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
+ can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
+ that the total number of pods available at all times during the update is at
+ least 70% of desired pods.
+ x-kubernetes-int-or-string: true
+ type: object
+ type:
+ description: Type of deployment. Can be "Recreate" or
+ "RollingUpdate". Default is RollingUpdate.
+ type: string
+ type: object
+ type: object
+ extraVolumeMounts:
+ description: ExtraVolumeMounts holds the extra volume mounts to
+ add (normally used with extraVolumes).
+ items:
+ description: VolumeMount describes a mounting of a Volume within
+ a container.
+ properties:
+ mountPath:
+ description: |-
+ Path within the container at which the volume should be mounted. Must
+ not contain ':'.
+ type: string
+ mountPropagation:
+ description: |-
+ mountPropagation determines how mounts are propagated from the host
+ to container and the other way around.
+ When not set, MountPropagationNone is used.
+ This field is beta in 1.10.
+ When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+ (which defaults to None).
+ type: string
+ name:
+ description: This must match the Name of a Volume.
+ type: string
+ readOnly:
+ description: |-
+ Mounted read-only if true, read-write otherwise (false or unspecified).
+ Defaults to false.
+ type: boolean
+ recursiveReadOnly:
+ description: |-
+ RecursiveReadOnly specifies whether read-only mounts should be handled
+ recursively.
+ If ReadOnly is false, this field has no meaning and must be unspecified.
+ If ReadOnly is true, and this field is set to Disabled, the mount is not made
+ recursively read-only. If this field is set to IfPossible, the mount is made
+ recursively read-only, if it is supported by the container runtime. If this
+ field is set to Enabled, the mount is made recursively read-only if it is
+ supported by the container runtime, otherwise the pod will not be started and
+ an error will be generated to indicate the reason.
+ If this field is set to IfPossible or Enabled, MountPropagation must be set to
+ None (or be unspecified, which defaults to None).
+ If this field is not specified, it is treated as an equivalent of Disabled.
+ type: string
+ subPath:
+ description: |-
+ Path within the volume from which the container's volume should be mounted.
+ Defaults to "" (volume's root).
+ type: string
+ subPathExpr:
+ description: |-
+ Expanded path within the volume from which the container's volume should be mounted.
+ Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
+ Defaults to "" (volume's root).
+ SubPathExpr and SubPath are mutually exclusive.
+ type: string
+ required:
+ - mountPath
+ - name
+ type: object
+ type: array
+ extraVolumes:
+ description: ExtraVolumes holds the extra volumes to add.
+ items:
+ description: Volume represents a named volume in a pod that
+ may be accessed by any container in the pod.
+ properties:
+ awsElasticBlockStore:
+ description: |-
+ awsElasticBlockStore represents an AWS Disk resource that is attached to a
+ kubelet's host machine and then exposed to the pod.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+ TODO: how do we prevent errors in the filesystem from compromising the machine
+ type: string
+ partition:
+ description: |-
+ partition is the partition in the volume that you want to mount.
+ If omitted, the default is to mount by volume name.
+ Examples: For volume /dev/sda1, you specify the partition as "1".
+ Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+ format: int32
+ type: integer
+ readOnly:
+ description: |-
+ readOnly value true will force the readOnly setting in VolumeMounts.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+ type: boolean
+ volumeID:
+ description: |-
+ volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume).
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+ type: string
+ required:
+ - volumeID
+ type: object
+ azureDisk:
+ description: azureDisk represents an Azure Data Disk mount
+ on the host and bind mount to the pod.
+ properties:
+ cachingMode:
+ description: 'cachingMode is the Host Caching mode:
+ None, Read Only, Read Write.'
+ type: string
+ diskName:
+ description: diskName is the Name of the data disk in
+ the blob storage
+ type: string
+ diskURI:
+ description: diskURI is the URI of data disk in the
+ blob storage
+ type: string
+ fsType:
+ description: |-
+ fsType is Filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ type: string
+ kind:
+ description: 'kind expected values are Shared: multiple
+ blob disks per storage account Dedicated: single
+ blob disk per storage account Managed: azure managed
+ data disk (only in managed availability set). defaults
+ to shared'
+ type: string
+ readOnly:
+ description: |-
+ readOnly Defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ required:
+ - diskName
+ - diskURI
+ type: object
+ azureFile:
+ description: azureFile represents an Azure File Service
+ mount on the host and bind mount to the pod.
+ properties:
+ readOnly:
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ secretName:
+ description: secretName is the name of secret that
+ contains Azure Storage Account Name and Key
+ type: string
+ shareName:
+ description: shareName is the azure share Name
+ type: string
+ required:
+ - secretName
+ - shareName
+ type: object
+ cephfs:
+ description: cephFS represents a Ceph FS mount on the host
+ that shares a pod's lifetime
+ properties:
+ monitors:
+ description: |-
+ monitors is Required: Monitors is a collection of Ceph monitors
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ description: 'path is Optional: Used as the mounted
+ root, rather than the full Ceph tree, default is /'
+ type: string
+ readOnly:
+ description: |-
+ readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+ type: boolean
+ secretFile:
+ description: |-
+ secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+ type: string
+ secretRef:
+ description: |-
+ secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty.
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ TODO: Add other useful fields. apiVersion, kind, uid?
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ description: |-
+ user is optional: User is the rados user name, default is admin
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+ type: string
+ required:
+ - monitors
+ type: object
+ cinder:
+ description: |-
+ cinder represents a cinder volume attached and mounted on kubelets host machine.
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+ type: string
+ readOnly:
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+ type: boolean
+ secretRef:
+ description: |-
+ secretRef is optional: points to a secret object containing parameters used to connect
+ to OpenStack.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ TODO: Add other useful fields. apiVersion, kind, uid?
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeID:
+ description: |-
+ volumeID used to identify the volume in cinder.
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+ type: string
+ required:
+ - volumeID
+ type: object
+ configMap:
+ description: configMap represents a configMap that should
+ populate this volume
+ properties:
+ defaultMode:
+ description: |-
+ defaultMode is optional: mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ Defaults to 0644.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ items:
+ description: |-
+ items if unspecified, each key-value pair in the Data field of the referenced
+ ConfigMap will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the ConfigMap,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
+ items:
+ description: Maps a string key to a path within a
+ volume.
+ properties:
+ key:
+ description: key is the key to project.
+ type: string
+ mode:
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ TODO: Add other useful fields. apiVersion, kind, uid?
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+ type: string
+ optional:
+ description: optional specify whether the ConfigMap
+ or its keys must be defined
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ csi:
+ description: csi (Container Storage Interface) represents
+ ephemeral storage that is handled by certain external
+ CSI drivers (Beta feature).
+ properties:
+ driver:
+ description: |-
+ driver is the name of the CSI driver that handles this volume.
+ Consult with your admin for the correct name as registered in the cluster.
+ type: string
+ fsType:
+ description: |-
+ fsType to mount. Ex. "ext4", "xfs", "ntfs".
+ If not provided, the empty value is passed to the associated CSI driver
+ which will determine the default filesystem to apply.
+ type: string
+ nodePublishSecretRef:
+ description: |-
+ nodePublishSecretRef is a reference to the secret object containing
+ sensitive information to pass to the CSI driver to complete the CSI
+ NodePublishVolume and NodeUnpublishVolume calls.
+ This field is optional, and may be empty if no secret is required. If the
+ secret object contains more than one secret, all secret references are passed.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ TODO: Add other useful fields. apiVersion, kind, uid?
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ readOnly:
+ description: |-
+ readOnly specifies a read-only configuration for the volume.
+ Defaults to false (read/write).
+ type: boolean
+ volumeAttributes:
+ additionalProperties:
+ type: string
+ description: |-
+ volumeAttributes stores driver-specific properties that are passed to the CSI
+ driver. Consult your driver's documentation for supported values.
+ type: object
+ required:
+ - driver
+ type: object
+ downwardAPI:
+ description: downwardAPI represents downward API about the
+ pod that should populate this volume
+ properties:
+ defaultMode:
+ description: |-
+ Optional: mode bits to use on created files by default. Must be a
+ Optional: mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ Defaults to 0644.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ items:
+ description: Items is a list of downward API volume
+ file
+ items:
+ description: DownwardAPIVolumeFile represents information
+ to create the file containing the pod field
+ properties:
+ fieldRef:
+ description: 'Required: Selects a field of the
+ pod: only annotations, labels, name, namespace
+ and uid are supported.'
+ properties:
+ apiVersion:
+ description: Version of the schema the FieldPath
+ is written in terms of, defaults to "v1".
+ type: string
+ fieldPath:
+ description: Path of the field to select in
+ the specified API version.
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ description: |-
+ Optional: mode bits used to set permissions on this file, must be an octal value
+ between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: 'Required: Path is the relative
+ path name of the file to be created. Must not
+ be absolute or contain the ''..'' path. Must
+ be utf-8 encoded. The first item of the relative
+ path must not start with ''..'''
+ type: string
+ resourceFieldRef:
+ description: |-
+ Selects a resource of the container: only resources limits and requests
+ (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+ properties:
+ containerName:
+ description: 'Container name: required for
+ volumes, optional for env vars'
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Specifies the output format of
+ the exposed resources, defaults to "1"
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ description: 'Required: resource to select'
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ emptyDir:
+ description: |-
+ emptyDir represents a temporary directory that shares a pod's lifetime.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+ properties:
+ medium:
+ description: |-
+ medium represents what type of storage medium should back this directory.
+ The default is "" which means to use the node's default medium.
+ Must be an empty string (default) or Memory.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+ type: string
+ sizeLimit:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ sizeLimit is the total amount of local storage required for this EmptyDir volume.
+ The size limit is also applicable for memory medium.
+ The maximum usage on memory medium EmptyDir would be the minimum value between
+ the SizeLimit specified here and the sum of memory limits of all containers in a pod.
+ The default is nil which means that the limit is undefined.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ ephemeral:
+ description: |-
+ ephemeral represents a volume that is handled by a cluster storage driver.
+ The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
+ and deleted when the pod is removed.
+ Use this if:
+ a) the volume is only needed while the pod runs,
+ b) features of normal volumes like restoring from snapshot or capacity
+ tracking are needed,
+ c) the storage driver is specified through a storage class, and
+ d) the storage driver supports dynamic volume provisioning through
+ a PersistentVolumeClaim (see EphemeralVolumeSource for more
+ information on the connection between this volume type
+ and PersistentVolumeClaim).
+ Use PersistentVolumeClaim or one of the vendor-specific
+ APIs for volumes that persist for longer than the lifecycle
+ of an individual pod.
+ Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
+ be used that way - see the documentation of the driver for
+ more information.
+ A pod can use both types of ephemeral volumes and
+ persistent volumes at the same time.
+ properties:
+ volumeClaimTemplate:
+ description: |-
+ Will be used to create a stand-alone PVC to provision the volume.
+ The pod in which this EphemeralVolumeSource is embedded will be the
+ owner of the PVC, i.e. the PVC will be deleted together with the
+ pod. The name of the PVC will be `-` where
+ `` is the name from the `PodSpec.Volumes` array
+ entry. Pod validation will reject the pod if the concatenated name
+ is not valid for a PVC (for example, too long).
+ An existing PVC with that name that is not owned by the pod
+ will *not* be used for the pod to avoid using an unrelated
+ volume by mistake. Starting the pod is then blocked until
+ the unrelated PVC is removed. If such a pre-created PVC is
+ meant to be used by the pod, the PVC has to updated with an
+ owner reference to the pod once the pod exists. Normally
+ this should not be necessary, but it may be useful when
+ manually reconstructing a broken cluster.
+ This field is read-only and no changes will be made by Kubernetes
+ to the PVC after it has been created.
+ Required, must not be nil.
+ properties:
+ metadata:
+ description: |-
+ May contain labels and annotations that will be copied into the PVC
+ when creating it. No other fields are allowed and will be rejected during
+ validation.
+ type: object
+ spec:
+ description: |-
+ The specification for the PersistentVolumeClaim. The entire content is
+ copied unchanged into the PVC that gets created from this
+ template. The same fields as in a PersistentVolumeClaim
+ are also valid here.
+ properties:
+ accessModes:
+ description: |-
+ accessModes contains the desired access modes the volume should have.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ dataSource:
+ description: |-
+ dataSource field can be used to specify either:
+ * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
+ * An existing PVC (PersistentVolumeClaim)
+ If the provisioner or an external controller can support the specified data source,
+ it will create a new volume based on the contents of the specified data source.
+ When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,
+ and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.
+ If the namespace is specified, then dataSourceRef will not be copied to dataSource.
+ properties:
+ apiGroup:
+ description: |-
+ APIGroup is the group for the resource being referenced.
+ If APIGroup is not specified, the specified Kind must be in the core API group.
+ For any other third-party types, APIGroup is required.
+ type: string
+ kind:
+ description: Kind is the type of resource
+ being referenced
+ type: string
+ name:
+ description: Name is the name of resource
+ being referenced
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ dataSourceRef:
+ description: |-
+ dataSourceRef specifies the object from which to populate the volume with data, if a non-empty
+ volume is desired. This may be any object from a non-empty API group (non
+ core object) or a PersistentVolumeClaim object.
+ When this field is specified, volume binding will only succeed if the type of
+ the specified object matches some installed volume populator or dynamic
+ provisioner.
+ This field will replace the functionality of the dataSource field and as such
+ if both fields are non-empty, they must have the same value. For backwards
+ compatibility, when namespace isn't specified in dataSourceRef,
+ both fields (dataSource and dataSourceRef) will be set to the same
+ value automatically if one of them is empty and the other is non-empty.
+ When namespace is specified in dataSourceRef,
+ dataSource isn't set to the same value and must be empty.
+ There are three important differences between dataSource and dataSourceRef:
+ * While dataSource only allows two specific types of objects, dataSourceRef
+ allows any non-core object, as well as PersistentVolumeClaim objects.
+ * While dataSource ignores disallowed values (dropping them), dataSourceRef
+ preserves all values, and generates an error if a disallowed value is
+ specified.
+ * While dataSource only allows local objects, dataSourceRef allows objects
+ in any namespaces.
+ (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.
+ (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
+ properties:
+ apiGroup:
+ description: |-
+ APIGroup is the group for the resource being referenced.
+ If APIGroup is not specified, the specified Kind must be in the core API group.
+ For any other third-party types, APIGroup is required.
+ type: string
+ kind:
+ description: Kind is the type of resource
+ being referenced
+ type: string
+ name:
+ description: Name is the name of resource
+ being referenced
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of resource being referenced
+ Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.
+ (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ resources:
+ description: |-
+ resources represents the minimum resources the volume should have.
+ If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
+ that are lower than previous value but must still be higher than capacity recorded in the
+ status field of the claim.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
+ properties:
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ selector:
+ description: selector is a label query over
+ volumes to consider for binding.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ storageClassName:
+ description: |-
+ storageClassName is the name of the StorageClass required by the claim.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
+ type: string
+ volumeAttributesClassName:
+ description: |-
+ volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+ If specified, the CSI driver will create or update the volume with the attributes defined
+ in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+ it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+ will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+ If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+ will be set by the persistentvolume controller if it exists.
+ If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+ set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+ exists.
+ More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+ (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled.
+ type: string
+ volumeMode:
+ description: |-
+ volumeMode defines what type of volume is required by the claim.
+ Value of Filesystem is implied when not included in claim spec.
+ type: string
+ volumeName:
+ description: volumeName is the binding reference
+ to the PersistentVolume backing this claim.
+ type: string
+ type: object
+ required:
+ - spec
+ type: object
+ type: object
+ fc:
+ description: fc represents a Fibre Channel resource that
+ is attached to a kubelet's host machine and then exposed
+ to the pod.
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ TODO: how do we prevent errors in the filesystem from compromising the machine
+ type: string
+ lun:
+ description: 'lun is Optional: FC target lun number'
+ format: int32
+ type: integer
+ readOnly:
+ description: |-
+ readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ targetWWNs:
+ description: 'targetWWNs is Optional: FC target worldwide
+ names (WWNs)'
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ wwids:
+ description: |-
+ wwids Optional: FC volume world wide identifiers (wwids)
+ Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ flexVolume:
+ description: |-
+ flexVolume represents a generic volume resource that is
+ provisioned/attached using an exec based plugin.
+ properties:
+ driver:
+ description: driver is the name of the driver to use
+ for this volume.
+ type: string
+ fsType:
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
+ type: string
+ options:
+ additionalProperties:
+ type: string
+ description: 'options is Optional: this field holds
+ extra command options if any.'
+ type: object
+ readOnly:
+ description: |-
+ readOnly is Optional: defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ secretRef:
+ description: |-
+ secretRef is Optional: secretRef is reference to the secret object containing
+ sensitive information to pass to the plugin scripts. This may be
+ empty if no secret object is specified. If the secret object
+ contains more than one secret, all secrets are passed to the plugin
+ scripts.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ TODO: Add other useful fields. apiVersion, kind, uid?
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - driver
+ type: object
+ flocker:
+ description: flocker represents a Flocker volume attached
+ to a kubelet's host machine. This depends on the Flocker
+ control service being running
+ properties:
+ datasetName:
+ description: |-
+ datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker
+ should be considered as deprecated
+ type: string
+ datasetUUID:
+ description: datasetUUID is the UUID of the dataset.
+ This is unique identifier of a Flocker dataset
+ type: string
+ type: object
+ gcePersistentDisk:
+ description: |-
+ gcePersistentDisk represents a GCE Disk resource that is attached to a
+ kubelet's host machine and then exposed to the pod.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+ properties:
+ fsType:
+ description: |-
+ fsType is filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+ TODO: how do we prevent errors in the filesystem from compromising the machine
+ type: string
+ partition:
+ description: |-
+ partition is the partition in the volume that you want to mount.
+ If omitted, the default is to mount by volume name.
+ Examples: For volume /dev/sda1, you specify the partition as "1".
+ Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+ format: int32
+ type: integer
+ pdName:
+ description: |-
+ pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+ type: string
+ readOnly:
+ description: |-
+ readOnly here will force the ReadOnly setting in VolumeMounts.
+ Defaults to false.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+ type: boolean
+ required:
+ - pdName
+ type: object
+ gitRepo:
+ description: |-
+ gitRepo represents a git repository at a particular revision.
+ DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
+ EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
+ into the Pod's container.
+ properties:
+ directory:
+ description: |-
+ directory is the target directory name.
+ Must not contain or start with '..'. If '.' is supplied, the volume directory will be the
+ git repository. Otherwise, if specified, the volume will contain the git repository in
+ the subdirectory with the given name.
+ type: string
+ repository:
+ description: repository is the URL
+ type: string
+ revision:
+ description: revision is the commit hash for the specified
+ revision.
+ type: string
+ required:
+ - repository
+ type: object
+ glusterfs:
+ description: |-
+ glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+ More info: https://examples.k8s.io/volumes/glusterfs/README.md
+ properties:
+ endpoints:
+ description: |-
+ endpoints is the endpoint name that details Glusterfs topology.
+ More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+ type: string
+ path:
+ description: |-
+ path is the Glusterfs volume path.
+ More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+ type: string
+ readOnly:
+ description: |-
+ readOnly here will force the Glusterfs volume to be mounted with read-only permissions.
+ Defaults to false.
+ More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+ type: boolean
+ required:
+ - endpoints
+ - path
+ type: object
+ hostPath:
+ description: |-
+ hostPath represents a pre-existing file or directory on the host
+ machine that is directly exposed to the container. This is generally
+ used for system agents or other privileged things that are allowed
+ to see the host machine. Most containers will NOT need this.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+ ---
+ TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
+ mount host directories as read/write.
+ properties:
+ path:
+ description: |-
+ path of the directory on the host.
+ If the path is a symlink, it will follow the link to the real path.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+ type: string
+ type:
+ description: |-
+ type for HostPath Volume
+ Defaults to ""
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+ type: string
+ required:
+ - path
+ type: object
+ iscsi:
+ description: |-
+ iscsi represents an ISCSI Disk resource that is attached to a
+ kubelet's host machine and then exposed to the pod.
+ More info: https://examples.k8s.io/volumes/iscsi/README.md
+ properties:
+ chapAuthDiscovery:
+ description: chapAuthDiscovery defines whether support
+ iSCSI Discovery CHAP authentication
+ type: boolean
+ chapAuthSession:
+ description: chapAuthSession defines whether support
+ iSCSI Session CHAP authentication
+ type: boolean
+ fsType:
+ description: |-
+ fsType is the filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
+ TODO: how do we prevent errors in the filesystem from compromising the machine
+ type: string
+ initiatorName:
+ description: |-
+ initiatorName is the custom iSCSI Initiator Name.
+ If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface
+ : will be created for the connection.
+ type: string
+ iqn:
+ description: iqn is the target iSCSI Qualified Name.
+ type: string
+ iscsiInterface:
+ description: |-
+ iscsiInterface is the interface Name that uses an iSCSI transport.
+ Defaults to 'default' (tcp).
+ type: string
+ lun:
+ description: lun represents iSCSI Target Lun number.
+ format: int32
+ type: integer
+ portals:
+ description: |-
+ portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port
+ is other than default (typically TCP ports 860 and 3260).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ readOnly:
+ description: |-
+ readOnly here will force the ReadOnly setting in VolumeMounts.
+ Defaults to false.
+ type: boolean
+ secretRef:
+ description: secretRef is the CHAP Secret for iSCSI
+ target and initiator authentication
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ TODO: Add other useful fields. apiVersion, kind, uid?
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ targetPortal:
+ description: |-
+ targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port
+ is other than default (typically TCP ports 860 and 3260).
+ type: string
+ required:
+ - iqn
+ - lun
+ - targetPortal
+ type: object
+ name:
+ description: |-
+ name of the volume.
+ Must be a DNS_LABEL and unique within the pod.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ nfs:
+ description: |-
+ nfs represents an NFS mount on the host that shares a pod's lifetime
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+ properties:
+ path:
+ description: |-
+ path that is exported by the NFS server.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+ type: string
+ readOnly:
+ description: |-
+ readOnly here will force the NFS export to be mounted with read-only permissions.
+ Defaults to false.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+ type: boolean
+ server:
+ description: |-
+ server is the hostname or IP address of the NFS server.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+ type: string
+ required:
+ - path
+ - server
+ type: object
+ persistentVolumeClaim:
+ description: |-
+ persistentVolumeClaimVolumeSource represents a reference to a
+ PersistentVolumeClaim in the same namespace.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+ properties:
+ claimName:
+ description: |-
+ claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+ type: string
+ readOnly:
+ description: |-
+ readOnly Will force the ReadOnly setting in VolumeMounts.
+ Default false.
+ type: boolean
+ required:
+ - claimName
+ type: object
+ photonPersistentDisk:
+ description: photonPersistentDisk represents a PhotonController
+ persistent disk attached and mounted on kubelets host
+ machine
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ type: string
+ pdID:
+ description: pdID is the ID that identifies Photon Controller
+ persistent disk
+ type: string
+ required:
+ - pdID
+ type: object
+ portworxVolume:
+ description: portworxVolume represents a portworx volume
+ attached and mounted on kubelets host machine
+ properties:
+ fsType:
+ description: |-
+ fSType represents the filesystem type to mount
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.
+ type: string
+ readOnly:
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ volumeID:
+ description: volumeID uniquely identifies a Portworx
+ volume
+ type: string
+ required:
+ - volumeID
+ type: object
+ projected:
+ description: projected items for all in one resources secrets,
+ configmaps, and downward API
+ properties:
+ defaultMode:
+ description: |-
+ defaultMode are the mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ sources:
+ description: sources is the list of volume projections
+ items:
+ description: Projection that may be projected along
+ with other supported volume types
+ properties:
+ clusterTrustBundle:
+ description: |-
+ ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+ of ClusterTrustBundle objects in an auto-updating file.
+ Alpha, gated by the ClusterTrustBundleProjection feature gate.
+ ClusterTrustBundle objects can either be selected by name, or by the
+ combination of signer name and a label selector.
+ Kubelet performs aggressive normalization of the PEM contents written
+ into the pod filesystem. Esoteric PEM features such as inter-block
+ comments and block headers are stripped. Certificates are deduplicated.
+ The ordering of certificates within the file is arbitrary, and Kubelet
+ may change the order over time.
+ properties:
+ labelSelector:
+ description: |-
+ Select all ClusterTrustBundles that match this label selector. Only has
+ effect if signerName is set. Mutually-exclusive with name. If unset,
+ interpreted as "match nothing". If set but empty, interpreted as "match
+ everything".
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ name:
+ description: |-
+ Select a single ClusterTrustBundle by object name. Mutually-exclusive
+ with signerName and labelSelector.
+ type: string
+ optional:
+ description: |-
+ If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+ aren't available. If using name, then the named ClusterTrustBundle is
+ allowed not to exist. If using signerName, then the combination of
+ signerName and labelSelector is allowed to match zero
+ ClusterTrustBundles.
+ type: boolean
+ path:
+ description: Relative path from the volume
+ root to write the bundle.
+ type: string
+ signerName:
+ description: |-
+ Select all ClusterTrustBundles that match this signer name.
+ Mutually-exclusive with name. The contents of all selected
+ ClusterTrustBundles will be unified and deduplicated.
+ type: string
+ required:
+ - path
+ type: object
+ configMap:
+ description: configMap information about the configMap
+ data to project
+ properties:
+ items:
+ description: |-
+ items if unspecified, each key-value pair in the Data field of the referenced
+ ConfigMap will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the ConfigMap,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
+ items:
+ description: Maps a string key to a path
+ within a volume.
+ properties:
+ key:
+ description: key is the key to project.
+ type: string
+ mode:
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ TODO: Add other useful fields. apiVersion, kind, uid?
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+ type: string
+ optional:
+ description: optional specify whether the
+ ConfigMap or its keys must be defined
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ downwardAPI:
+ description: downwardAPI information about the
+ downwardAPI data to project
+ properties:
+ items:
+ description: Items is a list of DownwardAPIVolume
+ file
+ items:
+ description: DownwardAPIVolumeFile represents
+ information to create the file containing
+ the pod field
+ properties:
+ fieldRef:
+ description: 'Required: Selects a field
+ of the pod: only annotations, labels,
+ name, namespace and uid are supported.'
+ properties:
+ apiVersion:
+ description: Version of the schema
+ the FieldPath is written in terms
+ of, defaults to "v1".
+ type: string
+ fieldPath:
+ description: Path of the field to
+ select in the specified API version.
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ description: |-
+ Optional: mode bits used to set permissions on this file, must be an octal value
+ between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: 'Required: Path is the
+ relative path name of the file to
+ be created. Must not be absolute or
+ contain the ''..'' path. Must be utf-8
+ encoded. The first item of the relative
+ path must not start with ''..'''
+ type: string
+ resourceFieldRef:
+ description: |-
+ Selects a resource of the container: only resources limits and requests
+ (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+ properties:
+ containerName:
+ description: 'Container name: required
+ for volumes, optional for env
+ vars'
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Specifies the output
+ format of the exposed resources,
+ defaults to "1"
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ description: 'Required: resource
+ to select'
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ secret:
+ description: secret information about the secret
+ data to project
+ properties:
+ items:
+ description: |-
+ items if unspecified, each key-value pair in the Data field of the referenced
+ Secret will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the Secret,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
+ items:
+ description: Maps a string key to a path
+ within a volume.
+ properties:
+ key:
+ description: key is the key to project.
+ type: string
+ mode:
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ TODO: Add other useful fields. apiVersion, kind, uid?
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+ type: string
+ optional:
+ description: optional field specify whether
+ the Secret or its key must be defined
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ serviceAccountToken:
+ description: serviceAccountToken is information
+ about the serviceAccountToken data to project
+ properties:
+ audience:
+ description: |-
+ audience is the intended audience of the token. A recipient of a token
+ must identify itself with an identifier specified in the audience of the
+ token, and otherwise should reject the token. The audience defaults to the
+ identifier of the apiserver.
+ type: string
+ expirationSeconds:
+ description: |-
+ expirationSeconds is the requested duration of validity of the service
+ account token. As the token approaches expiration, the kubelet volume
+ plugin will proactively rotate the service account token. The kubelet will
+ start trying to rotate the token if the token is older than 80 percent of
+ its time to live or if the token is older than 24 hours.Defaults to 1 hour
+ and must be at least 10 minutes.
+ format: int64
+ type: integer
+ path:
+ description: |-
+ path is the path relative to the mount point of the file to project the
+ token into.
+ type: string
+ required:
+ - path
+ type: object
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ quobyte:
+ description: quobyte represents a Quobyte mount on the host
+ that shares a pod's lifetime
+ properties:
+ group:
+ description: |-
+ group to map volume access to
+ Default is no group
+ type: string
+ readOnly:
+ description: |-
+ readOnly here will force the Quobyte volume to be mounted with read-only permissions.
+ Defaults to false.
+ type: boolean
+ registry:
+ description: |-
+ registry represents a single or multiple Quobyte Registry services
+ specified as a string as host:port pair (multiple entries are separated with commas)
+ which acts as the central registry for volumes
+ type: string
+ tenant:
+ description: |-
+ tenant owning the given Quobyte volume in the Backend
+ Used with dynamically provisioned Quobyte volumes, value is set by the plugin
+ type: string
+ user:
+ description: |-
+ user to map volume access to
+ Defaults to serivceaccount user
+ type: string
+ volume:
+ description: volume is a string that references an already
+ created Quobyte volume by name.
+ type: string
+ required:
+ - registry
+ - volume
+ type: object
+ rbd:
+ description: |-
+ rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+ More info: https://examples.k8s.io/volumes/rbd/README.md
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
+ TODO: how do we prevent errors in the filesystem from compromising the machine
+ type: string
+ image:
+ description: |-
+ image is the rados image name.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ type: string
+ keyring:
+ description: |-
+ keyring is the path to key ring for RBDUser.
+ Default is /etc/ceph/keyring.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ type: string
+ monitors:
+ description: |-
+ monitors is a collection of Ceph monitors.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ pool:
+ description: |-
+ pool is the rados pool name.
+ Default is rbd.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ type: string
+ readOnly:
+ description: |-
+ readOnly here will force the ReadOnly setting in VolumeMounts.
+ Defaults to false.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ type: boolean
+ secretRef:
+ description: |-
+ secretRef is name of the authentication secret for RBDUser. If provided
+ overrides keyring.
+ Default is nil.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ TODO: Add other useful fields. apiVersion, kind, uid?
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ description: |-
+ user is the rados user name.
+ Default is admin.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ type: string
+ required:
+ - image
+ - monitors
+ type: object
+ scaleIO:
+ description: scaleIO represents a ScaleIO persistent volume
+ attached and mounted on Kubernetes nodes.
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs".
+ Default is "xfs".
+ type: string
+ gateway:
+ description: gateway is the host address of the ScaleIO
+ API Gateway.
+ type: string
+ protectionDomain:
+ description: protectionDomain is the name of the ScaleIO
+ Protection Domain for the configured storage.
+ type: string
+ readOnly:
+ description: |-
+ readOnly Defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ secretRef:
+ description: |-
+ secretRef references to the secret for ScaleIO user and other
+ sensitive information. If this is not provided, Login operation will fail.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ TODO: Add other useful fields. apiVersion, kind, uid?
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ sslEnabled:
+ description: sslEnabled Flag enable/disable SSL communication
+ with Gateway, default false
+ type: boolean
+ storageMode:
+ description: |-
+ storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
+ Default is ThinProvisioned.
+ type: string
+ storagePool:
+ description: storagePool is the ScaleIO Storage Pool
+ associated with the protection domain.
+ type: string
+ system:
+ description: system is the name of the storage system
+ as configured in ScaleIO.
+ type: string
+ volumeName:
+ description: |-
+ volumeName is the name of a volume already created in the ScaleIO system
+ that is associated with this volume source.
+ type: string
+ required:
+ - gateway
+ - secretRef
+ - system
+ type: object
+ secret:
+ description: |-
+ secret represents a secret that should populate this volume.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+ properties:
+ defaultMode:
+ description: |-
+ defaultMode is Optional: mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values
+ for mode bits. Defaults to 0644.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ items:
+ description: |-
+ items If unspecified, each key-value pair in the Data field of the referenced
+ Secret will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the Secret,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
+ items:
+ description: Maps a string key to a path within a
+ volume.
+ properties:
+ key:
+ description: key is the key to project.
+ type: string
+ mode:
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ optional:
+ description: optional field specify whether the Secret
+ or its keys must be defined
+ type: boolean
+ secretName:
+ description: |-
+ secretName is the name of the secret in the pod's namespace to use.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+ type: string
+ type: object
+ storageos:
+ description: storageOS represents a StorageOS volume attached
+ and mounted on Kubernetes nodes.
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ type: string
+ readOnly:
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ secretRef:
+ description: |-
+ secretRef specifies the secret to use for obtaining the StorageOS API
+ credentials. If not specified, default values will be attempted.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ TODO: Add other useful fields. apiVersion, kind, uid?
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeName:
+ description: |-
+ volumeName is the human-readable name of the StorageOS volume. Volume
+ names are only unique within a namespace.
+ type: string
+ volumeNamespace:
+ description: |-
+ volumeNamespace specifies the scope of the volume within StorageOS. If no
+ namespace is specified then the Pod's namespace will be used. This allows the
+ Kubernetes name scoping to be mirrored within StorageOS for tighter integration.
+ Set VolumeName to any name to override the default behaviour.
+ Set to "default" if you are not using namespaces within StorageOS.
+ Namespaces that do not pre-exist within StorageOS will be created.
+ type: string
+ type: object
+ vsphereVolume:
+ description: vsphereVolume represents a vSphere volume attached
+ and mounted on kubelets host machine
+ properties:
+ fsType:
+ description: |-
+ fsType is filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ type: string
+ storagePolicyID:
+ description: storagePolicyID is the storage Policy Based
+ Management (SPBM) profile ID associated with the StoragePolicyName.
+ type: string
+ storagePolicyName:
+ description: storagePolicyName is the storage Policy
+ Based Management (SPBM) profile name.
+ type: string
+ volumePath:
+ description: volumePath is the path that identifies
+ vSphere volume vmdk
+ type: string
+ required:
+ - volumePath
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ logLevel:
+ description: |-
+ LogLevel sets the log level for Envoy.
+ Allowed values are "trace", "debug", "info", "warn", "error", "critical", "off".
+ type: string
+ networkPublishing:
+ description: NetworkPublishing defines how to expose Envoy to
+ a network.
+ properties:
+ externalTrafficPolicy:
+ description: |-
+ ExternalTrafficPolicy describes how nodes distribute service traffic they
+ receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs,
+ and LoadBalancer IPs).
+ If unset, defaults to "Local".
+ type: string
+ ipFamilyPolicy:
+ description: |-
+ IPFamilyPolicy represents the dual-stack-ness requested or required by
+ this Service. If there is no value provided, then this field will be set
+ to SingleStack. Services can be "SingleStack" (a single IP family),
+ "PreferDualStack" (two IP families on dual-stack configured clusters or
+ a single IP family on single-stack clusters), or "RequireDualStack"
+ (two IP families on dual-stack configured clusters, otherwise fail).
+ type: string
+ serviceAnnotations:
+ additionalProperties:
+ type: string
+ description: |-
+ ServiceAnnotations is the annotations to add to
+ the provisioned Envoy service.
+ type: object
+ type:
+ description: |-
+ NetworkPublishingType is the type of publishing strategy to use. Valid values are:
+ * LoadBalancerService
+ In this configuration, network endpoints for Envoy use container networking.
+ A Kubernetes LoadBalancer Service is created to publish Envoy network
+ endpoints.
+ See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
+ * NodePortService
+ Publishes Envoy network endpoints using a Kubernetes NodePort Service.
+ In this configuration, Envoy network endpoints use container networking. A Kubernetes
+ NodePort Service is created to publish the network endpoints.
+ See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
+ NOTE:
+ When provisioning an Envoy `NodePortService`, use Gateway Listeners' port numbers to populate
+ the Service's node port values, there's no way to auto-allocate them.
+ See: https://github.com/projectcontour/contour/issues/4499
+ * ClusterIPService
+ Publishes Envoy network endpoints using a Kubernetes ClusterIP Service.
+ In this configuration, Envoy network endpoints use container networking. A Kubernetes
+ ClusterIP Service is created to publish the network endpoints.
+ See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
+ If unset, defaults to LoadBalancerService.
+ type: string
+ type: object
+ nodePlacement:
+ description: NodePlacement describes node scheduling configuration
+ of Envoy pods.
+ properties:
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ NodeSelector is the simplest recommended form of node selection constraint
+ and specifies a map of key-value pairs. For the pod to be eligible
+ to run on a node, the node must have each of the indicated key-value pairs
+ as labels (it can have additional labels as well).
+ If unset, the pod(s) will be scheduled to any available node.
+ type: object
+ tolerations:
+ description: |-
+ Tolerations work with taints to ensure that pods are not scheduled
+ onto inappropriate nodes. One or more taints are applied to a node; this
+ marks that the node should not accept any pods that do not tolerate the
+ taints.
+ The default is an empty list.
+ See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ for additional details.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple using the matching operator .
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ overloadMaxHeapSize:
+ description: |-
+ OverloadMaxHeapSize defines the maximum heap memory of the envoy controlled by the overload manager.
+ When the value is greater than 0, the overload manager is enabled,
+ and when envoy reaches 95% of the maximum heap size, it performs a shrink heap operation,
+ When it reaches 98% of the maximum heap size, Envoy Will stop accepting requests.
+ More info: https://projectcontour.io/docs/main/config/overload-manager/
+ format: int64
+ type: integer
+ podAnnotations:
+ additionalProperties:
+ type: string
+ description: |-
+ PodAnnotations defines annotations to add to the Envoy pods.
+ the annotations for Prometheus will be appended or overwritten with predefined value.
+ type: object
+ replicas:
+ description: |-
+ Deprecated: Use `DeploymentSettings.Replicas` instead.
+ Replicas is the desired number of Envoy replicas. If WorkloadType
+ is not "Deployment", this field is ignored. Otherwise, if unset,
+ defaults to 2.
+ if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`.
+ format: int32
+ minimum: 0
+ type: integer
+ resources:
+ description: |-
+ Compute Resources required by envoy container.
+ Cannot be updated.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ workloadType:
+ description: |-
+ WorkloadType is the type of workload to install Envoy
+ as. Choices are DaemonSet and Deployment. If unset, defaults
+ to DaemonSet.
+ type: string
+ type: object
+ resourceLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ ResourceLabels is a set of labels to add to the provisioned Contour resources.
+ Deprecated: use Gateway.Spec.Infrastructure.Labels instead. This field will be
+ removed in a future release.
+ type: object
+ runtimeSettings:
+ description: |-
+ RuntimeSettings is a ContourConfiguration spec to be used when
+ provisioning a Contour instance that will influence aspects of
+ the Contour instance's runtime behavior.
+ properties:
+ debug:
+ description: |-
+ Debug contains parameters to enable debug logging
+ and debug interfaces inside Contour.
+ properties:
+ address:
+ description: |-
+ Defines the Contour debug address interface.
+ Contour's default is "127.0.0.1".
+ type: string
+ port:
+ description: |-
+ Defines the Contour debug address port.
+ Contour's default is 6060.
+ type: integer
+ type: object
+ enableExternalNameService:
+ description: |-
+ EnableExternalNameService allows processing of ExternalNameServices
+ Contour's default is false for security reasons.
+ type: boolean
+ envoy:
+ description: |-
+ Envoy contains parameters for Envoy as well
+ as how to optionally configure a managed Envoy fleet.
+ properties:
+ clientCertificate:
+ description: |-
+ ClientCertificate defines the namespace/name of the Kubernetes
+ secret containing the client certificate and private key
+ to be used when establishing TLS connection to upstream
+ cluster.
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ type: object
+ cluster:
+ description: |-
+ Cluster holds various configurable Envoy cluster values that can
+ be set in the config file.
+ properties:
+ circuitBreakers:
+ description: |-
+ GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services.
+ If defined, this will be used as the default for all services.
+ properties:
+ maxConnections:
+ description: The maximum number of connections that
+ a single Envoy instance allows to the Kubernetes
+ Service; defaults to 1024.
+ format: int32
+ type: integer
+ maxPendingRequests:
+ description: The maximum number of pending requests
+ that a single Envoy instance allows to the Kubernetes
+ Service; defaults to 1024.
+ format: int32
+ type: integer
+ maxRequests:
+ description: The maximum parallel requests a single
+ Envoy instance allows to the Kubernetes Service;
+ defaults to 1024
+ format: int32
+ type: integer
+ maxRetries:
+ description: The maximum number of parallel retries
+ a single Envoy instance allows to the Kubernetes
+ Service; defaults to 3.
+ format: int32
+ type: integer
+ perHostMaxConnections:
+ description: |-
+ PerHostMaxConnections is the maximum number of connections
+ that Envoy will allow to each individual host in a cluster.
+ format: int32
+ type: integer
+ type: object
+ dnsLookupFamily:
+ description: |-
+ DNSLookupFamily defines how external names are looked up
+ When configured as V4, the DNS resolver will only perform a lookup
+ for addresses in the IPv4 family. If V6 is configured, the DNS resolver
+ will only perform a lookup for addresses in the IPv6 family.
+ If AUTO is configured, the DNS resolver will first perform a lookup
+ for addresses in the IPv6 family and fallback to a lookup for addresses
+ in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for
+ both IPv4 and IPv6 families, and return all resolved addresses.
+ When this is used, Happy Eyeballs will be enabled for upstream connections.
+ Refer to Happy Eyeballs Support for more information.
+ Note: This only applies to externalName clusters.
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily
+ for more information.
+ Values: `auto` (default), `v4`, `v6`, `all`.
+ Other values will produce an error.
+ type: string
+ maxRequestsPerConnection:
+ description: |-
+ Defines the maximum requests for upstream connections. If not specified, there is no limit.
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions
+ for more information.
+ format: int32
+ minimum: 1
+ type: integer
+ per-connection-buffer-limit-bytes:
+ description: |-
+ Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes.
+ If unspecified, an implementation defined default is applied (1MiB).
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes
+ for more information.
+ format: int32
+ minimum: 1
+ type: integer
+ upstreamTLS:
+ description: UpstreamTLS contains the TLS policy parameters
+ for upstream connections
+ properties:
+ cipherSuites:
+ description: |-
+ CipherSuites defines the TLS ciphers to be supported by Envoy TLS
+ listeners when negotiating TLS 1.2. Ciphers are validated against the
+ set that Envoy supports by default. This parameter should only be used
+ by advanced users. Note that these will be ignored when TLS 1.3 is in
+ use.
+ This field is optional; when it is undefined, a Contour-managed ciphersuite list
+ will be used, which may be updated to keep it secure.
+ Contour's default list is:
+ - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
+ - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
+ - "ECDHE-ECDSA-AES256-GCM-SHA384"
+ - "ECDHE-RSA-AES256-GCM-SHA384"
+ Ciphers provided are validated against the following list:
+ - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
+ - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
+ - "ECDHE-ECDSA-AES128-GCM-SHA256"
+ - "ECDHE-RSA-AES128-GCM-SHA256"
+ - "ECDHE-ECDSA-AES128-SHA"
+ - "ECDHE-RSA-AES128-SHA"
+ - "AES128-GCM-SHA256"
+ - "AES128-SHA"
+ - "ECDHE-ECDSA-AES256-GCM-SHA384"
+ - "ECDHE-RSA-AES256-GCM-SHA384"
+ - "ECDHE-ECDSA-AES256-SHA"
+ - "ECDHE-RSA-AES256-SHA"
+ - "AES256-GCM-SHA384"
+ - "AES256-SHA"
+ Contour recommends leaving this undefined unless you are sure you must.
+ See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
+ Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS.
+ items:
+ type: string
+ type: array
+ maximumProtocolVersion:
+ description: |-
+ MaximumProtocolVersion is the maximum TLS version this vhost should
+ negotiate.
+ Values: `1.2`, `1.3`(default).
+ Other values will produce an error.
+ type: string
+ minimumProtocolVersion:
+ description: |-
+ MinimumProtocolVersion is the minimum TLS version this vhost should
+ negotiate.
+ Values: `1.2` (default), `1.3`.
+ Other values will produce an error.
+ type: string
+ type: object
+ type: object
+ defaultHTTPVersions:
+ description: |-
+ DefaultHTTPVersions defines the default set of HTTPS
+ versions the proxy should accept. HTTP versions are
+ strings of the form "HTTP/xx". Supported versions are
+ "HTTP/1.1" and "HTTP/2".
+ Values: `HTTP/1.1`, `HTTP/2` (default: both).
+ Other values will produce an error.
+ items:
+ description: HTTPVersionType is the name of a supported
+ HTTP version.
+ type: string
+ type: array
+ health:
+ description: |-
+ Health defines the endpoint Envoy uses to serve health checks.
+ Contour's default is { address: "0.0.0.0", port: 8002 }.
+ properties:
+ address:
+ description: Defines the health address interface.
+ minLength: 1
+ type: string
+ port:
+ description: Defines the health port.
+ type: integer
+ type: object
+ http:
+ description: |-
+ Defines the HTTP Listener for Envoy.
+ Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }.
+ properties:
+ accessLog:
+ description: AccessLog defines where Envoy logs are outputted
+ for this listener.
+ type: string
+ address:
+ description: Defines an Envoy Listener Address.
+ minLength: 1
+ type: string
+ port:
+ description: Defines an Envoy listener Port.
+ type: integer
+ type: object
+ https:
+ description: |-
+ Defines the HTTPS Listener for Envoy.
+ Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }.
+ properties:
+ accessLog:
+ description: AccessLog defines where Envoy logs are outputted
+ for this listener.
+ type: string
+ address:
+ description: Defines an Envoy Listener Address.
+ minLength: 1
+ type: string
+ port:
+ description: Defines an Envoy listener Port.
+ type: integer
+ type: object
+ listener:
+ description: Listener hold various configurable Envoy listener
+ values.
+ properties:
+ connectionBalancer:
+ description: |-
+ ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig
+ for more information.
+ Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer.
+ Other values will produce an error.
+ type: string
+ disableAllowChunkedLength:
+ description: |-
+ DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to
+ strip the "Content-Length" header if "Transfer-Encoding: chunked" is
+ also set. This is an emergency off-switch to revert back to Envoy's
+ default behavior in case of failures. Please file an issue if failures
+ are encountered.
+ See: https://github.com/projectcontour/contour/issues/3221
+ Contour's default is false.
+ type: boolean
+ disableMergeSlashes:
+ description: |-
+ DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option
+ which strips duplicate slashes from request URL paths.
+ Contour's default is false.
+ type: boolean
+ httpMaxConcurrentStreams:
+ description: |-
+ Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the
+ SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed
+ for a peer on a single HTTP/2 connection. It is recommended to not set this lower
+ than 100 but this field can be used to bound resource usage by HTTP/2 connections
+ and mitigate attacks like CVE-2023-44487. The default value when this is not set is
+ unlimited.
+ format: int32
+ minimum: 1
+ type: integer
+ maxConnectionsPerListener:
+ description: |-
+ Defines the limit on number of active connections to a listener. The limit is applied
+ per listener. The default value when this is not set is unlimited.
+ format: int32
+ minimum: 1
+ type: integer
+ maxRequestsPerConnection:
+ description: |-
+ Defines the maximum requests for downstream connections. If not specified, there is no limit.
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions
+ for more information.
+ format: int32
+ minimum: 1
+ type: integer
+ maxRequestsPerIOCycle:
+ description: |-
+ Defines the limit on number of HTTP requests that Envoy will process from a single
+ connection in a single I/O cycle. Requests over this limit are processed in subsequent
+ I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is
+ detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default
+ value when this is not set is no limit.
+ format: int32
+ minimum: 1
+ type: integer
+ per-connection-buffer-limit-bytes:
+ description: |-
+ Defines the soft limit on size of the listener’s new connection read and write buffers in bytes.
+ If unspecified, an implementation defined default is applied (1MiB).
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes
+ for more information.
+ format: int32
+ minimum: 1
+ type: integer
+ serverHeaderTransformation:
+ description: |-
+ Defines the action to be applied to the Server header on the response path.
+ When configured as overwrite, overwrites any Server header with "envoy".
+ When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy".
+ When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present.
+ Values: `overwrite` (default), `append_if_absent`, `pass_through`
+ Other values will produce an error.
+ Contour's default is overwrite.
+ type: string
+ socketOptions:
+ description: |-
+ SocketOptions defines configurable socket options for the listeners.
+ Single set of options are applied to all listeners.
+ properties:
+ tos:
+ description: |-
+ Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners.
+ Single value is applied to all listeners.
+ If listeners are bound to IPv6-only addresses, setting this option will cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ trafficClass:
+ description: |-
+ Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners.
+ Single value is applied to all listeners.
+ If listeners are bound to IPv4-only addresses, setting this option will cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ type: object
+ tls:
+ description: TLS holds various configurable Envoy TLS
+ listener values.
+ properties:
+ cipherSuites:
+ description: |-
+ CipherSuites defines the TLS ciphers to be supported by Envoy TLS
+ listeners when negotiating TLS 1.2. Ciphers are validated against the
+ set that Envoy supports by default. This parameter should only be used
+ by advanced users. Note that these will be ignored when TLS 1.3 is in
+ use.
+ This field is optional; when it is undefined, a Contour-managed ciphersuite list
+ will be used, which may be updated to keep it secure.
+ Contour's default list is:
+ - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
+ - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
+ - "ECDHE-ECDSA-AES256-GCM-SHA384"
+ - "ECDHE-RSA-AES256-GCM-SHA384"
+ Ciphers provided are validated against the following list:
+ - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
+ - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
+ - "ECDHE-ECDSA-AES128-GCM-SHA256"
+ - "ECDHE-RSA-AES128-GCM-SHA256"
+ - "ECDHE-ECDSA-AES128-SHA"
+ - "ECDHE-RSA-AES128-SHA"
+ - "AES128-GCM-SHA256"
+ - "AES128-SHA"
+ - "ECDHE-ECDSA-AES256-GCM-SHA384"
+ - "ECDHE-RSA-AES256-GCM-SHA384"
+ - "ECDHE-ECDSA-AES256-SHA"
+ - "ECDHE-RSA-AES256-SHA"
+ - "AES256-GCM-SHA384"
+ - "AES256-SHA"
+ Contour recommends leaving this undefined unless you are sure you must.
+ See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
+ Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS.
+ items:
+ type: string
+ type: array
+ maximumProtocolVersion:
+ description: |-
+ MaximumProtocolVersion is the maximum TLS version this vhost should
+ negotiate.
+ Values: `1.2`, `1.3`(default).
+ Other values will produce an error.
+ type: string
+ minimumProtocolVersion:
+ description: |-
+ MinimumProtocolVersion is the minimum TLS version this vhost should
+ negotiate.
+ Values: `1.2` (default), `1.3`.
+ Other values will produce an error.
+ type: string
+ type: object
+ useProxyProtocol:
+ description: |-
+ Use PROXY protocol for all listeners.
+ Contour's default is false.
+ type: boolean
+ type: object
+ logging:
+ description: Logging defines how Envoy's logs can be configured.
+ properties:
+ accessLogFormat:
+ description: |-
+ AccessLogFormat sets the global access log format.
+ Values: `envoy` (default), `json`.
+ Other values will produce an error.
+ type: string
+ accessLogFormatString:
+ description: |-
+ AccessLogFormatString sets the access log format when format is set to `envoy`.
+ When empty, Envoy's default format is used.
+ type: string
+ accessLogJSONFields:
+ description: |-
+ AccessLogJSONFields sets the fields that JSON logging will
+ output when AccessLogFormat is json.
+ items:
+ type: string
+ type: array
+ accessLogLevel:
+ description: |-
+ AccessLogLevel sets the verbosity level of the access log.
+ Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`.
+ Other values will produce an error.
+ type: string
+ type: object
+ metrics:
+ description: |-
+ Metrics defines the endpoint Envoy uses to serve metrics.
+ Contour's default is { address: "0.0.0.0", port: 8002 }.
+ properties:
+ address:
+ description: Defines the metrics address interface.
+ maxLength: 253
+ minLength: 1
+ type: string
+ port:
+ description: Defines the metrics port.
+ type: integer
+ tls:
+ description: |-
+ TLS holds TLS file config details.
+ Metrics and health endpoints cannot have same port number when metrics is served over HTTPS.
+ properties:
+ caFile:
+ description: CA filename.
+ type: string
+ certFile:
+ description: Client certificate filename.
+ type: string
+ keyFile:
+ description: Client key filename.
+ type: string
+ type: object
+ type: object
+ network:
+ description: Network holds various configurable Envoy network
+ values.
+ properties:
+ adminPort:
+ description: |-
+ Configure the port used to access the Envoy Admin interface.
+ If configured to port "0" then the admin interface is disabled.
+ Contour's default is 9001.
+ type: integer
+ numTrustedHops:
+ description: |-
+ XffNumTrustedHops defines the number of additional ingress proxy hops from the
+ right side of the x-forwarded-for HTTP header to trust when determining the origin
+ client’s IP address.
+ See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops
+ for more information.
+ Contour's default is 0.
+ format: int32
+ type: integer
+ type: object
+ service:
+ description: |-
+ Service holds Envoy service parameters for setting Ingress status.
+ Contour's default is { namespace: "projectcontour", name: "envoy" }.
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ type: object
+ timeouts:
+ description: |-
+ Timeouts holds various configurable timeouts that can
+ be set in the config file.
+ properties:
+ connectTimeout:
+ description: |-
+ ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service.
+ If not set, a default value of 2 seconds will be used.
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout
+ for more information.
+ type: string
+ connectionIdleTimeout:
+ description: |-
+ ConnectionIdleTimeout defines how long the proxy should wait while there are
+ no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating
+ an HTTP connection. Set to "infinity" to disable the timeout entirely.
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout
+ for more information.
+ type: string
+ connectionShutdownGracePeriod:
+ description: |-
+ ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an
+ initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection.
+ During this grace period, the proxy will continue to respond to new streams. After the final
+ GOAWAY frame has been sent, the proxy will refuse new streams.
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout
+ for more information.
+ type: string
+ delayedCloseTimeout:
+ description: |-
+ DelayedCloseTimeout defines how long envoy will wait, once connection
+ close processing has been initiated, for the downstream peer to close
+ the connection before Envoy closes the socket associated with the connection.
+ Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0'
+ in Envoy. Leaving it unset will result in the Envoy default value being used.
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout
+ for more information.
+ type: string
+ maxConnectionDuration:
+ description: |-
+ MaxConnectionDuration defines the maximum period of time after an HTTP connection
+ has been established from the client to the proxy before it is closed by the proxy,
+ regardless of whether there has been activity or not. Omit or set to "infinity" for
+ no max duration.
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration
+ for more information.
+ type: string
+ requestTimeout:
+ description: |-
+ RequestTimeout sets the client request timeout globally for Contour. Note that
+ this is a timeout for the entire request, not an idle timeout. Omit or set to
+ "infinity" to disable the timeout entirely.
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout
+ for more information.
+ type: string
+ streamIdleTimeout:
+ description: |-
+ StreamIdleTimeout defines how long the proxy should wait while there is no
+ request activity (for HTTP/1.1) or stream activity (for HTTP/2) before
+ terminating the HTTP request or stream. Set to "infinity" to disable the
+ timeout entirely.
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout
+ for more information.
+ type: string
+ type: object
+ type: object
+ featureFlags:
+ description: |-
+ FeatureFlags defines toggle to enable new contour features.
+ Available toggles are:
+ useEndpointSlices - Configures contour to fetch endpoint data
+ from k8s endpoint slices. defaults to true,
+ If false then reads endpoint data from the k8s endpoints.
+ items:
+ type: string
+ type: array
+ gateway:
+ description: |-
+ Gateway contains parameters for the gateway-api Gateway that Contour
+ is configured to serve traffic.
+ properties:
+ gatewayRef:
+ description: |-
+ GatewayRef defines the specific Gateway that this Contour
+ instance corresponds to.
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ type: object
+ required:
+ - gatewayRef
+ type: object
+ globalExtAuth:
+ description: |-
+ GlobalExternalAuthorization allows envoys external authorization filter
+ to be enabled for all virtual hosts.
+ properties:
+ authPolicy:
+ description: |-
+ AuthPolicy sets a default authorization policy for client requests.
+ This policy will be used unless overridden by individual routes.
+ properties:
+ context:
+ additionalProperties:
+ type: string
+ description: |-
+ Context is a set of key/value pairs that are sent to the
+ authentication server in the check request. If a context
+ is provided at an enclosing scope, the entries are merged
+ such that the inner scope overrides matching keys from the
+ outer scope.
+ type: object
+ disabled:
+ description: |-
+ When true, this field disables client request authentication
+ for the scope of the policy.
+ type: boolean
+ type: object
+ extensionRef:
+ description: ExtensionServiceRef specifies the extension resource
+ that will authorize client requests.
+ properties:
+ apiVersion:
+ description: |-
+ API version of the referent.
+ If this field is not specified, the default "projectcontour.io/v1alpha1" will be used
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace of the referent.
+ If this field is not specifies, the namespace of the resource that targets the referent will be used.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+ minLength: 1
+ type: string
+ type: object
+ failOpen:
+ description: |-
+ If FailOpen is true, the client request is forwarded to the upstream service
+ even if the authorization server fails to respond. This field should not be
+ set in most cases. It is intended for use only while migrating applications
+ from internal authorization to Contour external authorization.
+ type: boolean
+ responseTimeout:
+ description: |-
+ ResponseTimeout configures maximum time to wait for a check response from the authorization server.
+ Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
+ Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ The string "infinity" is also a valid input and specifies no timeout.
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
+ type: string
+ withRequestBody:
+ description: WithRequestBody specifies configuration for sending
+ the client request's body to authorization server.
+ properties:
+ allowPartialMessage:
+ description: If AllowPartialMessage is true, then Envoy
+ will buffer the body until MaxRequestBytes are reached.
+ type: boolean
+ maxRequestBytes:
+ default: 1024
+ description: MaxRequestBytes sets the maximum size of
+ message body ExtAuthz filter will hold in-memory.
+ format: int32
+ minimum: 1
+ type: integer
+ packAsBytes:
+ description: If PackAsBytes is true, the body sent to
+ Authorization Server is in raw bytes.
+ type: boolean
+ type: object
+ type: object
+ health:
+ description: |-
+ Health defines the endpoints Contour uses to serve health checks.
+ Contour's default is { address: "0.0.0.0", port: 8000 }.
+ properties:
+ address:
+ description: Defines the health address interface.
+ minLength: 1
+ type: string
+ port:
+ description: Defines the health port.
+ type: integer
+ type: object
+ httpproxy:
+ description: HTTPProxy defines parameters on HTTPProxy.
+ properties:
+ disablePermitInsecure:
+ description: |-
+ DisablePermitInsecure disables the use of the
+ permitInsecure field in HTTPProxy.
+ Contour's default is false.
+ type: boolean
+ fallbackCertificate:
+ description: |-
+ FallbackCertificate defines the namespace/name of the Kubernetes secret to
+ use as fallback when a non-SNI request is received.
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ type: object
+ rootNamespaces:
+ description: Restrict Contour to searching these namespaces
+ for root ingress routes.
+ items:
+ type: string
+ type: array
+ type: object
+ ingress:
+ description: Ingress contains parameters for ingress options.
+ properties:
+ classNames:
+ description: Ingress Class Names Contour should use.
+ items:
+ type: string
+ type: array
+ statusAddress:
+ description: Address to set in Ingress object status.
+ type: string
+ type: object
+ metrics:
+ description: |-
+ Metrics defines the endpoint Contour uses to serve metrics.
+ Contour's default is { address: "0.0.0.0", port: 8000 }.
+ properties:
+ address:
+ description: Defines the metrics address interface.
+ maxLength: 253
+ minLength: 1
+ type: string
+ port:
+ description: Defines the metrics port.
+ type: integer
+ tls:
+ description: |-
+ TLS holds TLS file config details.
+ Metrics and health endpoints cannot have same port number when metrics is served over HTTPS.
+ properties:
+ caFile:
+ description: CA filename.
+ type: string
+ certFile:
+ description: Client certificate filename.
+ type: string
+ keyFile:
+ description: Client key filename.
+ type: string
+ type: object
+ type: object
+ policy:
+ description: Policy specifies default policy applied if not overridden
+ by the user
+ properties:
+ applyToIngress:
+ description: |-
+ ApplyToIngress determines if the Policies will apply to ingress objects
+ Contour's default is false.
+ type: boolean
+ requestHeaders:
+ description: RequestHeadersPolicy defines the request headers
+ set/removed on all routes
+ properties:
+ remove:
+ items:
+ type: string
+ type: array
+ set:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ responseHeaders:
+ description: ResponseHeadersPolicy defines the response headers
+ set/removed on all routes
+ properties:
+ remove:
+ items:
+ type: string
+ type: array
+ set:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ rateLimitService:
+ description: |-
+ RateLimitService optionally holds properties of the Rate Limit Service
+ to be used for global rate limiting.
+ properties:
+ defaultGlobalRateLimitPolicy:
+ description: |-
+ DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy.
+ HTTPProxy can overwrite this configuration.
+ properties:
+ descriptors:
+ description: |-
+ Descriptors defines the list of descriptors that will
+ be generated and sent to the rate limit service. Each
+ descriptor contains 1+ key-value pair entries.
+ items:
+ description: RateLimitDescriptor defines a list of key-value
+ pair generators.
+ properties:
+ entries:
+ description: Entries is the list of key-value pair
+ generators.
+ items:
+ description: |-
+ RateLimitDescriptorEntry is a key-value pair generator. Exactly
+ one field on this struct must be non-nil.
+ properties:
+ genericKey:
+ description: GenericKey defines a descriptor
+ entry with a static key and value.
+ properties:
+ key:
+ description: |-
+ Key defines the key of the descriptor entry. If not set, the
+ key is set to "generic_key".
+ type: string
+ value:
+ description: Value defines the value of
+ the descriptor entry.
+ minLength: 1
+ type: string
+ type: object
+ remoteAddress:
+ description: |-
+ RemoteAddress defines a descriptor entry with a key of "remote_address"
+ and a value equal to the client's IP address (from x-forwarded-for).
+ type: object
+ requestHeader:
+ description: |-
+ RequestHeader defines a descriptor entry that's populated only if
+ a given header is present on the request. The descriptor key is static,
+ and the descriptor value is equal to the value of the header.
+ properties:
+ descriptorKey:
+ description: DescriptorKey defines the
+ key to use on the descriptor entry.
+ minLength: 1
+ type: string
+ headerName:
+ description: HeaderName defines the name
+ of the header to look for on the request.
+ minLength: 1
+ type: string
+ type: object
+ requestHeaderValueMatch:
+ description: |-
+ RequestHeaderValueMatch defines a descriptor entry that's populated
+ if the request's headers match a set of 1+ match criteria. The
+ descriptor key is "header_match", and the descriptor value is static.
+ properties:
+ expectMatch:
+ default: true
+ description: |-
+ ExpectMatch defines whether the request must positively match the match
+ criteria in order to generate a descriptor entry (i.e. true), or not
+ match the match criteria in order to generate a descriptor entry (i.e. false).
+ The default is true.
+ type: boolean
+ headers:
+ description: |-
+ Headers is a list of 1+ match criteria to apply against the request
+ to determine whether to populate the descriptor entry or not.
+ items:
+ description: |-
+ HeaderMatchCondition specifies how to conditionally match against HTTP
+ headers. The Name field is required, only one of Present, NotPresent,
+ Contains, NotContains, Exact, NotExact and Regex can be set.
+ For negative matching rules only (e.g. NotContains or NotExact) you can set
+ TreatMissingAsEmpty.
+ IgnoreCase has no effect for Regex.
+ properties:
+ contains:
+ description: |-
+ Contains specifies a substring that must be present in
+ the header value.
+ type: string
+ exact:
+ description: Exact specifies a string
+ that the header value must be
+ equal to.
+ type: string
+ ignoreCase:
+ description: |-
+ IgnoreCase specifies that string matching should be case insensitive.
+ Note that this has no effect on the Regex parameter.
+ type: boolean
+ name:
+ description: |-
+ Name is the name of the header to match against. Name is required.
+ Header names are case insensitive.
+ type: string
+ notcontains:
+ description: |-
+ NotContains specifies a substring that must not be present
+ in the header value.
+ type: string
+ notexact:
+ description: |-
+ NoExact specifies a string that the header value must not be
+ equal to. The condition is true if the header has any other value.
+ type: string
+ notpresent:
+ description: |-
+ NotPresent specifies that condition is true when the named header
+ is not present. Note that setting NotPresent to false does not
+ make the condition true if the named header is present.
+ type: boolean
+ present:
+ description: |-
+ Present specifies that condition is true when the named header
+ is present, regardless of its value. Note that setting Present
+ to false does not make the condition true if the named header
+ is absent.
+ type: boolean
+ regex:
+ description: |-
+ Regex specifies a regular expression pattern that must match the header
+ value.
+ type: string
+ treatMissingAsEmpty:
+ description: |-
+ TreatMissingAsEmpty specifies if the header match rule specified header
+ does not exist, this header value will be treated as empty. Defaults to false.
+ Unlike the underlying Envoy implementation this is **only** supported for
+ negative matches (e.g. NotContains, NotExact).
+ type: boolean
+ required:
+ - name
+ type: object
+ minItems: 1
+ type: array
+ value:
+ description: Value defines the value of
+ the descriptor entry.
+ minLength: 1
+ type: string
+ type: object
+ type: object
+ minItems: 1
+ type: array
+ type: object
+ minItems: 1
+ type: array
+ disabled:
+ description: |-
+ Disabled configures the HTTPProxy to not use
+ the default global rate limit policy defined by the Contour configuration.
+ type: boolean
+ type: object
+ domain:
+ description: Domain is passed to the Rate Limit Service.
+ type: string
+ enableResourceExhaustedCode:
+ description: |-
+ EnableResourceExhaustedCode enables translating error code 429 to
+ grpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE
+ type: boolean
+ enableXRateLimitHeaders:
+ description: |-
+ EnableXRateLimitHeaders defines whether to include the X-RateLimit
+ headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset
+ (as defined by the IETF Internet-Draft linked below), on responses
+ to clients when the Rate Limit Service is consulted for a request.
+ ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html
+ type: boolean
+ extensionService:
+ description: ExtensionService identifies the extension service
+ defining the RLS.
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ type: object
+ failOpen:
+ description: |-
+ FailOpen defines whether to allow requests to proceed when the
+ Rate Limit Service fails to respond with a valid rate limit
+ decision within the timeout defined on the extension service.
+ type: boolean
+ required:
+ - extensionService
+ type: object
+ tracing:
+ description: Tracing defines properties for exporting trace data
+ to OpenTelemetry.
+ properties:
+ customTags:
+ description: CustomTags defines a list of custom tags with
+ unique tag name.
+ items:
+ description: |-
+ CustomTag defines custom tags with unique tag name
+ to create tags for the active span.
+ properties:
+ literal:
+ description: |-
+ Literal is a static custom tag value.
+ Precisely one of Literal, RequestHeaderName must be set.
+ type: string
+ requestHeaderName:
+ description: |-
+ RequestHeaderName indicates which request header
+ the label value is obtained from.
+ Precisely one of Literal, RequestHeaderName must be set.
+ type: string
+ tagName:
+ description: TagName is the unique name of the custom
+ tag.
+ type: string
+ required:
+ - tagName
+ type: object
+ type: array
+ extensionService:
+ description: ExtensionService identifies the extension service
+ defining the otel-collector.
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - name
+ - namespace
+ type: object
+ includePodDetail:
+ description: |-
+ IncludePodDetail defines a flag.
+ If it is true, contour will add the pod name and namespace to the span of the trace.
+ the default is true.
+ Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly.
+ type: boolean
+ maxPathTagLength:
+ description: |-
+ MaxPathTagLength defines maximum length of the request path
+ to extract and include in the HttpUrl tag.
+ contour's default is 256.
+ format: int32
+ type: integer
+ overallSampling:
+ description: |-
+ OverallSampling defines the sampling rate of trace data.
+ contour's default is 100.
+ type: string
+ serviceName:
+ description: |-
+ ServiceName defines the name for the service.
+ contour's default is contour.
+ type: string
+ required:
+ - extensionService
+ type: object
+ xdsServer:
+ description: XDSServer contains parameters for the xDS server.
+ properties:
+ address:
+ description: |-
+ Defines the xDS gRPC API address which Contour will serve.
+ Contour's default is "0.0.0.0".
+ minLength: 1
+ type: string
+ port:
+ description: |-
+ Defines the xDS gRPC API port which Contour will serve.
+ Contour's default is 8001.
+ type: integer
+ tls:
+ description: |-
+ TLS holds TLS file config details.
+ Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }.
+ properties:
+ caFile:
+ description: CA filename.
+ type: string
+ certFile:
+ description: Client certificate filename.
+ type: string
+ insecure:
+ description: Allow serving the xDS gRPC API without TLS.
+ type: boolean
+ keyFile:
+ description: Client key filename.
+ type: string
+ type: object
+ type:
+ description: |-
+ Defines the XDSServer to use for `contour serve`.
+ Values: `envoy` (default), `contour (deprecated)`.
+ Other values will produce an error.
+ Deprecated: this field will be removed in a future release when
+ the `contour` xDS server implementation is removed.
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ description: ContourDeploymentStatus defines the observed state of a ContourDeployment
+ resource.
+ properties:
+ conditions:
+ description: Conditions describe the current conditions of the ContourDeployment
+ resource.
+ items:
+ description: "Condition contains details for one aspect of the current
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.15.0
+ name: extensionservices.projectcontour.io
+spec:
+ preserveUnknownFields: false
+ group: projectcontour.io
+ names:
+ kind: ExtensionService
+ listKind: ExtensionServiceList
+ plural: extensionservices
+ shortNames:
+ - extensionservice
+ - extensionservices
+ singular: extensionservice
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ ExtensionService is the schema for the Contour extension services API.
+ An ExtensionService resource binds a network service to the Contour
+ API so that Contour API features can be implemented by collaborating
+ components.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: ExtensionServiceSpec defines the desired state of an ExtensionService
+ resource.
+ properties:
+ circuitBreakerPolicy:
+ description: |-
+ CircuitBreakerPolicy specifies the circuit breaker budget across the extension service.
+ If defined this overrides the global circuit breaker budget.
+ properties:
+ maxConnections:
+ description: The maximum number of connections that a single Envoy
+ instance allows to the Kubernetes Service; defaults to 1024.
+ format: int32
+ type: integer
+ maxPendingRequests:
+ description: The maximum number of pending requests that a single
+ Envoy instance allows to the Kubernetes Service; defaults to
+ 1024.
+ format: int32
+ type: integer
+ maxRequests:
+ description: The maximum parallel requests a single Envoy instance
+ allows to the Kubernetes Service; defaults to 1024
+ format: int32
+ type: integer
+ maxRetries:
+ description: The maximum number of parallel retries a single Envoy
+ instance allows to the Kubernetes Service; defaults to 3.
+ format: int32
+ type: integer
+ perHostMaxConnections:
+ description: |-
+ PerHostMaxConnections is the maximum number of connections
+ that Envoy will allow to each individual host in a cluster.
+ format: int32
+ type: integer
+ type: object
+ loadBalancerPolicy:
+ description: |-
+ The policy for load balancing GRPC service requests. Note that the
+ `Cookie` and `RequestHash` load balancing strategies cannot be used
+ here.
+ properties:
+ requestHashPolicies:
+ description: |-
+ RequestHashPolicies contains a list of hash policies to apply when the
+ `RequestHash` load balancing strategy is chosen. If an element of the
+ supplied list of hash policies is invalid, it will be ignored. If the
+ list of hash policies is empty after validation, the load balancing
+ strategy will fall back to the default `RoundRobin`.
+ items:
+ description: |-
+ RequestHashPolicy contains configuration for an individual hash policy
+ on a request attribute.
+ properties:
+ hashSourceIP:
+ description: |-
+ HashSourceIP should be set to true when request source IP hash based
+ load balancing is desired. It must be the only hash option field set,
+ otherwise this request hash policy object will be ignored.
+ type: boolean
+ headerHashOptions:
+ description: |-
+ HeaderHashOptions should be set when request header hash based load
+ balancing is desired. It must be the only hash option field set,
+ otherwise this request hash policy object will be ignored.
+ properties:
+ headerName:
+ description: |-
+ HeaderName is the name of the HTTP request header that will be used to
+ calculate the hash key. If the header specified is not present on a
+ request, no hash will be produced.
+ minLength: 1
+ type: string
+ type: object
+ queryParameterHashOptions:
+ description: |-
+ QueryParameterHashOptions should be set when request query parameter hash based load
+ balancing is desired. It must be the only hash option field set,
+ otherwise this request hash policy object will be ignored.
+ properties:
+ parameterName:
+ description: |-
+ ParameterName is the name of the HTTP request query parameter that will be used to
+ calculate the hash key. If the query parameter specified is not present on a
+ request, no hash will be produced.
+ minLength: 1
+ type: string
+ type: object
+ terminal:
+ description: |-
+ Terminal is a flag that allows for short-circuiting computing of a hash
+ for a given request. If set to true, and the request attribute specified
+ in the attribute hash options is present, no further hash policies will
+ be used to calculate a hash for the request.
+ type: boolean
+ type: object
+ type: array
+ strategy:
+ description: |-
+ Strategy specifies the policy used to balance requests
+ across the pool of backend pods. Valid policy names are
+ `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`,
+ and `RequestHash`. If an unknown strategy name is specified
+ or no policy is supplied, the default `RoundRobin` policy
+ is used.
+ type: string
+ type: object
+ protocol:
+ description: |-
+ Protocol may be used to specify (or override) the protocol used to reach this Service.
+ Values may be h2 or h2c. If omitted, protocol-selection falls back on Service annotations.
+ enum:
+ - h2
+ - h2c
+ type: string
+ protocolVersion:
+ description: |-
+ This field sets the version of the GRPC protocol that Envoy uses to
+ send requests to the extension service. Since Contour always uses the
+ v3 Envoy API, this is currently fixed at "v3". However, other
+ protocol options will be available in future.
+ enum:
+ - v3
+ type: string
+ services:
+ description: |-
+ Services specifies the set of Kubernetes Service resources that
+ receive GRPC extension API requests.
+ If no weights are specified for any of the entries in
+ this array, traffic will be spread evenly across all the
+ services.
+ Otherwise, traffic is balanced proportionally to the
+ Weight field in each entry.
+ items:
+ description: |-
+ ExtensionServiceTarget defines an Kubernetes Service to target with
+ extension service traffic.
+ properties:
+ name:
+ description: |-
+ Name is the name of Kubernetes service that will accept service
+ traffic.
+ type: string
+ port:
+ description: Port (defined as Integer) to proxy traffic to since
+ a service can have multiple defined.
+ exclusiveMaximum: true
+ maximum: 65536
+ minimum: 1
+ type: integer
+ weight:
+ description: Weight defines proportion of traffic to balance
+ to the Kubernetes Service.
+ format: int32
+ type: integer
+ required:
+ - name
+ - port
+ type: object
+ minItems: 1
+ type: array
+ timeoutPolicy:
+ description: The timeout policy for requests to the services.
+ properties:
+ idle:
+ description: |-
+ Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2).
+ Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests.
+ If not specified, there is no per-route idle timeout, though a connection manager-wide
+ stream_idle_timeout default of 5m still applies.
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
+ type: string
+ idleConnection:
+ description: |-
+ Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests.
+ If not supplied, Envoy's default value of 1h applies.
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
+ type: string
+ response:
+ description: |-
+ Timeout for receiving a response from the server after processing a request from client.
+ If not supplied, Envoy's default value of 15s applies.
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
+ type: string
+ type: object
+ validation:
+ description: UpstreamValidation defines how to verify the backend
+ service's certificate
+ properties:
+ caSecret:
+ description: |-
+ Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend.
+ The secret must contain key named ca.crt.
+ The name can be optionally prefixed with namespace "namespace/name".
+ When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
+ Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317)
+ maxLength: 317
+ minLength: 1
+ type: string
+ subjectName:
+ description: |-
+ Key which is expected to be present in the 'subjectAltName' of the presented certificate.
+ Deprecated: migrate to using the plural field subjectNames.
+ maxLength: 250
+ minLength: 1
+ type: string
+ subjectNames:
+ description: |-
+ List of keys, of which at least one is expected to be present in the 'subjectAltName of the
+ presented certificate.
+ items:
+ type: string
+ maxItems: 8
+ minItems: 1
+ type: array
+ required:
+ - caSecret
+ - subjectName
+ type: object
+ x-kubernetes-validations:
+ - message: subjectNames[0] must equal subjectName if set
+ rule: 'has(self.subjectNames) ? self.subjectNames[0] == self.subjectName
+ : true'
+ required:
+ - services
+ type: object
+ status:
+ description: |-
+ ExtensionServiceStatus defines the observed state of an
+ ExtensionService resource.
+ properties:
+ conditions:
+ description: |-
+ Conditions contains the current status of the ExtensionService resource.
+ Contour will update a single condition, `Valid`, that is in normal-true polarity.
+ Contour will not modify any other Conditions set in this block,
+ in case some other controller wants to add a Condition.
+ items:
+ description: |-
+ DetailedCondition is an extension of the normal Kubernetes conditions, with two extra
+ fields to hold sub-conditions, which provide more detailed reasons for the state (True or False)
+ of the condition.
+ `errors` holds information about sub-conditions which are fatal to that condition and render its state False.
+ `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False.
+ Remember that Conditions have a type, a status, and a reason.
+ The type is the type of the condition, the most important one in this CRD set is `Valid`.
+ `Valid` is a positive-polarity condition: when it is `status: true` there are no problems.
+ In more detail, `status: true` means that the object is has been ingested into Contour with no errors.
+ `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors`
+ slice in this case.
+ `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour.
+ The details of the errors will be present under the `errors` field. There must be at least one error in the `errors`
+ slice if `status` is `false`.
+ For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity.
+ When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice.
+ When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice.
+ In either case, there may be entries in the `warnings` slice.
+ Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason
+ (if there is one and only one entry in total across both the `errors` and `warnings` slices), or
+ `MultipleReasons` if there is more than one entry.
+ properties:
+ errors:
+ description: |-
+ Errors contains a slice of relevant error subconditions for this object.
+ Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant.
+ An empty slice here indicates no errors.
+ items:
+ description: |-
+ SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
+ It contains a subset of the Condition fields.
+ It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
+ that is, they should be of the form "ErrorPresent: true".
+ The expected lifecycle for these errors is that they should only be present when the error or warning is,
+ and should be removed when they are not relevant.
+ properties:
+ message:
+ description: |-
+ Message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ reason:
+ description: |-
+ Reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: Status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
+ This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ warnings:
+ description: |-
+ Warnings contains a slice of relevant warning subconditions for this object.
+ Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant.
+ An empty slice here indicates no warnings.
+ items:
+ description: |-
+ SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
+ It contains a subset of the Condition fields.
+ It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
+ that is, they should be of the form "ErrorPresent: true".
+ The expected lifecycle for these errors is that they should only be present when the error or warning is,
+ and should be removed when they are not relevant.
+ properties:
+ message:
+ description: |-
+ Message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ reason:
+ description: |-
+ Reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: Status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
+ This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.15.0
+ name: httpproxies.projectcontour.io
+spec:
+ preserveUnknownFields: false
+ group: projectcontour.io
+ names:
+ kind: HTTPProxy
+ listKind: HTTPProxyList
+ plural: httpproxies
+ shortNames:
+ - proxy
+ - proxies
+ singular: httpproxy
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Fully qualified domain name
+ jsonPath: .spec.virtualhost.fqdn
+ name: FQDN
+ type: string
+ - description: Secret with TLS credentials
+ jsonPath: .spec.virtualhost.tls.secretName
+ name: TLS Secret
+ type: string
+ - description: The current status of the HTTPProxy
+ jsonPath: .status.currentStatus
+ name: Status
+ type: string
+ - description: Description of the current status
+ jsonPath: .status.description
+ name: Status Description
+ type: string
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: HTTPProxy is an Ingress CRD specification.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: HTTPProxySpec defines the spec of the CRD.
+ properties:
+ includes:
+ description: |-
+ Includes allow for specific routing configuration to be included from another HTTPProxy,
+ possibly in another namespace.
+ items:
+ description: Include describes a set of policies that can be applied
+ to an HTTPProxy in a namespace.
+ properties:
+ conditions:
+ description: |-
+ Conditions are a set of rules that are applied to included HTTPProxies.
+ In effect, they are added onto the Conditions of included HTTPProxy Route
+ structs.
+ When applied, they are merged using AND, with one exception:
+ There can be only one Prefix MatchCondition per Conditions slice.
+ More than one Prefix, or contradictory Conditions, will make the
+ include invalid. Exact and Regex match conditions are not allowed
+ on includes.
+ items:
+ description: |-
+ MatchCondition are a general holder for matching rules for HTTPProxies.
+ One of Prefix, Exact, Regex, Header or QueryParameter must be provided.
+ properties:
+ exact:
+ description: |-
+ Exact defines a exact match for a request.
+ This field is not allowed in include match conditions.
+ type: string
+ header:
+ description: Header specifies the header condition to
+ match.
+ properties:
+ contains:
+ description: |-
+ Contains specifies a substring that must be present in
+ the header value.
+ type: string
+ exact:
+ description: Exact specifies a string that the header
+ value must be equal to.
+ type: string
+ ignoreCase:
+ description: |-
+ IgnoreCase specifies that string matching should be case insensitive.
+ Note that this has no effect on the Regex parameter.
+ type: boolean
+ name:
+ description: |-
+ Name is the name of the header to match against. Name is required.
+ Header names are case insensitive.
+ type: string
+ notcontains:
+ description: |-
+ NotContains specifies a substring that must not be present
+ in the header value.
+ type: string
+ notexact:
+ description: |-
+ NoExact specifies a string that the header value must not be
+ equal to. The condition is true if the header has any other value.
+ type: string
+ notpresent:
+ description: |-
+ NotPresent specifies that condition is true when the named header
+ is not present. Note that setting NotPresent to false does not
+ make the condition true if the named header is present.
+ type: boolean
+ present:
+ description: |-
+ Present specifies that condition is true when the named header
+ is present, regardless of its value. Note that setting Present
+ to false does not make the condition true if the named header
+ is absent.
+ type: boolean
+ regex:
+ description: |-
+ Regex specifies a regular expression pattern that must match the header
+ value.
+ type: string
+ treatMissingAsEmpty:
+ description: |-
+ TreatMissingAsEmpty specifies if the header match rule specified header
+ does not exist, this header value will be treated as empty. Defaults to false.
+ Unlike the underlying Envoy implementation this is **only** supported for
+ negative matches (e.g. NotContains, NotExact).
+ type: boolean
+ required:
+ - name
+ type: object
+ prefix:
+ description: Prefix defines a prefix match for a request.
+ type: string
+ queryParameter:
+ description: QueryParameter specifies the query parameter
+ condition to match.
+ properties:
+ contains:
+ description: |-
+ Contains specifies a substring that must be present in
+ the query parameter value.
+ type: string
+ exact:
+ description: Exact specifies a string that the query
+ parameter value must be equal to.
+ type: string
+ ignoreCase:
+ description: |-
+ IgnoreCase specifies that string matching should be case insensitive.
+ Note that this has no effect on the Regex parameter.
+ type: boolean
+ name:
+ description: |-
+ Name is the name of the query parameter to match against. Name is required.
+ Query parameter names are case insensitive.
+ type: string
+ prefix:
+ description: Prefix defines a prefix match for the
+ query parameter value.
+ type: string
+ present:
+ description: |-
+ Present specifies that condition is true when the named query parameter
+ is present, regardless of its value. Note that setting Present
+ to false does not make the condition true if the named query parameter
+ is absent.
+ type: boolean
+ regex:
+ description: |-
+ Regex specifies a regular expression pattern that must match the query
+ parameter value.
+ type: string
+ suffix:
+ description: Suffix defines a suffix match for a query
+ parameter value.
+ type: string
+ required:
+ - name
+ type: object
+ regex:
+ description: |-
+ Regex defines a regex match for a request.
+ This field is not allowed in include match conditions.
+ type: string
+ type: object
+ type: array
+ name:
+ description: Name of the HTTPProxy
+ type: string
+ namespace:
+ description: Namespace of the HTTPProxy to include. Defaults
+ to the current namespace if not supplied.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ ingressClassName:
+ description: |-
+ IngressClassName optionally specifies the ingress class to use for this
+ HTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class`
+ annotation. For backwards compatibility, when that annotation is set, it
+ is given precedence over this field.
+ type: string
+ routes:
+ description: Routes are the ingress routes. If TCPProxy is present,
+ Routes is ignored.
+ items:
+ description: Route contains the set of routes for a virtual host.
+ properties:
+ authPolicy:
+ description: |-
+ AuthPolicy updates the authorization policy that was set
+ on the root HTTPProxy object for client requests that
+ match this route.
+ properties:
+ context:
+ additionalProperties:
+ type: string
+ description: |-
+ Context is a set of key/value pairs that are sent to the
+ authentication server in the check request. If a context
+ is provided at an enclosing scope, the entries are merged
+ such that the inner scope overrides matching keys from the
+ outer scope.
+ type: object
+ disabled:
+ description: |-
+ When true, this field disables client request authentication
+ for the scope of the policy.
+ type: boolean
+ type: object
+ conditions:
+ description: |-
+ Conditions are a set of rules that are applied to a Route.
+ When applied, they are merged using AND, with one exception:
+ There can be only one Prefix, Exact or Regex MatchCondition
+ per Conditions slice. More than one of these condition types,
+ or contradictory Conditions, will make the route invalid.
+ items:
+ description: |-
+ MatchCondition are a general holder for matching rules for HTTPProxies.
+ One of Prefix, Exact, Regex, Header or QueryParameter must be provided.
+ properties:
+ exact:
+ description: |-
+ Exact defines a exact match for a request.
+ This field is not allowed in include match conditions.
+ type: string
+ header:
+ description: Header specifies the header condition to
+ match.
+ properties:
+ contains:
+ description: |-
+ Contains specifies a substring that must be present in
+ the header value.
+ type: string
+ exact:
+ description: Exact specifies a string that the header
+ value must be equal to.
+ type: string
+ ignoreCase:
+ description: |-
+ IgnoreCase specifies that string matching should be case insensitive.
+ Note that this has no effect on the Regex parameter.
+ type: boolean
+ name:
+ description: |-
+ Name is the name of the header to match against. Name is required.
+ Header names are case insensitive.
+ type: string
+ notcontains:
+ description: |-
+ NotContains specifies a substring that must not be present
+ in the header value.
+ type: string
+ notexact:
+ description: |-
+ NoExact specifies a string that the header value must not be
+ equal to. The condition is true if the header has any other value.
+ type: string
+ notpresent:
+ description: |-
+ NotPresent specifies that condition is true when the named header
+ is not present. Note that setting NotPresent to false does not
+ make the condition true if the named header is present.
+ type: boolean
+ present:
+ description: |-
+ Present specifies that condition is true when the named header
+ is present, regardless of its value. Note that setting Present
+ to false does not make the condition true if the named header
+ is absent.
+ type: boolean
+ regex:
+ description: |-
+ Regex specifies a regular expression pattern that must match the header
+ value.
+ type: string
+ treatMissingAsEmpty:
+ description: |-
+ TreatMissingAsEmpty specifies if the header match rule specified header
+ does not exist, this header value will be treated as empty. Defaults to false.
+ Unlike the underlying Envoy implementation this is **only** supported for
+ negative matches (e.g. NotContains, NotExact).
+ type: boolean
+ required:
+ - name
+ type: object
+ prefix:
+ description: Prefix defines a prefix match for a request.
+ type: string
+ queryParameter:
+ description: QueryParameter specifies the query parameter
+ condition to match.
+ properties:
+ contains:
+ description: |-
+ Contains specifies a substring that must be present in
+ the query parameter value.
+ type: string
+ exact:
+ description: Exact specifies a string that the query
+ parameter value must be equal to.
+ type: string
+ ignoreCase:
+ description: |-
+ IgnoreCase specifies that string matching should be case insensitive.
+ Note that this has no effect on the Regex parameter.
+ type: boolean
+ name:
+ description: |-
+ Name is the name of the query parameter to match against. Name is required.
+ Query parameter names are case insensitive.
+ type: string
+ prefix:
+ description: Prefix defines a prefix match for the
+ query parameter value.
+ type: string
+ present:
+ description: |-
+ Present specifies that condition is true when the named query parameter
+ is present, regardless of its value. Note that setting Present
+ to false does not make the condition true if the named query parameter
+ is absent.
+ type: boolean
+ regex:
+ description: |-
+ Regex specifies a regular expression pattern that must match the query
+ parameter value.
+ type: string
+ suffix:
+ description: Suffix defines a suffix match for a query
+ parameter value.
+ type: string
+ required:
+ - name
+ type: object
+ regex:
+ description: |-
+ Regex defines a regex match for a request.
+ This field is not allowed in include match conditions.
+ type: string
+ type: object
+ type: array
+ cookieRewritePolicies:
+ description: |-
+ The policies for rewriting Set-Cookie header attributes. Note that
+ rewritten cookie names must be unique in this list. Order rewrite
+ policies are specified in does not matter.
+ items:
+ properties:
+ domainRewrite:
+ description: |-
+ DomainRewrite enables rewriting the Set-Cookie Domain element.
+ If not set, Domain will not be rewritten.
+ properties:
+ value:
+ description: |-
+ Value is the value to rewrite the Domain attribute to.
+ For now this is required.
+ maxLength: 4096
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - value
+ type: object
+ name:
+ description: Name is the name of the cookie for which
+ attributes will be rewritten.
+ maxLength: 4096
+ minLength: 1
+ pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
+ type: string
+ pathRewrite:
+ description: |-
+ PathRewrite enables rewriting the Set-Cookie Path element.
+ If not set, Path will not be rewritten.
+ properties:
+ value:
+ description: |-
+ Value is the value to rewrite the Path attribute to.
+ For now this is required.
+ maxLength: 4096
+ minLength: 1
+ pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
+ type: string
+ required:
+ - value
+ type: object
+ sameSite:
+ description: |-
+ SameSite enables rewriting the Set-Cookie SameSite element.
+ If not set, SameSite attribute will not be rewritten.
+ enum:
+ - Strict
+ - Lax
+ - None
+ type: string
+ secure:
+ description: |-
+ Secure enables rewriting the Set-Cookie Secure element.
+ If not set, Secure attribute will not be rewritten.
+ type: boolean
+ required:
+ - name
+ type: object
+ type: array
+ directResponsePolicy:
+ description: DirectResponsePolicy returns an arbitrary HTTP
+ response directly.
+ properties:
+ body:
+ description: |-
+ Body is the content of the response body.
+ If this setting is omitted, no body is included in the generated response.
+ Note: Body is not recommended to set too long
+ otherwise it can have significant resource usage impacts.
+ type: string
+ statusCode:
+ description: StatusCode is the HTTP response status to be
+ returned.
+ maximum: 599
+ minimum: 200
+ type: integer
+ required:
+ - statusCode
+ type: object
+ enableWebsockets:
+ description: Enables websocket support for the route.
+ type: boolean
+ healthCheckPolicy:
+ description: The health check policy for this route.
+ properties:
+ expectedStatuses:
+ description: |-
+ The ranges of HTTP response statuses considered healthy. Follow half-open
+ semantics, i.e. for each range the start is inclusive and the end is exclusive.
+ Must be within the range [100,600). If not specified, only a 200 response status
+ is considered healthy.
+ items:
+ properties:
+ end:
+ description: The end (exclusive) of a range of HTTP
+ status codes.
+ format: int64
+ maximum: 600
+ minimum: 101
+ type: integer
+ start:
+ description: The start (inclusive) of a range of HTTP
+ status codes.
+ format: int64
+ maximum: 599
+ minimum: 100
+ type: integer
+ required:
+ - end
+ - start
+ type: object
+ type: array
+ healthyThresholdCount:
+ description: The number of healthy health checks required
+ before a host is marked healthy
+ format: int64
+ minimum: 0
+ type: integer
+ host:
+ description: |-
+ The value of the host header in the HTTP health check request.
+ If left empty (default value), the name "contour-envoy-healthcheck"
+ will be used.
+ type: string
+ intervalSeconds:
+ description: The interval (seconds) between health checks
+ format: int64
+ type: integer
+ path:
+ description: HTTP endpoint used to perform health checks
+ on upstream service
+ type: string
+ timeoutSeconds:
+ description: The time to wait (seconds) for a health check
+ response
+ format: int64
+ type: integer
+ unhealthyThresholdCount:
+ description: The number of unhealthy health checks required
+ before a host is marked unhealthy
+ format: int64
+ minimum: 0
+ type: integer
+ required:
+ - path
+ type: object
+ internalRedirectPolicy:
+ description: The policy to define when to handle redirects responses
+ internally.
+ properties:
+ allowCrossSchemeRedirect:
+ default: Never
+ description: |-
+ AllowCrossSchemeRedirect Allow internal redirect to follow a target URI with a different scheme
+ than the value of x-forwarded-proto.
+ SafeOnly allows same scheme redirect and safe cross scheme redirect, which means if the downstream
+ scheme is HTTPS, both HTTPS and HTTP redirect targets are allowed, but if the downstream scheme
+ is HTTP, only HTTP redirect targets are allowed.
+ enum:
+ - Always
+ - Never
+ - SafeOnly
+ type: string
+ denyRepeatedRouteRedirect:
+ description: |-
+ If DenyRepeatedRouteRedirect is true, rejects redirect targets that are pointing to a route that has
+ been followed by a previous redirect from the current route.
+ type: boolean
+ maxInternalRedirects:
+ description: |-
+ MaxInternalRedirects An internal redirect is not handled, unless the number of previous internal
+ redirects that a downstream request has encountered is lower than this value.
+ format: int32
+ type: integer
+ redirectResponseCodes:
+ description: |-
+ RedirectResponseCodes If unspecified, only 302 will be treated as internal redirect.
+ Only 301, 302, 303, 307 and 308 are valid values.
+ items:
+ description: RedirectResponseCode is a uint32 type alias
+ with validation to ensure that the value is valid.
+ enum:
+ - 301
+ - 302
+ - 303
+ - 307
+ - 308
+ format: int32
+ type: integer
+ type: array
+ type: object
+ ipAllowPolicy:
+ description: |-
+ IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching
+ requests should be allowed. All other requests will be denied.
+ Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined.
+ The rules defined here override any rules set on the root HTTPProxy.
+ items:
+ properties:
+ cidr:
+ description: |-
+ CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be
+ a bare IP address (without a mask) to filter on exactly one address.
+ type: string
+ source:
+ description: |-
+ Source indicates how to determine the ip address to filter on, and can be
+ one of two values:
+ - `Remote` filters on the ip address of the client, accounting for PROXY and
+ X-Forwarded-For as needed.
+ - `Peer` filters on the ip of the network request, ignoring PROXY and
+ X-Forwarded-For.
+ enum:
+ - Peer
+ - Remote
+ type: string
+ required:
+ - cidr
+ - source
+ type: object
+ type: array
+ ipDenyPolicy:
+ description: |-
+ IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching
+ requests should be denied. All other requests will be allowed.
+ Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined.
+ The rules defined here override any rules set on the root HTTPProxy.
+ items:
+ properties:
+ cidr:
+ description: |-
+ CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be
+ a bare IP address (without a mask) to filter on exactly one address.
+ type: string
+ source:
+ description: |-
+ Source indicates how to determine the ip address to filter on, and can be
+ one of two values:
+ - `Remote` filters on the ip address of the client, accounting for PROXY and
+ X-Forwarded-For as needed.
+ - `Peer` filters on the ip of the network request, ignoring PROXY and
+ X-Forwarded-For.
+ enum:
+ - Peer
+ - Remote
+ type: string
+ required:
+ - cidr
+ - source
+ type: object
+ type: array
+ jwtVerificationPolicy:
+ description: The policy for verifying JWTs for requests to this
+ route.
+ properties:
+ disabled:
+ description: |-
+ Disabled defines whether to disable all JWT verification for this
+ route. This can be used to opt specific routes out of the default
+ JWT provider for the HTTPProxy. At most one of this field or the
+ "require" field can be specified.
+ type: boolean
+ require:
+ description: |-
+ Require names a specific JWT provider (defined in the virtual host)
+ to require for the route. If specified, this field overrides the
+ default provider if one exists. If this field is not specified,
+ the default provider will be required if one exists. At most one of
+ this field or the "disabled" field can be specified.
+ type: string
+ type: object
+ loadBalancerPolicy:
+ description: The load balancing policy for this route.
+ properties:
+ requestHashPolicies:
+ description: |-
+ RequestHashPolicies contains a list of hash policies to apply when the
+ `RequestHash` load balancing strategy is chosen. If an element of the
+ supplied list of hash policies is invalid, it will be ignored. If the
+ list of hash policies is empty after validation, the load balancing
+ strategy will fall back to the default `RoundRobin`.
+ items:
+ description: |-
+ RequestHashPolicy contains configuration for an individual hash policy
+ on a request attribute.
+ properties:
+ hashSourceIP:
+ description: |-
+ HashSourceIP should be set to true when request source IP hash based
+ load balancing is desired. It must be the only hash option field set,
+ otherwise this request hash policy object will be ignored.
+ type: boolean
+ headerHashOptions:
+ description: |-
+ HeaderHashOptions should be set when request header hash based load
+ balancing is desired. It must be the only hash option field set,
+ otherwise this request hash policy object will be ignored.
+ properties:
+ headerName:
+ description: |-
+ HeaderName is the name of the HTTP request header that will be used to
+ calculate the hash key. If the header specified is not present on a
+ request, no hash will be produced.
+ minLength: 1
+ type: string
+ type: object
+ queryParameterHashOptions:
+ description: |-
+ QueryParameterHashOptions should be set when request query parameter hash based load
+ balancing is desired. It must be the only hash option field set,
+ otherwise this request hash policy object will be ignored.
+ properties:
+ parameterName:
+ description: |-
+ ParameterName is the name of the HTTP request query parameter that will be used to
+ calculate the hash key. If the query parameter specified is not present on a
+ request, no hash will be produced.
+ minLength: 1
+ type: string
+ type: object
+ terminal:
+ description: |-
+ Terminal is a flag that allows for short-circuiting computing of a hash
+ for a given request. If set to true, and the request attribute specified
+ in the attribute hash options is present, no further hash policies will
+ be used to calculate a hash for the request.
+ type: boolean
+ type: object
+ type: array
+ strategy:
+ description: |-
+ Strategy specifies the policy used to balance requests
+ across the pool of backend pods. Valid policy names are
+ `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`,
+ and `RequestHash`. If an unknown strategy name is specified
+ or no policy is supplied, the default `RoundRobin` policy
+ is used.
+ type: string
+ type: object
+ pathRewritePolicy:
+ description: |-
+ The policy for rewriting the path of the request URL
+ after the request has been routed to a Service.
+ properties:
+ replacePrefix:
+ description: ReplacePrefix describes how the path prefix
+ should be replaced.
+ items:
+ description: ReplacePrefix describes a path prefix replacement.
+ properties:
+ prefix:
+ description: |-
+ Prefix specifies the URL path prefix to be replaced.
+ If Prefix is specified, it must exactly match the MatchCondition
+ prefix that is rendered by the chain of including HTTPProxies
+ and only that path prefix will be replaced by Replacement.
+ This allows HTTPProxies that are included through multiple
+ roots to only replace specific path prefixes, leaving others
+ unmodified.
+ If Prefix is not specified, all routing prefixes rendered
+ by the include chain will be replaced.
+ minLength: 1
+ type: string
+ replacement:
+ description: |-
+ Replacement is the string that the routing path prefix
+ will be replaced with. This must not be empty.
+ minLength: 1
+ type: string
+ required:
+ - replacement
+ type: object
+ type: array
+ type: object
+ permitInsecure:
+ description: |-
+ Allow this path to respond to insecure requests over HTTP which are normally
+ not permitted when a `virtualhost.tls` block is present.
+ type: boolean
+ rateLimitPolicy:
+ description: The policy for rate limiting on the route.
+ properties:
+ global:
+ description: |-
+ Global defines global rate limiting parameters, i.e. parameters
+ defining descriptors that are sent to an external rate limit
+ service (RLS) for a rate limit decision on each request.
+ properties:
+ descriptors:
+ description: |-
+ Descriptors defines the list of descriptors that will
+ be generated and sent to the rate limit service. Each
+ descriptor contains 1+ key-value pair entries.
+ items:
+ description: RateLimitDescriptor defines a list of
+ key-value pair generators.
+ properties:
+ entries:
+ description: Entries is the list of key-value
+ pair generators.
+ items:
+ description: |-
+ RateLimitDescriptorEntry is a key-value pair generator. Exactly
+ one field on this struct must be non-nil.
+ properties:
+ genericKey:
+ description: GenericKey defines a descriptor
+ entry with a static key and value.
+ properties:
+ key:
+ description: |-
+ Key defines the key of the descriptor entry. If not set, the
+ key is set to "generic_key".
+ type: string
+ value:
+ description: Value defines the value
+ of the descriptor entry.
+ minLength: 1
+ type: string
+ type: object
+ remoteAddress:
+ description: |-
+ RemoteAddress defines a descriptor entry with a key of "remote_address"
+ and a value equal to the client's IP address (from x-forwarded-for).
+ type: object
+ requestHeader:
+ description: |-
+ RequestHeader defines a descriptor entry that's populated only if
+ a given header is present on the request. The descriptor key is static,
+ and the descriptor value is equal to the value of the header.
+ properties:
+ descriptorKey:
+ description: DescriptorKey defines the
+ key to use on the descriptor entry.
+ minLength: 1
+ type: string
+ headerName:
+ description: HeaderName defines the
+ name of the header to look for on
+ the request.
+ minLength: 1
+ type: string
+ type: object
+ requestHeaderValueMatch:
+ description: |-
+ RequestHeaderValueMatch defines a descriptor entry that's populated
+ if the request's headers match a set of 1+ match criteria. The
+ descriptor key is "header_match", and the descriptor value is static.
+ properties:
+ expectMatch:
+ default: true
+ description: |-
+ ExpectMatch defines whether the request must positively match the match
+ criteria in order to generate a descriptor entry (i.e. true), or not
+ match the match criteria in order to generate a descriptor entry (i.e. false).
+ The default is true.
+ type: boolean
+ headers:
+ description: |-
+ Headers is a list of 1+ match criteria to apply against the request
+ to determine whether to populate the descriptor entry or not.
+ items:
+ description: |-
+ HeaderMatchCondition specifies how to conditionally match against HTTP
+ headers. The Name field is required, only one of Present, NotPresent,
+ Contains, NotContains, Exact, NotExact and Regex can be set.
+ For negative matching rules only (e.g. NotContains or NotExact) you can set
+ TreatMissingAsEmpty.
+ IgnoreCase has no effect for Regex.
+ properties:
+ contains:
+ description: |-
+ Contains specifies a substring that must be present in
+ the header value.
+ type: string
+ exact:
+ description: Exact specifies a
+ string that the header value
+ must be equal to.
+ type: string
+ ignoreCase:
+ description: |-
+ IgnoreCase specifies that string matching should be case insensitive.
+ Note that this has no effect on the Regex parameter.
+ type: boolean
+ name:
+ description: |-
+ Name is the name of the header to match against. Name is required.
+ Header names are case insensitive.
+ type: string
+ notcontains:
+ description: |-
+ NotContains specifies a substring that must not be present
+ in the header value.
+ type: string
+ notexact:
+ description: |-
+ NoExact specifies a string that the header value must not be
+ equal to. The condition is true if the header has any other value.
+ type: string
+ notpresent:
+ description: |-
+ NotPresent specifies that condition is true when the named header
+ is not present. Note that setting NotPresent to false does not
+ make the condition true if the named header is present.
+ type: boolean
+ present:
+ description: |-
+ Present specifies that condition is true when the named header
+ is present, regardless of its value. Note that setting Present
+ to false does not make the condition true if the named header
+ is absent.
+ type: boolean
+ regex:
+ description: |-
+ Regex specifies a regular expression pattern that must match the header
+ value.
+ type: string
+ treatMissingAsEmpty:
+ description: |-
+ TreatMissingAsEmpty specifies if the header match rule specified header
+ does not exist, this header value will be treated as empty. Defaults to false.
+ Unlike the underlying Envoy implementation this is **only** supported for
+ negative matches (e.g. NotContains, NotExact).
+ type: boolean
+ required:
+ - name
+ type: object
+ minItems: 1
+ type: array
+ value:
+ description: Value defines the value
+ of the descriptor entry.
+ minLength: 1
+ type: string
+ type: object
+ type: object
+ minItems: 1
+ type: array
+ type: object
+ minItems: 1
+ type: array
+ disabled:
+ description: |-
+ Disabled configures the HTTPProxy to not use
+ the default global rate limit policy defined by the Contour configuration.
+ type: boolean
+ type: object
+ local:
+ description: |-
+ Local defines local rate limiting parameters, i.e. parameters
+ for rate limiting that occurs within each Envoy pod as requests
+ are handled.
+ properties:
+ burst:
+ description: |-
+ Burst defines the number of requests above the requests per
+ unit that should be allowed within a short period of time.
+ format: int32
+ type: integer
+ requests:
+ description: |-
+ Requests defines how many requests per unit of time should
+ be allowed before rate limiting occurs.
+ format: int32
+ minimum: 1
+ type: integer
+ responseHeadersToAdd:
+ description: |-
+ ResponseHeadersToAdd is an optional list of response headers to
+ set when a request is rate-limited.
+ items:
+ description: HeaderValue represents a header name/value
+ pair
+ properties:
+ name:
+ description: Name represents a key of a header
+ minLength: 1
+ type: string
+ value:
+ description: Value represents the value of a header
+ specified by a key
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ responseStatusCode:
+ description: |-
+ ResponseStatusCode is the HTTP status code to use for responses
+ to rate-limited requests. Codes must be in the 400-599 range
+ (inclusive). If not specified, the Envoy default of 429 (Too
+ Many Requests) is used.
+ format: int32
+ maximum: 599
+ minimum: 400
+ type: integer
+ unit:
+ description: |-
+ Unit defines the period of time within which requests
+ over the limit will be rate limited. Valid values are
+ "second", "minute" and "hour".
+ enum:
+ - second
+ - minute
+ - hour
+ type: string
+ required:
+ - requests
+ - unit
+ type: object
+ type: object
+ requestHeadersPolicy:
+ description: |-
+ The policy for managing request headers during proxying.
+ You may dynamically rewrite the Host header to be forwarded
+ upstream to the content of a request header using
+ the below format "%REQ(X-Header-Name)%". If the value of the header
+ is empty, it is ignored.
+ *NOTE: Pay attention to the potential security implications of using this option.
+ Provided header must come from trusted source.
+ **NOTE: The header rewrite is only done while forwarding and has no bearing
+ on the routing decision.
+ properties:
+ remove:
+ description: Remove specifies a list of HTTP header names
+ to remove.
+ items:
+ type: string
+ type: array
+ set:
+ description: |-
+ Set specifies a list of HTTP header values that will be set in the HTTP header.
+ If the header does not exist it will be added, otherwise it will be overwritten with the new value.
+ items:
+ description: HeaderValue represents a header name/value
+ pair
+ properties:
+ name:
+ description: Name represents a key of a header
+ minLength: 1
+ type: string
+ value:
+ description: Value represents the value of a header
+ specified by a key
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ type: object
+ requestRedirectPolicy:
+ description: RequestRedirectPolicy defines an HTTP redirection.
+ properties:
+ hostname:
+ description: |-
+ Hostname is the precise hostname to be used in the value of the `Location`
+ header in the response.
+ When empty, the hostname of the request is used.
+ No wildcards are allowed.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path allows for redirection to a different path from the
+ original on the request. The path must start with a
+ leading slash.
+ Note: Only one of Path or Prefix can be defined.
+ pattern: ^\/.*$
+ type: string
+ port:
+ description: |-
+ Port is the port to be used in the value of the `Location`
+ header in the response.
+ When empty, port (if specified) of the request is used.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ prefix:
+ description: |-
+ Prefix defines the value to swap the matched prefix or path with.
+ The prefix must start with a leading slash.
+ Note: Only one of Path or Prefix can be defined.
+ pattern: ^\/.*$
+ type: string
+ scheme:
+ description: |-
+ Scheme is the scheme to be used in the value of the `Location`
+ header in the response.
+ When empty, the scheme of the request is used.
+ enum:
+ - http
+ - https
+ type: string
+ statusCode:
+ default: 302
+ description: StatusCode is the HTTP status code to be used
+ in response.
+ enum:
+ - 301
+ - 302
+ type: integer
+ type: object
+ responseHeadersPolicy:
+ description: |-
+ The policy for managing response headers during proxying.
+ Rewriting the 'Host' header is not supported.
+ properties:
+ remove:
+ description: Remove specifies a list of HTTP header names
+ to remove.
+ items:
+ type: string
+ type: array
+ set:
+ description: |-
+ Set specifies a list of HTTP header values that will be set in the HTTP header.
+ If the header does not exist it will be added, otherwise it will be overwritten with the new value.
+ items:
+ description: HeaderValue represents a header name/value
+ pair
+ properties:
+ name:
+ description: Name represents a key of a header
+ minLength: 1
+ type: string
+ value:
+ description: Value represents the value of a header
+ specified by a key
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ type: object
+ retryPolicy:
+ description: The retry policy for this route.
+ properties:
+ count:
+ default: 1
+ description: |-
+ NumRetries is maximum allowed number of retries.
+ If set to -1, then retries are disabled.
+ If set to 0 or not supplied, the value is set
+ to the Envoy default of 1.
+ format: int64
+ minimum: -1
+ type: integer
+ perTryTimeout:
+ description: |-
+ PerTryTimeout specifies the timeout per retry attempt.
+ Ignored if NumRetries is not supplied.
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
+ type: string
+ retriableStatusCodes:
+ description: |-
+ RetriableStatusCodes specifies the HTTP status codes that should be retried.
+ This field is only respected when you include `retriable-status-codes` in the `RetryOn` field.
+ items:
+ format: int32
+ type: integer
+ type: array
+ retryOn:
+ description: |-
+ RetryOn specifies the conditions on which to retry a request.
+ Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on):
+ - `5xx`
+ - `gateway-error`
+ - `reset`
+ - `connect-failure`
+ - `retriable-4xx`
+ - `refused-stream`
+ - `retriable-status-codes`
+ - `retriable-headers`
+ Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on):
+ - `cancelled`
+ - `deadline-exceeded`
+ - `internal`
+ - `resource-exhausted`
+ - `unavailable`
+ items:
+ description: RetryOn is a string type alias with validation
+ to ensure that the value is valid.
+ enum:
+ - 5xx
+ - gateway-error
+ - reset
+ - connect-failure
+ - retriable-4xx
+ - refused-stream
+ - retriable-status-codes
+ - retriable-headers
+ - cancelled
+ - deadline-exceeded
+ - internal
+ - resource-exhausted
+ - unavailable
+ type: string
+ type: array
+ type: object
+ services:
+ description: Services are the services to proxy traffic.
+ items:
+ description: Service defines an Kubernetes Service to proxy
+ traffic.
+ properties:
+ cookieRewritePolicies:
+ description: The policies for rewriting Set-Cookie header
+ attributes.
+ items:
+ properties:
+ domainRewrite:
+ description: |-
+ DomainRewrite enables rewriting the Set-Cookie Domain element.
+ If not set, Domain will not be rewritten.
+ properties:
+ value:
+ description: |-
+ Value is the value to rewrite the Domain attribute to.
+ For now this is required.
+ maxLength: 4096
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - value
+ type: object
+ name:
+ description: Name is the name of the cookie for
+ which attributes will be rewritten.
+ maxLength: 4096
+ minLength: 1
+ pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
+ type: string
+ pathRewrite:
+ description: |-
+ PathRewrite enables rewriting the Set-Cookie Path element.
+ If not set, Path will not be rewritten.
+ properties:
+ value:
+ description: |-
+ Value is the value to rewrite the Path attribute to.
+ For now this is required.
+ maxLength: 4096
+ minLength: 1
+ pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
+ type: string
+ required:
+ - value
+ type: object
+ sameSite:
+ description: |-
+ SameSite enables rewriting the Set-Cookie SameSite element.
+ If not set, SameSite attribute will not be rewritten.
+ enum:
+ - Strict
+ - Lax
+ - None
+ type: string
+ secure:
+ description: |-
+ Secure enables rewriting the Set-Cookie Secure element.
+ If not set, Secure attribute will not be rewritten.
+ type: boolean
+ required:
+ - name
+ type: object
+ type: array
+ healthPort:
+ description: |-
+ HealthPort is the port for this service healthcheck.
+ If not specified, Port is used for service healthchecks.
+ maximum: 65535
+ minimum: 1
+ type: integer
+ mirror:
+ description: |-
+ If Mirror is true the Service will receive a read only mirror of the traffic for this route.
+ If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight
+ field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring.
+ NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This
+ occurs since we cannot distinguish omitted fields from those explicitly set to their default
+ values
+ type: boolean
+ name:
+ description: |-
+ Name is the name of Kubernetes service to proxy traffic.
+ Names defined here will be used to look up corresponding endpoints which contain the ips to route.
+ type: string
+ port:
+ description: Port (defined as Integer) to proxy traffic
+ to since a service can have multiple defined.
+ exclusiveMaximum: true
+ maximum: 65536
+ minimum: 1
+ type: integer
+ protocol:
+ description: |-
+ Protocol may be used to specify (or override) the protocol used to reach this Service.
+ Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations.
+ enum:
+ - h2
+ - h2c
+ - tls
+ type: string
+ requestHeadersPolicy:
+ description: The policy for managing request headers during
+ proxying.
+ properties:
+ remove:
+ description: Remove specifies a list of HTTP header
+ names to remove.
+ items:
+ type: string
+ type: array
+ set:
+ description: |-
+ Set specifies a list of HTTP header values that will be set in the HTTP header.
+ If the header does not exist it will be added, otherwise it will be overwritten with the new value.
+ items:
+ description: HeaderValue represents a header name/value
+ pair
+ properties:
+ name:
+ description: Name represents a key of a header
+ minLength: 1
+ type: string
+ value:
+ description: Value represents the value of a
+ header specified by a key
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ type: object
+ responseHeadersPolicy:
+ description: |-
+ The policy for managing response headers during proxying.
+ Rewriting the 'Host' header is not supported.
+ properties:
+ remove:
+ description: Remove specifies a list of HTTP header
+ names to remove.
+ items:
+ type: string
+ type: array
+ set:
+ description: |-
+ Set specifies a list of HTTP header values that will be set in the HTTP header.
+ If the header does not exist it will be added, otherwise it will be overwritten with the new value.
+ items:
+ description: HeaderValue represents a header name/value
+ pair
+ properties:
+ name:
+ description: Name represents a key of a header
+ minLength: 1
+ type: string
+ value:
+ description: Value represents the value of a
+ header specified by a key
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ type: object
+ slowStartPolicy:
+ description: Slow start will gradually increase amount
+ of traffic to a newly added endpoint.
+ properties:
+ aggression:
+ default: "1.0"
+ description: |-
+ The speed of traffic increase over the slow start window.
+ Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic.
+ When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly.
+ The value of aggression parameter should be greater than 0.0.
+ More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start
+ pattern: ^([0-9]+([.][0-9]+)?|[.][0-9]+)$
+ type: string
+ minWeightPercent:
+ default: 10
+ description: |-
+ The minimum or starting percentage of traffic to send to new endpoints.
+ A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window.
+ If not specified, the default is 10%.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ window:
+ description: |-
+ The duration of slow start window.
+ Duration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
+ Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$
+ type: string
+ required:
+ - window
+ type: object
+ validation:
+ description: UpstreamValidation defines how to verify
+ the backend service's certificate
+ properties:
+ caSecret:
+ description: |-
+ Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend.
+ The secret must contain key named ca.crt.
+ The name can be optionally prefixed with namespace "namespace/name".
+ When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
+ Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317)
+ maxLength: 317
+ minLength: 1
+ type: string
+ subjectName:
+ description: |-
+ Key which is expected to be present in the 'subjectAltName' of the presented certificate.
+ Deprecated: migrate to using the plural field subjectNames.
+ maxLength: 250
+ minLength: 1
+ type: string
+ subjectNames:
+ description: |-
+ List of keys, of which at least one is expected to be present in the 'subjectAltName of the
+ presented certificate.
+ items:
+ type: string
+ maxItems: 8
+ minItems: 1
+ type: array
+ required:
+ - caSecret
+ - subjectName
+ type: object
+ x-kubernetes-validations:
+ - message: subjectNames[0] must equal subjectName if set
+ rule: 'has(self.subjectNames) ? self.subjectNames[0]
+ == self.subjectName : true'
+ weight:
+ description: Weight defines percentage of traffic to balance
+ traffic
+ format: int64
+ minimum: 0
+ type: integer
+ required:
+ - name
+ - port
+ type: object
+ type: array
+ timeoutPolicy:
+ description: The timeout policy for this route.
+ properties:
+ idle:
+ description: |-
+ Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2).
+ Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests.
+ If not specified, there is no per-route idle timeout, though a connection manager-wide
+ stream_idle_timeout default of 5m still applies.
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
+ type: string
+ idleConnection:
+ description: |-
+ Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests.
+ If not supplied, Envoy's default value of 1h applies.
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
+ type: string
+ response:
+ description: |-
+ Timeout for receiving a response from the server after processing a request from client.
+ If not supplied, Envoy's default value of 15s applies.
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
+ type: string
+ type: object
+ type: object
+ type: array
+ tcpproxy:
+ description: TCPProxy holds TCP proxy information.
+ properties:
+ healthCheckPolicy:
+ description: The health check policy for this tcp proxy
+ properties:
+ healthyThresholdCount:
+ description: The number of healthy health checks required
+ before a host is marked healthy
+ format: int32
+ type: integer
+ intervalSeconds:
+ description: The interval (seconds) between health checks
+ format: int64
+ type: integer
+ timeoutSeconds:
+ description: The time to wait (seconds) for a health check
+ response
+ format: int64
+ type: integer
+ unhealthyThresholdCount:
+ description: The number of unhealthy health checks required
+ before a host is marked unhealthy
+ format: int32
+ type: integer
+ type: object
+ include:
+ description: Include specifies that this tcpproxy should be delegated
+ to another HTTPProxy.
+ properties:
+ name:
+ description: Name of the child HTTPProxy
+ type: string
+ namespace:
+ description: Namespace of the HTTPProxy to include. Defaults
+ to the current namespace if not supplied.
+ type: string
+ required:
+ - name
+ type: object
+ includes:
+ description: |-
+ IncludesDeprecated allow for specific routing configuration to be appended to another HTTPProxy in another namespace.
+ Exists due to a mistake when developing HTTPProxy and the field was marked plural
+ when it should have been singular. This field should stay to not break backwards compatibility to v1 users.
+ properties:
+ name:
+ description: Name of the child HTTPProxy
+ type: string
+ namespace:
+ description: Namespace of the HTTPProxy to include. Defaults
+ to the current namespace if not supplied.
+ type: string
+ required:
+ - name
+ type: object
+ loadBalancerPolicy:
+ description: |-
+ The load balancing policy for the backend services. Note that the
+ `Cookie` and `RequestHash` load balancing strategies cannot be used
+ here.
+ properties:
+ requestHashPolicies:
+ description: |-
+ RequestHashPolicies contains a list of hash policies to apply when the
+ `RequestHash` load balancing strategy is chosen. If an element of the
+ supplied list of hash policies is invalid, it will be ignored. If the
+ list of hash policies is empty after validation, the load balancing
+ strategy will fall back to the default `RoundRobin`.
+ items:
+ description: |-
+ RequestHashPolicy contains configuration for an individual hash policy
+ on a request attribute.
+ properties:
+ hashSourceIP:
+ description: |-
+ HashSourceIP should be set to true when request source IP hash based
+ load balancing is desired. It must be the only hash option field set,
+ otherwise this request hash policy object will be ignored.
+ type: boolean
+ headerHashOptions:
+ description: |-
+ HeaderHashOptions should be set when request header hash based load
+ balancing is desired. It must be the only hash option field set,
+ otherwise this request hash policy object will be ignored.
+ properties:
+ headerName:
+ description: |-
+ HeaderName is the name of the HTTP request header that will be used to
+ calculate the hash key. If the header specified is not present on a
+ request, no hash will be produced.
+ minLength: 1
+ type: string
+ type: object
+ queryParameterHashOptions:
+ description: |-
+ QueryParameterHashOptions should be set when request query parameter hash based load
+ balancing is desired. It must be the only hash option field set,
+ otherwise this request hash policy object will be ignored.
+ properties:
+ parameterName:
+ description: |-
+ ParameterName is the name of the HTTP request query parameter that will be used to
+ calculate the hash key. If the query parameter specified is not present on a
+ request, no hash will be produced.
+ minLength: 1
+ type: string
+ type: object
+ terminal:
+ description: |-
+ Terminal is a flag that allows for short-circuiting computing of a hash
+ for a given request. If set to true, and the request attribute specified
+ in the attribute hash options is present, no further hash policies will
+ be used to calculate a hash for the request.
+ type: boolean
+ type: object
+ type: array
+ strategy:
+ description: |-
+ Strategy specifies the policy used to balance requests
+ across the pool of backend pods. Valid policy names are
+ `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`,
+ and `RequestHash`. If an unknown strategy name is specified
+ or no policy is supplied, the default `RoundRobin` policy
+ is used.
+ type: string
+ type: object
+ services:
+ description: Services are the services to proxy traffic
+ items:
+ description: Service defines an Kubernetes Service to proxy
+ traffic.
+ properties:
+ cookieRewritePolicies:
+ description: The policies for rewriting Set-Cookie header
+ attributes.
+ items:
+ properties:
+ domainRewrite:
+ description: |-
+ DomainRewrite enables rewriting the Set-Cookie Domain element.
+ If not set, Domain will not be rewritten.
+ properties:
+ value:
+ description: |-
+ Value is the value to rewrite the Domain attribute to.
+ For now this is required.
+ maxLength: 4096
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - value
+ type: object
+ name:
+ description: Name is the name of the cookie for which
+ attributes will be rewritten.
+ maxLength: 4096
+ minLength: 1
+ pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
+ type: string
+ pathRewrite:
+ description: |-
+ PathRewrite enables rewriting the Set-Cookie Path element.
+ If not set, Path will not be rewritten.
+ properties:
+ value:
+ description: |-
+ Value is the value to rewrite the Path attribute to.
+ For now this is required.
+ maxLength: 4096
+ minLength: 1
+ pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$
+ type: string
+ required:
+ - value
+ type: object
+ sameSite:
+ description: |-
+ SameSite enables rewriting the Set-Cookie SameSite element.
+ If not set, SameSite attribute will not be rewritten.
+ enum:
+ - Strict
+ - Lax
+ - None
+ type: string
+ secure:
+ description: |-
+ Secure enables rewriting the Set-Cookie Secure element.
+ If not set, Secure attribute will not be rewritten.
+ type: boolean
+ required:
+ - name
+ type: object
+ type: array
+ healthPort:
+ description: |-
+ HealthPort is the port for this service healthcheck.
+ If not specified, Port is used for service healthchecks.
+ maximum: 65535
+ minimum: 1
+ type: integer
+ mirror:
+ description: |-
+ If Mirror is true the Service will receive a read only mirror of the traffic for this route.
+ If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight
+ field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring.
+ NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This
+ occurs since we cannot distinguish omitted fields from those explicitly set to their default
+ values
+ type: boolean
+ name:
+ description: |-
+ Name is the name of Kubernetes service to proxy traffic.
+ Names defined here will be used to look up corresponding endpoints which contain the ips to route.
+ type: string
+ port:
+ description: Port (defined as Integer) to proxy traffic
+ to since a service can have multiple defined.
+ exclusiveMaximum: true
+ maximum: 65536
+ minimum: 1
+ type: integer
+ protocol:
+ description: |-
+ Protocol may be used to specify (or override) the protocol used to reach this Service.
+ Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations.
+ enum:
+ - h2
+ - h2c
+ - tls
+ type: string
+ requestHeadersPolicy:
+ description: The policy for managing request headers during
+ proxying.
+ properties:
+ remove:
+ description: Remove specifies a list of HTTP header
+ names to remove.
+ items:
+ type: string
+ type: array
+ set:
+ description: |-
+ Set specifies a list of HTTP header values that will be set in the HTTP header.
+ If the header does not exist it will be added, otherwise it will be overwritten with the new value.
+ items:
+ description: HeaderValue represents a header name/value
+ pair
+ properties:
+ name:
+ description: Name represents a key of a header
+ minLength: 1
+ type: string
+ value:
+ description: Value represents the value of a header
+ specified by a key
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ type: object
+ responseHeadersPolicy:
+ description: |-
+ The policy for managing response headers during proxying.
+ Rewriting the 'Host' header is not supported.
+ properties:
+ remove:
+ description: Remove specifies a list of HTTP header
+ names to remove.
+ items:
+ type: string
+ type: array
+ set:
+ description: |-
+ Set specifies a list of HTTP header values that will be set in the HTTP header.
+ If the header does not exist it will be added, otherwise it will be overwritten with the new value.
+ items:
+ description: HeaderValue represents a header name/value
+ pair
+ properties:
+ name:
+ description: Name represents a key of a header
+ minLength: 1
+ type: string
+ value:
+ description: Value represents the value of a header
+ specified by a key
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ type: object
+ slowStartPolicy:
+ description: Slow start will gradually increase amount of
+ traffic to a newly added endpoint.
+ properties:
+ aggression:
+ default: "1.0"
+ description: |-
+ The speed of traffic increase over the slow start window.
+ Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic.
+ When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly.
+ The value of aggression parameter should be greater than 0.0.
+ More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start
+ pattern: ^([0-9]+([.][0-9]+)?|[.][0-9]+)$
+ type: string
+ minWeightPercent:
+ default: 10
+ description: |-
+ The minimum or starting percentage of traffic to send to new endpoints.
+ A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window.
+ If not specified, the default is 10%.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ window:
+ description: |-
+ The duration of slow start window.
+ Duration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
+ Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$
+ type: string
+ required:
+ - window
+ type: object
+ validation:
+ description: UpstreamValidation defines how to verify the
+ backend service's certificate
+ properties:
+ caSecret:
+ description: |-
+ Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend.
+ The secret must contain key named ca.crt.
+ The name can be optionally prefixed with namespace "namespace/name".
+ When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
+ Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317)
+ maxLength: 317
+ minLength: 1
+ type: string
+ subjectName:
+ description: |-
+ Key which is expected to be present in the 'subjectAltName' of the presented certificate.
+ Deprecated: migrate to using the plural field subjectNames.
+ maxLength: 250
+ minLength: 1
+ type: string
+ subjectNames:
+ description: |-
+ List of keys, of which at least one is expected to be present in the 'subjectAltName of the
+ presented certificate.
+ items:
+ type: string
+ maxItems: 8
+ minItems: 1
+ type: array
+ required:
+ - caSecret
+ - subjectName
+ type: object
+ x-kubernetes-validations:
+ - message: subjectNames[0] must equal subjectName if set
+ rule: 'has(self.subjectNames) ? self.subjectNames[0] ==
+ self.subjectName : true'
+ weight:
+ description: Weight defines percentage of traffic to balance
+ traffic
+ format: int64
+ minimum: 0
+ type: integer
+ required:
+ - name
+ - port
+ type: object
+ type: array
+ type: object
+ virtualhost:
+ description: |-
+ Virtualhost appears at most once. If it is present, the object is considered
+ to be a "root" HTTPProxy.
+ properties:
+ authorization:
+ description: |-
+ This field configures an extension service to perform
+ authorization for this virtual host. Authorization can
+ only be configured on virtual hosts that have TLS enabled.
+ If the TLS configuration requires client certificate
+ validation, the client certificate is always included in the
+ authentication check request.
+ properties:
+ authPolicy:
+ description: |-
+ AuthPolicy sets a default authorization policy for client requests.
+ This policy will be used unless overridden by individual routes.
+ properties:
+ context:
+ additionalProperties:
+ type: string
+ description: |-
+ Context is a set of key/value pairs that are sent to the
+ authentication server in the check request. If a context
+ is provided at an enclosing scope, the entries are merged
+ such that the inner scope overrides matching keys from the
+ outer scope.
+ type: object
+ disabled:
+ description: |-
+ When true, this field disables client request authentication
+ for the scope of the policy.
+ type: boolean
+ type: object
+ extensionRef:
+ description: ExtensionServiceRef specifies the extension resource
+ that will authorize client requests.
+ properties:
+ apiVersion:
+ description: |-
+ API version of the referent.
+ If this field is not specified, the default "projectcontour.io/v1alpha1" will be used
+ minLength: 1
+ type: string
+ name:
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace of the referent.
+ If this field is not specifies, the namespace of the resource that targets the referent will be used.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+ minLength: 1
+ type: string
+ type: object
+ failOpen:
+ description: |-
+ If FailOpen is true, the client request is forwarded to the upstream service
+ even if the authorization server fails to respond. This field should not be
+ set in most cases. It is intended for use only while migrating applications
+ from internal authorization to Contour external authorization.
+ type: boolean
+ responseTimeout:
+ description: |-
+ ResponseTimeout configures maximum time to wait for a check response from the authorization server.
+ Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
+ Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ The string "infinity" is also a valid input and specifies no timeout.
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$
+ type: string
+ withRequestBody:
+ description: WithRequestBody specifies configuration for sending
+ the client request's body to authorization server.
+ properties:
+ allowPartialMessage:
+ description: If AllowPartialMessage is true, then Envoy
+ will buffer the body until MaxRequestBytes are reached.
+ type: boolean
+ maxRequestBytes:
+ default: 1024
+ description: MaxRequestBytes sets the maximum size of
+ message body ExtAuthz filter will hold in-memory.
+ format: int32
+ minimum: 1
+ type: integer
+ packAsBytes:
+ description: If PackAsBytes is true, the body sent to
+ Authorization Server is in raw bytes.
+ type: boolean
+ type: object
+ type: object
+ corsPolicy:
+ description: Specifies the cross-origin policy to apply to the
+ VirtualHost.
+ properties:
+ allowCredentials:
+ description: Specifies whether the resource allows credentials.
+ type: boolean
+ allowHeaders:
+ description: AllowHeaders specifies the content for the *access-control-allow-headers*
+ header.
+ items:
+ description: CORSHeaderValue specifies the value of the
+ string headers returned by a cross-domain request.
+ pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$
+ type: string
+ minItems: 1
+ type: array
+ allowMethods:
+ description: AllowMethods specifies the content for the *access-control-allow-methods*
+ header.
+ items:
+ description: CORSHeaderValue specifies the value of the
+ string headers returned by a cross-domain request.
+ pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$
+ type: string
+ minItems: 1
+ type: array
+ allowOrigin:
+ description: |-
+ AllowOrigin specifies the origins that will be allowed to do CORS requests.
+ Allowed values include "*" which signifies any origin is allowed, an exact
+ origin of the form "scheme://host[:port]" (where port is optional), or a valid
+ regex pattern.
+ Note that regex patterns are validated and a simple "glob" pattern (e.g. *.foo.com)
+ will be rejected or produce unexpected matches when applied as a regex.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ allowPrivateNetwork:
+ description: |-
+ AllowPrivateNetwork specifies whether to allow private network requests.
+ See https://developer.chrome.com/blog/private-network-access-preflight.
+ type: boolean
+ exposeHeaders:
+ description: ExposeHeaders Specifies the content for the *access-control-expose-headers*
+ header.
+ items:
+ description: CORSHeaderValue specifies the value of the
+ string headers returned by a cross-domain request.
+ pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$
+ type: string
+ minItems: 1
+ type: array
+ maxAge:
+ description: |-
+ MaxAge indicates for how long the results of a preflight request can be cached.
+ MaxAge durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
+ Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ Only positive values are allowed while 0 disables the cache requiring a preflight OPTIONS
+ check for all cross-origin requests.
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|0)$
+ type: string
+ required:
+ - allowMethods
+ - allowOrigin
+ type: object
+ fqdn:
+ description: |-
+ The fully qualified domain name of the root of the ingress tree
+ all leaves of the DAG rooted at this object relate to the fqdn.
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ ipAllowPolicy:
+ description: |-
+ IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching
+ requests should be allowed. All other requests will be denied.
+ Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined.
+ The rules defined here may be overridden in a Route.
+ items:
+ properties:
+ cidr:
+ description: |-
+ CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be
+ a bare IP address (without a mask) to filter on exactly one address.
+ type: string
+ source:
+ description: |-
+ Source indicates how to determine the ip address to filter on, and can be
+ one of two values:
+ - `Remote` filters on the ip address of the client, accounting for PROXY and
+ X-Forwarded-For as needed.
+ - `Peer` filters on the ip of the network request, ignoring PROXY and
+ X-Forwarded-For.
+ enum:
+ - Peer
+ - Remote
+ type: string
+ required:
+ - cidr
+ - source
+ type: object
+ type: array
+ ipDenyPolicy:
+ description: |-
+ IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching
+ requests should be denied. All other requests will be allowed.
+ Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined.
+ The rules defined here may be overridden in a Route.
+ items:
+ properties:
+ cidr:
+ description: |-
+ CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be
+ a bare IP address (without a mask) to filter on exactly one address.
+ type: string
+ source:
+ description: |-
+ Source indicates how to determine the ip address to filter on, and can be
+ one of two values:
+ - `Remote` filters on the ip address of the client, accounting for PROXY and
+ X-Forwarded-For as needed.
+ - `Peer` filters on the ip of the network request, ignoring PROXY and
+ X-Forwarded-For.
+ enum:
+ - Peer
+ - Remote
+ type: string
+ required:
+ - cidr
+ - source
+ type: object
+ type: array
+ jwtProviders:
+ description: Providers to use for verifying JSON Web Tokens (JWTs)
+ on the virtual host.
+ items:
+ description: JWTProvider defines how to verify JWTs on requests.
+ properties:
+ audiences:
+ description: |-
+ Audiences that JWTs are allowed to have in the "aud" field.
+ If not provided, JWT audiences are not checked.
+ items:
+ type: string
+ type: array
+ default:
+ description: |-
+ Whether the provider should apply to all
+ routes in the HTTPProxy/its includes by
+ default. At most one provider can be marked
+ as the default. If no provider is marked
+ as the default, individual routes must explicitly
+ identify the provider they require.
+ type: boolean
+ forwardJWT:
+ description: |-
+ Whether the JWT should be forwarded to the backend
+ service after successful verification. By default,
+ the JWT is not forwarded.
+ type: boolean
+ issuer:
+ description: |-
+ Issuer that JWTs are required to have in the "iss" field.
+ If not provided, JWT issuers are not checked.
+ type: string
+ name:
+ description: Unique name for the provider.
+ minLength: 1
+ type: string
+ remoteJWKS:
+ description: Remote JWKS to use for verifying JWT signatures.
+ properties:
+ cacheDuration:
+ description: |-
+ How long to cache the JWKS locally. If not specified,
+ Envoy's default of 5m applies.
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$
+ type: string
+ dnsLookupFamily:
+ description: |-
+ The DNS IP address resolution policy for the JWKS URI.
+ When configured as "v4", the DNS resolver will only perform a lookup
+ for addresses in the IPv4 family. If "v6" is configured, the DNS resolver
+ will only perform a lookup for addresses in the IPv6 family.
+ If "all" is configured, the DNS resolver
+ will perform a lookup for addresses in both the IPv4 and IPv6 family.
+ If "auto" is configured, the DNS resolver will first perform a lookup
+ for addresses in the IPv6 family and fallback to a lookup for addresses
+ in the IPv4 family. If not specified, the Contour-wide setting defined
+ in the config file or ContourConfiguration applies (defaults to "auto").
+ See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily
+ for more information.
+ enum:
+ - auto
+ - v4
+ - v6
+ type: string
+ timeout:
+ description: |-
+ How long to wait for a response from the URI.
+ If not specified, a default of 1s applies.
+ pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$
+ type: string
+ uri:
+ description: The URI for the JWKS.
+ minLength: 1
+ type: string
+ validation:
+ description: UpstreamValidation defines how to verify
+ the JWKS's TLS certificate.
+ properties:
+ caSecret:
+ description: |-
+ Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend.
+ The secret must contain key named ca.crt.
+ The name can be optionally prefixed with namespace "namespace/name".
+ When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
+ Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317)
+ maxLength: 317
+ minLength: 1
+ type: string
+ subjectName:
+ description: |-
+ Key which is expected to be present in the 'subjectAltName' of the presented certificate.
+ Deprecated: migrate to using the plural field subjectNames.
+ maxLength: 250
+ minLength: 1
+ type: string
+ subjectNames:
+ description: |-
+ List of keys, of which at least one is expected to be present in the 'subjectAltName of the
+ presented certificate.
+ items:
+ type: string
+ maxItems: 8
+ minItems: 1
+ type: array
+ required:
+ - caSecret
+ - subjectName
+ type: object
+ x-kubernetes-validations:
+ - message: subjectNames[0] must equal subjectName if
+ set
+ rule: 'has(self.subjectNames) ? self.subjectNames[0]
+ == self.subjectName : true'
+ required:
+ - uri
+ type: object
+ required:
+ - name
+ - remoteJWKS
+ type: object
+ type: array
+ rateLimitPolicy:
+ description: The policy for rate limiting on the virtual host.
+ properties:
+ global:
+ description: |-
+ Global defines global rate limiting parameters, i.e. parameters
+ defining descriptors that are sent to an external rate limit
+ service (RLS) for a rate limit decision on each request.
+ properties:
+ descriptors:
+ description: |-
+ Descriptors defines the list of descriptors that will
+ be generated and sent to the rate limit service. Each
+ descriptor contains 1+ key-value pair entries.
+ items:
+ description: RateLimitDescriptor defines a list of key-value
+ pair generators.
+ properties:
+ entries:
+ description: Entries is the list of key-value pair
+ generators.
+ items:
+ description: |-
+ RateLimitDescriptorEntry is a key-value pair generator. Exactly
+ one field on this struct must be non-nil.
+ properties:
+ genericKey:
+ description: GenericKey defines a descriptor
+ entry with a static key and value.
+ properties:
+ key:
+ description: |-
+ Key defines the key of the descriptor entry. If not set, the
+ key is set to "generic_key".
+ type: string
+ value:
+ description: Value defines the value of
+ the descriptor entry.
+ minLength: 1
+ type: string
+ type: object
+ remoteAddress:
+ description: |-
+ RemoteAddress defines a descriptor entry with a key of "remote_address"
+ and a value equal to the client's IP address (from x-forwarded-for).
+ type: object
+ requestHeader:
+ description: |-
+ RequestHeader defines a descriptor entry that's populated only if
+ a given header is present on the request. The descriptor key is static,
+ and the descriptor value is equal to the value of the header.
+ properties:
+ descriptorKey:
+ description: DescriptorKey defines the
+ key to use on the descriptor entry.
+ minLength: 1
+ type: string
+ headerName:
+ description: HeaderName defines the name
+ of the header to look for on the request.
+ minLength: 1
+ type: string
+ type: object
+ requestHeaderValueMatch:
+ description: |-
+ RequestHeaderValueMatch defines a descriptor entry that's populated
+ if the request's headers match a set of 1+ match criteria. The
+ descriptor key is "header_match", and the descriptor value is static.
+ properties:
+ expectMatch:
+ default: true
+ description: |-
+ ExpectMatch defines whether the request must positively match the match
+ criteria in order to generate a descriptor entry (i.e. true), or not
+ match the match criteria in order to generate a descriptor entry (i.e. false).
+ The default is true.
+ type: boolean
+ headers:
+ description: |-
+ Headers is a list of 1+ match criteria to apply against the request
+ to determine whether to populate the descriptor entry or not.
+ items:
+ description: |-
+ HeaderMatchCondition specifies how to conditionally match against HTTP
+ headers. The Name field is required, only one of Present, NotPresent,
+ Contains, NotContains, Exact, NotExact and Regex can be set.
+ For negative matching rules only (e.g. NotContains or NotExact) you can set
+ TreatMissingAsEmpty.
+ IgnoreCase has no effect for Regex.
+ properties:
+ contains:
+ description: |-
+ Contains specifies a substring that must be present in
+ the header value.
+ type: string
+ exact:
+ description: Exact specifies a string
+ that the header value must be
+ equal to.
+ type: string
+ ignoreCase:
+ description: |-
+ IgnoreCase specifies that string matching should be case insensitive.
+ Note that this has no effect on the Regex parameter.
+ type: boolean
+ name:
+ description: |-
+ Name is the name of the header to match against. Name is required.
+ Header names are case insensitive.
+ type: string
+ notcontains:
+ description: |-
+ NotContains specifies a substring that must not be present
+ in the header value.
+ type: string
+ notexact:
+ description: |-
+ NoExact specifies a string that the header value must not be
+ equal to. The condition is true if the header has any other value.
+ type: string
+ notpresent:
+ description: |-
+ NotPresent specifies that condition is true when the named header
+ is not present. Note that setting NotPresent to false does not
+ make the condition true if the named header is present.
+ type: boolean
+ present:
+ description: |-
+ Present specifies that condition is true when the named header
+ is present, regardless of its value. Note that setting Present
+ to false does not make the condition true if the named header
+ is absent.
+ type: boolean
+ regex:
+ description: |-
+ Regex specifies a regular expression pattern that must match the header
+ value.
+ type: string
+ treatMissingAsEmpty:
+ description: |-
+ TreatMissingAsEmpty specifies if the header match rule specified header
+ does not exist, this header value will be treated as empty. Defaults to false.
+ Unlike the underlying Envoy implementation this is **only** supported for
+ negative matches (e.g. NotContains, NotExact).
+ type: boolean
+ required:
+ - name
+ type: object
+ minItems: 1
+ type: array
+ value:
+ description: Value defines the value of
+ the descriptor entry.
+ minLength: 1
+ type: string
+ type: object
+ type: object
+ minItems: 1
+ type: array
+ type: object
+ minItems: 1
+ type: array
+ disabled:
+ description: |-
+ Disabled configures the HTTPProxy to not use
+ the default global rate limit policy defined by the Contour configuration.
+ type: boolean
+ type: object
+ local:
+ description: |-
+ Local defines local rate limiting parameters, i.e. parameters
+ for rate limiting that occurs within each Envoy pod as requests
+ are handled.
+ properties:
+ burst:
+ description: |-
+ Burst defines the number of requests above the requests per
+ unit that should be allowed within a short period of time.
+ format: int32
+ type: integer
+ requests:
+ description: |-
+ Requests defines how many requests per unit of time should
+ be allowed before rate limiting occurs.
+ format: int32
+ minimum: 1
+ type: integer
+ responseHeadersToAdd:
+ description: |-
+ ResponseHeadersToAdd is an optional list of response headers to
+ set when a request is rate-limited.
+ items:
+ description: HeaderValue represents a header name/value
+ pair
+ properties:
+ name:
+ description: Name represents a key of a header
+ minLength: 1
+ type: string
+ value:
+ description: Value represents the value of a header
+ specified by a key
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ responseStatusCode:
+ description: |-
+ ResponseStatusCode is the HTTP status code to use for responses
+ to rate-limited requests. Codes must be in the 400-599 range
+ (inclusive). If not specified, the Envoy default of 429 (Too
+ Many Requests) is used.
+ format: int32
+ maximum: 599
+ minimum: 400
+ type: integer
+ unit:
+ description: |-
+ Unit defines the period of time within which requests
+ over the limit will be rate limited. Valid values are
+ "second", "minute" and "hour".
+ enum:
+ - second
+ - minute
+ - hour
+ type: string
+ required:
+ - requests
+ - unit
+ type: object
+ type: object
+ tls:
+ description: |-
+ If present the fields describes TLS properties of the virtual
+ host. The SNI names that will be matched on are described in fqdn,
+ the tls.secretName secret must contain a certificate that itself
+ contains a name that matches the FQDN.
+ properties:
+ clientValidation:
+ description: |-
+ ClientValidation defines how to verify the client certificate
+ when an external client establishes a TLS connection to Envoy.
+ This setting:
+ 1. Enables TLS client certificate validation.
+ 2. Specifies how the client certificate will be validated (i.e.
+ validation required or skipped).
+ Note: Setting client certificate validation to be skipped should
+ be only used in conjunction with an external authorization server that
+ performs client validation as Contour will ensure client certificates
+ are passed along.
+ properties:
+ caSecret:
+ description: |-
+ Name of a Kubernetes secret that contains a CA certificate bundle.
+ The secret must contain key named ca.crt.
+ The client certificate must validate against the certificates in the bundle.
+ If specified and SkipClientCertValidation is true, client certificates will
+ be required on requests.
+ The name can be optionally prefixed with namespace "namespace/name".
+ When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
+ minLength: 1
+ type: string
+ crlOnlyVerifyLeafCert:
+ description: |-
+ If this option is set to true, only the certificate at the end of the
+ certificate chain will be subject to validation by CRL.
+ type: boolean
+ crlSecret:
+ description: |-
+ Name of a Kubernetes opaque secret that contains a concatenated list of PEM encoded CRLs.
+ The secret must contain key named crl.pem.
+ This field will be used to verify that a client certificate has not been revoked.
+ CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert is true.
+ Large CRL lists are not supported since individual secrets are limited to 1MiB in size.
+ The name can be optionally prefixed with namespace "namespace/name".
+ When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
+ minLength: 1
+ type: string
+ forwardClientCertificate:
+ description: |-
+ ForwardClientCertificate adds the selected data from the passed client TLS certificate
+ to the x-forwarded-client-cert header.
+ properties:
+ cert:
+ description: Client cert in URL encoded PEM format.
+ type: boolean
+ chain:
+ description: Client cert chain (including the leaf
+ cert) in URL encoded PEM format.
+ type: boolean
+ dns:
+ description: DNS type Subject Alternative Names of
+ the client cert.
+ type: boolean
+ subject:
+ description: Subject of the client cert.
+ type: boolean
+ uri:
+ description: URI type Subject Alternative Name of
+ the client cert.
+ type: boolean
+ type: object
+ optionalClientCertificate:
+ description: |-
+ OptionalClientCertificate when set to true will request a client certificate
+ but allow the connection to continue if the client does not provide one.
+ If a client certificate is sent, it will be verified according to the
+ other properties, which includes disabling validation if
+ SkipClientCertValidation is set. Defaults to false.
+ type: boolean
+ skipClientCertValidation:
+ description: |-
+ SkipClientCertValidation disables downstream client certificate
+ validation. Defaults to false. This field is intended to be used in
+ conjunction with external authorization in order to enable the external
+ authorization server to validate client certificates. When this field
+ is set to true, client certificates are requested but not verified by
+ Envoy. If CACertificate is specified, client certificates are required on
+ requests, but not verified. If external authorization is in use, they are
+ presented to the external authorization server.
+ type: boolean
+ type: object
+ enableFallbackCertificate:
+ description: |-
+ EnableFallbackCertificate defines if the vhost should allow a default certificate to
+ be applied which handles all requests which don't match the SNI defined in this vhost.
+ type: boolean
+ maximumProtocolVersion:
+ description: |-
+ MaximumProtocolVersion is the maximum TLS version this vhost should
+ negotiate. Valid options are `1.2` and `1.3` (default). Any other value
+ defaults to TLS 1.3.
+ type: string
+ minimumProtocolVersion:
+ description: |-
+ MinimumProtocolVersion is the minimum TLS version this vhost should
+ negotiate. Valid options are `1.2` (default) and `1.3`. Any other value
+ defaults to TLS 1.2.
+ type: string
+ passthrough:
+ description: |-
+ Passthrough defines whether the encrypted TLS handshake will be
+ passed through to the backing cluster. Either Passthrough or
+ SecretName must be specified, but not both.
+ type: boolean
+ secretName:
+ description: |-
+ SecretName is the name of a TLS secret.
+ Either SecretName or Passthrough must be specified, but not both.
+ If specified, the named secret must contain a matching certificate
+ for the virtual host's FQDN.
+ The name can be optionally prefixed with namespace "namespace/name".
+ When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
+ type: string
+ type: object
+ required:
+ - fqdn
+ type: object
+ type: object
+ status:
+ default:
+ currentStatus: NotReconciled
+ description: Waiting for controller
+ description: Status is a container for computed information about the
+ HTTPProxy.
+ properties:
+ conditions:
+ description: |-
+ Conditions contains information about the current status of the HTTPProxy,
+ in an upstream-friendly container.
+ Contour will update a single condition, `Valid`, that is in normal-true polarity.
+ That is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`,
+ and vice versa.
+ Contour will leave untouched any other Conditions set in this block,
+ in case some other controller wants to add a Condition.
+ If you are another controller owner and wish to add a condition, you *should*
+ namespace your condition with a label, like `controller.domain.com/ConditionName`.
+ items:
+ description: |-
+ DetailedCondition is an extension of the normal Kubernetes conditions, with two extra
+ fields to hold sub-conditions, which provide more detailed reasons for the state (True or False)
+ of the condition.
+ `errors` holds information about sub-conditions which are fatal to that condition and render its state False.
+ `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False.
+ Remember that Conditions have a type, a status, and a reason.
+ The type is the type of the condition, the most important one in this CRD set is `Valid`.
+ `Valid` is a positive-polarity condition: when it is `status: true` there are no problems.
+ In more detail, `status: true` means that the object is has been ingested into Contour with no errors.
+ `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors`
+ slice in this case.
+ `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour.
+ The details of the errors will be present under the `errors` field. There must be at least one error in the `errors`
+ slice if `status` is `false`.
+ For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity.
+ When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice.
+ When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice.
+ In either case, there may be entries in the `warnings` slice.
+ Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason
+ (if there is one and only one entry in total across both the `errors` and `warnings` slices), or
+ `MultipleReasons` if there is more than one entry.
+ properties:
+ errors:
+ description: |-
+ Errors contains a slice of relevant error subconditions for this object.
+ Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant.
+ An empty slice here indicates no errors.
+ items:
+ description: |-
+ SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
+ It contains a subset of the Condition fields.
+ It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
+ that is, they should be of the form "ErrorPresent: true".
+ The expected lifecycle for these errors is that they should only be present when the error or warning is,
+ and should be removed when they are not relevant.
+ properties:
+ message:
+ description: |-
+ Message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ reason:
+ description: |-
+ Reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: Status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
+ This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ warnings:
+ description: |-
+ Warnings contains a slice of relevant warning subconditions for this object.
+ Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant.
+ An empty slice here indicates no warnings.
+ items:
+ description: |-
+ SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
+ It contains a subset of the Condition fields.
+ It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
+ that is, they should be of the form "ErrorPresent: true".
+ The expected lifecycle for these errors is that they should only be present when the error or warning is,
+ and should be removed when they are not relevant.
+ properties:
+ message:
+ description: |-
+ Message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ reason:
+ description: |-
+ Reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: Status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
+ This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ currentStatus:
+ type: string
+ description:
+ type: string
+ loadBalancer:
+ description: LoadBalancer contains the current status of the load
+ balancer.
+ properties:
+ ingress:
+ description: |-
+ Ingress is a list containing ingress points for the load-balancer.
+ Traffic intended for the service should be sent to these ingress points.
+ items:
+ description: |-
+ LoadBalancerIngress represents the status of a load-balancer ingress point:
+ traffic intended for the service should be sent to an ingress point.
+ properties:
+ hostname:
+ description: |-
+ Hostname is set for load-balancer ingress points that are DNS based
+ (typically AWS load-balancers)
+ type: string
+ ip:
+ description: |-
+ IP is set for load-balancer ingress points that are IP based
+ (typically GCE or OpenStack load-balancers)
+ type: string
+ ipMode:
+ description: |-
+ IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified.
+ Setting this to "VIP" indicates that traffic is delivered to the node with
+ the destination set to the load-balancer's IP and port.
+ Setting this to "Proxy" indicates that traffic is delivered to the node or pod with
+ the destination set to the node's IP and node port or the pod's IP and port.
+ Service implementations may use this information to adjust traffic routing.
+ type: string
+ ports:
+ description: |-
+ Ports is a list of records of service ports
+ If used, every port defined in the service should have an entry in it
+ items:
+ properties:
+ error:
+ description: |-
+ Error is to record the problem with the service port
+ The format of the error shall comply with the following rules:
+ - built-in error values shall be specified in this file and those shall use
+ CamelCase names
+ - cloud provider specific error values must have names that comply with the
+ format foo.example.com/CamelCase.
+ ---
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ port:
+ description: Port is the port number of the service
+ port of which status is recorded here
+ format: int32
+ type: integer
+ protocol:
+ default: TCP
+ description: |-
+ Protocol is the protocol of the service port of which status is recorded here
+ The supported values are: "TCP", "UDP", "SCTP"
+ type: string
+ required:
+ - port
+ - protocol
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ required:
+ - metadata
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.15.0
+ name: tlscertificatedelegations.projectcontour.io
+spec:
+ preserveUnknownFields: false
+ group: projectcontour.io
+ names:
+ kind: TLSCertificateDelegation
+ listKind: TLSCertificateDelegationList
+ plural: tlscertificatedelegations
+ shortNames:
+ - tlscerts
+ singular: tlscertificatedelegation
+ scope: Namespaced
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ TLSCertificateDelegation is an TLS Certificate Delegation CRD specification.
+ See design/tls-certificate-delegation.md for details.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: TLSCertificateDelegationSpec defines the spec of the CRD
+ properties:
+ delegations:
+ items:
+ description: |-
+ CertificateDelegation maps the authority to reference a secret
+ in the current namespace to a set of namespaces.
+ properties:
+ secretName:
+ description: required, the name of a secret in the current namespace.
+ type: string
+ targetNamespaces:
+ description: |-
+ required, the namespaces the authority to reference the
+ secret will be delegated to.
+ If TargetNamespaces is nil or empty, the CertificateDelegation'
+ is ignored. If the TargetNamespace list contains the character, "*"
+ the secret will be delegated to all namespaces.
+ items:
+ type: string
+ type: array
+ required:
+ - secretName
+ - targetNamespaces
+ type: object
+ type: array
+ required:
+ - delegations
+ type: object
+ status:
+ description: |-
+ TLSCertificateDelegationStatus allows for the status of the delegation
+ to be presented to the user.
+ properties:
+ conditions:
+ description: |-
+ Conditions contains information about the current status of the HTTPProxy,
+ in an upstream-friendly container.
+ Contour will update a single condition, `Valid`, that is in normal-true polarity.
+ That is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`,
+ and vice versa.
+ Contour will leave untouched any other Conditions set in this block,
+ in case some other controller wants to add a Condition.
+ If you are another controller owner and wish to add a condition, you *should*
+ namespace your condition with a label, like `controller.domain.com\ConditionName`.
+ items:
+ description: |-
+ DetailedCondition is an extension of the normal Kubernetes conditions, with two extra
+ fields to hold sub-conditions, which provide more detailed reasons for the state (True or False)
+ of the condition.
+ `errors` holds information about sub-conditions which are fatal to that condition and render its state False.
+ `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False.
+ Remember that Conditions have a type, a status, and a reason.
+ The type is the type of the condition, the most important one in this CRD set is `Valid`.
+ `Valid` is a positive-polarity condition: when it is `status: true` there are no problems.
+ In more detail, `status: true` means that the object is has been ingested into Contour with no errors.
+ `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors`
+ slice in this case.
+ `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour.
+ The details of the errors will be present under the `errors` field. There must be at least one error in the `errors`
+ slice if `status` is `false`.
+ For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity.
+ When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice.
+ When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice.
+ In either case, there may be entries in the `warnings` slice.
+ Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason
+ (if there is one and only one entry in total across both the `errors` and `warnings` slices), or
+ `MultipleReasons` if there is more than one entry.
+ properties:
+ errors:
+ description: |-
+ Errors contains a slice of relevant error subconditions for this object.
+ Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant.
+ An empty slice here indicates no errors.
+ items:
+ description: |-
+ SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
+ It contains a subset of the Condition fields.
+ It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
+ that is, they should be of the form "ErrorPresent: true".
+ The expected lifecycle for these errors is that they should only be present when the error or warning is,
+ and should be removed when they are not relevant.
+ properties:
+ message:
+ description: |-
+ Message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ reason:
+ description: |-
+ Reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: Status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
+ This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ warnings:
+ description: |-
+ Warnings contains a slice of relevant warning subconditions for this object.
+ Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant.
+ An empty slice here indicates no warnings.
+ items:
+ description: |-
+ SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition.
+ It contains a subset of the Condition fields.
+ It is intended for warnings and errors, so `type` names should use abnormal-true polarity,
+ that is, they should be of the form "ErrorPresent: true".
+ The expected lifecycle for these errors is that they should only be present when the error or warning is,
+ and should be removed when they are not relevant.
+ properties:
+ message:
+ description: |-
+ Message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ reason:
+ description: |-
+ Reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: Status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ Type of condition in `CamelCase` or in `foo.example.com/CamelCase`.
+ This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - metadata
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+{{- end }}
diff --git a/charts/contour/contour/charts/contour/templates/default-backend/deployment.yaml b/charts/contour/contour/charts/contour/templates/default-backend/deployment.yaml
index 91bd060cb..ff08051d7 100644
--- a/charts/contour/contour/charts/contour/templates/default-backend/deployment.yaml
+++ b/charts/contour/contour/charts/contour/templates/default-backend/deployment.yaml
@@ -1,20 +1,25 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{- if .Values.defaultBackend.enabled }}
apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ printf "%s-default-backend" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.defaultBackend.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: default-backend
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
- {{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.defaultBackend.podLabels .Values.commonLabels $versionLabel ) "context" . ) }}
selector:
- matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: default-backend
replicas: {{ .Values.defaultBackend.replicaCount }}
{{- if .Values.defaultBackend.updateStrategy }}
@@ -23,22 +28,11 @@ spec:
template:
metadata:
{{- if or .Values.defaultBackend.podAnnotations .Values.commonAnnotations }}
- annotations:
- {{- if .Values.defaultBackend.podAnnotations }}
- {{- include "common.tplvalues.render" (dict "value" .Values.defaultBackend.podAnnotations "context" $) | nindent 8 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 8 }}
- {{- end }}
+ {{- $podAnnotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.defaultBackend.podAnnotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" (dict "value" $podAnnotations "context" $) | nindent 8 }}
{{- end }}
- labels: {{- include "common.labels.standard" . | nindent 8 }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
app.kubernetes.io/component: default-backend
- {{- if .Values.defaultBackend.podLabels }}
- {{- include "common.tplvalues.render" (dict "value" .Values.defaultBackend.podLabels "context" $) | nindent 8 }}
- {{- end }}
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }}
- {{- end }}
spec:
{{- include "common.images.pullSecrets" ( dict "images" (list .Values.defaultBackend.image) "global" .Values.global) | nindent 6 }}
{{- if .Values.defaultBackend.hostAliases }}
@@ -51,8 +45,8 @@ spec:
affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.defaultBackend.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
- podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.defaultBackend.podAffinityPreset "component" "default-backend" "context" $) | nindent 10 }}
- podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.defaultBackend.podAntiAffinityPreset "component" "default-backend" "context" $) | nindent 10 }}
+ podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.defaultBackend.podAffinityPreset "component" "default-backend" "customLabels" $podLabels "context" $) | nindent 10 }}
+ podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.defaultBackend.podAntiAffinityPreset "component" "default-backend" "customLabels" $podLabels "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.defaultBackend.nodeAffinityPreset.type "key" .Values.defaultBackend.nodeAffinityPreset.key "values" .Values.defaultBackend.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.defaultBackend.nodeSelector }}
@@ -62,7 +56,7 @@ spec:
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.defaultBackend.tolerations "context" .) | nindent 8 }}
{{- end }}
{{- if .Values.defaultBackend.podSecurityContext.enabled }}
- securityContext: {{- omit .Values.defaultBackend.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.defaultBackend.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
automountServiceAccountToken: false
serviceAccountName: {{ include "envoy.envoyServiceAccountName" . }}
@@ -83,7 +77,7 @@ spec:
image: {{ include "common.images.image" ( dict "imageRoot" .Values.defaultBackend.image "global" .Values.global) }}
imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy | quote }}
{{- if .Values.defaultBackend.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.defaultBackend.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.defaultBackend.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.defaultBackend.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.defaultBackend.command "context" $) | nindent 12 }}
@@ -121,10 +115,8 @@ spec:
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.defaultBackend.customLivenessProbe "context" $) | nindent 12 }}
{{- else if .Values.defaultBackend.livenessProbe.enabled }}
livenessProbe:
- httpGet:
- path: /
+ tcpSocket:
port: http
- scheme: HTTP
initialDelaySeconds: {{ .Values.defaultBackend.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.defaultBackend.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.defaultBackend.livenessProbe.timeoutSeconds }}
@@ -165,10 +157,12 @@ spec:
protocol: TCP
{{- if .Values.defaultBackend.resources }}
resources: {{- toYaml .Values.defaultBackend.resources | nindent 12 }}
+ {{- else if ne .Values.defaultBackend.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.defaultBackend.resourcesPreset) | nindent 12 }}
+ {{- end }}
{{- if .Values.defaultBackend.extraVolumeMounts }}
volumeMounts: {{- include "common.tplvalues.render" ( dict "value" .Values.contour.extraVolumeMounts "context" $ ) | nindent 12 }}
{{- end }}
- {{- end }}
{{- if .Values.defaultBackend.sidecars }}
{{- include "common.tplvalues.render" ( dict "value" .Values.defaultBackend.sidecars "context" $) | nindent 8 }}
{{- end }}
diff --git a/charts/contour/contour/charts/contour/templates/default-backend/ingress.yaml b/charts/contour/contour/charts/contour/templates/default-backend/ingress.yaml
index d92510b01..f8fb490b4 100644
--- a/charts/contour/contour/charts/contour/templates/default-backend/ingress.yaml
+++ b/charts/contour/contour/charts/contour/templates/default-backend/ingress.yaml
@@ -1,23 +1,25 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{- if .Values.defaultBackend.enabled }}
apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
kind: Ingress
metadata:
name: {{ printf "%s-default-backend" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.defaultBackend.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
annotations:
kubernetes.io/ingress.class: {{ include "contour.ingressClassName" . }}
{{- if .Values.ingress.certManager }}
kubernetes.io/tls-acme: "true"
{{- end }}
- {{- if .Values.ingress.annotations }}
- {{- include "common.tplvalues.render" (dict "value" .Values.ingress.annotations "context" $) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- if or .Values.ingress.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }}
+ {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
diff --git a/charts/contour/contour/charts/contour/templates/default-backend/networkpolicy.yaml b/charts/contour/contour/charts/contour/templates/default-backend/networkpolicy.yaml
new file mode 100644
index 000000000..1947cb07d
--- /dev/null
+++ b/charts/contour/contour/charts/contour/templates/default-backend/networkpolicy.yaml
@@ -0,0 +1,67 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ printf "%s-default-backend" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: default-backend
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
+ podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: default-backend
+ policyTypes:
+ - Ingress
+ - Egress
+ {{- if .Values.defaultBackend.networkPolicy.allowExternalEgress }}
+ egress:
+ - {}
+ {{- else }}
+ egress:
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ {{- if .Values.defaultBackend.networkPolicy.extraEgress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.defaultBackend.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ ingress:
+ - ports:
+ - port: {{ .Values.defaultBackend.containerPorts.http }}
+ {{- if not .Values.defaultBackend.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ - podSelector:
+ matchLabels:
+ {{ template "common.names.fullname" . }}-client: "true"
+ {{- if .Values.defaultBackend.networkPolicy.ingressNSMatchLabels }}
+ - namespaceSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.defaultBackend.networkPolicy.ingressNSMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- if .Values.defaultBackend.networkPolicy.ingressNSPodMatchLabels }}
+ podSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.defaultBackend.networkPolicy.ingressNSPodMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.defaultBackend.networkPolicy.extraIngress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.defaultBackend.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/contour/contour/charts/contour/templates/default-backend/poddisruptionbudget.yaml b/charts/contour/contour/charts/contour/templates/default-backend/poddisruptionbudget.yaml
index 7d287c944..26303a60b 100644
--- a/charts/contour/contour/charts/contour/templates/default-backend/poddisruptionbudget.yaml
+++ b/charts/contour/contour/charts/contour/templates/default-backend/poddisruptionbudget.yaml
@@ -1,14 +1,19 @@
-{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.pdb.create }}
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- $replicaCount := int .Values.defaultBackend.replicaCount }}
+{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.pdb.create (gt $replicaCount 1) }}
apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
name: {{ printf "%s-default-backend" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.defaultBackend.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: default-backend
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
- {{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
@@ -16,10 +21,11 @@ spec:
{{- if .Values.defaultBackend.pdb.minAvailable }}
minAvailable: {{ .Values.defaultBackend.pdb.minAvailable }}
{{- end }}
- {{- if .Values.defaultBackend.pdb.maxUnavailable }}
- maxUnavailable: {{ .Values.defaultBackend.pdb.maxUnavailable }}
+ {{- if or .Values.defaultBackend.pdb.maxUnavailable ( not .Values.defaultBackend.pdb.minAvailable ) }}
+ maxUnavailable: {{ .Values.defaultBackend.pdb.maxUnavailable | default 1 }}
{{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.defaultBackend.podLabels .Values.commonLabels ) "context" . ) }}
selector:
- matchLabels: {{- include "common.labels.matchLabels" . | nindent 4 }}
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: default-backend
{{- end }}
diff --git a/charts/contour/contour/charts/contour/templates/default-backend/service.yaml b/charts/contour/contour/charts/contour/templates/default-backend/service.yaml
index b04f04a40..0c0ea0684 100644
--- a/charts/contour/contour/charts/contour/templates/default-backend/service.yaml
+++ b/charts/contour/contour/charts/contour/templates/default-backend/service.yaml
@@ -1,22 +1,21 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{- if .Values.defaultBackend.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ printf "%s-default-backend" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.defaultBackend.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: default-backend
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
- {{- end }}
{{- if or .Values.defaultBackend.service.annotations .Values.commonAnnotations }}
- annotations:
- {{- if .Values.commonAnnotations }}
- {{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $) | nindent 4 }}
- {{- end }}
- {{- if .Values.defaultBackend.service.annotations }}
- {{- include "common.tplvalues.render" (dict "value" .Values.defaultBackend.service.annotations "context" $) | nindent 4 }}
- {{- end }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.defaultBackend.service.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.defaultBackend.service.type }}
@@ -25,6 +24,7 @@ spec:
port: {{ .Values.defaultBackend.service.ports.http }}
protocol: TCP
targetPort: http
- selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.defaultBackend.podLabels .Values.commonLabels ) "context" . ) }}
+ selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: default-backend
{{- end }}
diff --git a/charts/contour/contour/charts/contour/templates/default-backend/tls-secrets.yaml b/charts/contour/contour/charts/contour/templates/default-backend/tls-secrets.yaml
index 5448bb664..602a18245 100644
--- a/charts/contour/contour/charts/contour/templates/default-backend/tls-secrets.yaml
+++ b/charts/contour/contour/charts/contour/templates/default-backend/tls-secrets.yaml
@@ -1,4 +1,11 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{- if .Values.ingress.enabled }}
+{{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.defaultBackend.image "chart" .Chart ) ) }}
+{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
{{- if .Values.ingress.secrets }}
{{- range .Values.ingress.secrets }}
apiVersion: v1
@@ -6,10 +13,7 @@ kind: Secret
metadata:
name: {{ .name }}
namespace: {{ include "common.names.namespace" $ | quote }}
- labels: {{- include "common.labels.standard" $ | nindent 4 }}
- {{- if $.Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" $.Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
{{- if $.Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
@@ -29,10 +33,7 @@ kind: Secret
metadata:
name: {{ $secretName }}
namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
diff --git a/charts/contour/contour/charts/contour/templates/envoy/daemonset.yaml b/charts/contour/contour/charts/contour/templates/envoy/daemonset.yaml
index 728c6e5b5..4a160fe62 100644
--- a/charts/contour/contour/charts/contour/templates/envoy/daemonset.yaml
+++ b/charts/contour/contour/charts/contour/templates/envoy/daemonset.yaml
@@ -1,14 +1,18 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{- if and .Values.envoy.enabled (eq .Values.envoy.kind "daemonset") }}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ printf "%s-envoy" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.envoy.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: envoy
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
@@ -16,30 +20,21 @@ spec:
{{- if .Values.envoy.updateStrategy }}
updateStrategy: {{- toYaml .Values.envoy.updateStrategy | nindent 4 }}
{{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.envoy.podLabels .Values.commonLabels $versionLabel ) "context" . ) }}
selector:
- matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: envoy
template:
metadata:
{{- if or .Values.envoy.podAnnotations .Values.commonAnnotations }}
- annotations:
- {{- if .Values.envoy.podAnnotations }}
- {{- include "common.tplvalues.render" (dict "value" .Values.envoy.podAnnotations "context" $) | nindent 8 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 8 }}
- {{- end }}
+ {{- $podAnnotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.envoy.podAnnotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" (dict "value" $podAnnotations "context" $) | nindent 8 }}
{{- end }}
- labels: {{- include "common.labels.standard" . | nindent 8 }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
app.kubernetes.io/component: envoy
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }}
- {{- end }}
- {{- if .Values.envoy.podLabels }}
- {{- include "common.tplvalues.render" (dict "value" .Values.envoy.podLabels "context" $) | nindent 8 }}
- {{- end }}
spec:
{{- include "common.images.pullSecrets" ( dict "images" (list .Values.contour.image .Values.envoy.image) "global" .Values.global) | nindent 6 }}
+ automountServiceAccountToken: {{ .Values.envoy.automountServiceAccountToken }}
{{- if .Values.envoy.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.hostAliases "context" $) | nindent 8 }}
{{- end }}
@@ -50,8 +45,8 @@ spec:
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
- podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.envoy.podAffinityPreset "component" "envoy" "context" $) | nindent 10 }}
- podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.envoy.podAntiAffinityPreset "component" "envoy" "context" $) | nindent 10 }}
+ podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.envoy.podAffinityPreset "component" "envoy" "customLabels" $podLabels "context" $) | nindent 10 }}
+ podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.envoy.podAntiAffinityPreset "component" "envoy" "customLabels" $podLabels "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.envoy.nodeAffinityPreset.type "key" .Values.envoy.nodeAffinityPreset.key "values" .Values.envoy.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.envoy.nodeSelector }}
@@ -64,7 +59,7 @@ spec:
hostNetwork: {{ .Values.envoy.hostNetwork }}
dnsPolicy: {{ .Values.envoy.dnsPolicy }}
{{- if .Values.envoy.podSecurityContext.enabled }}
- securityContext: {{- omit .Values.envoy.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.envoy.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
containers:
{{- if .Values.envoy.shutdownManager.enabled }}
@@ -73,6 +68,7 @@ spec:
args:
- envoy
- shutdown-manager
+ - --serve-port={{ .Values.envoy.shutdownManager.containerPorts.http }}
{{- if .Values.envoy.shutdownManager.extraArgs }}
{{- include "common.tplvalues.render" (dict "value" .Values.envoy.shutdownManager.extraArgs "context" $) | nindent 12 }}
{{- end }}
@@ -93,6 +89,9 @@ spec:
name: {{ include "common.tplvalues.render" ( dict "value" .Values.contour.extraEnvVarsSecret "context" $ ) }}
{{- end }}
{{- end }}
+ {{- if .Values.envoy.shutdownManager.containerSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.envoy.shutdownManager.containerSecurityContext "context" $) | nindent 12 }}
+ {{- end }}
{{- if .Values.envoy.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.lifecycleHooks "context" $) | nindent 12 }}
{{- else }}
@@ -105,13 +104,60 @@ spec:
- shutdown
{{- end }}
name: shutdown-manager
+ {{- if .Values.envoy.shutdownManager.resources }}
resources: {{- toYaml .Values.envoy.shutdownManager.resources | nindent 12 }}
+ {{- else if ne .Values.envoy.shutdownManager.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.envoy.shutdownManager.resourcesPreset) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.envoy.shutdownManager.customStartupProbe }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.shutdownManager.customStartupProbe "context" $) | nindent 12 }}
+ {{- else if .Values.envoy.shutdownManager.startupProbe.enabled }}
+ startupProbe:
+ exec:
+ command:
+ - pgrep
+ - contour
+ initialDelaySeconds: {{ .Values.envoy.shutdownManager.startupProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.envoy.shutdownManager.startupProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.envoy.shutdownManager.startupProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.envoy.shutdownManager.startupProbe.successThreshold }}
+ failureThreshold: {{ .Values.envoy.shutdownManager.startupProbe.failureThreshold }}
+ {{- end }}
+ {{- if .Values.envoy.shutdownManager.customLivenessProbe }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.shutdownManager.customLivenessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.envoy.shutdownManager.livenessProbe.enabled }}
+ livenessProbe:
+ tcpSocket:
+ port: http-shutdown
+ initialDelaySeconds: {{ .Values.envoy.shutdownManager.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.envoy.shutdownManager.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.envoy.shutdownManager.livenessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.envoy.shutdownManager.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.envoy.shutdownManager.livenessProbe.failureThreshold }}
+ {{- end }}
+ {{- if .Values.envoy.shutdownManager.customReadinessProbe }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.shutdownManager.customReadinessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.envoy.shutdownManager.readinessProbe.enabled }}
+ readinessProbe:
+ httpGet:
+ port: http-shutdown
+ path: /healthz
+ initialDelaySeconds: {{ .Values.envoy.shutdownManager.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.envoy.shutdownManager.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.envoy.shutdownManager.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.envoy.shutdownManager.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.envoy.shutdownManager.readinessProbe.failureThreshold }}
+ {{- end }}
+ ports:
+ - containerPort: {{ .Values.envoy.shutdownManager.containerPorts.http }}
+ name: http-shutdown
volumeMounts:
- - name: envoy-admin
+ - name: empty-dir
mountPath: /admin
- {{- if .Values.envoy.extraVolumeMounts }}
+ subPath: app-admin-dir
+ {{- if .Values.envoy.extraVolumeMounts }}
{{- include "common.tplvalues.render" ( dict "value" .Values.envoy.extraVolumeMounts "context" $ ) | nindent 12 }}
- {{- end }}
+ {{- end }}
{{- end }}
- name: envoy
{{- if .Values.envoy.command }}
@@ -136,7 +182,7 @@ spec:
image: {{ include "common.images.image" ( dict "imageRoot" .Values.envoy.image "global" .Values.global ) }}
imagePullPolicy: {{ .Values.envoy.image.pullPolicy }}
{{- if .Values.envoy.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.envoy.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.envoy.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
env:
- name: CONTOUR_NAMESPACE
@@ -165,7 +211,7 @@ spec:
{{- end }}
ports:
- containerPort: {{ .Values.envoy.containerPorts.http }}
- {{- if .Values.envoy.useHostPort }}
+ {{- if .Values.envoy.useHostPort.http }}
hostPort: {{ .Values.envoy.hostPorts.http }}
{{- end }}
{{- if .Values.envoy.useHostIP }}
@@ -174,7 +220,7 @@ spec:
name: http
protocol: TCP
- containerPort: {{ .Values.envoy.containerPorts.https }}
- {{- if .Values.envoy.useHostPort }}
+ {{- if .Values.envoy.useHostPort.https }}
hostPort: {{ .Values.envoy.hostPorts.https }}
{{- end }}
{{- if .Values.envoy.useHostIP }}
@@ -183,7 +229,7 @@ spec:
name: https
protocol: TCP
- containerPort: {{ .Values.envoy.containerPorts.metrics }}
- {{- if .Values.envoy.useHostPort }}
+ {{- if .Values.envoy.useHostPort.metrics }}
hostPort: {{ .Values.envoy.hostPorts.metrics }}
{{- end }}
{{- if .Values.envoy.useHostIP }}
@@ -191,7 +237,9 @@ spec:
{{- end }}
name: metrics
protocol: TCP
- {{- if .Values.envoy.readinessProbe.enabled }}
+ {{- if .Values.envoy.customReadinessProbe }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.customReadinessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.envoy.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /ready
@@ -204,8 +252,7 @@ spec:
{{- end }}
{{- if .Values.envoy.livenessProbe.enabled }}
livenessProbe:
- httpGet:
- path: /ready
+ tcpSocket:
port: {{ .Values.envoy.containerPorts.metrics }}
initialDelaySeconds: {{ .Values.envoy.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.envoy.livenessProbe.periodSeconds }}
@@ -213,14 +260,21 @@ spec:
successThreshold: {{ .Values.envoy.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.envoy.livenessProbe.failureThreshold }}
{{- end }}
- resources: {{ toYaml .Values.envoy.resources | nindent 12 }}
+ {{- if .Values.envoy.resources }}
+ resources: {{- toYaml .Values.envoy.resources | nindent 12 }}
+ {{- else if ne .Values.envoy.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.envoy.resourcesPreset) | nindent 12 }}
+ {{- end }}
volumeMounts:
- - name: envoy-config
+ - name: empty-dir
mountPath: /config
+ subPath: app-conf-dir
- name: envoycert
mountPath: /certs
- - name: envoy-admin
+ readOnly: true
+ - name: empty-dir
mountPath: /admin
+ subPath: app-admin-dir
{{- if .Values.envoy.extraVolumeMounts }}
{{- include "common.tplvalues.render" ( dict "value" .Values.envoy.extraVolumeMounts "context" $ ) | nindent 12 }}
{{- end }}
@@ -229,7 +283,7 @@ spec:
{{- if .Values.envoy.shutdownManager.enabled }}
httpGet:
path: /shutdown
- port: {{ .Values.envoy.shutdownManager.port }}
+ port: {{ coalesce .Values.envoy.shutdownManager.port .Values.envoy.shutdownManager.containerPorts.http }}
scheme: HTTP
{{- else }}
exec:
@@ -259,15 +313,21 @@ spec:
image: {{ include "common.images.image" ( dict "imageRoot" .Values.contour.image "global" .Values.global) }}
imagePullPolicy: {{ .Values.contour.image.pullPolicy }}
name: envoy-initconfig
- resources: {{ toYaml .Values.contour.resources | nindent 12 }}
+ {{- if .Values.envoy.resources }}
+ resources: {{ toYaml .Values.envoy.resources | nindent 12 }}
+ {{- else if ne .Values.envoy.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.envoy.resourcesPreset) | nindent 12 }}
+ {{- end }}
volumeMounts:
- - name: envoy-config
+ - name: empty-dir
mountPath: /config
+ subPath: app-conf-dir
- name: envoycert
mountPath: /certs
readOnly: true
- - name: envoy-admin
+ - name: empty-dir
mountPath: /admin
+ subPath: app-admin-dir
{{- if .Values.envoy.extraVolumeMounts }}
{{- include "common.tplvalues.render" ( dict "value" .Values.envoy.extraVolumeMounts "context" $ ) | nindent 12 }}
{{- end }}
@@ -290,15 +350,15 @@ spec:
name: {{ include "common.tplvalues.render" ( dict "value" .Values.contour.extraEnvVarsSecret "context" $ ) }}
{{- end }}
{{- end }}
+ {{- if .Values.envoy.initConfig.containerSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.envoy.initConfig.containerSecurityContext "context" $) | nindent 12 }}
+ {{- end }}
{{- if .Values.envoy.initContainers }}
{{- include "common.tplvalues.render" ( dict "value" .Values.envoy.initContainers "context" $ ) | nindent 8 }}
{{- end }}
- automountServiceAccountToken: {{ .Values.envoy.serviceAccount.automountServiceAccountToken }}
serviceAccountName: {{ include "envoy.envoyServiceAccountName" . }}
volumes:
- - name: envoy-admin
- emptyDir: {}
- - name: envoy-config
+ - name: empty-dir
emptyDir: {}
- name: envoycert
secret:
diff --git a/charts/contour/contour/charts/contour/templates/envoy/deployment.yaml b/charts/contour/contour/charts/contour/templates/envoy/deployment.yaml
index 4f49811d4..e4b24c640 100644
--- a/charts/contour/contour/charts/contour/templates/envoy/deployment.yaml
+++ b/charts/contour/contour/charts/contour/templates/envoy/deployment.yaml
@@ -1,14 +1,18 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{- if and .Values.envoy.enabled (eq .Values.envoy.kind "deployment") }}
apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ printf "%s-envoy" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.envoy.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: envoy
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
@@ -21,24 +25,21 @@ spec:
strategy: {{- toYaml .Values.envoy.updateStrategy | nindent 4 }}
{{- end }}
minReadySeconds: {{ .Values.envoy.minReadySeconds }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.envoy.podLabels .Values.commonLabels $versionLabel ) "context" . ) }}
selector:
- matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: envoy
template:
metadata:
- {{- if .Values.envoy.podAnnotations }}
- annotations: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.podAnnotations "context" $) | nindent 8 }}
+ {{- if or .Values.envoy.podAnnotations .Values.commonAnnotations }}
+ {{- $podAnnotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.envoy.podAnnotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" (dict "value" $podAnnotations "context" $) | nindent 8 }}
{{- end }}
- labels: {{- include "common.labels.standard" . | nindent 8 }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
app.kubernetes.io/component: envoy
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }}
- {{- end }}
- {{- if .Values.envoy.podLabels }}
- {{- include "common.tplvalues.render" (dict "value" .Values.envoy.podLabels "context" $) | nindent 8 }}
- {{- end }}
spec:
{{- include "common.images.pullSecrets" ( dict "images" (list .Values.contour.image .Values.envoy.image) "global" .Values.global) | nindent 6 }}
+ automountServiceAccountToken: {{ .Values.envoy.automountServiceAccountToken }}
{{- if .Values.envoy.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.hostAliases "context" $) | nindent 8 }}
{{- end }}
@@ -46,8 +47,8 @@ spec:
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
- podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.envoy.podAffinityPreset "component" "envoy" "context" $) | nindent 10 }}
- podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.envoy.podAntiAffinityPreset "component" "envoy" "context" $) | nindent 10 }}
+ podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.envoy.podAffinityPreset "component" "envoy" "customLabels" $podLabels "context" $) | nindent 10 }}
+ podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.envoy.podAntiAffinityPreset "component" "envoy" "customLabels" $podLabels "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.envoy.nodeAffinityPreset.type "key" .Values.envoy.nodeAffinityPreset.key "values" .Values.envoy.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.envoy.priorityClassName }}
@@ -69,7 +70,7 @@ spec:
hostNetwork: {{ .Values.envoy.hostNetwork }}
dnsPolicy: {{ .Values.envoy.dnsPolicy }}
{{- if .Values.envoy.podSecurityContext.enabled }}
- securityContext: {{- omit .Values.envoy.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.envoy.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
containers:
{{- if .Values.envoy.shutdownManager.enabled }}
@@ -78,6 +79,7 @@ spec:
args:
- envoy
- shutdown-manager
+ - --serve-port={{ coalesce .Values.envoy.shutdownManager.port .Values.envoy.shutdownManager.containerPorts.http }}
{{- if .Values.envoy.shutdownManager.extraArgs }}
{{- include "common.tplvalues.render" (dict "value" .Values.envoy.shutdownManager.extraArgs "context" $) | nindent 12 }}
{{- end }}
@@ -98,6 +100,55 @@ spec:
name: {{ include "common.tplvalues.render" ( dict "value" .Values.contour.extraEnvVarsSecret "context" $ ) }}
{{- end }}
{{- end }}
+ ports:
+ - containerPort: {{ coalesce .Values.envoy.shutdownManager.containerPorts.http .Values.envoy.shutdownManager.port }}
+ name: http-shutdown
+ protocol: TCP
+ {{- if .Values.envoy.shutdownManager.containerSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.envoy.shutdownManager.containerSecurityContext "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.envoy.shutdownManager.customStartupProbe }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.shutdownManager.customStartupProbe "context" $) | nindent 12 }}
+ {{- else if .Values.envoy.shutdownManager.startupProbe.enabled }}
+ startupProbe:
+ exec:
+ command:
+ - pgrep
+ - contour
+ initialDelaySeconds: {{ .Values.envoy.shutdownManager.startupProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.envoy.shutdownManager.startupProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.envoy.shutdownManager.startupProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.envoy.shutdownManager.startupProbe.successThreshold }}
+ failureThreshold: {{ .Values.envoy.shutdownManager.startupProbe.failureThreshold }}
+ {{- end }}
+ {{- if .Values.envoy.shutdownManager.customLivenessProbe }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.shutdownManager.customLivenessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.envoy.shutdownManager.livenessProbe.enabled }}
+ livenessProbe:
+ tcpSocket:
+ port: http-shutdown
+ initialDelaySeconds: {{ .Values.envoy.shutdownManager.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.envoy.shutdownManager.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.envoy.shutdownManager.livenessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.envoy.shutdownManager.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.envoy.shutdownManager.livenessProbe.failureThreshold }}
+ {{- end }}
+ {{- if .Values.envoy.shutdownManager.customReadinessProbe }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.shutdownManager.customReadinessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.envoy.shutdownManager.readinessProbe.enabled }}
+ readinessProbe:
+ httpGet:
+ port: http-shutdown
+ path: /healthz
+ initialDelaySeconds: {{ .Values.envoy.shutdownManager.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.envoy.shutdownManager.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.envoy.shutdownManager.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.envoy.shutdownManager.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.envoy.shutdownManager.readinessProbe.failureThreshold }}
+ {{- end }}
+ {{- if .Values.envoy.shutdownManager.lifecycleHooks }}
+ lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.shutdownManager.lifecycleHooks "context" $) | nindent 12 }}
+ {{- else }}
lifecycle:
preStop:
exec:
@@ -105,14 +156,17 @@ spec:
- contour
- envoy
- shutdown
- {{- if .Values.envoy.customReadinessProbe }}
- readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
name: shutdown-manager
+ {{- if .Values.envoy.shutdownManager.resources }}
resources: {{- toYaml .Values.envoy.shutdownManager.resources | nindent 12 }}
+ {{- else if ne .Values.envoy.shutdownManager.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.envoy.shutdownManager.resourcesPreset) | nindent 12 }}
+ {{- end }}
volumeMounts:
- - name: envoy-admin
+ - name: empty-dir
mountPath: /admin
+ subPath: app-admin-dir
{{- if .Values.envoy.extraVolumeMounts }}
{{- include "common.tplvalues.render" ( dict "value" .Values.envoy.extraVolumeMounts "context" $ ) | nindent 12 }}
{{- end }}
@@ -140,7 +194,7 @@ spec:
image: {{ include "common.images.image" ( dict "imageRoot" .Values.envoy.image "global" .Values.global ) }}
imagePullPolicy: {{ .Values.envoy.image.pullPolicy }}
{{- if .Values.envoy.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.envoy.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.envoy.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
env:
- name: CONTOUR_NAMESPACE
@@ -169,7 +223,8 @@ spec:
{{- end }}
ports:
- containerPort: {{ .Values.envoy.containerPorts.http }}
- {{- if .Values.envoy.useHostPort }}
+ # Use of .Values.envoy.useHostPort as boolean is DEPRECATED. Support will be removed in upcoming versions.
+ {{- if or (and (kindIs "boolean" .Values.envoy.useHostPort) .Values.envoy.useHostPort) (and (kindIs "map" .Values.envoy.useHostPort) .Values.envoy.useHostPort.http) }}
hostPort: {{ .Values.envoy.hostPorts.http }}
{{- end }}
{{- if .Values.envoy.useHostIP }}
@@ -178,7 +233,8 @@ spec:
name: http
protocol: TCP
- containerPort: {{ .Values.envoy.containerPorts.https }}
- {{- if .Values.envoy.useHostPort }}
+ # Use of .Values.envoy.useHostPort as boolean is DEPRECATED. Support will be removed in upcoming versions.
+ {{- if or (and (kindIs "boolean" .Values.envoy.useHostPort) .Values.envoy.useHostPort) (and (kindIs "map" .Values.envoy.useHostPort) .Values.envoy.useHostPort.https) }}
hostPort: {{ .Values.envoy.hostPorts.https }}
{{- end }}
{{- if .Values.envoy.useHostIP }}
@@ -187,7 +243,8 @@ spec:
name: https
protocol: TCP
- containerPort: {{ .Values.envoy.containerPorts.metrics }}
- {{- if .Values.envoy.useHostPort }}
+ # Use of .Values.envoy.useHostPort as boolean is DEPRECATED. Support will be removed in upcoming versions.
+ {{- if or (and (kindIs "boolean" .Values.envoy.useHostPort) .Values.envoy.useHostPort) (and (kindIs "map" .Values.envoy.useHostPort) .Values.envoy.useHostPort.metrics) }}
hostPort: {{ .Values.envoy.hostPorts.metrics }}
{{- end }}
{{- if .Values.envoy.useHostIP }}
@@ -195,7 +252,9 @@ spec:
{{- end }}
name: metrics
protocol: TCP
- {{- if .Values.envoy.readinessProbe.enabled }}
+ {{- if .Values.envoy.customReadinessProbe }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.customReadinessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.envoy.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /ready
@@ -210,8 +269,7 @@ spec:
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.customLivenessProbe "context" $) | nindent 12 }}
{{- else if .Values.envoy.livenessProbe.enabled }}
livenessProbe:
- httpGet:
- path: /ready
+ tcpSocket:
port: {{ .Values.envoy.containerPorts.metrics }}
initialDelaySeconds: {{ .Values.envoy.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.envoy.livenessProbe.periodSeconds }}
@@ -232,23 +290,32 @@ spec:
successThreshold: {{ .Values.envoy.startupProbe.successThreshold }}
failureThreshold: {{ .Values.envoy.startupProbe.failureThreshold }}
{{- end }}
+ {{- if .Values.envoy.resources }}
resources: {{- toYaml .Values.envoy.resources | nindent 12 }}
+ {{- else if ne .Values.envoy.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.envoy.resourcesPreset) | nindent 12 }}
+ {{- end }}
volumeMounts:
- - name: envoy-config
+ - name: empty-dir
mountPath: /config
+ subPath: app-conf-dir
- name: envoycert
mountPath: /certs
- - name: envoy-admin
+ - name: empty-dir
mountPath: /admin
+ subPath: app-admin-dir
{{- if .Values.envoy.extraVolumeMounts }}
{{- include "common.tplvalues.render" ( dict "value" .Values.envoy.extraVolumeMounts "context" $ ) | nindent 12 }}
{{- end }}
+ {{- if .Values.envoy.lifecycleHooks }}
+ lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.lifecycleHooks "context" $) | nindent 12 }}
+ {{- else }}
lifecycle:
preStop:
{{- if .Values.envoy.shutdownManager.enabled }}
httpGet:
path: /shutdown
- port: {{ .Values.envoy.shutdownManager.port }}
+ port: {{ coalesce .Values.envoy.shutdownManager.port .Values.envoy.shutdownManager.containerPorts.http }}
scheme: HTTP
{{- else }}
exec:
@@ -257,6 +324,7 @@ spec:
- '-c'
- sleep {{ .Values.envoy.terminationGracePeriodSeconds }}; kill 1
{{- end }}
+ {{- end }}
{{- if .Values.envoy.sidecars }}
{{- include "common.tplvalues.render" ( dict "value" .Values.envoy.sidecars "context" $ ) | nindent 8 }}
{{- end }}
@@ -278,15 +346,21 @@ spec:
image: {{ include "common.images.image" ( dict "imageRoot" .Values.contour.image "global" .Values.global) }}
imagePullPolicy: {{ .Values.contour.image.pullPolicy }}
name: envoy-initconfig
- resources: {{ toYaml .Values.contour.resources | nindent 12 }}
+ {{- if .Values.envoy.resources }}
+ resources: {{ toYaml .Values.envoy.resources | nindent 12 }}
+ {{- else if ne .Values.envoy.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.envoy.resourcesPreset) | nindent 12 }}
+ {{- end }}
volumeMounts:
- - name: envoy-config
+ - name: empty-dir
mountPath: /config
+ subPath: app-conf-dir
- name: envoycert
mountPath: /certs
readOnly: true
- - name: envoy-admin
+ - name: empty-dir
mountPath: /admin
+ subPath: app-admin-dir
{{- if .Values.envoy.extraVolumeMounts }}
{{- include "common.tplvalues.render" ( dict "value" .Values.envoy.extraVolumeMounts "context" $ ) | nindent 12 }}
{{- end }}
@@ -309,15 +383,15 @@ spec:
name: {{ include "common.tplvalues.render" ( dict "value" .Values.contour.extraEnvVarsSecret "context" $ ) }}
{{- end }}
{{- end }}
+ {{- if .Values.envoy.initConfig.containerSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.envoy.initConfig.containerSecurityContext "context" $) | nindent 12 }}
+ {{- end }}
{{- if .Values.envoy.initContainers }}
{{- include "common.tplvalues.render" ( dict "value" .Values.envoy.initContainers "context" $ ) | nindent 8 }}
{{- end }}
- automountServiceAccountToken: {{ .Values.envoy.serviceAccount.automountServiceAccountToken }}
serviceAccountName: {{ include "envoy.envoyServiceAccountName" . }}
volumes:
- - name: envoy-admin
- emptyDir: {}
- - name: envoy-config
+ - name: empty-dir
emptyDir: {}
- name: envoycert
secret:
diff --git a/charts/contour/contour/charts/contour/templates/envoy/extra-list.yaml b/charts/contour/contour/charts/contour/templates/envoy/extra-list.yaml
index 9ac65f9e1..329f5c653 100644
--- a/charts/contour/contour/charts/contour/templates/envoy/extra-list.yaml
+++ b/charts/contour/contour/charts/contour/templates/envoy/extra-list.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{- range .Values.extraDeploy }}
---
{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
diff --git a/charts/contour/contour/charts/contour/templates/envoy/hpa.yaml b/charts/contour/contour/charts/contour/templates/envoy/hpa.yaml
index ade8c8503..ac419e33a 100644
--- a/charts/contour/contour/charts/contour/templates/envoy/hpa.yaml
+++ b/charts/contour/contour/charts/contour/templates/envoy/hpa.yaml
@@ -1,18 +1,26 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{- if and .Values.envoy.enabled .Values.envoy.autoscaling.enabled (eq .Values.envoy.kind "deployment") }}
apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }}
kind: HorizontalPodAutoscaler
metadata:
name: {{ printf "%s-envoy" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.envoy.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: envoy
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
- {{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
+ {{- if .Values.envoy.autoscaling.behavior }}
+ behavior:
+ {{- toYaml .Values.envoy.autoscaling.behavior | nindent 4 }}
+ {{- end }}
scaleTargetRef:
apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
kind: Deployment
diff --git a/charts/contour/contour/charts/contour/templates/envoy/networkpolicy.yaml b/charts/contour/contour/charts/contour/templates/envoy/networkpolicy.yaml
new file mode 100644
index 000000000..ff686276f
--- /dev/null
+++ b/charts/contour/contour/charts/contour/templates/envoy/networkpolicy.yaml
@@ -0,0 +1,97 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.envoy.enabled .Values.envoy.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ printf "%s-envoy" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: envoy
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
+ podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: envoy
+ policyTypes:
+ - Ingress
+ - Egress
+ {{- if .Values.envoy.networkPolicy.allowExternalEgress }}
+ egress:
+ - {}
+ {{- else }}
+ egress:
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ # Allow outbound connections to envoy
+ - ports:
+ - port: {{ .Values.envoy.containerPorts.http }}
+ - port: {{ .Values.envoy.containerPorts.https }}
+ - port: {{ .Values.envoy.containerPorts.metrics }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: envoy
+ {{- if .Values.contour.enabled }}
+ # Allow outbound connections to other contour pods
+ - ports:
+ - port: {{ .Values.contour.containerPorts.xds }}
+ - port: {{ .Values.contour.containerPorts.metrics }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: contour
+ {{- end }}
+ {{- if .Values.defaultBackend.enabled }}
+ # Allow outbound connections to envoy
+ - ports:
+ - port: {{ .Values.defaultBackend.containerPorts.http }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: default-backend
+ {{- end }}
+ {{- if .Values.envoy.networkPolicy.extraEgress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.envoy.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ ingress:
+ - ports:
+ - port: {{ .Values.envoy.containerPorts.http }}
+ - port: {{ .Values.envoy.containerPorts.https }}
+ - port: {{ .Values.envoy.containerPorts.metrics }}
+ {{- if not .Values.envoy.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ - podSelector:
+ matchLabels:
+ {{ template "common.names.fullname" . }}-client: "true"
+ {{- if .Values.envoy.networkPolicy.ingressNSMatchLabels }}
+ - namespaceSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.envoy.networkPolicy.ingressNSMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- if .Values.envoy.networkPolicy.ingressNSPodMatchLabels }}
+ podSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.envoy.networkPolicy.ingressNSPodMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.envoy.networkPolicy.extraIngress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.envoy.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/contour/contour/charts/contour/templates/envoy/poddisruptionbudget.yaml b/charts/contour/contour/charts/contour/templates/envoy/poddisruptionbudget.yaml
new file mode 100644
index 000000000..70e1baea0
--- /dev/null
+++ b/charts/contour/contour/charts/contour/templates/envoy/poddisruptionbudget.yaml
@@ -0,0 +1,31 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- $replicaCount := int .Values.envoy.replicaCount }}
+{{- if and .Values.envoy.enabled (eq .Values.envoy.kind "deployment") .Values.envoy.pdb.create (or (gt $replicaCount 1) .Values.envoy.autoscaling.enabled) }}
+apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+ name: {{ printf "%s-envoy" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.envoy.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: envoy
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.envoy.pdb.minAvailable }}
+ minAvailable: {{ .Values.envoy.pdb.minAvailable }}
+ {{- end }}
+ {{- if or .Values.envoy.pdb.maxUnavailable ( not .Values.envoy.pdb.minAvailable ) }}
+ maxUnavailable: {{ .Values.envoy.pdb.maxUnavailable | default 1 }}
+ {{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.envoy.podLabels .Values.commonLabels ) "context" . ) }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: envoy
+{{- end }}
diff --git a/charts/contour/contour/charts/contour/templates/envoy/prometheusrule.yaml b/charts/contour/contour/charts/contour/templates/envoy/prometheusrule.yaml
new file mode 100644
index 000000000..e44fbd759
--- /dev/null
+++ b/charts/contour/contour/charts/contour/templates/envoy/prometheusrule.yaml
@@ -0,0 +1,26 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.metrics.prometheusRule.enabled .Values.envoy.enabled .Values.metrics.enabled}}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ namespace: {{ default .Release.Namespace .Values.metrics.prometheusRule.namespace | quote }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.envoy.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: metrics
+ {{- if .Values.metrics.prometheusRule.additionalLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.additionalLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ groups:
+ - name: {{ include "common.names.fullname" . }}
+ rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 6 }}
+{{- end }}
diff --git a/charts/contour/contour/charts/contour/templates/envoy/service.yaml b/charts/contour/contour/charts/contour/templates/envoy/service.yaml
index 0692d39ba..0643eca7c 100644
--- a/charts/contour/contour/charts/contour/templates/envoy/service.yaml
+++ b/charts/contour/contour/charts/contour/templates/envoy/service.yaml
@@ -1,94 +1,24 @@
-{{- if .Values.envoy.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ default (printf "%s-envoy" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-") .Values.envoy.service.name }}
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- app.kubernetes.io/component: envoy
- {{- if .Values.envoy.service.labels }}
- {{- include "common.tplvalues.render" (dict "value" .Values.envoy.service.labels "context" $) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
- annotations:
- {{- if (ne (index .Values.envoy.service.annotations "service.beta.kubernetes.io/aws-load-balancer-type" | toString ) "nlb") }}
- # This annotation puts the AWS ELB into "TCP" mode so that it does not
- # do HTTP negotiation for HTTPS connections at the ELB edge.
- # The downside of this is the remote IP address of all connections will
- # appear to be the internal address of the ELB. See docs/proxy-proto.md
- # for information about enabling the PROXY protocol on the ELB to recover
- # the original remote IP address.
- # We don't set this for nlb, per the contour docs.
- service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
- {{- end }}
- {{- if .Values.envoy.service.annotations }}
- {{- include "common.tplvalues.render" (dict "value" .Values.envoy.service.annotations "context" $) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-spec:
- {{- if .Values.envoy.service.externalTrafficPolicy }}
- externalTrafficPolicy: {{ .Values.envoy.service.externalTrafficPolicy | quote }}
- {{- end }}
- {{- if not (empty .Values.envoy.service.clusterIP) }}
- clusterIP: {{ .Values.envoy.service.clusterIP | quote }}
- {{- end }}
- {{- if .Values.envoy.service.sessionAffinity }}
- sessionAffinity: {{ .Values.envoy.service.sessionAffinity }}
- {{- end }}
- {{- if .Values.envoy.service.sessionAffinityConfig }}
- sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.service.sessionAffinityConfig "context" $) | nindent 4 }}
- {{- end }}
- {{- if .Values.envoy.service.externalIPs }}
- externalIPs: {{- toYaml .Values.envoy.service.externalIPs | nindent 4 }}
- {{- end }}
- {{- if .Values.envoy.service.loadBalancerIP }}
- loadBalancerIP: {{ .Values.envoy.service.loadBalancerIP | quote }}
- {{- end }}
- {{- if .Values.envoy.service.loadBalancerSourceRanges }}
- loadBalancerSourceRanges: {{- toYaml .Values.envoy.service.loadBalancerSourceRanges | nindent 4 }}
- {{- end }}
- {{- if .Values.envoy.service.ipFamilyPolicy }}
- ipFamilyPolicy: {{ .Values.envoy.service.ipFamilyPolicy }}
- {{- end }}
- {{- if and .Values.envoy.service.loadBalancerClass (eq .Values.envoy.service.type "LoadBalancer") }}
- loadBalancerClass: {{ .Values.envoy.service.loadBalancerClass }}
- {{- end }}
- ports:
- - name: http
- port: {{ .Values.envoy.service.ports.http }}
- protocol: TCP
- targetPort: {{ .Values.envoy.service.targetPorts.http }}
- {{- if and (or (eq .Values.envoy.service.type "NodePort") (eq .Values.envoy.service.type "LoadBalancer")) (not (empty .Values.envoy.service.nodePorts.http)) }}
- nodePort: {{ .Values.envoy.service.nodePorts.http }}
- {{- else if eq .Values.envoy.service.type "ClusterIP" }}
- nodePort: null
- {{- end }}
- - name: https
- port: {{ .Values.envoy.service.ports.https }}
- protocol: TCP
- targetPort: {{ .Values.envoy.service.targetPorts.https }}
- {{- if and (or (eq .Values.envoy.service.type "NodePort") (eq .Values.envoy.service.type "LoadBalancer")) (not (empty .Values.envoy.service.nodePorts.https)) }}
- nodePort: {{ .Values.envoy.service.nodePorts.https }}
- {{- else if eq .Values.envoy.service.type "ClusterIP" }}
- nodePort: null
- {{- end }}
- {{- if .Values.envoy.service.extraPorts }}
- {{- include "common.tplvalues.render" (dict "value" .Values.envoy.service.extraPorts "context" $) | nindent 4 }}
- {{- end }}
- selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
- app.kubernetes.io/component: envoy
- type: {{ .Values.envoy.service.type }}
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.envoy.image "chart" .Chart ) ) }}
+{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.envoy.podLabels .Values.commonLabels ) "context" . ) }}
+{{- if and .Values.envoy.service.multiAz.enabled .Values.envoy.service.multiAz.zones .Values.envoy.enabled }}
+{{ include "envoy.envoyServiceMultiAZ" . }}
+{{- else if .Values.envoy.enabled }}
+{{ include "envoy.envoyService" . }}
+{{- end }}
{{- if .Values.metrics.serviceMonitor.enabled }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ printf "%s-envoy-metrics" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: envoy
spec:
type: ClusterIP
@@ -96,12 +26,11 @@ spec:
{{- if not .Values.envoy.shutdownManager.enabled }}
publishNotReadyAddresses: true
{{- end }}
- selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
+ selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: envoy
ports:
- name: metrics
- port: 8002
+ port: {{ .Values.envoy.service.ports.metrics }}
protocol: TCP
- targetPort: 8002
-{{- end }}
+ targetPort: {{ .Values.envoy.service.targetPorts.metrics }}
{{- end }}
diff --git a/charts/contour/contour/charts/contour/templates/envoy/serviceaccount.yaml b/charts/contour/contour/charts/contour/templates/envoy/serviceaccount.yaml
index 65fdf043f..51b67eafb 100644
--- a/charts/contour/contour/charts/contour/templates/envoy/serviceaccount.yaml
+++ b/charts/contour/contour/charts/contour/templates/envoy/serviceaccount.yaml
@@ -1,22 +1,21 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{- if and .Values.envoy.serviceAccount.create .Values.envoy.enabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "envoy.envoyServiceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.envoy.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: envoy
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
{{- if or .Values.envoy.serviceAccount.annotations .Values.commonAnnotations }}
- annotations:
- {{- if .Values.commonAnnotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.envoy.serviceAccount.annotations }}
- {{- include "common.tplvalues.render" (dict "value" .Values.envoy.serviceAccount.annotations "context" $) | nindent 4 }}
- {{- end }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.envoy.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.envoy.serviceAccount.automountServiceAccountToken }}
{{- end }}
diff --git a/charts/contour/contour/charts/contour/templates/envoy/servicemonitor.yaml b/charts/contour/contour/charts/contour/templates/envoy/servicemonitor.yaml
index aa9779449..fb77a6f2d 100644
--- a/charts/contour/contour/charts/contour/templates/envoy/servicemonitor.yaml
+++ b/charts/contour/contour/charts/contour/templates/envoy/servicemonitor.yaml
@@ -1,32 +1,29 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
{{- if and .Values.metrics.serviceMonitor.enabled .Values.envoy.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ printf "%s-envoy" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
- {{- if .Values.metrics.serviceMonitor.namespace }}
- namespace: {{ .Values.metrics.serviceMonitor.namespace }}
- {{- else }}
- namespace: {{ include "common.names.namespace" . | quote }}
- {{- end }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- {{- if .Values.metrics.serviceMonitor.labels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.labels "context" $ ) | nindent 4 }}
- {{- end }}
+ namespace: {{ default (include "common.names.namespace" .) .Values.metrics.serviceMonitor.namespace | quote }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.envoy.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: envoy
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel | quote }}
selector:
- matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: envoy
- {{- if .Values.metrics.serviceMonitor.selector }}
- {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 4 }}
- {{- end }}
+ {{- if .Values.metrics.serviceMonitor.selector }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }}
+ {{- end }}
namespaceSelector:
matchNames:
- {{ include "common.names.namespace" . | quote }}
diff --git a/charts/contour/contour/charts/contour/templates/service_helpers.yaml b/charts/contour/contour/charts/contour/templates/service_helpers.yaml
new file mode 100644
index 000000000..2b466fb34
--- /dev/null
+++ b/charts/contour/contour/charts/contour/templates/service_helpers.yaml
@@ -0,0 +1,140 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Create the standalone envoyService
+*/}}
+{{- define "envoy.envoyService" -}}
+{{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.envoy.image "chart" .Chart ) ) }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ default (printf "%s-envoy" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-") .Values.envoy.service.name }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.envoy.service.labels .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: envoy
+ annotations:
+ {{- if (ne (index .Values.envoy.service.annotations "service.beta.kubernetes.io/aws-load-balancer-type" | toString ) "nlb") }}
+ # This annotation puts the AWS ELB into "TCP" mode so that it does not
+ # do HTTP negotiation for HTTPS connections at the ELB edge.
+ # The downside of this is the remote IP address of all connections will
+ # appear to be the internal address of the ELB. See docs/proxy-proto.md
+ # for information about enabling the PROXY protocol on the ELB to recover
+ # the original remote IP address.
+ # We don't set this for nlb, per the contour docs.
+ service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+ {{- end }}
+ {{- if or .Values.envoy.service.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.envoy.service.annotations .Values.commonAnnotations ) "context" . ) }}
+ {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.envoy.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.envoy.service.loadBalancerIP | quote }}
+ {{- end }}
+{{- include "envoy.envoyServiceSpec" . }}
+{{- end -}}
+
+{{/*
+Create the multi az envoyService
+*/}}
+{{- define "envoy.envoyServiceMultiAZ" -}}
+{{- range $azArray := .Values.envoy.service.multiAz.zones }}
+{{- with $ -}}
+{{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.envoy.image "chart" .Chart ) ) }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ default (printf "%s-%s-envoy" (include "common.names.fullname" .) $azArray.name | trunc 63 | trimSuffix "-") .Values.envoy.service.name }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.envoy.service.labels .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: envoy
+ annotations:
+ {{- if (ne (index .Values.envoy.service.annotations "service.beta.kubernetes.io/aws-load-balancer-type" | toString ) "nlb") }}
+ # This annotation puts the AWS ELB into "TCP" mode so that it does not
+ # do HTTP negotiation for HTTPS connections at the ELB edge.
+ # The downside of this is the remote IP address of all connections will
+ # appear to be the internal address of the ELB. See docs/proxy-proto.md
+ # for information about enabling the PROXY protocol on the ELB to recover
+ # the original remote IP address.
+ # We don't set this for nlb, per the contour docs.
+ service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+ {{- end }}
+ {{- if or .Values.envoy.service.annotations .Values.commonAnnotations $azArray.annotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.envoy.service.annotations .Values.commonAnnotations $azArray.annotations ) "context" . ) }}
+ {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if $azArray.loadBalancerIP }}
+ loadBalancerIP: {{ $azArray.loadBalancerIP | quote }}
+ {{- end }}
+{{- include "envoy.envoyServiceSpec" . }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+The default envoy service spec
+*/}}
+{{- define "envoy.envoyServiceSpec" -}}
+{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.envoy.podLabels .Values.commonLabels ) "context" . ) }}
+ {{- if .Values.envoy.service.externalTrafficPolicy }}
+ externalTrafficPolicy: {{ .Values.envoy.service.externalTrafficPolicy | quote }}
+ {{- end }}
+ {{- if not (empty .Values.envoy.service.clusterIP) }}
+ clusterIP: {{ .Values.envoy.service.clusterIP | quote }}
+ {{- end }}
+ {{- if .Values.envoy.service.sessionAffinity }}
+ sessionAffinity: {{ .Values.envoy.service.sessionAffinity }}
+ {{- end }}
+ {{- if .Values.envoy.service.sessionAffinityConfig }}
+ sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.service.sessionAffinityConfig "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.envoy.service.externalIPs }}
+ externalIPs: {{- toYaml .Values.envoy.service.externalIPs | nindent 4 }}
+ {{- end }}
+ {{- if .Values.envoy.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges: {{- toYaml .Values.envoy.service.loadBalancerSourceRanges | nindent 4 }}
+ {{- end }}
+ {{- if .Values.envoy.service.ipFamilyPolicy }}
+ ipFamilyPolicy: {{ .Values.envoy.service.ipFamilyPolicy }}
+ {{- end }}
+ {{- if .Values.envoy.service.ipFamilies }}
+ ipFamilies: {{ toYaml .Values.envoy.service.ipFamilies | nindent 4 }}
+ {{- end }}
+ {{- if and .Values.envoy.service.loadBalancerClass (eq .Values.envoy.service.type "LoadBalancer") }}
+ loadBalancerClass: {{ .Values.envoy.service.loadBalancerClass }}
+ {{- end }}
+ ports:
+ - name: http
+ port: {{ .Values.envoy.service.ports.http }}
+ protocol: TCP
+ targetPort: {{ .Values.envoy.service.targetPorts.http }}
+ {{- if and (or (eq .Values.envoy.service.type "NodePort") (eq .Values.envoy.service.type "LoadBalancer")) (not (empty .Values.envoy.service.nodePorts.http)) }}
+ nodePort: {{ .Values.envoy.service.nodePorts.http }}
+ {{- else if eq .Values.envoy.service.type "ClusterIP" }}
+ nodePort: null
+ {{- end }}
+ - name: https
+ port: {{ .Values.envoy.service.ports.https }}
+ protocol: TCP
+ targetPort: {{ .Values.envoy.service.targetPorts.https }}
+ {{- if and (or (eq .Values.envoy.service.type "NodePort") (eq .Values.envoy.service.type "LoadBalancer")) (not (empty .Values.envoy.service.nodePorts.https)) }}
+ nodePort: {{ .Values.envoy.service.nodePorts.https }}
+ {{- else if eq .Values.envoy.service.type "ClusterIP" }}
+ nodePort: null
+ {{- end }}
+ {{- if .Values.envoy.service.extraPorts }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.envoy.service.extraPorts "context" $) | nindent 4 }}
+ {{- end }}
+ selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: envoy
+ type: {{ .Values.envoy.service.type }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/contour/contour/charts/contour/values.yaml b/charts/contour/contour/charts/contour/values.yaml
index 3e5c1f01f..7507b40d1 100644
--- a/charts/contour/contour/charts/contour/values.yaml
+++ b/charts/contour/contour/charts/contour/values.yaml
@@ -1,3 +1,6 @@
+# Copyright Broadcom, Inc. All Rights Reserved.
+# SPDX-License-Identifier: APACHE-2.0
+
## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
@@ -6,7 +9,8 @@
## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets [array] Global Docker registry secret names as an array
-## @param global.storageClass Global StorageClass for Persistent Volume(s)
+## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
+## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead
##
global:
imageRegistry: ""
@@ -15,8 +19,17 @@ global:
## - myRegistryKeySecretName
##
imagePullSecrets: []
+ defaultStorageClass: ""
storageClass: ""
-
+ ## Compatibility adaptations for Kubernetes platforms
+ ##
+ compatibility:
+ ## Compatibility adaptations for Openshift
+ ##
+ openshift:
+ ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
+ ##
+ adaptSecurityContext: auto
## @section Common parameters
##
@@ -41,7 +54,6 @@ commonLabels: {}
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: {}
-
## Diagnostic mode in the deployment
##
diagnosticMode:
@@ -56,7 +68,6 @@ diagnosticMode:
##
args:
- infinity
-
## @section Contour parameters
##
@@ -77,14 +88,13 @@ configInline:
tls:
fallback-certificate: {}
accesslog-format: envoy
-
contour:
## @param contour.enabled Contour Deployment creation.
##
enabled: true
- ## @param contour.image.registry Contour image registry
- ## @param contour.image.repository Contour image name
- ## @param contour.image.tag Contour image tag
+ ## @param contour.image.registry [default: REGISTRY_NAME] Contour image registry
+ ## @param contour.image.repository [default: REPOSITORY_NAME/contour] Contour image name
+ ## @skip contour.image.tag Contour image tag
## @param contour.image.digest Contour image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param contour.image.pullPolicy Contour Image pull policy
## @param contour.image.pullSecrets [array] Contour Image pull secrets
@@ -93,11 +103,11 @@ contour:
image:
registry: docker.io
repository: bitnami/contour
- tag: 1.25.0-debian-11-r13
+ tag: 1.30.0-debian-12-r5
digest: ""
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
- ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
@@ -109,8 +119,14 @@ contour:
##
pullSecrets: []
debug: false
- ## @param contour.replicaCount Number of Contour Pod replicas
+ ## @param contour.contourConfigName Contour Deployment with ContourConfiguration CRD.
+ #
+ contourConfigName: "contour"
+ ## @param contour.configPath Contour Deployment with configmap.
##
+ configPath: true
+ ## @param contour.replicaCount Number of Contour Pod replicas
+ #
replicaCount: 1
## @param contour.priorityClassName Priority class assigned to the pods
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
@@ -136,6 +152,9 @@ contour:
containerPorts:
xds: 8001
metrics: 8000
+ ## @param contour.automountServiceAccountToken Mount Service Account token in pod
+ ##
+ automountServiceAccountToken: true
## @param contour.hostAliases [array] Add deployment host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
@@ -148,28 +167,27 @@ contour:
##
extraArgs: []
## Contour container resource requests and limits
- ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## ref: https://projectcontour.io/guides/resource-limits/
## We usually recommend not to specify default resources and to leave this as a conscious
## choice for the user. This also increases chances charts run on environments with little
## resources, such as Minikube. If you do want to specify resources, uncomment the following
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- ## @param contour.resources.limits [object] Specify resource limits which the container is not allowed to succeed.
- ## @param contour.resources.requests [object] Specify resource requests which the container needs to spawn.
+ ## @param contour.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if contour.resources is set (contour.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
- resources:
- ## Example:
- ## limits:
- ## cpu: 400m
- ## memory: 258Mi
- ##
- limits: {}
- ## Examples:
- ## requests:
- ## cpu: 100m
- ## memory: 25Mi
- ##
- requests: {}
+ resourcesPreset: "nano"
+ ## @param contour.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
## @param contour.manageCRDs Manage the creation, upgrade and deletion of Contour CRDs.
##
manageCRDs: true
@@ -239,7 +257,7 @@ contour:
##
affinity: {}
## @param contour.nodeSelector [object] Node labels for Contour pod assignment
- ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
##
nodeSelector: {}
## @param contour.tolerations [array] Tolerations for Contour pod assignment
@@ -258,26 +276,48 @@ contour:
serviceAccount:
create: true
name: ""
- automountServiceAccountToken: true
+ automountServiceAccountToken: false
annotations: {}
## Contour Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param contour.podSecurityContext.enabled Default backend Pod securityContext
+ ## @param contour.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param contour.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param contour.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param contour.podSecurityContext.fsGroup Set Default backend Pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
fsGroup: 1001
## Envoy container security context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
- ## @param contour.containerSecurityContext.enabled Envoy Container securityContext
- ## @param contour.containerSecurityContext.runAsUser User ID for the Contour container (to change this, http and https containerPorts must be set to >1024)
- ## @param contour.containerSecurityContext.runAsNonRoot Run as non root
+ ## @param contour.containerSecurityContext.enabled Enabled contour containers' Security Context
+ ## @param contour.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param contour.containerSecurityContext.runAsUser Set contour containers' Security Context runAsUser
+ ## @param contour.containerSecurityContext.runAsGroup Set contour containers' Security Context runAsGroup
+ ## @param contour.containerSecurityContext.runAsNonRoot Set contour containers' Security Context runAsNonRoot
+ ## @param contour.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Conte
+ ## @param contour.containerSecurityContext.privileged Set contour container's Security Context privileged
+ ## @param contour.containerSecurityContext.allowPrivilegeEscalation Set contour container's Security Context allowPrivilegeEscalation
+ ## @param contour.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param contour.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
##
containerSecurityContext:
enabled: true
+ seLinuxOptions: {}
runAsUser: 1001
+ runAsGroup: 1001
runAsNonRoot: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
## @param contour.livenessProbe.enabled Enable/disable the Liveness probe
## @param contour.livenessProbe.initialDelaySeconds Delay before liveness probe is initiated
## @param contour.livenessProbe.periodSeconds How often to perform the probe
@@ -331,11 +371,72 @@ contour:
serviceAccount:
create: true
name: ""
- automountServiceAccountToken: true
+ automountServiceAccountToken: false
annotations: {}
## @param contour.certgen.certificateLifetime Generated certificate lifetime (in days).
##
certificateLifetime: 365
+ ## @param contour.certgen.automountServiceAccountToken Mount Service Account token in pod
+ ##
+ automountServiceAccountToken: true
+ ## Network Policies
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+ ##
+ networkPolicy:
+ ## @param contour.certgen.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param contour.certgen.networkPolicy.allowExternal Don't require server label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## server label will have network access to the ports server is listening
+ ## on. When true, server will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param contour.certgen.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param contour.certgen.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
+ ##
+ kubeAPIServerPorts: [443, 6443, 8443]
+ ## @param contour.certgen.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param contour.certgen.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param contour.certgen.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param contour.certgen.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
## @param contour.tlsExistingSecret Name of the existingSecret to be use in Contour deployment. If it is not nil `contour.certgen` will be disabled.
## It will override `tlsExistingSecret`
##
@@ -400,6 +501,64 @@ contour:
## timeoutSeconds: 300
##
sessionAffinityConfig: {}
+ ## Network Policies
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+ ##
+ networkPolicy:
+ ## @param contour.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param contour.networkPolicy.allowExternal Don't require server label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## server label will have network access to the ports server is listening
+ ## on. When true, server will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param contour.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param contour.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
+ ##
+ kubeAPIServerPorts: [443, 6443, 8443]
+ ## @param contour.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param contour.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param contour.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param contour.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
## @param contour.initContainers [array] Attach additional init containers to Contour pods
## For example:
## initContainers:
@@ -452,23 +611,18 @@ contour:
name: ""
create: true
default: true
-
## @param contour.debug Enable Contour debug log level
##
debug: false
-
## @param contour.logFormat Set contour log-format. Default text, either text or json.
##
logFormat: text
-
## @param contour.kubernetesDebug Contour kubernetes debug log level, Default 0, minimum 0, maximum 9.
##
kubernetesDebug: 0
-
## @param contour.rootNamespaces Restrict Contour to searching these namespaces for root ingress routes.
##
rootNamespaces: ""
-
## Exposes configuration of Envoy's Overload Manager through Contour's bootstrapping process
## When 95% of max heap size is reached for an Envoy, "shrink heap" operation is triggered.
## When 98% of max heap size is reached for an Envoy, it no longer accepts requests.
@@ -479,19 +633,29 @@ contour:
overloadManager:
enabled: false
maxHeapBytes: "2147483648"
+ ## PodDisruptionBudget for default backend
+ ## Contour Pod Disruption Budget configuration
+ ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+ ## @param contour.pdb.create Enable Pod Disruption Budget configuration
+ ## @param contour.pdb.minAvailable Minimum number/percentage of Default backend pods that should remain scheduled
+ ## @param contour.pdb.maxUnavailable Maximum number/percentage of Default backend pods that should remain scheduled
+ ##
+ pdb:
+ create: true
+ minAvailable: ""
+ maxUnavailable: ""
## @section Envoy parameters
##
-
envoy:
## @param envoy.enabled Envoy Proxy creation
##
enabled: true
## Bitnami Envoy image
## ref: https://hub.docker.com/r/bitnami/envoy/tags/
- ## @param envoy.image.registry Envoy Proxy image registry
- ## @param envoy.image.repository Envoy Proxy image repository
- ## @param envoy.image.tag Envoy Proxy image tag (immutable tags are recommended)
+ ## @param envoy.image.registry [default: REGISTRY_NAME] Envoy Proxy image registry
+ ## @param envoy.image.repository [default: REPOSITORY_NAME/envoy] Envoy Proxy image repository
+ ## @skip envoy.image.tag Envoy Proxy image tag (immutable tags are recommended)
## @param envoy.image.digest Envoy Proxy image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param envoy.image.pullPolicy Envoy image pull policy
## @param envoy.image.pullSecrets [array] Envoy image pull secrets
@@ -499,11 +663,11 @@ envoy:
image:
registry: docker.io
repository: bitnami/envoy
- tag: 1.26.2-debian-11-r4
+ tag: 1.31.0-debian-12-r3
digest: ""
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
- ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
@@ -530,33 +694,35 @@ envoy:
## @param envoy.extraArgs [array] Extra arguments passed to Envoy container
##
extraArgs: []
+ ## @param envoy.automountServiceAccountToken Mount Service Account token in pod
+ ##
+ automountServiceAccountToken: false
## @param envoy.hostAliases [array] Add deployment host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
hostAliases: []
## Envoy container resource requests and limits
- ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## ref: https://projectcontour.io/guides/resource-limits/
## We usually recommend not to specify default resources and to leave this as a conscious
## choice for the user. This also increases chances charts run on environments with little
## resources, such as Minikube. If you do want to specify resources, uncomment the following
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- ## @param envoy.resources.limits [object] Specify resource limits which the container is not allowed to succeed.
- ## @param envoy.resources.requests [object] Specify resource requests which the container needs to spawn.
+ ## @param envoy.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if envoy.resources is set (envoy.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
- resources:
- ## Example:
- ## limits:
- ## cpu: 400m
- ## memory: 250Mi
- ##
- limits: {}
- ## Examples:
- ## requests:
- ## cpu: 100m
- ## memory: 25Mi
- ##
- requests: {}
+ resourcesPreset: "nano"
+ ## @param envoy.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
## @param envoy.command Override default command
##
command: []
@@ -565,27 +731,132 @@ envoy:
args: []
## @param envoy.shutdownManager.enabled Contour shutdownManager sidecar
## @param envoy.shutdownManager.extraArgs [array] Extra arguments passed to shutdown container
- ## @param envoy.shutdownManager.port Specify Port for shutdown container
- ## @param envoy.shutdownManager.resources.limits [object] Specify resource limits which the container is not allowed to succeed.
- ## @param envoy.shutdownManager.resources.requests [object] Specify resource requests which the container needs to spawn.
+ ## @param envoy.shutdownManager.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if envoy.shutdownManager.resources is set (envoy.shutdownManager.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ## @param envoy.shutdownManager.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## @param envoy.shutdownManager.containerPorts.http Specify Port for shutdown container
+ ## @param envoy.shutdownManager.lifecycleHooks lifecycleHooks for the container to automate configuration before or after startup.
##
shutdownManager:
+ lifecycleHooks: {}
extraArgs: []
- port: "8090"
enabled: true
- resources:
- ## Example:
- ## limits:
- ## cpu: 50m
- ## memory: 32Mi
- ##
- limits: {}
- ## Examples:
- ## requests:
- ## cpu: 10m
- ## memory: 16Mi
- ##
- requests: {}
+ resourcesPreset: "nano"
+ containerPorts:
+ http: 8090
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ resources: {}
+ ## Shutdown Manager container security context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param envoy.shutdownManager.containerSecurityContext.enabled Enabled envoy shutdownManager containers' Security Context
+ ## @param envoy.shutdownManager.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param envoy.shutdownManager.containerSecurityContext.runAsUser Set envoy shutdownManager containers' Security Context runAsUser
+ ## @param envoy.shutdownManager.containerSecurityContext.runAsGroup Set contour containers' Security Context runAsGroup
+ ## @param envoy.shutdownManager.containerSecurityContext.runAsNonRoot Set envoy shutdownManager containers' Security Context runAsNonRoot
+ ## @param envoy.shutdownManager.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Conte
+ ## @param envoy.shutdownManager.containerSecurityContext.privileged Set envoy.shutdownManager container's Security Context privileged
+ ## @param envoy.shutdownManager.containerSecurityContext.allowPrivilegeEscalation Set envoy shutdownManager container's Security Context allowPrivilegeEscalation
+ ## @param envoy.shutdownManager.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param envoy.shutdownManager.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+ ##
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: {}
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
+ ## @param envoy.shutdownManager.livenessProbe.enabled Enable livenessProbe
+ ## @param envoy.shutdownManager.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param envoy.shutdownManager.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param envoy.shutdownManager.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param envoy.shutdownManager.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param envoy.shutdownManager.livenessProbe.successThreshold Success threshold for livenessProbe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 120
+ periodSeconds: 20
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+ ## @param envoy.shutdownManager.readinessProbe.enabled Enable/disable the readiness probe
+ ## @param envoy.shutdownManager.readinessProbe.initialDelaySeconds Delay before readiness probe is initiated
+ ## @param envoy.shutdownManager.readinessProbe.periodSeconds How often to perform the probe
+ ## @param envoy.shutdownManager.readinessProbe.timeoutSeconds When the probe times out
+ ## @param envoy.shutdownManager.readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
+ ## @param envoy.shutdownManager.readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
+ ##
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 10
+ periodSeconds: 3
+ timeoutSeconds: 1
+ failureThreshold: 3
+ successThreshold: 1
+ ## @param envoy.shutdownManager.startupProbe.enabled Enable/disable the startup probe
+ ## @param envoy.shutdownManager.startupProbe.initialDelaySeconds Delay before startup probe is initiated
+ ## @param envoy.shutdownManager.startupProbe.periodSeconds How often to perform the probe
+ ## @param envoy.shutdownManager.startupProbe.timeoutSeconds When the probe times out
+ ## @param envoy.shutdownManager.startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
+ ## @param envoy.shutdownManager.startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
+ ##
+ startupProbe:
+ enabled: false
+ initialDelaySeconds: 15
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 3
+ successThreshold: 1
+ ## @param envoy.shutdownManager.customLivenessProbe Override default liveness probe
+ ##
+ customLivenessProbe: {}
+ ## @param envoy.shutdownManager.customReadinessProbe Override default readiness probe
+ ##
+ customReadinessProbe: {}
+ ## @param envoy.shutdownManager.customStartupProbe Override default startup probe
+ ##
+ customStartupProbe: {}
+ ## Envoy Initconfig initcontainer security context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param envoy.initConfig.containerSecurityContext.enabled Enabled envoy initConfig containers' Security Context
+ ## @param envoy.initConfig.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param envoy.initConfig.containerSecurityContext.runAsUser Set envoy initConfig containers' Security Context runAsUser
+ ## @param envoy.initConfig.containerSecurityContext.runAsGroup Set envoy initConfig containers' Security Context runAsUser
+ ## @param envoy.initConfig.containerSecurityContext.runAsNonRoot Set envoy initConfig containers' Security Context runAsNonRoot
+ ## @param envoy.initConfig.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Conte
+ ## @param envoy.initConfig.containerSecurityContext.privileged Set contraller container's Security Context privileged
+ ## @param envoy.initConfig.containerSecurityContext.allowPrivilegeEscalation Set contraller container's Security Context allowPrivilegeEscalation
+ ## @param envoy.initConfig.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param envoy.initConfig.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+ ##
+ initConfig:
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: {}
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
## @param envoy.kind Install as deployment or daemonset
##
kind: daemonset
@@ -618,6 +889,7 @@ envoy:
## @param envoy.autoscaling.maxReplicas Maximum number of Controller replicas
## @param envoy.autoscaling.targetCPU Target CPU utilization percentage
## @param envoy.autoscaling.targetMemory Target Memory utilization percentage
+ ## @param envoy.autoscaling.behavior HPA Behavior
##
autoscaling:
enabled: false
@@ -625,6 +897,7 @@ envoy:
maxReplicas: 11
targetCPU: ""
targetMemory: ""
+ behavior: {}
## @param envoy.podAffinityPreset Envoy Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
## Allowed values: soft, hard
@@ -656,7 +929,7 @@ envoy:
##
affinity: {}
## @param envoy.nodeSelector [object] Node labels for Envoy pod assignment
- ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
##
nodeSelector: {}
## @param envoy.tolerations [array] Tolerations for Envoy pod assignment
@@ -674,23 +947,43 @@ envoy:
## Pod security context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param envoy.podSecurityContext.enabled Envoy Pod securityContext
+ ## @param envoy.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param envoy.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param envoy.podSecurityContext.fsGroup User ID for the for the mounted volumes
## @param envoy.podSecurityContext.sysctls Array of sysctl options to allow
##
podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ supplementalGroups: []
fsGroup: 0
sysctls: []
- enabled: false
## Envoy container security context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
- ## @param envoy.containerSecurityContext.enabled Envoy Container securityContext
- ## @param envoy.containerSecurityContext.runAsUser User ID for the Envoy container (to change this, http and https containerPorts must be set to >1024)
- ## @param envoy.containerSecurityContext.runAsNonRoot Run as non root
+ ## @param envoy.containerSecurityContext.enabled Enabled envoy containers' Security Context
+ ## @param envoy.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param envoy.containerSecurityContext.runAsUser Set envoy containers' Security Context runAsUser
+ ## @param envoy.containerSecurityContext.runAsGroup Set envoy containers' Security Context runAsGroup
+ ## @param envoy.containerSecurityContext.runAsNonRoot Set envoy containers' Security Context runAsNonRoot
+ ## @param envoy.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Conte
+ ## @param envoy.containerSecurityContext.privileged Set envoy container's Security Context privileged
+ ## @param envoy.containerSecurityContext.allowPrivilegeEscalation Set envoy container's Security Context allowPrivilegeEscalation
+ ## @param envoy.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param envoy.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
##
containerSecurityContext:
enabled: true
+ seLinuxOptions: {}
runAsUser: 1001
+ runAsGroup: 1001
runAsNonRoot: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
## @param envoy.hostNetwork Envoy Pod host network access
## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
##
@@ -782,11 +1075,30 @@ envoy:
## @param envoy.service.name envoy service name
##
name: ""
+ ## The multi az feature renders multiple service, so you could attach different service provider loadbalancer to it.
+ ## This feature is primarily used to achieve a high availability with multiple loadbalancer
+ ## @param envoy.service.multiAz.enabled enables the rendering of the multiple services
+ ## @param envoy.service.multiAz.zones defines different zones their annotations and loadBalancerIPs
+ ##
+ multiAz:
+ enabled: false
+ zones: []
+ ## Example
+ ## - name: "zone1"
+ ## loadBalancerIP: "1.2.3.4"
+ ## annotations:
+ ## service.beta.kubernetes.io/loadbalancer-zone: zone1
+ ## - name: "zone2"
+ ## loadBalancerIP: "5.6.7.8"
+ ## annotations:
+ ## service.beta.kubernetes.io/loadbalancer-zone: zone2
+ ##
## @param envoy.service.targetPorts [object] Map the controller service HTTP/HTTPS port
##
targetPorts:
http: http
https: https
+ metrics: metrics
## @param envoy.service.type Type of Envoy service to create
##
type: LoadBalancer
@@ -817,6 +1129,13 @@ envoy:
## @param envoy.service.ipFamilyPolicy [string], support SingleStack, PreferDualStack and RequireDualStack
##
ipFamilyPolicy: ""
+ ## @param envoy.service.ipFamilies [array] List of IP families (e.g. IPv4, IPv6) assigned to the service.
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/
+ ## E.g.
+ ## ipFamilies:
+ ## - IPv6
+ ##
+ ipFamilies: []
## @param envoy.service.annotations [object] Annotations for Envoy service
##
annotations: {}
@@ -827,6 +1146,9 @@ envoy:
## @param envoy.service.ports.https Sets service https port
##
https: 443
+ ## @param envoy.service.ports.metrics Sets service metrics port
+ ##
+ metrics: 8002
## Specify the nodePort(s) value(s) for the LoadBalancer and NodePort service types.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
## @param envoy.service.nodePorts.http HTTP Port. If `envoy.service.type` is NodePort and this is non-empty
@@ -850,9 +1172,69 @@ envoy:
## timeoutSeconds: 300
##
sessionAffinityConfig: {}
- ## @param envoy.useHostPort Enable/disable `hostPort` for TCP/80 and TCP/443
+ ## Network Policies
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
- useHostPort: true
+ networkPolicy:
+ ## @param envoy.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param envoy.networkPolicy.allowExternal Don't require server label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## server label will have network access to the ports server is listening
+ ## on. When true, server will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param envoy.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param envoy.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param envoy.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param envoy.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param envoy.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
+ ## @param envoy.useHostPort.http Enable/disable `hostPort` for TCP/80
+ ## @param envoy.useHostPort.https Enable/disable `hostPort` TCP/443
+ ## @param envoy.useHostPort.metrics Enable/disable `hostPort` for TCP/8002
+ ##
+ useHostPort:
+ http: false
+ https: false
+ metrics: false
## @param envoy.useHostIP Enable/disable `hostIP`
##
useHostIP: false
@@ -919,6 +1301,17 @@ envoy:
## @param envoy.extraEnvVarsSecret Secret containing extra env vars to be added to all Envoy containers
##
extraEnvVarsSecret: ""
+ ## PodDisruptionBudget for default backend
+ ## Envoy Pod Disruption Budget configuration
+ ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+ ## @param envoy.pdb.create Enable Pod Disruption Budget configuration
+ ## @param envoy.pdb.minAvailable Minimum number/percentage of Default backend pods that should remain scheduled
+ ## @param envoy.pdb.maxUnavailable Maximum number/percentage of Default backend pods that should remain scheduled
+ ##
+ pdb:
+ create: true
+ minAvailable: ""
+ maxUnavailable: ""
## @section Default backend parameters
##
@@ -931,9 +1324,9 @@ defaultBackend:
enabled: false
## Bitnami NGINX image
## ref: https://hub.docker.com/r/bitnami/nginx/tags/
- ## @param defaultBackend.image.registry Default backend image registry
- ## @param defaultBackend.image.repository Default backend image name
- ## @param defaultBackend.image.tag Default backend image tag
+ ## @param defaultBackend.image.registry [default: REGISTRY_NAME] Default backend image registry
+ ## @param defaultBackend.image.repository [default: REPOSITORY_NAME/nginx] Default backend image name
+ ## @skip defaultBackend.image.tag Default backend image tag
## @param defaultBackend.image.digest Default backend image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param defaultBackend.image.pullPolicy Image pull policy
## @param defaultBackend.image.pullSecrets [array] Specify docker-registry secret names as an array
@@ -941,11 +1334,11 @@ defaultBackend:
image:
registry: docker.io
repository: bitnami/nginx
- tag: 1.25.1-debian-11-r1
+ tag: 1.27.1-debian-12-r3
digest: ""
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
- ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
@@ -1025,42 +1418,63 @@ defaultBackend:
## Default backend pods' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param defaultBackend.podSecurityContext.enabled Default backend Pod securityContext
+ ## @param defaultBackend.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param defaultBackend.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param defaultBackend.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param defaultBackend.podSecurityContext.fsGroup Set Default backend Pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
fsGroup: 1001
## Default backend containers' Security Context (only main container)
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
- ## @param defaultBackend.containerSecurityContext.enabled Default backend container securityContext
- ## @param defaultBackend.containerSecurityContext.runAsUser User ID for the Envoy container (to change this, http and https containerPorts must be set to >1024)
- ## @param defaultBackend.containerSecurityContext.runAsNonRoot Run as non root
+ ## @param defaultBackend.containerSecurityContext.enabled Enabled defaultBackend containers' Security Context
+ ## @param defaultBackend.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param defaultBackend.containerSecurityContext.runAsUser Set defaultBackend containers' Security Context runAsUser
+ ## @param defaultBackend.containerSecurityContext.runAsGroup Set defaultBackend containers' Security Context runAsGroup
+ ## @param defaultBackend.containerSecurityContext.runAsNonRoot Set defaultBackend containers' Security Context runAsNonRoot
+ ## @param defaultBackend.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Conte
+ ## @param defaultBackend.containerSecurityContext.privileged Set defaultBackend container's Security Context privileged
+ ## @param defaultBackend.containerSecurityContext.allowPrivilegeEscalation Set defaultBackend container's Security Context allowPrivilegeEscalation
+ ## @param defaultBackend.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param defaultBackend.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
##
containerSecurityContext:
enabled: true
+ seLinuxOptions: {}
runAsUser: 1001
+ runAsGroup: 1001
runAsNonRoot: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
## Default backend containers' resource requests and limits
- ## ref: https://kubernetes.io/docs/user-guide/compute-resources
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## We usually recommend not to specify default resources and to leave this as a conscious
## choice for the user. This also increases chances charts run on environments with little
## resources, such as Minikube.
- ## @param defaultBackend.resources.limits [object] The resources limits for the Default backend container
- ## @param defaultBackend.resources.requests [object] The requested resources for the Default backend container
+ ## @param defaultBackend.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if defaultBackend.resources is set (defaultBackend.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
- resources:
- ## Example:
- ## limits:
- ## cpu: 250m
- ## memory: 256Mi
- ##
- limits: {}
- ## Examples:
- ## requests:
- ## cpu: 250m
- ## memory: 256Mi
- ##
- requests: {}
+ resourcesPreset: "nano"
+ ## @param defaultBackend.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
## Default backend containers' liveness probe. Evaluated as a template.
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
## @param defaultBackend.livenessProbe.enabled Enable livenessProbe
@@ -1174,7 +1588,7 @@ defaultBackend:
##
affinity: {}
## @param defaultBackend.nodeSelector [object] Node labels for pod assignment. Evaluated as a template.
- ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
##
nodeSelector: {}
## @param defaultBackend.tolerations [array] Tolerations for pod assignment. Evaluated as a template.
@@ -1191,6 +1605,61 @@ defaultBackend:
ports:
http: 80
annotations: {}
+ ## Network Policies
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+ ##
+ networkPolicy:
+ ## @param defaultBackend.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param defaultBackend.networkPolicy.allowExternal Don't require server label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## server label will have network access to the ports server is listening
+ ## on. When true, server will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param defaultBackend.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param defaultBackend.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param defaultBackend.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param defaultBackend.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param defaultBackend.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
## PodDisruptionBudget for default backend
## Default backend Pod Disruption Budget configuration
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
@@ -1199,15 +1668,14 @@ defaultBackend:
## @param defaultBackend.pdb.maxUnavailable Maximum number/percentage of Default backend pods that should remain scheduled
##
pdb:
- create: false
- minAvailable: 1
+ create: true
+ minAvailable: ""
maxUnavailable: ""
-
## Ingress parameters
##
ingress:
## @param ingress.enabled Ingress configuration enabled
- ## Ref: https://kubernetes.io/docs/user-guide/ingress/
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
## Enable Ingress.
##
@@ -1302,10 +1770,8 @@ ingress:
## name: http
##
extraRules: []
-
## @section Metrics parameters
##
-
metrics:
## Prometheus Operator service monitors
##
@@ -1340,7 +1806,6 @@ metrics:
## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
##
labels: {}
-
## Prometheus Operator prometheusRules
##
prometheusRule:
@@ -1356,7 +1821,6 @@ metrics:
## @param metrics.prometheusRule.rules Prometheus Rule definitions
##
rules: []
-
## @section Other parameters
##
diff --git a/charts/contour/contour/values.yaml b/charts/contour/contour/values.yaml
index fdbb463a6..c74a1a688 100644
--- a/charts/contour/contour/values.yaml
+++ b/charts/contour/contour/values.yaml
@@ -1,5 +1,8 @@
# child values
contour:
+ # Copyright Broadcom, Inc. All Rights Reserved.
+ # SPDX-License-Identifier: APACHE-2.0
+
## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
@@ -8,7 +11,8 @@ contour:
## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets [array] Global Docker registry secret names as an array
- ## @param global.storageClass Global StorageClass for Persistent Volume(s)
+ ## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
+ ## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead
##
global:
imageRegistry: ""
@@ -17,7 +21,17 @@ contour:
## - myRegistryKeySecretName
##
imagePullSecrets: []
+ defaultStorageClass: ""
storageClass: ""
+ ## Compatibility adaptations for Kubernetes platforms
+ ##
+ compatibility:
+ ## Compatibility adaptations for Openshift
+ ##
+ openshift:
+ ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
+ ##
+ adaptSecurityContext: auto
## @section Common parameters
##
@@ -80,9 +94,9 @@ contour:
## @param contour.enabled Contour Deployment creation.
##
enabled: true
- ## @param contour.image.registry Contour image registry
- ## @param contour.image.repository Contour image name
- ## @param contour.image.tag Contour image tag
+ ## @param contour.image.registry [default: REGISTRY_NAME] Contour image registry
+ ## @param contour.image.repository [default: REPOSITORY_NAME/contour] Contour image name
+ ## @skip contour.image.tag Contour image tag
## @param contour.image.digest Contour image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param contour.image.pullPolicy Contour Image pull policy
## @param contour.image.pullSecrets [array] Contour Image pull secrets
@@ -91,11 +105,11 @@ contour:
image:
registry: docker.m.daocloud.io
repository: bitnami/contour
- tag: 1.25.0-debian-11-r13
+ tag: 1.30.0-debian-12-r5
digest: ""
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
- ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
@@ -107,8 +121,14 @@ contour:
##
pullSecrets: []
debug: false
- ## @param contour.replicaCount Number of Contour Pod replicas
+ ## @param contour.contourConfigName Contour Deployment with ContourConfiguration CRD.
+ #
+ contourConfigName: "contour"
+ ## @param contour.configPath Contour Deployment with configmap.
##
+ configPath: true
+ ## @param contour.replicaCount Number of Contour Pod replicas
+ #
replicaCount: 2
## @param contour.priorityClassName Priority class assigned to the pods
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
@@ -134,6 +154,9 @@ contour:
containerPorts:
xds: 8001
metrics: 8000
+ ## @param contour.automountServiceAccountToken Mount Service Account token in pod
+ ##
+ automountServiceAccountToken: true
## @param contour.hostAliases [array] Add deployment host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
@@ -148,27 +171,27 @@ contour:
- '--envoy-service-http-address=::'
- '--envoy-service-https-address=::'
## Contour container resource requests and limits
- ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## ref: https://projectcontour.io/guides/resource-limits/
## We usually recommend not to specify default resources and to leave this as a conscious
## choice for the user. This also increases chances charts run on environments with little
## resources, such as Minikube. If you do want to specify resources, uncomment the following
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- ## @param contour.resources.limits [object] Specify resource limits which the container is not allowed to succeed.
- ## @param contour.resources.requests [object] Specify resource requests which the container needs to spawn.
+ ## @param contour.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if contour.resources is set (contour.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "nano"
+ ## @param contour.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
##
resources:
- ## Example:
- ## limits:
- ## cpu: 400m
- ## memory: 258Mi
- ##
- limits: {}
- ## Examples:
- ## requests:
- ## cpu: 100m
- ## memory: 25Mi
- ##
requests:
cpu: 15m
memory: 30Mi
@@ -241,7 +264,7 @@ contour:
##
affinity: {}
## @param contour.nodeSelector [object] Node labels for Contour pod assignment
- ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
##
nodeSelector: {}
## @param contour.tolerations [array] Tolerations for Contour pod assignment
@@ -260,26 +283,48 @@ contour:
serviceAccount:
create: true
name: ""
- automountServiceAccountToken: true
+ automountServiceAccountToken: false
annotations: {}
## Contour Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param contour.podSecurityContext.enabled Default backend Pod securityContext
+ ## @param contour.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param contour.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param contour.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param contour.podSecurityContext.fsGroup Set Default backend Pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
fsGroup: 1001
## Envoy container security context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
- ## @param contour.containerSecurityContext.enabled Envoy Container securityContext
- ## @param contour.containerSecurityContext.runAsUser User ID for the Contour container (to change this, http and https containerPorts must be set to >1024)
- ## @param contour.containerSecurityContext.runAsNonRoot Run as non root
+ ## @param contour.containerSecurityContext.enabled Enabled contour containers' Security Context
+ ## @param contour.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param contour.containerSecurityContext.runAsUser Set contour containers' Security Context runAsUser
+ ## @param contour.containerSecurityContext.runAsGroup Set contour containers' Security Context runAsGroup
+ ## @param contour.containerSecurityContext.runAsNonRoot Set contour containers' Security Context runAsNonRoot
+ ## @param contour.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Conte
+ ## @param contour.containerSecurityContext.privileged Set contour container's Security Context privileged
+ ## @param contour.containerSecurityContext.allowPrivilegeEscalation Set contour container's Security Context allowPrivilegeEscalation
+ ## @param contour.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param contour.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
##
containerSecurityContext:
enabled: true
+ seLinuxOptions: {}
runAsUser: 1001
+ runAsGroup: 1001
runAsNonRoot: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
## @param contour.livenessProbe.enabled Enable/disable the Liveness probe
## @param contour.livenessProbe.initialDelaySeconds Delay before liveness probe is initiated
## @param contour.livenessProbe.periodSeconds How often to perform the probe
@@ -333,11 +378,72 @@ contour:
serviceAccount:
create: true
name: ""
- automountServiceAccountToken: true
+ automountServiceAccountToken: false
annotations: {}
## @param contour.certgen.certificateLifetime Generated certificate lifetime (in days).
##
certificateLifetime: 365
+ ## @param contour.certgen.automountServiceAccountToken Mount Service Account token in pod
+ ##
+ automountServiceAccountToken: true
+ ## Network Policies
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+ ##
+ networkPolicy:
+ ## @param contour.certgen.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param contour.certgen.networkPolicy.allowExternal Don't require server label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## server label will have network access to the ports server is listening
+ ## on. When true, server will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param contour.certgen.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param contour.certgen.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
+ ##
+ kubeAPIServerPorts: [443, 6443, 8443]
+ ## @param contour.certgen.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param contour.certgen.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param contour.certgen.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param contour.certgen.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
## @param contour.tlsExistingSecret Name of the existingSecret to be use in Contour deployment. If it is not nil `contour.certgen` will be disabled.
## It will override `tlsExistingSecret`
##
@@ -402,6 +508,64 @@ contour:
## timeoutSeconds: 300
##
sessionAffinityConfig: {}
+ ## Network Policies
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+ ##
+ networkPolicy:
+ ## @param contour.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param contour.networkPolicy.allowExternal Don't require server label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## server label will have network access to the ports server is listening
+ ## on. When true, server will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param contour.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param contour.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
+ ##
+ kubeAPIServerPorts: [443, 6443, 8443]
+ ## @param contour.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param contour.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param contour.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param contour.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
## @param contour.initContainers [array] Attach additional init containers to Contour pods
## For example:
## initContainers:
@@ -476,6 +640,17 @@ contour:
overloadManager:
enabled: false
maxHeapBytes: "2147483648"
+ ## PodDisruptionBudget for default backend
+ ## Contour Pod Disruption Budget configuration
+ ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+ ## @param contour.pdb.create Enable Pod Disruption Budget configuration
+ ## @param contour.pdb.minAvailable Minimum number/percentage of Default backend pods that should remain scheduled
+ ## @param contour.pdb.maxUnavailable Maximum number/percentage of Default backend pods that should remain scheduled
+ ##
+ pdb:
+ create: true
+ minAvailable: ""
+ maxUnavailable: ""
## @section Envoy parameters
##
envoy:
@@ -484,9 +659,9 @@ contour:
enabled: true
## Bitnami Envoy image
## ref: https://hub.docker.com/r/bitnami/envoy/tags/
- ## @param envoy.image.registry Envoy Proxy image registry
- ## @param envoy.image.repository Envoy Proxy image repository
- ## @param envoy.image.tag Envoy Proxy image tag (immutable tags are recommended)
+ ## @param envoy.image.registry [default: REGISTRY_NAME] Envoy Proxy image registry
+ ## @param envoy.image.repository [default: REPOSITORY_NAME/envoy] Envoy Proxy image repository
+ ## @skip envoy.image.tag Envoy Proxy image tag (immutable tags are recommended)
## @param envoy.image.digest Envoy Proxy image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param envoy.image.pullPolicy Envoy image pull policy
## @param envoy.image.pullSecrets [array] Envoy image pull secrets
@@ -494,11 +669,11 @@ contour:
image:
registry: docker.m.daocloud.io
repository: bitnami/envoy
- tag: 1.26.2-debian-11-r4
+ tag: 1.31.0-debian-12-r3
digest: ""
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
- ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
@@ -525,32 +700,35 @@ contour:
## @param envoy.extraArgs [array] Extra arguments passed to Envoy container
##
extraArgs: []
+ ## @param envoy.automountServiceAccountToken Mount Service Account token in pod
+ ##
+ automountServiceAccountToken: false
## @param envoy.hostAliases [array] Add deployment host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
hostAliases: []
## Envoy container resource requests and limits
- ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## ref: https://projectcontour.io/guides/resource-limits/
## We usually recommend not to specify default resources and to leave this as a conscious
## choice for the user. This also increases chances charts run on environments with little
## resources, such as Minikube. If you do want to specify resources, uncomment the following
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- ## @param envoy.resources.limits [object] Specify resource limits which the container is not allowed to succeed.
- ## @param envoy.resources.requests [object] Specify resource requests which the container needs to spawn.
+ ## @param envoy.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if envoy.resources is set (envoy.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "nano"
+ ## @param envoy.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
##
resources:
- ## Example:
- ## limits:
- ## cpu: 400m
- ## memory: 250Mi
- ##
- limits: {}
- ## Examples:
- ## requests:
- ## cpu: 100m
- ## memory: 25Mi
- ##
requests:
cpu: 15m
memory: 30Mi
@@ -562,27 +740,132 @@ contour:
args: []
## @param envoy.shutdownManager.enabled Contour shutdownManager sidecar
## @param envoy.shutdownManager.extraArgs [array] Extra arguments passed to shutdown container
- ## @param envoy.shutdownManager.port Specify Port for shutdown container
- ## @param envoy.shutdownManager.resources.limits [object] Specify resource limits which the container is not allowed to succeed.
- ## @param envoy.shutdownManager.resources.requests [object] Specify resource requests which the container needs to spawn.
+ ## @param envoy.shutdownManager.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if envoy.shutdownManager.resources is set (envoy.shutdownManager.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ## @param envoy.shutdownManager.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## @param envoy.shutdownManager.containerPorts.http Specify Port for shutdown container
+ ## @param envoy.shutdownManager.lifecycleHooks lifecycleHooks for the container to automate configuration before or after startup.
##
shutdownManager:
+ lifecycleHooks: {}
extraArgs: []
- port: "8090"
enabled: true
- resources:
- ## Example:
- ## limits:
- ## cpu: 50m
- ## memory: 32Mi
- ##
- limits: {}
- ## Examples:
- ## requests:
- ## cpu: 10m
- ## memory: 16Mi
- ##
- requests: {}
+ resourcesPreset: "nano"
+ containerPorts:
+ http: 8090
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ resources: {}
+ ## Shutdown Manager container security context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param envoy.shutdownManager.containerSecurityContext.enabled Enabled envoy shutdownManager containers' Security Context
+ ## @param envoy.shutdownManager.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param envoy.shutdownManager.containerSecurityContext.runAsUser Set envoy shutdownManager containers' Security Context runAsUser
+ ## @param envoy.shutdownManager.containerSecurityContext.runAsGroup Set contour containers' Security Context runAsGroup
+ ## @param envoy.shutdownManager.containerSecurityContext.runAsNonRoot Set envoy shutdownManager containers' Security Context runAsNonRoot
+ ## @param envoy.shutdownManager.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Conte
+ ## @param envoy.shutdownManager.containerSecurityContext.privileged Set envoy.shutdownManager container's Security Context privileged
+ ## @param envoy.shutdownManager.containerSecurityContext.allowPrivilegeEscalation Set envoy shutdownManager container's Security Context allowPrivilegeEscalation
+ ## @param envoy.shutdownManager.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param envoy.shutdownManager.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+ ##
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: {}
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
+ ## @param envoy.shutdownManager.livenessProbe.enabled Enable livenessProbe
+ ## @param envoy.shutdownManager.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param envoy.shutdownManager.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param envoy.shutdownManager.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param envoy.shutdownManager.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param envoy.shutdownManager.livenessProbe.successThreshold Success threshold for livenessProbe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 120
+ periodSeconds: 20
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+ ## @param envoy.shutdownManager.readinessProbe.enabled Enable/disable the readiness probe
+ ## @param envoy.shutdownManager.readinessProbe.initialDelaySeconds Delay before readiness probe is initiated
+ ## @param envoy.shutdownManager.readinessProbe.periodSeconds How often to perform the probe
+ ## @param envoy.shutdownManager.readinessProbe.timeoutSeconds When the probe times out
+ ## @param envoy.shutdownManager.readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
+ ## @param envoy.shutdownManager.readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
+ ##
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 10
+ periodSeconds: 3
+ timeoutSeconds: 1
+ failureThreshold: 3
+ successThreshold: 1
+ ## @param envoy.shutdownManager.startupProbe.enabled Enable/disable the startup probe
+ ## @param envoy.shutdownManager.startupProbe.initialDelaySeconds Delay before startup probe is initiated
+ ## @param envoy.shutdownManager.startupProbe.periodSeconds How often to perform the probe
+ ## @param envoy.shutdownManager.startupProbe.timeoutSeconds When the probe times out
+ ## @param envoy.shutdownManager.startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
+ ## @param envoy.shutdownManager.startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
+ ##
+ startupProbe:
+ enabled: false
+ initialDelaySeconds: 15
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 3
+ successThreshold: 1
+ ## @param envoy.shutdownManager.customLivenessProbe Override default liveness probe
+ ##
+ customLivenessProbe: {}
+ ## @param envoy.shutdownManager.customReadinessProbe Override default readiness probe
+ ##
+ customReadinessProbe: {}
+ ## @param envoy.shutdownManager.customStartupProbe Override default startup probe
+ ##
+ customStartupProbe: {}
+ ## Envoy Initconfig initcontainer security context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param envoy.initConfig.containerSecurityContext.enabled Enabled envoy initConfig containers' Security Context
+ ## @param envoy.initConfig.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param envoy.initConfig.containerSecurityContext.runAsUser Set envoy initConfig containers' Security Context runAsUser
+ ## @param envoy.initConfig.containerSecurityContext.runAsGroup Set envoy initConfig containers' Security Context runAsUser
+ ## @param envoy.initConfig.containerSecurityContext.runAsNonRoot Set envoy initConfig containers' Security Context runAsNonRoot
+ ## @param envoy.initConfig.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Conte
+ ## @param envoy.initConfig.containerSecurityContext.privileged Set contraller container's Security Context privileged
+ ## @param envoy.initConfig.containerSecurityContext.allowPrivilegeEscalation Set contraller container's Security Context allowPrivilegeEscalation
+ ## @param envoy.initConfig.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param envoy.initConfig.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+ ##
+ initConfig:
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: {}
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
## @param envoy.kind Install as deployment or daemonset
##
kind: deployment
@@ -615,6 +898,7 @@ contour:
## @param envoy.autoscaling.maxReplicas Maximum number of Controller replicas
## @param envoy.autoscaling.targetCPU Target CPU utilization percentage
## @param envoy.autoscaling.targetMemory Target Memory utilization percentage
+ ## @param envoy.autoscaling.behavior HPA Behavior
##
autoscaling:
enabled: false
@@ -622,6 +906,7 @@ contour:
maxReplicas: 11
targetCPU: ""
targetMemory: ""
+ behavior: {}
## @param envoy.podAffinityPreset Envoy Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
## Allowed values: soft, hard
@@ -668,7 +953,7 @@ contour:
matchLabels:
app.kubernetes.io/instance: metallb
## @param envoy.nodeSelector [object] Node labels for Envoy pod assignment
- ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
##
nodeSelector: {}
## @param envoy.tolerations [array] Tolerations for Envoy pod assignment
@@ -686,23 +971,43 @@ contour:
## Pod security context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param envoy.podSecurityContext.enabled Envoy Pod securityContext
+ ## @param envoy.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param envoy.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param envoy.podSecurityContext.fsGroup User ID for the for the mounted volumes
## @param envoy.podSecurityContext.sysctls Array of sysctl options to allow
##
podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ supplementalGroups: []
fsGroup: 0
sysctls: []
- enabled: false
## Envoy container security context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
- ## @param envoy.containerSecurityContext.enabled Envoy Container securityContext
- ## @param envoy.containerSecurityContext.runAsUser User ID for the Envoy container (to change this, http and https containerPorts must be set to >1024)
- ## @param envoy.containerSecurityContext.runAsNonRoot Run as non root
+ ## @param envoy.containerSecurityContext.enabled Enabled envoy containers' Security Context
+ ## @param envoy.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param envoy.containerSecurityContext.runAsUser Set envoy containers' Security Context runAsUser
+ ## @param envoy.containerSecurityContext.runAsGroup Set envoy containers' Security Context runAsGroup
+ ## @param envoy.containerSecurityContext.runAsNonRoot Set envoy containers' Security Context runAsNonRoot
+ ## @param envoy.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Conte
+ ## @param envoy.containerSecurityContext.privileged Set envoy container's Security Context privileged
+ ## @param envoy.containerSecurityContext.allowPrivilegeEscalation Set envoy container's Security Context allowPrivilegeEscalation
+ ## @param envoy.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param envoy.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
##
containerSecurityContext:
enabled: true
+ seLinuxOptions: {}
runAsUser: 1001
+ runAsGroup: 1001
runAsNonRoot: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
## @param envoy.hostNetwork Envoy Pod host network access
## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
##
@@ -794,11 +1099,30 @@ contour:
## @param envoy.service.name envoy service name
##
name: ""
+ ## The multi az feature renders multiple service, so you could attach different service provider loadbalancer to it.
+ ## This feature is primarily used to achieve a high availability with multiple loadbalancer
+ ## @param envoy.service.multiAz.enabled enables the rendering of the multiple services
+ ## @param envoy.service.multiAz.zones defines different zones their annotations and loadBalancerIPs
+ ##
+ multiAz:
+ enabled: false
+ zones: []
+ ## Example
+ ## - name: "zone1"
+ ## loadBalancerIP: "1.2.3.4"
+ ## annotations:
+ ## service.beta.kubernetes.io/loadbalancer-zone: zone1
+ ## - name: "zone2"
+ ## loadBalancerIP: "5.6.7.8"
+ ## annotations:
+ ## service.beta.kubernetes.io/loadbalancer-zone: zone2
+ ##
## @param envoy.service.targetPorts [object] Map the controller service HTTP/HTTPS port
##
targetPorts:
http: http
https: https
+ metrics: metrics
## @param envoy.service.type Type of Envoy service to create
##
type: LoadBalancer
@@ -829,6 +1153,13 @@ contour:
## @param envoy.service.ipFamilyPolicy [string], support SingleStack, PreferDualStack and RequireDualStack
##
ipFamilyPolicy: "SingleStack"
+ ## @param envoy.service.ipFamilies [array] List of IP families (e.g. IPv4, IPv6) assigned to the service.
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/
+ ## E.g.
+ ## ipFamilies:
+ ## - IPv6
+ ##
+ ipFamilies: []
## @param envoy.service.annotations [object] Annotations for Envoy service
##
annotations: {}
@@ -839,6 +1170,9 @@ contour:
## @param envoy.service.ports.https Sets service https port
##
https: 443
+ ## @param envoy.service.ports.metrics Sets service metrics port
+ ##
+ metrics: 8002
## Specify the nodePort(s) value(s) for the LoadBalancer and NodePort service types.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
## @param envoy.service.nodePorts.http HTTP Port. If `envoy.service.type` is NodePort and this is non-empty
@@ -862,7 +1196,64 @@ contour:
## timeoutSeconds: 300
##
sessionAffinityConfig: {}
- ## @param envoy.useHostPort Enable/disable `hostPort` for TCP/80 and TCP/443
+ ## Network Policies
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+ ##
+ networkPolicy:
+ ## @param envoy.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param envoy.networkPolicy.allowExternal Don't require server label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## server label will have network access to the ports server is listening
+ ## on. When true, server will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param envoy.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param envoy.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param envoy.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param envoy.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param envoy.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
+ ## @param envoy.useHostPort.http Enable/disable `hostPort` for TCP/80
+ ## @param envoy.useHostPort.https Enable/disable `hostPort` TCP/443
+ ## @param envoy.useHostPort.metrics Enable/disable `hostPort` for TCP/8002
##
useHostPort: false
## @param envoy.useHostIP Enable/disable `hostIP`
@@ -931,6 +1322,17 @@ contour:
## @param envoy.extraEnvVarsSecret Secret containing extra env vars to be added to all Envoy containers
##
extraEnvVarsSecret: ""
+ ## PodDisruptionBudget for default backend
+ ## Envoy Pod Disruption Budget configuration
+ ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+ ## @param envoy.pdb.create Enable Pod Disruption Budget configuration
+ ## @param envoy.pdb.minAvailable Minimum number/percentage of Default backend pods that should remain scheduled
+ ## @param envoy.pdb.maxUnavailable Maximum number/percentage of Default backend pods that should remain scheduled
+ ##
+ pdb:
+ create: true
+ minAvailable: ""
+ maxUnavailable: ""
## @section Default backend parameters
##
@@ -942,9 +1344,9 @@ contour:
enabled: false
## Bitnami NGINX image
## ref: https://hub.docker.com/r/bitnami/nginx/tags/
- ## @param defaultBackend.image.registry Default backend image registry
- ## @param defaultBackend.image.repository Default backend image name
- ## @param defaultBackend.image.tag Default backend image tag
+ ## @param defaultBackend.image.registry [default: REGISTRY_NAME] Default backend image registry
+ ## @param defaultBackend.image.repository [default: REPOSITORY_NAME/nginx] Default backend image name
+ ## @skip defaultBackend.image.tag Default backend image tag
## @param defaultBackend.image.digest Default backend image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param defaultBackend.image.pullPolicy Image pull policy
## @param defaultBackend.image.pullSecrets [array] Specify docker-registry secret names as an array
@@ -952,11 +1354,11 @@ contour:
image:
registry: docker.io
repository: bitnami/nginx
- tag: 1.25.1-debian-11-r1
+ tag: 1.27.1-debian-12-r3
digest: ""
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
- ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
@@ -1036,42 +1438,63 @@ contour:
## Default backend pods' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param defaultBackend.podSecurityContext.enabled Default backend Pod securityContext
+ ## @param defaultBackend.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param defaultBackend.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param defaultBackend.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param defaultBackend.podSecurityContext.fsGroup Set Default backend Pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
fsGroup: 1001
## Default backend containers' Security Context (only main container)
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
- ## @param defaultBackend.containerSecurityContext.enabled Default backend container securityContext
- ## @param defaultBackend.containerSecurityContext.runAsUser User ID for the Envoy container (to change this, http and https containerPorts must be set to >1024)
- ## @param defaultBackend.containerSecurityContext.runAsNonRoot Run as non root
+ ## @param defaultBackend.containerSecurityContext.enabled Enabled defaultBackend containers' Security Context
+ ## @param defaultBackend.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param defaultBackend.containerSecurityContext.runAsUser Set defaultBackend containers' Security Context runAsUser
+ ## @param defaultBackend.containerSecurityContext.runAsGroup Set defaultBackend containers' Security Context runAsGroup
+ ## @param defaultBackend.containerSecurityContext.runAsNonRoot Set defaultBackend containers' Security Context runAsNonRoot
+ ## @param defaultBackend.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Conte
+ ## @param defaultBackend.containerSecurityContext.privileged Set defaultBackend container's Security Context privileged
+ ## @param defaultBackend.containerSecurityContext.allowPrivilegeEscalation Set defaultBackend container's Security Context allowPrivilegeEscalation
+ ## @param defaultBackend.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param defaultBackend.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
##
containerSecurityContext:
enabled: true
+ seLinuxOptions: {}
runAsUser: 1001
+ runAsGroup: 1001
runAsNonRoot: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
## Default backend containers' resource requests and limits
- ## ref: https://kubernetes.io/docs/user-guide/compute-resources
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## We usually recommend not to specify default resources and to leave this as a conscious
## choice for the user. This also increases chances charts run on environments with little
## resources, such as Minikube.
- ## @param defaultBackend.resources.limits [object] The resources limits for the Default backend container
- ## @param defaultBackend.resources.requests [object] The requested resources for the Default backend container
+ ## @param defaultBackend.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if defaultBackend.resources is set (defaultBackend.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
- resources:
- ## Example:
- ## limits:
- ## cpu: 250m
- ## memory: 256Mi
- ##
- limits: {}
- ## Examples:
- ## requests:
- ## cpu: 250m
- ## memory: 256Mi
- ##
- requests: {}
+ resourcesPreset: "nano"
+ ## @param defaultBackend.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
## Default backend containers' liveness probe. Evaluated as a template.
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
## @param defaultBackend.livenessProbe.enabled Enable livenessProbe
@@ -1185,7 +1608,7 @@ contour:
##
affinity: {}
## @param defaultBackend.nodeSelector [object] Node labels for pod assignment. Evaluated as a template.
- ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
##
nodeSelector: {}
## @param defaultBackend.tolerations [array] Tolerations for pod assignment. Evaluated as a template.
@@ -1202,6 +1625,61 @@ contour:
ports:
http: 80
annotations: {}
+ ## Network Policies
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+ ##
+ networkPolicy:
+ ## @param defaultBackend.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param defaultBackend.networkPolicy.allowExternal Don't require server label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## server label will have network access to the ports server is listening
+ ## on. When true, server will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param defaultBackend.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param defaultBackend.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param defaultBackend.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param defaultBackend.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param defaultBackend.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
## PodDisruptionBudget for default backend
## Default backend Pod Disruption Budget configuration
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
@@ -1210,14 +1688,14 @@ contour:
## @param defaultBackend.pdb.maxUnavailable Maximum number/percentage of Default backend pods that should remain scheduled
##
pdb:
- create: false
- minAvailable: 1
+ create: true
+ minAvailable: ""
maxUnavailable: ""
## Ingress parameters
##
ingress:
## @param ingress.enabled Ingress configuration enabled
- ## Ref: https://kubernetes.io/docs/user-guide/ingress/
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
## Enable Ingress.
##