mirror of
https://github.com/fluxcd/flagger.git
synced 2026-03-02 17:51:00 +00:00
1028 lines
43 KiB
Go
1028 lines
43 KiB
Go
// Copyright Project Contour Authors
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package v1
|
|
|
|
import (
|
|
corev1 "k8s.io/api/core/v1"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
)
|
|
|
|
// HTTPProxySpec defines the spec of the CRD.
|
|
type HTTPProxySpec struct {
|
|
// Virtualhost appears at most once. If it is present, the object is considered
|
|
// to be a "root" HTTPProxy.
|
|
// +optional
|
|
VirtualHost *VirtualHost `json:"virtualhost,omitempty"`
|
|
// Routes are the ingress routes. If TCPProxy is present, Routes is ignored.
|
|
// +optional
|
|
Routes []Route `json:"routes,omitempty"`
|
|
// TCPProxy holds TCP proxy information.
|
|
// +optional
|
|
TCPProxy *TCPProxy `json:"tcpproxy,omitempty"`
|
|
// Includes allow for specific routing configuration to be included from another HTTPProxy,
|
|
// possibly in another namespace.
|
|
// +optional
|
|
Includes []Include `json:"includes,omitempty"`
|
|
// IngressClassName optionally specifies the ingress class to use for this
|
|
// HTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class`
|
|
// annotation. For backwards compatibility, when that annotation is set, it
|
|
// is given precedence over this field.
|
|
// +optional
|
|
IngressClassName string `json:"ingressClassName,omitempty"`
|
|
}
|
|
|
|
// Include describes a set of policies that can be applied to an HTTPProxy in a namespace.
|
|
type Include struct {
|
|
// Name of the HTTPProxy
|
|
Name string `json:"name"`
|
|
// Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied.
|
|
// +optional
|
|
Namespace string `json:"namespace,omitempty"`
|
|
// Conditions are a set of rules that are applied to included HTTPProxies.
|
|
// In effect, they are added onto the Conditions of included HTTPProxy Route
|
|
// structs.
|
|
// When applied, they are merged using AND, with one exception:
|
|
// There can be only one Prefix MatchCondition per Conditions slice.
|
|
// More than one Prefix, or contradictory Conditions, will make the
|
|
// include invalid.
|
|
// +optional
|
|
Conditions []MatchCondition `json:"conditions,omitempty"`
|
|
}
|
|
|
|
// MatchCondition are a general holder for matching rules for HTTPProxies.
|
|
// One of Prefix or Header must be provided.
|
|
type MatchCondition struct {
|
|
// Prefix defines a prefix match for a request.
|
|
// +optional
|
|
Prefix string `json:"prefix,omitempty"`
|
|
|
|
// Header specifies the header condition to match.
|
|
// +optional
|
|
Header *HeaderMatchCondition `json:"header,omitempty"`
|
|
}
|
|
|
|
// HeaderMatchCondition specifies how to conditionally match against HTTP
|
|
// headers. The Name field is required, but only one of the remaining
|
|
// fields should be be provided.
|
|
type HeaderMatchCondition struct {
|
|
// Name is the name of the header to match against. Name is required.
|
|
// Header names are case insensitive.
|
|
Name string `json:"name"`
|
|
|
|
// Present specifies that condition is true when the named header
|
|
// is present, regardless of its value. Note that setting Present
|
|
// to false does not make the condition true if the named header
|
|
// is absent.
|
|
// +optional
|
|
Present bool `json:"present,omitempty"`
|
|
|
|
// NotPresent specifies that condition is true when the named header
|
|
// is not present. Note that setting NotPresent to false does not
|
|
// make the condition true if the named header is present.
|
|
// +optional
|
|
NotPresent bool `json:"notpresent,omitempty"`
|
|
|
|
// Contains specifies a substring that must be present in
|
|
// the header value.
|
|
// +optional
|
|
Contains string `json:"contains,omitempty"`
|
|
|
|
// NotContains specifies a substring that must not be present
|
|
// in the header value.
|
|
// +optional
|
|
NotContains string `json:"notcontains,omitempty"`
|
|
|
|
// Exact specifies a string that the header value must be equal to.
|
|
// +optional
|
|
Exact string `json:"exact,omitempty"`
|
|
|
|
// NoExact specifies a string that the header value must not be
|
|
// equal to. The condition is true if the header has any other value.
|
|
// +optional
|
|
NotExact string `json:"notexact,omitempty"`
|
|
}
|
|
|
|
// ExtensionServiceReference names an ExtensionService resource.
|
|
type ExtensionServiceReference struct {
|
|
// API version of the referent.
|
|
// If this field is not specified, the default "projectcontour.io/v1alpha1" will be used
|
|
//
|
|
// +optional
|
|
// +kubebuilder:validation:MinLength=1
|
|
APIVersion string `json:"apiVersion,omitempty" protobuf:"bytes,5,opt,name=apiVersion"`
|
|
|
|
// Namespace of the referent.
|
|
// If this field is not specifies, the namespace of the resource that targets the referent will be used.
|
|
//
|
|
// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
|
|
//
|
|
// +optional
|
|
// +kubebuilder:validation:MinLength=1
|
|
Namespace string `json:"namespace,omitempty" protobuf:"bytes,2,opt,name=namespace"`
|
|
|
|
// Name of the referent.
|
|
//
|
|
// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|
//
|
|
// +required
|
|
// +kubebuilder:validation:MinLength=1
|
|
Name string `json:"name,omitempty" protobuf:"bytes,3,opt,name=name"`
|
|
}
|
|
|
|
// AuthorizationServer configures an external server to authenticate
|
|
// client requests. The external server must implement the v3 Envoy
|
|
// external authorization GRPC protocol (https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto).
|
|
type AuthorizationServer struct {
|
|
// ExtensionServiceRef specifies the extension resource that will authorize client requests.
|
|
//
|
|
// +required
|
|
ExtensionServiceRef ExtensionServiceReference `json:"extensionRef"`
|
|
|
|
// AuthPolicy sets a default authorization policy for client requests.
|
|
// This policy will be used unless overridden by individual routes.
|
|
//
|
|
// +optional
|
|
AuthPolicy *AuthorizationPolicy `json:"authPolicy,omitempty"`
|
|
|
|
// ResponseTimeout configures maximum time to wait for a check response from the authorization server.
|
|
// Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
|
|
// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
|
|
// The string "infinity" is also a valid input and specifies no timeout.
|
|
//
|
|
// +optional
|
|
// +kubebuilder:validation:Pattern=`^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$`
|
|
ResponseTimeout string `json:"responseTimeout,omitempty"`
|
|
|
|
// If FailOpen is true, the client request is forwarded to the upstream service
|
|
// even if the authorization server fails to respond. This field should not be
|
|
// set in most cases. It is intended for use only while migrating applications
|
|
// from internal authorization to Contour external authorization.
|
|
//
|
|
// +optional
|
|
FailOpen bool `json:"failOpen,omitempty"`
|
|
|
|
// WithRequestBody specifies configuration for sending the client request's body to authorization server.
|
|
// +optional
|
|
WithRequestBody *AuthorizationServerBufferSettings `json:"withRequestBody,omitempty"`
|
|
}
|
|
|
|
// AuthorizationServerBufferSettings enables ExtAuthz filter to buffer client request data and send it as part of authorization request
|
|
type AuthorizationServerBufferSettings struct {
|
|
// MaxRequestBytes sets the maximum size of message body ExtAuthz filter will hold in-memory.
|
|
// +optional
|
|
// +kubebuilder:validation:Minimum=1
|
|
// +kubebuilder:default=1024
|
|
MaxRequestBytes uint32 `json:"maxRequestBytes,omitempty"`
|
|
|
|
// If AllowPartialMessage is true, then Envoy will buffer the body until MaxRequestBytes are reached.
|
|
// +optional
|
|
AllowPartialMessage bool `json:"allowPartialMessage,omitempty"`
|
|
|
|
// If PackAsBytes is true, the body sent to Authorization Server is in raw bytes.
|
|
// +optional
|
|
PackAsBytes bool `json:"packAsBytes,omitempty"`
|
|
}
|
|
|
|
// AuthorizationPolicy modifies how client requests are authenticated.
|
|
type AuthorizationPolicy struct {
|
|
// When true, this field disables client request authentication
|
|
// for the scope of the policy.
|
|
//
|
|
// +optional
|
|
Disabled bool `json:"disabled,omitempty"`
|
|
|
|
// Context is a set of key/value pairs that are sent to the
|
|
// authentication server in the check request. If a context
|
|
// is provided at an enclosing scope, the entries are merged
|
|
// such that the inner scope overrides matching keys from the
|
|
// outer scope.
|
|
//
|
|
// +optional
|
|
Context map[string]string `json:"context,omitempty"`
|
|
}
|
|
|
|
// VirtualHost appears at most once. If it is present, the object is considered
|
|
// to be a "root".
|
|
type VirtualHost struct {
|
|
// The fully qualified domain name of the root of the ingress tree
|
|
// all leaves of the DAG rooted at this object relate to the fqdn.
|
|
//
|
|
// +kubebuilder:validation:Pattern="^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
|
|
Fqdn string `json:"fqdn"`
|
|
|
|
// If present the fields describes TLS properties of the virtual
|
|
// host. The SNI names that will be matched on are described in fqdn,
|
|
// the tls.secretName secret must contain a certificate that itself
|
|
// contains a name that matches the FQDN.
|
|
//
|
|
// +optional
|
|
TLS *TLS `json:"tls,omitempty"`
|
|
|
|
// This field configures an extension service to perform
|
|
// authorization for this virtual host. Authorization can
|
|
// only be configured on virtual hosts that have TLS enabled.
|
|
// If the TLS configuration requires client certificate
|
|
// validation, the client certificate is always included in the
|
|
// authentication check request.
|
|
//
|
|
// +optional
|
|
Authorization *AuthorizationServer `json:"authorization,omitempty"`
|
|
// Specifies the cross-origin policy to apply to the VirtualHost.
|
|
// +optional
|
|
CORSPolicy *CORSPolicy `json:"corsPolicy,omitempty"`
|
|
// The policy for rate limiting on the virtual host.
|
|
// +optional
|
|
RateLimitPolicy *RateLimitPolicy `json:"rateLimitPolicy,omitempty"`
|
|
}
|
|
|
|
// TLS describes tls properties. The SNI names that will be matched on
|
|
// are described in the HTTPProxy's Spec.VirtualHost.Fqdn field.
|
|
type TLS struct {
|
|
// SecretName is the name of a TLS secret in the current namespace.
|
|
// Either SecretName or Passthrough must be specified, but not both.
|
|
// If specified, the named secret must contain a matching certificate
|
|
// for the virtual host's FQDN.
|
|
SecretName string `json:"secretName,omitempty"`
|
|
// MinimumProtocolVersion is the minimum TLS version this vhost should
|
|
// negotiate. Valid options are `1.2` (default) and `1.3`. Any other value
|
|
// defaults to TLS 1.2.
|
|
// +optional
|
|
MinimumProtocolVersion string `json:"minimumProtocolVersion,omitempty"`
|
|
// Passthrough defines whether the encrypted TLS handshake will be
|
|
// passed through to the backing cluster. Either Passthrough or
|
|
// SecretName must be specified, but not both.
|
|
// +optional
|
|
Passthrough bool `json:"passthrough,omitempty"`
|
|
// ClientValidation defines how to verify the client certificate
|
|
// when an external client establishes a TLS connection to Envoy.
|
|
//
|
|
// This setting:
|
|
//
|
|
// 1. Enables TLS client certificate validation.
|
|
// 2. Specifies how the client certificate will be validated (i.e.
|
|
// validation required or skipped).
|
|
//
|
|
// Note: Setting client certificate validation to be skipped should
|
|
// be only used in conjunction with an external authorization server that
|
|
// performs client validation as Contour will ensure client certificates
|
|
// are passed along.
|
|
//
|
|
// +optional
|
|
ClientValidation *DownstreamValidation `json:"clientValidation,omitempty"`
|
|
|
|
// EnableFallbackCertificate defines if the vhost should allow a default certificate to
|
|
// be applied which handles all requests which don't match the SNI defined in this vhost.
|
|
EnableFallbackCertificate bool `json:"enableFallbackCertificate,omitempty"`
|
|
}
|
|
|
|
// CORSHeaderValue specifies the value of the string headers returned by a cross-domain request.
|
|
// +kubebuilder:validation:Pattern="^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$"
|
|
type CORSHeaderValue string
|
|
|
|
// CORSPolicy allows setting the CORS policy
|
|
type CORSPolicy struct {
|
|
// Specifies whether the resource allows credentials.
|
|
// +optional
|
|
AllowCredentials bool `json:"allowCredentials,omitempty"`
|
|
// AllowOrigin specifies the origins that will be allowed to do CORS requests. "*" means
|
|
// allow any origin.
|
|
// +kubebuilder:validation:Required
|
|
AllowOrigin []string `json:"allowOrigin"`
|
|
// AllowMethods specifies the content for the *access-control-allow-methods* header.
|
|
// +kubebuilder:validation:Required
|
|
AllowMethods []CORSHeaderValue `json:"allowMethods"`
|
|
// AllowHeaders specifies the content for the *access-control-allow-headers* header.
|
|
// +optional
|
|
AllowHeaders []CORSHeaderValue `json:"allowHeaders,omitempty"`
|
|
// ExposeHeaders Specifies the content for the *access-control-expose-headers* header.
|
|
// +optional
|
|
ExposeHeaders []CORSHeaderValue `json:"exposeHeaders,omitempty"`
|
|
// MaxAge indicates for how long the results of a preflight request can be cached.
|
|
// MaxAge durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
|
|
// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
|
|
// Only positive values are allowed while 0 disables the cache requiring a preflight OPTIONS
|
|
// check for all cross-origin requests.
|
|
// +optional
|
|
MaxAge string `json:"maxAge,omitempty"`
|
|
}
|
|
|
|
// Route contains the set of routes for a virtual host.
|
|
type Route struct {
|
|
// Conditions are a set of rules that are applied to a Route.
|
|
// When applied, they are merged using AND, with one exception:
|
|
// There can be only one Prefix MatchCondition per Conditions slice.
|
|
// More than one Prefix, or contradictory Conditions, will make the
|
|
// route invalid.
|
|
// +optional
|
|
Conditions []MatchCondition `json:"conditions,omitempty"`
|
|
// Services are the services to proxy traffic.
|
|
// +optional
|
|
Services []Service `json:"services,omitempty"`
|
|
// Enables websocket support for the route.
|
|
// +optional
|
|
EnableWebsockets bool `json:"enableWebsockets,omitempty"`
|
|
// Allow this path to respond to insecure requests over HTTP which are normally
|
|
// not permitted when a `virtualhost.tls` block is present.
|
|
// +optional
|
|
PermitInsecure bool `json:"permitInsecure,omitempty"`
|
|
// AuthPolicy updates the authorization policy that was set
|
|
// on the root HTTPProxy object for client requests that
|
|
// match this route.
|
|
// +optional
|
|
AuthPolicy *AuthorizationPolicy `json:"authPolicy,omitempty"`
|
|
// The timeout policy for this route.
|
|
// +optional
|
|
TimeoutPolicy *TimeoutPolicy `json:"timeoutPolicy,omitempty"`
|
|
// The retry policy for this route.
|
|
// +optional
|
|
RetryPolicy *RetryPolicy `json:"retryPolicy,omitempty"`
|
|
// The health check policy for this route.
|
|
// +optional
|
|
HealthCheckPolicy *HTTPHealthCheckPolicy `json:"healthCheckPolicy,omitempty"`
|
|
// The load balancing policy for this route.
|
|
// +optional
|
|
LoadBalancerPolicy *LoadBalancerPolicy `json:"loadBalancerPolicy,omitempty"`
|
|
// The policy for rewriting the path of the request URL
|
|
// after the request has been routed to a Service.
|
|
//
|
|
// +optional
|
|
PathRewritePolicy *PathRewritePolicy `json:"pathRewritePolicy,omitempty"`
|
|
// The policy for managing request headers during proxying.
|
|
// +optional
|
|
RequestHeadersPolicy *HeadersPolicy `json:"requestHeadersPolicy,omitempty"`
|
|
// The policy for managing response headers during proxying.
|
|
// Rewriting the 'Host' header is not supported.
|
|
// +optional
|
|
ResponseHeadersPolicy *HeadersPolicy `json:"responseHeadersPolicy,omitempty"`
|
|
// The policies for rewriting Set-Cookie header attributes. Note that
|
|
// rewritten cookie names must be unique in this list. Order rewrite
|
|
// policies are specified in does not matter.
|
|
// +optional
|
|
CookieRewritePolicies []CookieRewritePolicy `json:"cookieRewritePolicies,omitempty"`
|
|
// The policy for rate limiting on the route.
|
|
// +optional
|
|
RateLimitPolicy *RateLimitPolicy `json:"rateLimitPolicy,omitempty"`
|
|
|
|
// RequestRedirectPolicy defines an HTTP redirection.
|
|
// +optional
|
|
RequestRedirectPolicy *HTTPRequestRedirectPolicy `json:"requestRedirectPolicy,omitempty"`
|
|
}
|
|
|
|
// HTTPRequestRedirectPolicy defines configuration for redirecting a request.
|
|
type HTTPRequestRedirectPolicy struct {
|
|
// Scheme is the scheme to be used in the value of the `Location`
|
|
// header in the response.
|
|
// When empty, the scheme of the request is used.
|
|
// +optional
|
|
// +kubebuilder:validation:Enum=http;https
|
|
Scheme *string `json:"scheme,omitempty"`
|
|
|
|
// Hostname is the precise hostname to be used in the value of the `Location`
|
|
// header in the response.
|
|
// When empty, the hostname of the request is used.
|
|
// No wildcards are allowed.
|
|
// +optional
|
|
// +kubebuilder:validation:MinLength=1
|
|
// +kubebuilder:validation:MaxLength=253
|
|
// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`
|
|
Hostname *string `json:"hostname,omitempty"`
|
|
|
|
// Port is the port to be used in the value of the `Location`
|
|
// header in the response.
|
|
// When empty, port (if specified) of the request is used.
|
|
// +optional
|
|
// +kubebuilder:validation:Minimum=1
|
|
// +kubebuilder:validation:Maximum=65535
|
|
Port *int32 `json:"port,omitempty"`
|
|
|
|
// StatusCode is the HTTP status code to be used in response.
|
|
// +optional
|
|
// +kubebuilder:default=302
|
|
// +kubebuilder:validation:Enum=301;302
|
|
StatusCode *int `json:"statusCode,omitempty"`
|
|
|
|
// Path allows for redirection to a different path from the
|
|
// original on the request. The path must start with a
|
|
// leading slash.
|
|
//
|
|
// Note: Only one of Path or Prefix can be defined.
|
|
//
|
|
// +optional
|
|
// +kubebuilder:validation:Pattern=`^\/.*$`
|
|
Path *string `json:"path,omitempty"`
|
|
|
|
// Prefix defines the value to swap the matched prefix or path with.
|
|
// The prefix must start with a leading slash.
|
|
//
|
|
// Note: Only one of Path or Prefix can be defined.
|
|
//
|
|
// +optional
|
|
// +kubebuilder:validation:Pattern=`^\/.*$`
|
|
Prefix *string `json:"prefix,omitempty"`
|
|
}
|
|
|
|
type CookieRewritePolicy struct {
|
|
// Name is the name of the cookie for which attributes will be rewritten.
|
|
// +kubebuilder:validation:MinLength=1
|
|
// +kubebuilder:validation:MaxLength=4096
|
|
// +kubebuilder:validation:Pattern=`^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$`
|
|
Name string `json:"name"`
|
|
|
|
// PathRewrite enables rewriting the Set-Cookie Path element.
|
|
// If not set, Path will not be rewritten.
|
|
// +optional
|
|
PathRewrite *CookiePathRewrite `json:"pathRewrite,omitempty"`
|
|
|
|
// DomainRewrite enables rewriting the Set-Cookie Domain element.
|
|
// If not set, Domain will not be rewritten.
|
|
// +optional
|
|
DomainRewrite *CookieDomainRewrite `json:"domainRewrite,omitempty"`
|
|
|
|
// Secure enables rewriting the Set-Cookie Secure element.
|
|
// If not set, Secure attribute will not be rewritten.
|
|
// +optional
|
|
Secure *bool `json:"secure,omitempty"`
|
|
|
|
// SameSite enables rewriting the Set-Cookie SameSite element.
|
|
// If not set, SameSite attribute will not be rewritten.
|
|
// +optional
|
|
// +kubebuilder:validation:Enum=Strict;Lax;None
|
|
SameSite *string `json:"sameSite,omitempty"`
|
|
}
|
|
|
|
type CookiePathRewrite struct {
|
|
// Value is the value to rewrite the Path attribute to.
|
|
// For now this is required.
|
|
// +required
|
|
// +kubebuilder:validation:MinLength=1
|
|
// +kubebuilder:validation:MaxLength=4096
|
|
// +kubebuilder:validation:Pattern=`^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$`
|
|
Value string `json:"value"`
|
|
}
|
|
|
|
type CookieDomainRewrite struct {
|
|
// Value is the value to rewrite the Domain attribute to.
|
|
// For now this is required.
|
|
// +required
|
|
// +kubebuilder:validation:MinLength=1
|
|
// +kubebuilder:validation:MaxLength=4096
|
|
// +kubebuilder:validation:Pattern="^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
|
|
Value string `json:"value"`
|
|
}
|
|
|
|
// RateLimitPolicy defines rate limiting parameters.
|
|
type RateLimitPolicy struct {
|
|
// Local defines local rate limiting parameters, i.e. parameters
|
|
// for rate limiting that occurs within each Envoy pod as requests
|
|
// are handled.
|
|
// +optional
|
|
Local *LocalRateLimitPolicy `json:"local,omitempty"`
|
|
|
|
// Global defines global rate limiting parameters, i.e. parameters
|
|
// defining descriptors that are sent to an external rate limit
|
|
// service (RLS) for a rate limit decision on each request.
|
|
// +optional
|
|
Global *GlobalRateLimitPolicy `json:"global,omitempty"`
|
|
}
|
|
|
|
// LocalRateLimitPolicy defines local rate limiting parameters.
|
|
type LocalRateLimitPolicy struct {
|
|
// Requests defines how many requests per unit of time should
|
|
// be allowed before rate limiting occurs.
|
|
// +required
|
|
// +kubebuilder:validation:Minimum=1
|
|
Requests uint32 `json:"requests"`
|
|
|
|
// Unit defines the period of time within which requests
|
|
// over the limit will be rate limited. Valid values are
|
|
// "second", "minute" and "hour".
|
|
// +kubebuilder:validation:Enum=second;minute;hour
|
|
// +required
|
|
Unit string `json:"unit"`
|
|
|
|
// Burst defines the number of requests above the requests per
|
|
// unit that should be allowed within a short period of time.
|
|
// +optional
|
|
Burst uint32 `json:"burst,omitempty"`
|
|
|
|
// ResponseStatusCode is the HTTP status code to use for responses
|
|
// to rate-limited requests. Codes must be in the 400-599 range
|
|
// (inclusive). If not specified, the Envoy default of 429 (Too
|
|
// Many Requests) is used.
|
|
// +optional
|
|
// +kubebuilder:validation:Minimum=400
|
|
// +kubebuilder:validation:Maximum=599
|
|
ResponseStatusCode uint32 `json:"responseStatusCode,omitempty"`
|
|
|
|
// ResponseHeadersToAdd is an optional list of response headers to
|
|
// set when a request is rate-limited.
|
|
// +optional
|
|
ResponseHeadersToAdd []HeaderValue `json:"responseHeadersToAdd,omitempty"`
|
|
}
|
|
|
|
// GlobalRateLimitPolicy defines global rate limiting parameters.
|
|
type GlobalRateLimitPolicy struct {
|
|
// Descriptors defines the list of descriptors that will
|
|
// be generated and sent to the rate limit service. Each
|
|
// descriptor contains 1+ key-value pair entries.
|
|
// +required
|
|
// +kubebuilder:validation:MinItems=1
|
|
Descriptors []RateLimitDescriptor `json:"descriptors,omitempty"`
|
|
}
|
|
|
|
// RateLimitDescriptor defines a list of key-value pair generators.
|
|
type RateLimitDescriptor struct {
|
|
// Entries is the list of key-value pair generators.
|
|
// +required
|
|
// +kubebuilder:validation:MinItems=1
|
|
Entries []RateLimitDescriptorEntry `json:"entries,omitempty"`
|
|
}
|
|
|
|
// RateLimitDescriptorEntry is a key-value pair generator. Exactly
|
|
// one field on this struct must be non-nil.
|
|
type RateLimitDescriptorEntry struct {
|
|
// GenericKey defines a descriptor entry with a static key and value.
|
|
// +optional
|
|
GenericKey *GenericKeyDescriptor `json:"genericKey,omitempty"`
|
|
|
|
// RequestHeader defines a descriptor entry that's populated only if
|
|
// a given header is present on the request. The descriptor key is static,
|
|
// and the descriptor value is equal to the value of the header.
|
|
// +optional
|
|
RequestHeader *RequestHeaderDescriptor `json:"requestHeader,omitempty"`
|
|
|
|
// RequestHeaderValueMatch defines a descriptor entry that's populated
|
|
// if the request's headers match a set of 1+ match criteria. The
|
|
// descriptor key is "header_match", and the descriptor value is static.
|
|
// +optional
|
|
RequestHeaderValueMatch *RequestHeaderValueMatchDescriptor `json:"requestHeaderValueMatch,omitempty"`
|
|
|
|
// RemoteAddress defines a descriptor entry with a key of "remote_address"
|
|
// and a value equal to the client's IP address (from x-forwarded-for).
|
|
// +optional
|
|
RemoteAddress *RemoteAddressDescriptor `json:"remoteAddress,omitempty"`
|
|
}
|
|
|
|
// GenericKeyDescriptor defines a descriptor entry with a static key and
|
|
// value.
|
|
type GenericKeyDescriptor struct {
|
|
// Key defines the key of the descriptor entry. If not set, the
|
|
// key is set to "generic_key".
|
|
// +optional
|
|
Key string `json:"key,omitempty"`
|
|
|
|
// Value defines the value of the descriptor entry.
|
|
// +required
|
|
// +kubebuilder:validation:MinLength=1
|
|
Value string `json:"value,omitempty"`
|
|
}
|
|
|
|
// RequestHeaderDescriptor defines a descriptor entry that's populated only
|
|
// if a given header is present on the request. The value of the descriptor
|
|
// entry is equal to the value of the header (if present).
|
|
type RequestHeaderDescriptor struct {
|
|
// HeaderName defines the name of the header to look for on the request.
|
|
// +required
|
|
// +kubebuilder:validation:MinLength=1
|
|
HeaderName string `json:"headerName,omitempty"`
|
|
|
|
// DescriptorKey defines the key to use on the descriptor entry.
|
|
// +required
|
|
// +kubebuilder:validation:MinLength=1
|
|
DescriptorKey string `json:"descriptorKey,omitempty"`
|
|
}
|
|
|
|
// RequestHeaderValueMatchDescriptor defines a descriptor entry that's populated
|
|
// if the request's headers match a set of 1+ match criteria. The descriptor key
|
|
// is "header_match", and the descriptor value is statically defined.
|
|
type RequestHeaderValueMatchDescriptor struct {
|
|
// Headers is a list of 1+ match criteria to apply against the request
|
|
// to determine whether to populate the descriptor entry or not.
|
|
// +kubebuilder:validation:MinItems=1
|
|
Headers []HeaderMatchCondition `json:"headers,omitempty"`
|
|
|
|
// ExpectMatch defines whether the request must positively match the match
|
|
// criteria in order to generate a descriptor entry (i.e. true), or not
|
|
// match the match criteria in order to generate a descriptor entry (i.e. false).
|
|
// The default is true.
|
|
// +kubebuilder:default=true
|
|
ExpectMatch bool `json:"expectMatch,omitempty"`
|
|
|
|
// Value defines the value of the descriptor entry.
|
|
// +required
|
|
// +kubebuilder:validation:MinLength=1
|
|
Value string `json:"value,omitempty"`
|
|
}
|
|
|
|
// RemoteAddressDescriptor defines a descriptor entry with a key of
|
|
// "remote_address" and a value equal to the client's IP address
|
|
// (from x-forwarded-for).
|
|
type RemoteAddressDescriptor struct{}
|
|
|
|
// TCPProxy contains the set of services to proxy TCP connections.
|
|
type TCPProxy struct {
|
|
// The load balancing policy for the backend services. Note that the
|
|
// `Cookie` and `RequestHash` load balancing strategies cannot be used
|
|
// here.
|
|
// +optional
|
|
LoadBalancerPolicy *LoadBalancerPolicy `json:"loadBalancerPolicy,omitempty"`
|
|
// Services are the services to proxy traffic
|
|
// +optional
|
|
Services []Service `json:"services"`
|
|
// Include specifies that this tcpproxy should be delegated to another HTTPProxy.
|
|
// +optional
|
|
Include *TCPProxyInclude `json:"include,omitempty"`
|
|
// IncludesDeprecated allow for specific routing configuration to be appended to another HTTPProxy in another namespace.
|
|
//
|
|
// Exists due to a mistake when developing HTTPProxy and the field was marked plural
|
|
// when it should have been singular. This field should stay to not break backwards compatibility to v1 users.
|
|
// +optional
|
|
IncludesDeprecated *TCPProxyInclude `json:"includes,omitempty"`
|
|
// The health check policy for this tcp proxy
|
|
// +optional
|
|
HealthCheckPolicy *TCPHealthCheckPolicy `json:"healthCheckPolicy,omitempty"`
|
|
}
|
|
|
|
// TCPProxyInclude describes a target HTTPProxy document which contains the TCPProxy details.
|
|
type TCPProxyInclude struct {
|
|
// Name of the child HTTPProxy
|
|
Name string `json:"name"`
|
|
// Namespace of the HTTPProxy to include. Defaults to the current namespace if not supplied.
|
|
// +optional
|
|
Namespace string `json:"namespace,omitempty"`
|
|
}
|
|
|
|
// Service defines an Kubernetes Service to proxy traffic.
|
|
type Service struct {
|
|
// Name is the name of Kubernetes service to proxy traffic.
|
|
// Names defined here will be used to look up corresponding endpoints which contain the ips to route.
|
|
Name string `json:"name"`
|
|
// Port (defined as Integer) to proxy traffic to since a service can have multiple defined.
|
|
//
|
|
// +required
|
|
// +kubebuilder:validation:Minimum=1
|
|
// +kubebuilder:validation:Maximum=65536
|
|
// +kubebuilder:validation:ExclusiveMinimum=false
|
|
// +kubebuilder:validation:ExclusiveMaximum=true
|
|
Port int `json:"port"`
|
|
// Protocol may be used to specify (or override) the protocol used to reach this Service.
|
|
// Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations.
|
|
// +kubebuilder:validation:Enum=h2;h2c;tls
|
|
// +optional
|
|
Protocol *string `json:"protocol,omitempty"`
|
|
// Weight defines percentage of traffic to balance traffic
|
|
// +optional
|
|
// +kubebuilder:validation:Minimum=0
|
|
Weight int64 `json:"weight,omitempty"`
|
|
// UpstreamValidation defines how to verify the backend service's certificate
|
|
// +optional
|
|
UpstreamValidation *UpstreamValidation `json:"validation,omitempty"`
|
|
// If Mirror is true the Service will receive a read only mirror of the traffic for this route.
|
|
Mirror bool `json:"mirror,omitempty"`
|
|
// The policy for managing request headers during proxying.
|
|
// Rewriting the 'Host' header is not supported.
|
|
// +optional
|
|
RequestHeadersPolicy *HeadersPolicy `json:"requestHeadersPolicy,omitempty"`
|
|
// The policy for managing response headers during proxying.
|
|
// Rewriting the 'Host' header is not supported.
|
|
// +optional
|
|
ResponseHeadersPolicy *HeadersPolicy `json:"responseHeadersPolicy,omitempty"`
|
|
// The policies for rewriting Set-Cookie header attributes.
|
|
// +optional
|
|
CookieRewritePolicies []CookieRewritePolicy `json:"cookieRewritePolicies,omitempty"`
|
|
}
|
|
|
|
// HTTPHealthCheckPolicy defines health checks on the upstream service.
|
|
type HTTPHealthCheckPolicy struct {
|
|
// HTTP endpoint used to perform health checks on upstream service
|
|
Path string `json:"path"`
|
|
// The value of the host header in the HTTP health check request.
|
|
// If left empty (default value), the name "contour-envoy-healthcheck"
|
|
// will be used.
|
|
Host string `json:"host,omitempty"`
|
|
// The interval (seconds) between health checks
|
|
// +optional
|
|
IntervalSeconds int64 `json:"intervalSeconds"`
|
|
// The time to wait (seconds) for a health check response
|
|
// +optional
|
|
TimeoutSeconds int64 `json:"timeoutSeconds"`
|
|
// The number of unhealthy health checks required before a host is marked unhealthy
|
|
// +optional
|
|
// +kubebuilder:validation:Minimum=0
|
|
UnhealthyThresholdCount int64 `json:"unhealthyThresholdCount"`
|
|
// The number of healthy health checks required before a host is marked healthy
|
|
// +optional
|
|
// +kubebuilder:validation:Minimum=0
|
|
HealthyThresholdCount int64 `json:"healthyThresholdCount"`
|
|
}
|
|
|
|
// TCPHealthCheckPolicy defines health checks on the upstream service.
|
|
type TCPHealthCheckPolicy struct {
|
|
// The interval (seconds) between health checks
|
|
// +optional
|
|
IntervalSeconds int64 `json:"intervalSeconds"`
|
|
// The time to wait (seconds) for a health check response
|
|
// +optional
|
|
TimeoutSeconds int64 `json:"timeoutSeconds"`
|
|
// The number of unhealthy health checks required before a host is marked unhealthy
|
|
// +optional
|
|
UnhealthyThresholdCount uint32 `json:"unhealthyThresholdCount"`
|
|
// The number of healthy health checks required before a host is marked healthy
|
|
// +optional
|
|
HealthyThresholdCount uint32 `json:"healthyThresholdCount"`
|
|
}
|
|
|
|
// TimeoutPolicy configures timeouts that are used for handling network requests.
|
|
//
|
|
// TimeoutPolicy durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
|
|
// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
|
|
// The string "infinity" is also a valid input and specifies no timeout.
|
|
// A value of "0s" will be treated as if the field were not set, i.e. by using Envoy's default behavior.
|
|
//
|
|
// Example input values: "300ms", "5s", "1m".
|
|
type TimeoutPolicy struct {
|
|
// Timeout for receiving a response from the server after processing a request from client.
|
|
// If not supplied, Envoy's default value of 15s applies.
|
|
// +optional
|
|
// +kubebuilder:validation:Pattern=`^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$`
|
|
Response string `json:"response,omitempty"`
|
|
|
|
// Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2).
|
|
// Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests.
|
|
// If not specified, there is no per-route idle timeout, though a connection manager-wide
|
|
// stream_idle_timeout default of 5m still applies.
|
|
// +optional
|
|
// +kubebuilder:validation:Pattern=`^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$`
|
|
Idle string `json:"idle,omitempty"`
|
|
|
|
// Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests.
|
|
// If not supplied, Envoy's default value of 1h applies.
|
|
// +optional
|
|
// +kubebuilder:validation:Pattern=`^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$`
|
|
IdleConnection string `json:"idleConnection,omitempty"`
|
|
}
|
|
|
|
// RetryOn is a string type alias with validation to ensure that the value is valid.
|
|
// +kubebuilder:validation:Enum="5xx";gateway-error;reset;connect-failure;retriable-4xx;refused-stream;retriable-status-codes;retriable-headers;cancelled;deadline-exceeded;internal;resource-exhausted;unavailable
|
|
type RetryOn string
|
|
|
|
// RetryPolicy defines the attributes associated with retrying policy.
|
|
type RetryPolicy struct {
|
|
// NumRetries is maximum allowed number of retries.
|
|
// If set to -1, then retries are disabled.
|
|
// If set to 0 or not supplied, the value is set
|
|
// to the Envoy default of 1.
|
|
// +optional
|
|
// +kubebuilder:default=1
|
|
// +kubebuilder:validation:Minimum=-1
|
|
NumRetries int64 `json:"count"`
|
|
// PerTryTimeout specifies the timeout per retry attempt.
|
|
// Ignored if NumRetries is not supplied.
|
|
// +optional
|
|
// +kubebuilder:validation:Pattern=`^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$`
|
|
PerTryTimeout string `json:"perTryTimeout,omitempty"`
|
|
// RetryOn specifies the conditions on which to retry a request.
|
|
//
|
|
// Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on):
|
|
//
|
|
// - `5xx`
|
|
// - `gateway-error`
|
|
// - `reset`
|
|
// - `connect-failure`
|
|
// - `retriable-4xx`
|
|
// - `refused-stream`
|
|
// - `retriable-status-codes`
|
|
// - `retriable-headers`
|
|
//
|
|
// Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on):
|
|
//
|
|
// - `cancelled`
|
|
// - `deadline-exceeded`
|
|
// - `internal`
|
|
// - `resource-exhausted`
|
|
// - `unavailable`
|
|
// +optional
|
|
RetryOn []RetryOn `json:"retryOn,omitempty"`
|
|
// RetriableStatusCodes specifies the HTTP status codes that should be retried.
|
|
//
|
|
// This field is only respected when you include `retriable-status-codes` in the `RetryOn` field.
|
|
// +optional
|
|
RetriableStatusCodes []uint32 `json:"retriableStatusCodes,omitempty"`
|
|
}
|
|
|
|
// ReplacePrefix describes a path prefix replacement.
|
|
type ReplacePrefix struct {
|
|
// Prefix specifies the URL path prefix to be replaced.
|
|
//
|
|
// If Prefix is specified, it must exactly match the MatchCondition
|
|
// prefix that is rendered by the chain of including HTTPProxies
|
|
// and only that path prefix will be replaced by Replacement.
|
|
// This allows HTTPProxies that are included through multiple
|
|
// roots to only replace specific path prefixes, leaving others
|
|
// unmodified.
|
|
//
|
|
// If Prefix is not specified, all routing prefixes rendered
|
|
// by the include chain will be replaced.
|
|
//
|
|
// +optional
|
|
// +kubebuilder:validation:MinLength=1
|
|
Prefix string `json:"prefix,omitempty"`
|
|
|
|
// Replacement is the string that the routing path prefix
|
|
// will be replaced with. This must not be empty.
|
|
//
|
|
// +kubebuilder:validation:Required
|
|
// +kubebuilder:validation:MinLength=1
|
|
Replacement string `json:"replacement"`
|
|
}
|
|
|
|
// PathRewritePolicy specifies how a request URL path should be
|
|
// rewritten. This rewriting takes place after a request is routed
|
|
// and has no subsequent effects on the proxy's routing decision.
|
|
// No HTTP headers or body content is rewritten.
|
|
//
|
|
// Exactly one field in this struct may be specified.
|
|
type PathRewritePolicy struct {
|
|
// ReplacePrefix describes how the path prefix should be replaced.
|
|
// +optional
|
|
ReplacePrefix []ReplacePrefix `json:"replacePrefix,omitempty"`
|
|
}
|
|
|
|
// HeaderHashOptions contains options to configure a HTTP request header hash
|
|
// policy, used in request attribute hash based load balancing.
|
|
type HeaderHashOptions struct {
|
|
// HeaderName is the name of the HTTP request header that will be used to
|
|
// calculate the hash key. If the header specified is not present on a
|
|
// request, no hash will be produced.
|
|
// +kubebuilder:validation:Required
|
|
// +kubebuilder:validation:MinLength=1
|
|
HeaderName string `json:"headerName,omitempty"`
|
|
}
|
|
|
|
// RequestHashPolicy contains configuration for an individual hash policy
|
|
// on a request attribute.
|
|
type RequestHashPolicy struct {
|
|
// Terminal is a flag that allows for short-circuiting computing of a hash
|
|
// for a given request. If set to true, and the request attribute specified
|
|
// in the attribute hash options is present, no further hash policies will
|
|
// be used to calculate a hash for the request.
|
|
Terminal bool `json:"terminal,omitempty"`
|
|
|
|
// HeaderHashOptions should be set when request header hash based load
|
|
// balancing is desired. It must be the only hash option field set,
|
|
// otherwise this request hash policy object will be ignored.
|
|
// +optional
|
|
HeaderHashOptions *HeaderHashOptions `json:"headerHashOptions,omitempty"`
|
|
|
|
// HashSourceIP should be set to true when request source IP hash based
|
|
// load balancing is desired. It must be the only hash option field set,
|
|
// otherwise this request hash policy object will be ignored.
|
|
// +optional
|
|
HashSourceIP bool `json:"hashSourceIP,omitempty"`
|
|
}
|
|
|
|
// LoadBalancerPolicy defines the load balancing policy.
|
|
type LoadBalancerPolicy struct {
|
|
// Strategy specifies the policy used to balance requests
|
|
// across the pool of backend pods. Valid policy names are
|
|
// `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`,
|
|
// and `RequestHash`. If an unknown strategy name is specified
|
|
// or no policy is supplied, the default `RoundRobin` policy
|
|
// is used.
|
|
Strategy string `json:"strategy,omitempty"`
|
|
|
|
// RequestHashPolicies contains a list of hash policies to apply when the
|
|
// `RequestHash` load balancing strategy is chosen. If an element of the
|
|
// supplied list of hash policies is invalid, it will be ignored. If the
|
|
// list of hash policies is empty after validation, the load balancing
|
|
// strategy will fall back the the default `RoundRobin`.
|
|
RequestHashPolicies []RequestHashPolicy `json:"requestHashPolicies,omitempty"`
|
|
}
|
|
|
|
// HeadersPolicy defines how headers are managed during forwarding.
|
|
// The `Host` header is treated specially and if set in a HTTP response
|
|
// will be used as the SNI server name when forwarding over TLS. It is an
|
|
// error to attempt to set the `Host` header in a HTTP response.
|
|
type HeadersPolicy struct {
|
|
// Set specifies a list of HTTP header values that will be set in the HTTP header.
|
|
// If the header does not exist it will be added, otherwise it will be overwritten with the new value.
|
|
// +optional
|
|
Set []HeaderValue `json:"set,omitempty"`
|
|
// Remove specifies a list of HTTP header names to remove.
|
|
// +optional
|
|
Remove []string `json:"remove,omitempty"`
|
|
}
|
|
|
|
// HeaderValue represents a header name/value pair
|
|
type HeaderValue struct {
|
|
// Name represents a key of a header
|
|
// +kubebuilder:validation:Required
|
|
// +kubebuilder:validation:MinLength=1
|
|
Name string `json:"name"`
|
|
// Value represents the value of a header specified by a key
|
|
// +kubebuilder:validation:Required
|
|
// +kubebuilder:validation:MinLength=1
|
|
Value string `json:"value"`
|
|
}
|
|
|
|
// UpstreamValidation defines how to verify the backend service's certificate
|
|
type UpstreamValidation struct {
|
|
// Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend
|
|
CACertificate string `json:"caSecret"`
|
|
// Key which is expected to be present in the 'subjectAltName' of the presented certificate
|
|
SubjectName string `json:"subjectName"`
|
|
}
|
|
|
|
// DownstreamValidation defines how to verify the client certificate.
|
|
type DownstreamValidation struct {
|
|
// Name of a Kubernetes secret that contains a CA certificate bundle.
|
|
// The client certificate must validate against the certificates in the bundle.
|
|
// If specified and SkipClientCertValidation is true, client certificates will
|
|
// be required on requests.
|
|
// +optional
|
|
// +kubebuilder:validation:MinLength=1
|
|
CACertificate string `json:"caSecret,omitempty"`
|
|
|
|
// SkipClientCertValidation disables downstream client certificate
|
|
// validation. Defaults to false. This field is intended to be used in
|
|
// conjunction with external authorization in order to enable the external
|
|
// authorization server to validate client certificates. When this field
|
|
// is set to true, client certificates are requested but not verified by
|
|
// Envoy. If CACertificate is specified, client certificates are required on
|
|
// requests, but not verified. If external authorization is in use, they are
|
|
// presented to the external authorization server.
|
|
// +optional
|
|
SkipClientCertValidation bool `json:"skipClientCertValidation"`
|
|
}
|
|
|
|
// HTTPProxyStatus reports the current state of the HTTPProxy.
|
|
type HTTPProxyStatus struct {
|
|
// +optional
|
|
CurrentStatus string `json:"currentStatus,omitempty"`
|
|
// +optional
|
|
Description string `json:"description,omitempty"`
|
|
// +optional
|
|
// LoadBalancer contains the current status of the load balancer.
|
|
LoadBalancer corev1.LoadBalancerStatus `json:"loadBalancer,omitempty"`
|
|
// +optional
|
|
// Conditions contains information about the current status of the HTTPProxy,
|
|
// in an upstream-friendly container.
|
|
//
|
|
// Contour will update a single condition, `Valid`, that is in normal-true polarity.
|
|
// That is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`,
|
|
// and vice versa.
|
|
//
|
|
// Contour will leave untouched any other Conditions set in this block,
|
|
// in case some other controller wants to add a Condition.
|
|
//
|
|
// If you are another controller owner and wish to add a condition, you *should*
|
|
// namespace your condition with a label, like `controller.domain.com/ConditionName`.
|
|
// +patchMergeKey=type
|
|
// +patchStrategy=merge
|
|
// +listType=map
|
|
// +listMapKey=type
|
|
Conditions []DetailedCondition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
|
|
}
|
|
|
|
// +genclient
|
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
|
|
|
// HTTPProxy is an Ingress CRD specification.
|
|
// +k8s:openapi-gen=true
|
|
// +kubebuilder:printcolumn:name="FQDN",type="string",JSONPath=".spec.virtualhost.fqdn",description="Fully qualified domain name"
|
|
// +kubebuilder:printcolumn:name="TLS Secret",type="string",JSONPath=".spec.virtualhost.tls.secretName",description="Secret with TLS credentials"
|
|
// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.currentStatus",description="The current status of the HTTPProxy"
|
|
// +kubebuilder:printcolumn:name="Status Description",type="string",JSONPath=".status.description",description="Description of the current status"
|
|
// +kubebuilder:resource:scope=Namespaced,path=httpproxies,shortName=proxy;proxies,singular=httpproxy
|
|
// +kubebuilder:subresource:status
|
|
type HTTPProxy struct {
|
|
metav1.TypeMeta `json:",inline"`
|
|
metav1.ObjectMeta `json:"metadata"`
|
|
|
|
Spec HTTPProxySpec `json:"spec"`
|
|
// Status is a container for computed information about the HTTPProxy.
|
|
// +optional
|
|
// +kubebuilder:default={currentStatus: "NotReconciled", description:"Waiting for controller"}
|
|
Status HTTPProxyStatus `json:"status,omitempty"`
|
|
}
|
|
|
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
|
|
|
// HTTPProxyList is a list of HTTPProxies.
|
|
type HTTPProxyList struct {
|
|
metav1.TypeMeta `json:",inline"`
|
|
metav1.ListMeta `json:"metadata"`
|
|
Items []HTTPProxy `json:"items"`
|
|
}
|