
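# Binds the `contour` ServiceAccount (defined below in namespace
# contour-external) to ClusterRole `contour`. The ClusterRole's rules are not
# part of this section, so review them separately for least privilege; the
# `envoy` ServiceAccount receives no binding here.
# rbac.authorization.k8s.io/v1 has been GA since Kubernetes 1.8; the v1beta1
# form used previously is deprecated and no longer served on Kubernetes 1.22+.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: contour-external
  labels:
    networking.knative.dev/ingress-provider: contour
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: contour
subjects:
  - kind: ServiceAccount
    name: contour
    namespace: contour-external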
---
# Namespace holding the Contour control plane and the Envoy data plane that
# serve as Knative's "external" ingress provider.
apiVersion: v1
kind: Namespace
metadata:
  labels:
    networking.knative.dev/ingress-provider: contour
  name: contour-external
---
# Identity used by the Contour control plane; it is the only subject of the
# `contour-external` ClusterRoleBinding above, so it is the account whose API
# permissions matter for this deployment.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    networking.knative.dev/ingress-provider: contour
  name: contour
  namespace: contour-external
---
# Identity used by the Envoy data-plane pods. No RoleBinding or
# ClusterRoleBinding in this section references it.
# NOTE(review): if the Envoy pods do not need the Kubernetes API at all,
# `automountServiceAccountToken: false` would keep a token out of the proxy
# pods — confirm against the Envoy workload definition before adding it.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    networking.knative.dev/ingress-provider: contour
  name: envoy
  namespace: contour-external
---
# Contour's configuration file, mounted from the `contour.yaml` key. Everything
# inside the block scalar (including its `#` lines) is data that Contour parses
# at startup, so it is reproduced verbatim here; only the comments outside the
# scalar belong to this manifest.
#
# Security-relevant settings in the embedded config:
#   - `disablePermitInsecure: false` keeps the IngressRoute `permitInsecure`
#     route field honoured, so a route may answer plain HTTP even when its
#     virtual host carries a TLS block.
#   - `tls.minimum-protocol-version` is left commented out (the `tls:` key is
#     effectively empty), so Contour's built-in minimum applies. Pinning it
#     explicitly (e.g. `minimum-protocol-version: "1.2"`) rules out older
#     protocol versions.
#   - `request-timeout` is left at its documented default of 0, which the
#     comment below says Envoy treats as disabled: no cap on the duration of a
#     whole request.
apiVersion: v1
kind: ConfigMap
metadata:
  name: contour
  namespace: contour-external
  labels:
    networking.knative.dev/ingress-provider: contour
data:
  contour.yaml: |
    leaderelection:
      configmap-name: contour
      configmap-namespace: contour-external
    # should contour expect to be running inside a k8s cluster
    # incluster: true
    #
    # path to kubeconfig (if not running inside a k8s cluster)
    # kubeconfig: /path/to/.kube/config
    #
    # Client request timeout to be passed to Envoy
    # as the connection manager request_timeout.
    # Defaults to 0, which Envoy interprets as disabled.
    # Note that this is the timeout for the whole request,
    # not an idle timeout.
    # request-timeout: 0s
    # disable ingressroute permitInsecure field
    disablePermitInsecure: false
    tls:
      # minimum TLS version that Contour will negotiate
      # minimum-protocol-version: "1.1"
    # The following config shows the defaults for the leader election.
    # leaderelection:
    #   configmap-name: leader-elect
    #   configmap-namespace: contour-external
    ### Logging options
    # Default setting
    accesslog-format: envoy
    # To enable JSON logging in Envoy
    # accesslog-format: json
    # The default fields that will be logged are specified below.
    # To customise this list, just add or remove entries.
    # The canonical list is available at
    # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields
    # json-fields:
    #   - "@timestamp"
    #   - "authority"
    #   - "bytes_received"
    #   - "bytes_sent"
    #   - "downstream_local_address"
    #   - "downstream_remote_address"
    #   - "duration"
    #   - "method"
    #   - "path"
    #   - "protocol"
    #   - "request_id"
    #   - "requested_server_name"
    #   - "response_code"
    #   - "response_flags"
    #   - "uber_trace_id"
    #   - "upstream_cluster"
    #   - "upstream_host"
    #   - "upstream_local_address"
    #   - "upstream_service_time"
    #   - "user_agent"
    #   - "x_forwarded_for"
---
# CRD for the legacy IngressRoute API (group contour.heptio.com, v1beta1),
# generated by controller-gen (see the annotation below); the schema text is
# reproduced unchanged.
# NOTE(review): apiextensions.k8s.io/v1beta1 is deprecated and no longer
# served on Kubernetes 1.22+. Moving to apiextensions.k8s.io/v1 requires
# restructuring the schema under `versions[].schema` and is not done here.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.2.4
  creationTimestamp: null
  name: ingressroutes.contour.heptio.com
  labels:
    networking.knative.dev/ingress-provider: contour
spec:
  # Columns shown by `kubectl get ingressroutes`.
  additionalPrinterColumns:
    - JSONPath: .spec.virtualhost.fqdn
      description: Fully qualified domain name
      name: FQDN
      type: string
    - JSONPath: .spec.virtualhost.tls.secretName
      description: Secret with TLS credentials
      name: TLS Secret
      type: string
    - JSONPath: .spec.routes[0].match
      description: First routes defined
      name: First route
      type: string
    - JSONPath: .status.currentStatus
      description: The current status of the HTTPProxy
      name: Status
      type: string
    - JSONPath: .status.description
      description: Description of the current status
      name: Status Description
      type: string
  group: contour.heptio.com
  names:
    kind: IngressRoute
    listKind: IngressRouteList
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced
  subresources: {}
  validation:
    openAPIV3Schema:
      description: IngressRoute is an Ingress CRD specificiation
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: IngressRouteSpec defines the spec of the CRD
          properties:
            routes:
              description: Routes are the ingress routes. If TCPProxy is present,
                Routes is ignored.
              items:
                description: Route contains the set of routes for a virtual host
                properties:
                  delegate:
                    description: Delegate specifies that this route should be delegated
                      to another IngressRoute
                    properties:
                      name:
                        description: Name of the IngressRoute
                        type: string
                      namespace:
                        description: Namespace of the IngressRoute. Defaults to the
                          current namespace if not supplied.
                        type: string
                    required:
                      - name
                    type: object
                  enableWebsockets:
                    description: Enables websocket support for the route
                    type: boolean
                  match:
                    description: Match defines the prefix match
                    type: string
                  # Security: a route with permitInsecure=true is served over plain
                  # HTTP as well as TLS unless Contour's `disablePermitInsecure`
                  # setting is true.
                  permitInsecure:
                    description: Allow this path to respond to insecure requests over
                      HTTP which are normally not permitted when a `virtualhost.tls`
                      block is present.
                    type: boolean
                  prefixRewrite:
                    description: Indicates that during forwarding, the matched prefix
                      (or path) should be swapped with this value
                    type: string
                  retryPolicy:
                    description: The retry policy for this route
                    properties:
                      count:
                        description: NumRetries is maximum allowed number of retries.
                          If not supplied, the number of retries is one.
                        format: int64
                        minimum: 0
                        type: integer
                      perTryTimeout:
                        description: PerTryTimeout specifies the timeout per retry
                          attempt. Ignored if NumRetries is not supplied.
                        type: string
                    type: object
                  services:
                    description: Services are the services to proxy traffic
                    items:
                      description: Service defines an upstream to proxy traffic to
                      properties:
                        healthCheck:
                          description: HealthCheck defines optional healthchecks on
                            the upstream service
                          properties:
                            healthyThresholdCount:
                              description: The number of healthy health checks required
                                before a host is marked healthy
                              format: int64
                              minimum: 0
                              type: integer
                            host:
                              description: The value of the host header in the HTTP
                                health check request. If left empty (default value),
                                the name "contour-envoy-healthcheck" will be used.
                              type: string
                            intervalSeconds:
                              description: The interval (seconds) between health checks
                              format: int64
                              type: integer
                            path:
                              description: HTTP endpoint used to perform health checks
                                on upstream service
                              type: string
                            timeoutSeconds:
                              description: The time to wait (seconds) for a health
                                check response
                              format: int64
                              type: integer
                            unhealthyThresholdCount:
                              description: The number of unhealthy health checks required
                                before a host is marked unhealthy
                              format: int64
                              minimum: 0
                              type: integer
                          required:
                            - path
                          type: object
                        name:
                          description: Name is the name of Kubernetes service to proxy
                            traffic. Names defined here will be used to look up corresponding
                            endpoints which contain the ips to route.
                          type: string
                        port:
                          description: Port (defined as Integer) to proxy traffic
                            to since a service can have multiple defined
                          type: integer
                        strategy:
                          description: LB Algorithm to apply (see https://github.com/projectcontour/contour/blob/master/design/ingressroute-design.md#load-balancing)
                          type: string
                        # Verification of the backend's TLS certificate; both the CA
                        # secret and the expected subject name are required when set.
                        validation:
                          description: UpstreamValidation defines how to verify the
                            backend service's certificate
                          properties:
                            caSecret:
                              description: Name of the Kubernetes secret be used to
                                validate the certificate presented by the backend
                              type: string
                            subjectName:
                              description: Key which is expected to be present in
                                the 'subjectAltName' of the presented certificate
                              type: string
                          required:
                            - caSecret
                            - subjectName
                          type: object
                        weight:
                          description: Weight defines percentage of traffic to balance
                            traffic
                          format: int64
                          minimum: 0
                          type: integer
                      required:
                        - name
                        - port
                      type: object
                    type: array
                  timeoutPolicy:
                    description: The timeout policy for this route
                    properties:
                      request:
                        description: Timeout for receiving a response from the server
                          after processing a request from client. If not supplied
                          the timeout duration is undefined.
                        type: string
                    type: object
                required:
                  - match
                type: object
              type: array
            tcpproxy:
              description: TCPProxy holds TCP proxy information.
              properties:
                delegate:
                  description: Delegate specifies that this tcpproxy should be delegated
                    to another IngressRoute
                  properties:
                    name:
                      description: Name of the IngressRoute
                      type: string
                    namespace:
                      description: Namespace of the IngressRoute. Defaults to the
                        current namespace if not supplied.
                      type: string
                  required:
                    - name
                  type: object
                services:
                  description: Services are the services to proxy traffic
                  items:
                    description: Service defines an upstream to proxy traffic to
                    properties:
                      healthCheck:
                        description: HealthCheck defines optional healthchecks on
                          the upstream service
                        properties:
                          healthyThresholdCount:
                            description: The number of healthy health checks required
                              before a host is marked healthy
                            format: int64
                            minimum: 0
                            type: integer
                          host:
                            description: The value of the host header in the HTTP
                              health check request. If left empty (default value),
                              the name "contour-envoy-healthcheck" will be used.
                            type: string
                          intervalSeconds:
                            description: The interval (seconds) between health checks
                            format: int64
                            type: integer
                          path:
                            description: HTTP endpoint used to perform health checks
                              on upstream service
                            type: string
                          timeoutSeconds:
                            description: The time to wait (seconds) for a health check
                              response
                            format: int64
                            type: integer
                          unhealthyThresholdCount:
                            description: The number of unhealthy health checks required
                              before a host is marked unhealthy
                            format: int64
                            minimum: 0
                            type: integer
                        required:
                          - path
                        type: object
                      name:
                        description: Name is the name of Kubernetes service to proxy
                          traffic. Names defined here will be used to look up corresponding
                          endpoints which contain the ips to route.
                        type: string
                      port:
                        description: Port (defined as Integer) to proxy traffic to
                          since a service can have multiple defined
                        type: integer
                      strategy:
                        description: LB Algorithm to apply (see https://github.com/projectcontour/contour/blob/master/design/ingressroute-design.md#load-balancing)
                        type: string
                      validation:
                        description: UpstreamValidation defines how to verify the
                          backend service's certificate
                        properties:
                          caSecret:
                            description: Name of the Kubernetes secret be used to
                              validate the certificate presented by the backend
                            type: string
                          subjectName:
                            description: Key which is expected to be present in the
                              'subjectAltName' of the presented certificate
                            type: string
                        required:
                          - caSecret
                          - subjectName
                        type: object
                      weight:
                        description: Weight defines percentage of traffic to balance
                          traffic
                        format: int64
                        minimum: 0
                        type: integer
                    required:
                      - name
                      - port
                    type: object
                  type: array
              type: object
            virtualhost:
              description: Virtualhost appears at most once. If it is present, the
                object is considered to be a "root".
              properties:
                fqdn:
                  description: The fully qualified domain name of the root of the
                    ingress tree all leaves of the DAG rooted at this object relate
                    to the fqdn
                  type: string
                tls:
                  description: If present describes tls properties. The SNI names
                    that will be matched on are described in fqdn, the tls.secretName
                    secret must contain a matching certificate
                  properties:
                    # Mutual TLS: when set, clients must present a certificate that
                    # validates against the CA bundle in `caSecret`.
                    clientValidation:
                      description: 'ClientValidation defines how to verify the client
                        certificate when an external client establishes a TLS connection
                        to Envoy. This setting: 1. Enables TLS client certificate
                        validation. 2. Requires clients to present a TLS certificate
                        (i.e. not optional validation). 3. Specifies how the client
                        certificate will be validated.'
                      properties:
                        caSecret:
                          description: Name of a Kubernetes secret that contains a
                            CA certificate bundle. The client certificate must validate
                            against the certificates in the bundle.
                          minLength: 1
                          type: string
                      required:
                        - caSecret
                      type: object
                    minimumProtocolVersion:
                      description: Minimum TLS version this vhost should negotiate
                      type: string
                    # With passthrough, Envoy does not terminate TLS for this vhost:
                    # the handshake is forwarded as-is and `secretName` is ignored, so
                    # the backend alone decides the TLS policy.
                    passthrough:
                      description: If Passthrough is set to true, the SecretName will
                        be ignored and the encrypted handshake will be passed through
                        to the backing cluster.
                      type: boolean
                    secretName:
                      description: required, the name of a secret in the current namespace
                      type: string
                  type: object
              required:
                - fqdn
              type: object
          type: object
        status:
          description: Status reports the current state of the HTTPProxy.
          properties:
            currentStatus:
              type: string
            description:
              type: string
          type: object
      required:
        - metadata
        - spec
      type: object
  version: v1beta1
  versions:
    - name: v1beta1
      served: true
      storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
# CRD for TLSCertificateDelegation (group contour.heptio.com, v1beta1), which
# lets a namespace grant other namespaces the right to reference one of its TLS
# secrets. Generated by controller-gen; the schema text is reproduced unchanged.
# NOTE(review): apiextensions.k8s.io/v1beta1 is deprecated and no longer
# served on Kubernetes 1.22+.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.2.4
  creationTimestamp: null
  name: tlscertificatedelegations.contour.heptio.com
  labels:
    networking.knative.dev/ingress-provider: contour
spec:
  group: contour.heptio.com
  names:
    kind: TLSCertificateDelegation
    listKind: TLSCertificateDelegationList
    plural: tlscertificatedelegations
    singular: tlscertificatedelegation
  scope: Namespaced
  validation:
    openAPIV3Schema:
      description: TLSCertificateDelegation is an TLS Certificate Delegation CRD specificiation.
        See design/tls-certificate-delegation.md for details.
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: TLSCertificateDelegationSpec defines the spec of the CRD
          properties:
            delegations:
              items:
                description: CertificateDelegation maps the authority to reference
                  a secret in the current namespace to a set of namespaces.
                properties:
                  secretName:
                    description: required, the name of a secret in the current namespace.
                    type: string
                  # Security: a "*" entry delegates the secret to every namespace
                  # in the cluster; an explicit namespace list keeps the blast
                  # radius of a compromised namespace small.
                  targetNamespaces:
                    description: required, the namespaces the authority to reference
                      the the secret will be delegated to. If TargetNamespaces is
                      nil or empty, the CertificateDelegation' is ignored. If the
                      TargetNamespace list contains the character, "*" the secret
                      will be delegated to all namespaces.
                    items:
                      type: string
                    type: array
                required:
                  - secretName
                  - targetNamespaces
                type: object
              type: array
          required:
            - delegations
          type: object
      required:
        - metadata
        - spec
      type: object
  version: v1beta1
  versions:
    - name: v1beta1
      served: true
      storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
# CRD for the HTTPProxy API (group projectcontour.io, v1), the successor of
# IngressRoute. Generated by controller-gen; the schema text is reproduced
# unchanged.
# NOTE(review): apiextensions.k8s.io/v1beta1 is deprecated and no longer
# served on Kubernetes 1.22+. Moving to apiextensions.k8s.io/v1 requires
# restructuring the schema under `versions[].schema` and is not done here.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.2.4
  creationTimestamp: null
  name: httpproxies.projectcontour.io
  labels:
    networking.knative.dev/ingress-provider: contour
spec:
  # Columns shown by `kubectl get httpproxies`.
  additionalPrinterColumns:
    - JSONPath: .spec.virtualhost.fqdn
      description: Fully qualified domain name
      name: FQDN
      type: string
    - JSONPath: .spec.virtualhost.tls.secretName
      description: Secret with TLS credentials
      name: TLS Secret
      type: string
    - JSONPath: .status.currentStatus
      description: The current status of the HTTPProxy
      name: Status
      type: string
    - JSONPath: .status.description
      description: Description of the current status
      name: Status Description
      type: string
  group: projectcontour.io
  names:
    kind: HTTPProxy
    listKind: HTTPProxyList
    plural: httpproxies
    shortNames:
      - proxy
      - proxies
    singular: httpproxy
  scope: Namespaced
  subresources: {}
  validation:
    openAPIV3Schema:
      description: HTTPProxy is an Ingress CRD specification
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: HTTPProxySpec defines the spec of the CRD.
          properties:
            # Cross-namespace inclusion: the included HTTPProxy may live in another
            # namespace, so the set of namespaces allowed to be included is part of
            # the trust boundary.
            includes:
              description: Includes allow for specific routing configuration to be
                appended to another HTTPProxy in another namespace.
              items:
                description: Include describes a set of policies that can be applied
                  to an HTTPProxy in a namespace.
                properties:
                  conditions:
                    description: Conditions are a set of routing properties that is
                      applied to an HTTPProxy in a namespace.
                    items:
                      description: Condition are policies that are applied on top
                        of HTTPProxies. One of Prefix or Header must be provided.
                      properties:
                        header:
                          description: Header specifies the header condition to match.
                          properties:
                            contains:
                              description: Contains specifies a substring that must
                                be present in the header value.
                              type: string
                            exact:
                              description: Exact specifies a string that the header
                                value must be equal to.
                              type: string
                            name:
                              description: Name is the name of the header to match
                                against. Name is required. Header names are case insensitive.
                              type: string
                            notcontains:
                              description: NotContains specifies a substring that
                                must not be present in the header value.
                              type: string
                            notexact:
                              description: NoExact specifies a string that the header
                                value must not be equal to. The condition is true
                                if the header has any other value.
                              type: string
                            present:
                              description: Present specifies that condition is true
                                when the named header is present, regardless of its
                                value. Note that setting Present to false does not
                                make the condition true if the named header is absent.
                              type: boolean
                          required:
                            - name
                          type: object
                        prefix:
                          description: Prefix defines a prefix match for a request.
                          type: string
                      type: object
                    type: array
                  name:
                    description: Name of the HTTPProxy
                    type: string
                  namespace:
                    description: Namespace of the HTTPProxy to include. Defaults to
                      the current namespace if not supplied.
                    type: string
                required:
                  - name
                type: object
              type: array
            routes:
              description: Routes are the ingress routes. If TCPProxy is present,
                Routes is ignored.
              items:
                description: Route contains the set of routes for a virtual host.
                properties:
                  conditions:
                    description: Conditions are a set of routing properties that is
                      applied to an HTTPProxy in a namespace.
                    items:
                      description: Condition are policies that are applied on top
                        of HTTPProxies. One of Prefix or Header must be provided.
                      properties:
                        header:
                          description: Header specifies the header condition to match.
                          properties:
                            contains:
                              description: Contains specifies a substring that must
                                be present in the header value.
                              type: string
                            exact:
                              description: Exact specifies a string that the header
                                value must be equal to.
                              type: string
                            name:
                              description: Name is the name of the header to match
                                against. Name is required. Header names are case insensitive.
                              type: string
                            notcontains:
                              description: NotContains specifies a substring that
                                must not be present in the header value.
                              type: string
                            notexact:
                              description: NoExact specifies a string that the header
                                value must not be equal to. The condition is true
                                if the header has any other value.
                              type: string
                            present:
                              description: Present specifies that condition is true
                                when the named header is present, regardless of its
                                value. Note that setting Present to false does not
                                make the condition true if the named header is absent.
                              type: boolean
                          required:
                            - name
                          type: object
                        prefix:
                          description: Prefix defines a prefix match for a request.
                          type: string
                      type: object
                    type: array
                  enableWebsockets:
                    description: Enables websocket support for the route.
                    type: boolean
                  healthCheckPolicy:
                    description: The health check policy for this route.
                    properties:
                      healthyThresholdCount:
                        description: The number of healthy health checks required
                          before a host is marked healthy
                        format: int64
                        minimum: 0
                        type: integer
                      host:
                        description: The value of the host header in the HTTP health
                          check request. If left empty (default value), the name "contour-envoy-healthcheck"
                          will be used.
                        type: string
                      intervalSeconds:
                        description: The interval (seconds) between health checks
                        format: int64
                        type: integer
                      path:
                        description: HTTP endpoint used to perform health checks on
                          upstream service
                        type: string
                      timeoutSeconds:
                        description: The time to wait (seconds) for a health check
                          response
                        format: int64
                        type: integer
                      unhealthyThresholdCount:
                        description: The number of unhealthy health checks required
                          before a host is marked unhealthy
                        format: int64
                        minimum: 0
                        type: integer
                    required:
                      - path
                    type: object
                  loadBalancerPolicy:
                    description: The load balancing policy for this route.
                    properties:
                      strategy:
                        description: Strategy specifies the policy used to balance
                          requests across the pool of backend pods. Valid policy names
                          are `Random`, `RoundRobin`, `WeightedLeastRequest`, `Random`
                          and `Cookie`. If an unknown strategy name is specified or
                          no policy is supplied, the default `RoundRobin` policy is
                          used.
                        type: string
                    type: object
                  pathRewritePolicy:
                    description: The policy for rewriting the path of the request
                      URL after the request has been routed to a Service.
                    properties:
                      replacePrefix:
                        description: ReplacePrefix describes how the path prefix should
                          be replaced.
                        items:
                          description: ReplacePrefix describes a path prefix replacement.
                          properties:
                            prefix:
                              description: "Prefix specifies the URL path prefix to
                                be replaced. \n If Prefix is specified, it must exactly
                                match the Condition prefix that is rendered by the
                                chain of including HTTPProxies and only that path
                                prefix will be replaced by Replacement. This allows
                                HTTPProxies that are included through multiple roots
                                to only replace specific path prefixes, leaving others
                                unmodified. \n If Prefix is not specified, all routing
                                prefixes rendered by the include chain will be replaced."
                              minLength: 1
                              type: string
                            replacement:
                              description: Replacement is the string that the routing
                                path prefix will be replaced with. This must not be
                                empty.
                              minLength: 1
                              type: string
                          required:
                            - replacement
                          type: object
                        type: array
                    type: object
                  # Security: a route with permitInsecure=true is served over plain
                  # HTTP as well as TLS unless Contour's `disablePermitInsecure`
                  # setting is true.
                  permitInsecure:
                    description: Allow this path to respond to insecure requests over
                      HTTP which are normally not permitted when a `virtualhost.tls`
                      block is present.
                    type: boolean
                  requestHeadersPolicy:
                    description: The policy for managing request headers during proxying
                    properties:
                      remove:
                        description: Remove specifies a list of HTTP header names
                          to remove
                        items:
                          type: string
                        type: array
                      set:
                        description: Set specifies a list of HTTP header values that
                          will be set in the HTTP header
                        items:
                          description: HeaderValue represents a header name/value
                            pair
                          properties:
                            name:
                              description: Name represents a key of a header
                              minLength: 1
                              type: string
                            value:
                              description: Value represents the value of a header
                                specified by a key
                              minLength: 1
                              type: string
                          required:
                            - name
                            - value
                          type: object
                        type: array
                    type: object
                  responseHeadersPolicy:
                    description: The policy for managing response headers during proxying
                    properties:
                      remove:
                        description: Remove specifies a list of HTTP header names
                          to remove
                        items:
                          type: string
                        type: array
                      set:
                        description: Set specifies a list of HTTP header values that
                          will be set in the HTTP header
                        items:
                          description: HeaderValue represents a header name/value
                            pair
                          properties:
                            name:
                              description: Name represents a key of a header
                              minLength: 1
                              type: string
                            value:
                              description: Value represents the value of a header
                                specified by a key
                              minLength: 1
                              type: string
                          required:
                            - name
                            - value
                          type: object
                        type: array
                    type: object
                  retryPolicy:
                    description: The retry policy for this route.
                    properties:
                      count:
                        description: NumRetries is maximum allowed number of retries.
                          If not supplied, the number of retries is one.
                        format: int64
                        minimum: 0
                        type: integer
                      perTryTimeout:
                        description: PerTryTimeout specifies the timeout per retry
                          attempt. Ignored if NumRetries is not supplied.
                        type: string
                    type: object
                  services:
                    description: Services are the services to proxy traffic.
                    items:
                      description: Service defines an Kubernetes Service to proxy
                        traffic.
                      properties:
                        # A mirror service receives a copy of every request on the
                        # route, including any sensitive payloads and headers.
                        mirror:
                          description: If Mirror is true the Service will receive
                            a read only mirror of the traffic for this route.
                          type: boolean
                        name:
                          description: Name is the name of Kubernetes service to proxy
                            traffic. Names defined here will be used to look up corresponding
                            endpoints which contain the ips to route.
                          type: string
                        port:
                          description: Port (defined as Integer) to proxy traffic
                            to since a service can have multiple defined.
                          type: integer
                        protocol:
                          description: Protocol may be used to specify (or override)
                            the protocol used to reach this Service. Values may be
                            tls, h2, h2c. If omitted, protocol-selection falls back
                            on Service annotations.
                          enum:
                            - h2
                            - h2c
                            - tls
                          type: string
                        requestHeadersPolicy:
                          description: The policy for managing request headers during
                            proxying
                          properties:
                            remove:
                              description: Remove specifies a list of HTTP header
                                names to remove
                              items:
                                type: string
                              type: array
                            set:
                              description: Set specifies a list of HTTP header values
                                that will be set in the HTTP header
                              items:
                                description: HeaderValue represents a header name/value
                                  pair
                                properties:
                                  name:
                                    description: Name represents a key of a header
                                    minLength: 1
                                    type: string
                                  value:
                                    description: Value represents the value of a header
                                      specified by a key
                                    minLength: 1
                                    type: string
                                required:
                                  - name
                                  - value
                                type: object
                              type: array
                          type: object
                        responseHeadersPolicy:
                          description: The policy for managing response headers during
                            proxying
                          properties:
                            remove:
                              description: Remove specifies a list of HTTP header
                                names to remove
                              items:
                                type: string
                              type: array
                            set:
                              description: Set specifies a list of HTTP header values
                                that will be set in the HTTP header
                              items:
                                description: HeaderValue represents a header name/value
                                  pair
                                properties:
                                  name:
                                    description: Name represents a key of a header
                                    minLength: 1
                                    type: string
                                  value:
                                    description: Value represents the value of a header
                                      specified by a key
                                    minLength: 1
                                    type: string
                                required:
                                  - name
                                  - value
                                type: object
                              type: array
                          type: object
                        # Verification of the backend's TLS certificate; both the CA
                        # secret and the expected subject name are required when set.
                        validation:
                          description: UpstreamValidation defines how to verify the
                            backend service's certificate
                          properties:
                            caSecret:
                              description: Name of the Kubernetes secret be used to
                                validate the certificate presented by the backend
                              type: string
                            subjectName:
                              description: Key which is expected to be present in
                                the 'subjectAltName' of the presented certificate
                              type: string
                          required:
                            - caSecret
                            - subjectName
                          type: object
                        weight:
                          description: Weight defines percentage of traffic to balance
                            traffic
                          format: int64
                          minimum: 0
                          type: integer
                      required:
                        - name
                        - port
                      type: object
                    minItems: 1
                    type: array
                  timeoutPolicy:
                    description: The timeout policy for this route.
                    properties:
                      idle:
                        description: Timeout after which if there are no active requests
                          for this route, the connection between Envoy and the backend
                          will be closed. If not specified, there is no per-route
                          idle timeout.
                        type: string
                      response:
                        description: Timeout for receiving a response from the server
                          after processing a request from client. If not supplied
                          the timeout duration is undefined.
                        type: string
                    type: object
                required:
                  - services
                type: object
              type: array
            tcpproxy:
              description: TCPProxy holds TCP proxy information.
              properties:
                healthCheckPolicy:
                  description: The health check policy for this tcp proxy
                  properties:
                    healthyThresholdCount:
                      description: The number of healthy health checks required before
                        a host is marked healthy
                      format: int32
                      type: integer
                    intervalSeconds:
                      description: The interval (seconds) between health checks
                      format: int64
                      type: integer
                    timeoutSeconds:
                      description: The time to wait (seconds) for a health check response
                      format: int64
                      type: integer
                    unhealthyThresholdCount:
                      description: The number of unhealthy health checks required
                        before a host is marked unhealthy
                      format: int32
                      type: integer
                  type: object
                include:
                  description: Include specifies that this tcpproxy should be delegated
                    to another HTTPProxy.
                  properties:
                    name:
                      description: Name of the child HTTPProxy
                      type: string
                    namespace:
                      description: Namespace of the HTTPProxy to include. Defaults
                        to the current namespace if not supplied.
                      type: string
                  required:
                    - name
                  type: object
                # Kept only for backwards compatibility with the singular `include`
                # above (see the description).
                includes:
                  description: "IncludesDeprecated allow for specific routing configuration
                    to be appended to another HTTPProxy in another namespace. \n Exists
                    due to a mistake when developing HTTPProxy and the field was marked
                    plural when it should have been singular. This field should stay
                    to not break backwards compatibility to v1 users."
                  properties:
                    name:
                      description: Name of the child HTTPProxy
                      type: string
                    namespace:
                      description: Namespace of the HTTPProxy to include. Defaults
                        to the current namespace if not supplied.
                      type: string
                  required:
                    - name
                  type: object
                loadBalancerPolicy:
                  description: The load balancing policy for the backend services.
                  properties:
                    strategy:
                      description: Strategy specifies the policy used to balance requests
                        across the pool of backend pods. Valid policy names are `Random`,
                        `RoundRobin`, `WeightedLeastRequest`, `Random` and `Cookie`.
                        If an unknown strategy name is specified or no policy is supplied,
                        the default `RoundRobin` policy is used.
                      type: string
                  type: object
                services:
                  description: Services are the services to proxy traffic
                  items:
                    description: Service defines an Kubernetes Service to proxy traffic.
                    properties:
                      mirror:
                        description: If Mirror is true the Service will receive a
                          read only mirror of the traffic for this route.
                        type: boolean
                      name:
                        description: Name is the name of Kubernetes service to proxy
                          traffic. Names defined here will be used to look up corresponding
                          endpoints which contain the ips to route.
                        type: string
                      port:
                        description: Port (defined as Integer) to proxy traffic to
                          since a service can have multiple defined.
                        type: integer
                      protocol:
                        description: Protocol may be used to specify (or override)
                          the protocol used to reach this Service. Values may be tls,
                          h2, h2c. If omitted, protocol-selection falls back on Service
                          annotations.
                        enum:
                          - h2
                          - h2c
                          - tls
                        type: string
                      requestHeadersPolicy:
                        description: The policy for managing request headers during
                          proxying
                        properties:
                          remove:
                            description: Remove specifies a list of HTTP header names
                              to remove
                            items:
                              type: string
                            type: array
                          set:
                            description: Set specifies a list of HTTP header values
                              that will be set in the HTTP header
                            items:
                              description: HeaderValue represents a header name/value
                                pair
                              properties:
                                name:
                                  description: Name represents a key of a header
                                  minLength: 1
                                  type: string
                                value:
                                  description: Value represents the value of a header
                                    specified by a key
                                  minLength: 1
                                  type: string
                              required:
                                - name
                                - value
                              type: object
                            type: array
                        type: object
                      responseHeadersPolicy:
                        description: The policy for managing response headers during
                          proxying
                        properties:
                          remove:
                            description: Remove specifies a list of HTTP header names
                              to remove
                            items:
                              type: string
                            type: array
                          set:
                            description: Set specifies a list of HTTP header values
                              that will be set in the HTTP header
                            items:
                              description: HeaderValue represents a header name/value
                                pair
                              properties:
                                name:
                                  description: Name represents a key of a header
                                  minLength: 1
                                  type: string
                                value:
                                  description: Value represents the value of a header
                                    specified by a key
                                  minLength: 1
                                  type: string
                              required:
                                - name
                                - value
                              type: object
                            type: array
                        type: object
                      validation:
                        description: UpstreamValidation defines how to verify the
                          backend service's certificate
                        properties:
                          caSecret:
                            description: Name of the Kubernetes secret be used to
                              validate the certificate presented by the backend
                            type: string
                          subjectName:
                            description: Key which is expected to be present in the
                              'subjectAltName' of the presented certificate
                            type: string
                        required:
                          - caSecret
                          - subjectName
                        type: object
                      weight:
                        description: Weight defines percentage of traffic to balance
                          traffic
                        format: int64
                        minimum: 0
                        type: integer
                    required:
                      - name
                      - port
                    type: object
                  minItems: 1
                  type: array
              required:
                - services
              type: object
            virtualhost:
              description: Virtualhost appears at most once. If it is present, the
                object is considered to be a "root".
              properties:
                fqdn:
                  description: The fully qualified domain name of the root of the
                    ingress tree all leaves of the DAG rooted at this object relate
                    to the fqdn
                  type: string
                tls:
                  description: If present describes tls properties. The SNI names
                    that will be matched on are described in fqdn, the tls.secretName
                    secret must contain a matching certificate
                  properties:
                    # Mutual TLS: when set, clients must present a certificate that
                    # validates against the CA bundle in `caSecret`.
                    clientValidation:
                      description: 'ClientValidation defines how to verify the client
                        certificate when an external client establishes a TLS connection
                        to Envoy. This setting: 1. Enables TLS client certificate
                        validation. 2. Requires clients to present a TLS certificate
                        (i.e. not optional validation). 3. Specifies how the client
                        certificate will be validated.'
                      properties:
                        caSecret:
                          description: Name of a Kubernetes secret that contains a
                            CA certificate bundle. The client certificate must validate
                            against the certificates in the bundle.
                          minLength: 1
                          type: string
                      required:
                        - caSecret
                      type: object
                    minimumProtocolVersion:
                      description: Minimum TLS version this vhost should negotiate
                      type: string
                    # With passthrough, Envoy does not terminate TLS for this vhost:
                    # the handshake is forwarded as-is and `secretName` is ignored, so
                    # the backend alone decides the TLS policy.
                    passthrough:
                      description: If Passthrough is set to true, the SecretName will
                        be ignored and the encrypted handshake will be passed through
                        to the backing cluster.
                      type: boolean
                    secretName:
                      description: required, the name of a secret in the current namespace
                      type: string
                  type: object
              required:
                - fqdn
              type: object
          type: object
        status:
          description: Status reports the current state of the HTTPProxy.
          properties:
            currentStatus:
              type: string
            description:
              type: string
          type: object
      required:
        - metadata
        - spec
      type: object
  version: v1
  versions:
    - name: v1
      served: true
      storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
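# Generated by controller-gen (see the annotation below). Wording fixes made here
# must also be applied to the Go type doc comments or they are lost on regeneration.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.2.4
  creationTimestamp: null
  name: tlscertificatedelegations.projectcontour.io
  labels:
    networking.knative.dev/ingress-provider: contour
spec:
  group: projectcontour.io
  names:
    kind: TLSCertificateDelegation
    listKind: TLSCertificateDelegationList
    plural: tlscertificatedelegations
    shortNames:
    - tlscerts
    singular: tlscertificatedelegation
  scope: Namespaced
  validation:
    openAPIV3Schema:
      description: TLSCertificateDelegation is a TLS Certificate Delegation CRD specification.
        See design/tls-certificate-delegation.md for details.
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: TLSCertificateDelegationSpec defines the spec of the CRD
          properties:
            delegations:
              items:
                description: CertificateDelegation maps the authority to reference
                  a secret in the current namespace to a set of namespaces.
                properties:
                  secretName:
                    description: required, the name of a secret in the current namespace.
                    type: string
                  # A "*" entry delegates the secret to every namespace in the cluster;
                  # prefer an explicit namespace list so the blast radius of the
                  # delegated key material stays bounded.
                  targetNamespaces:
                    description: required, the namespaces the authority to reference
                      the secret will be delegated to. If TargetNamespaces is
                      nil or empty, the CertificateDelegation is ignored. If the
                      TargetNamespace list contains the character, "*" the secret
                      will be delegated to all namespaces.
                    items:
                      type: string
                    type: array
                required:
                - secretName
                - targetNamespaces
                type: object
              type: array
          required:
          - delegations
          type: object
      required:
      - metadata
      - spec
      type: object
  version: v1
  versions:
  - name: v1
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []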
---
# Identity for the contour-certgen Job below; the RoleBinding named "contour"
# grants it the contour-certgen Role on secrets in this namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    networking.knative.dev/ingress-provider: contour
  name: contour-certgen
  namespace: contour-external
---
# Binds the contour-certgen ServiceAccount to the contour-certgen Role.
# NOTE(review): the binding is named "contour" although it is only for certgen;
# renaming would change the object identity (apply would create a second binding
# and orphan this one), so the name is left as is.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  labels:
    networking.knative.dev/ingress-provider: contour
  name: contour
  namespace: contour-external
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: contour-certgen
subjects:
- kind: ServiceAccount
  name: contour-certgen
  namespace: contour-external
---
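# Namespace-scoped permissions for the contour-certgen Job, which writes
# TLS secrets into this namespace.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: contour-certgen
  namespace: contour-external
  labels:
    networking.knative.dev/ingress-provider: contour
rules:
# Only Kubernetes RBAC verbs (get/list/watch/create/update/patch/delete) are
# evaluated by the authorizer; HTTP method names such as put/post never match
# and have been dropped, which does not change the effective grant.
# NOTE(review): `update` is not granted. If certgen must replace an existing
# secret through an update (rather than a patch), add it explicitly — confirm
# against certgen's write path.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - list
  - watch
  - create
  - get
  - patch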
---
# One-shot Job that runs `contour certgen` against the API server (--kube) in
# $(CONTOUR_NAMESPACE). Presumably this is what produces the contourcert, envoycert
# and cacert secrets mounted by the contour Deployment and envoy DaemonSet below —
# confirm against the certgen documentation.
apiVersion: batch/v1
kind: Job
metadata:
  name: contour-certgen
  namespace: contour-external
  labels:
    networking.knative.dev/ingress-provider: contour
spec:
  # Delete the finished Job right away (where the TTL-after-finished controller is
  # enabled) so that a later apply with a different image does not collide with an
  # immutable, already-existing Job spec.
  ttlSecondsAfterFinished: 0
  template:
    metadata:
      labels:
        app: "contour-certgen"
    spec:
      containers:
      - name: contour
        # Job specs are immutable; the upstream example used a floating tag here
        # so the manifest could be re-applied across versions (see #2423, #2395,
        # #2150, and #2030 for earlier questions about this). This build pins the
        # image by digest instead, so re-applying with a new digest requires the
        # previous Job to be gone first (see ttlSecondsAfterFinished above).
        image: gcr.io/knative-releases/github.com/projectcontour/contour/cmd/contour@sha256:07066f8733b8edb85c51ca81ecd0aa9b753d8f3257e858894a4f8d746b5bcb68
        imagePullPolicy: Always
        command:
        - contour
        - certgen
        - --incluster
        - --kube
        - --namespace=$(CONTOUR_NAMESPACE)
        env:
        - name: CONTOUR_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
      restartPolicy: Never
      serviceAccountName: contour-certgen
      # Runs as the unprivileged "nobody" uid/gid, matching the contour Deployment.
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
        runAsGroup: 65534
  parallelism: 1
  completions: 1
  backoffLimit: 1
---
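# Cluster-wide read access for the contour controller. It is bound to the
# "contour" ServiceAccount in both the contour-external and contour-internal
# namespaces by the ClusterRoleBindings in this file.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: contour
  labels:
    networking.knative.dev/ingress-provider: contour
rules:
# Only Kubernetes RBAC verbs (get/list/watch/create/update/patch/delete) are
# evaluated by the authorizer; HTTP method names such as put/post never match
# and have been dropped from the rules below, which does not change the
# effective grant.
#
# NOTE(review): list/watch on every Secret in the cluster is a broad grant. It
# appears to be what lets Contour serve the TLS secrets that HTTPProxy/Ingress
# objects reference by name; if ingress sources are confined to a few
# namespaces, namespace-scoped Roles would narrow this — confirm before changing.
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - pods
  - secrets
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
# Writing back status requires update/patch on the status subresource.
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - get
  - list
  - watch
  - patch
  - update
- apiGroups:
  - contour.heptio.com
  resources:
  - ingressroutes
  - tlscertificatedelegations
  verbs:
  - get
  - list
  - watch
  - patch
- apiGroups:
  - projectcontour.io
  resources:
  - httpproxies
  - tlscertificatedelegations
  verbs:
  - get
  - list
  - watch
  - patch
- apiGroups:
  - networking.x.k8s.io
  resources:
  - gatewayclasses
  - gateways
  - httproutes
  - tcproutes
  verbs:
  - get
  - list
  - watch
  - patch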
---
# Namespace-scoped permissions for leader election: the lock is a ConfigMap in
# this namespace (see leaderelection.configmap-name in the contour ConfigMap)
# and leadership changes are recorded as Events.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  labels:
    networking.knative.dev/ingress-provider: contour
  name: contour-leaderelection
  namespace: contour-external
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - get
  - list
  - watch
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - update
  - patch
---
# Grants the contour ServiceAccount the leader-election Role in this namespace.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  labels:
    networking.knative.dev/ingress-provider: contour
  name: contour-leaderelection
  namespace: contour-external
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: contour-leaderelection
subjects:
- kind: ServiceAccount
  name: contour
  namespace: contour-external
---
# Cluster-internal xDS endpoint that the envoy bootstrap (--xds-address=contour,
# --xds-port=8001) points at. Not exposed outside the cluster.
apiVersion: v1
kind: Service
metadata:
  labels:
    networking.knative.dev/ingress-provider: contour
  name: contour
  namespace: contour-external
spec:
  type: ClusterIP
  selector:
    app: contour
  ports:
  - name: xds
    port: 8001
    targetPort: 8001
    protocol: TCP
---
# Public entry point: a LoadBalancer in front of the envoy DaemonSet on 80/443.
apiVersion: v1
kind: Service
metadata:
  labels:
    networking.knative.dev/ingress-provider: contour
  name: envoy
  namespace: contour-external
  annotations:
    # This annotation puts the AWS ELB into "TCP" mode so that it does not
    # do HTTP negotiation for HTTPS connections at the ELB edge.
    # The downside of this is the remote IP address of all connections will
    # appear to be the internal address of the ELB. See docs/proxy-proto.md
    # for information about enabling the PROXY protocol on the ELB to recover
    # the original remote IP address.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
spec:
  type: LoadBalancer
  # Local keeps the client source address visible to Envoy instead of SNATing
  # through a second node; only nodes with a ready envoy pod receive traffic.
  externalTrafficPolicy: Local
  selector:
    app: envoy
  ports:
  - name: http
    port: 80
    protocol: TCP
  - name: https
    port: 443
    protocol: TCP
---
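# The contour control plane: watches the API server (ClusterRole "contour") and
# serves xDS to Envoy on 8001.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: contour
    networking.knative.dev/ingress-provider: contour
  name: contour
  namespace: contour-external
spec:
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # This value of maxSurge means that during a rolling update
      # the new ReplicaSet will be created first.
      maxSurge: 50%
  selector:
    matchLabels:
      app: contour
  template:
    metadata:
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8000"
      labels:
        app: contour
    spec:
      # Spread the two replicas across nodes where possible.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app: contour
              topologyKey: kubernetes.io/hostname
            weight: 100
      containers:
      - args:
        - serve
        - --ingress-class-name=contour-external
        - --incluster
        - --xds-address=0.0.0.0
        - --xds-port=8001
        - --envoy-service-http-port=80
        - --envoy-service-https-port=443
        # CA plus server cert/key for the xDS listener; the envoy bootstrap is
        # given the matching --envoy-cafile/--envoy-cert-file/--envoy-key-file,
        # so the Contour<->Envoy channel is TLS with client certificates
        # (confirm the exact verification mode in the Contour docs).
        - --contour-cafile=/ca/cacert.pem
        - --contour-cert-file=/certs/tls.crt
        - --contour-key-file=/certs/tls.key
        - --config-path=/config/contour.yaml
        command: ["contour"]
        image: gcr.io/knative-releases/github.com/projectcontour/contour/cmd/contour@sha256:07066f8733b8edb85c51ca81ecd0aa9b753d8f3257e858894a4f8d746b5bcb68
        imagePullPolicy: Always
        name: contour
        ports:
        - containerPort: 8001
          name: xds
          protocol: TCP
        - containerPort: 8000
          name: debug
          protocol: TCP
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8000
        readinessProbe:
          tcpSocket:
            port: 8001
          initialDelaySeconds: 15
          periodSeconds: 10
        volumeMounts:
        - name: contourcert
          mountPath: /certs
          readOnly: true
        - name: cacert
          mountPath: /ca
          readOnly: true
        - name: contour-config
          mountPath: /config
          readOnly: true
        env:
        - name: CONTOUR_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
      dnsPolicy: ClusterFirst
      serviceAccountName: contour
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
        runAsGroup: 65534
      volumes:
      - name: contourcert
        secret:
          secretName: contourcert
      - name: cacert
        secret:
          secretName: cacert
      - name: contour-config
        configMap:
          name: contour
          # 0644 written in decimal: a YAML 1.1 parser reads the unquoted octal
          # literal 0644 as 420, but a YAML 1.2 parser reads it as decimal 644,
          # which the API server rejects. The decimal form is unambiguous.
          defaultMode: 420
          items:
          - key: contour.yaml
            path: contour.yaml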
---
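# The Envoy data plane, one pod per node. An init container renders the bootstrap
# config into an emptyDir; the envoy container serves 80/443; shutdown-manager
# drives graceful drain via /shutdown on 8090.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app: envoy
    networking.knative.dev/ingress-provider: contour
  name: envoy
  namespace: contour-external
spec:
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 10%
  selector:
    matchLabels:
      app: envoy
  template:
    metadata:
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8002"
        prometheus.io/path: "/stats/prometheus"
      labels:
        app: envoy
    spec:
      # NOTE(review): the contour Deployment runs with runAsNonRoot/runAsUser 65534;
      # nothing equivalent is set here. Binding 80/443 as non-root needs
      # CAP_NET_BIND_SERVICE, so confirm the envoy image supports an unprivileged
      # user before adding a pod securityContext.
      containers:
      - command:
        - contour
        args:
        - envoy
        - shutdown-manager
        image: gcr.io/knative-releases/github.com/projectcontour/contour/cmd/contour@sha256:07066f8733b8edb85c51ca81ecd0aa9b753d8f3257e858894a4f8d746b5bcb68
        imagePullPolicy: Always
        lifecycle:
          preStop:
            httpGet:
              path: /shutdown
              port: 8090
              scheme: HTTP
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8090
          initialDelaySeconds: 3
          periodSeconds: 10
        name: shutdown-manager
      - args:
        - -c
        - /config/envoy.json
        - --service-cluster $(CONTOUR_NAMESPACE)
        - --service-node $(ENVOY_POD_NAME)
        - --log-level info
        command:
        - envoy
        # NOTE(review): unlike the contour images in this file, this image is pinned
        # by a mutable tag rather than a digest; a digest pin would make the pull
        # reproducible and tamper-evident.
        image: docker.io/envoyproxy/envoy:v1.14.1
        imagePullPolicy: IfNotPresent
        name: envoy
        env:
        - name: CONTOUR_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: ENVOY_POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        ports:
        - containerPort: 80
          # hostPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          # hostPort: 443
          name: https
          protocol: TCP
        readinessProbe:
          httpGet:
            path: /ready
            port: 8002
          initialDelaySeconds: 3
          periodSeconds: 4
        volumeMounts:
        # /config is written by the init container, so it stays writable here.
        - name: envoy-config
          mountPath: /config
        # Key material is only read by Envoy; mount it read-only, matching the
        # init container below and the contour Deployment.
        - name: envoycert
          mountPath: /certs
          readOnly: true
        - name: cacert
          mountPath: /ca
          readOnly: true
        # Drain through shutdown-manager (port 8090) before Envoy is stopped.
        lifecycle:
          preStop:
            httpGet:
              path: /shutdown
              port: 8090
              scheme: HTTP
      initContainers:
      - args:
        - bootstrap
        - /config/envoy.json
        - --xds-address=contour
        - --xds-port=8001
        - --envoy-cafile=/ca/cacert.pem
        - --envoy-cert-file=/certs/tls.crt
        - --envoy-key-file=/certs/tls.key
        command:
        - contour
        image: gcr.io/knative-releases/github.com/projectcontour/contour/cmd/contour@sha256:07066f8733b8edb85c51ca81ecd0aa9b753d8f3257e858894a4f8d746b5bcb68
        imagePullPolicy: Always
        name: envoy-initconfig
        volumeMounts:
        - name: envoy-config
          mountPath: /config
        - name: envoycert
          mountPath: /certs
          readOnly: true
        - name: cacert
          mountPath: /ca
          readOnly: true
        env:
        - name: CONTOUR_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
      serviceAccountName: envoy
      # Long grace period so in-flight connections can drain after /shutdown.
      terminationGracePeriodSeconds: 300
      volumes:
      - name: envoy-config
        emptyDir: {}
      - name: envoycert
        secret:
          secretName: envoycert
      - name: cacert
        secret:
          secretName: cacert
      restartPolicy: Always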
---
# Second instance of the stack (contour-internal namespace) reusing the same
# cluster-wide "contour" ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  labels:
    networking.knative.dev/ingress-provider: contour
  name: contour-internal
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: contour
subjects:
- kind: ServiceAccount
  name: contour
  namespace: contour-internal
---
apiVersion: v1
kind: Namespace
metadata:
  labels:
    networking.knative.dev/ingress-provider: contour
  name: contour-internal
---
# Identity of the contour controller in contour-internal; bound to the "contour"
# ClusterRole by the contour-internal ClusterRoleBinding above.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    networking.knative.dev/ingress-provider: contour
  name: contour
  namespace: contour-internal
---
# Identity of the envoy data-plane pods in contour-internal.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    networking.knative.dev/ingress-provider: contour
  name: envoy
  namespace: contour-internal
---
# Contour configuration file for the contour-internal instance; presumably
# mounted at /config/contour.yaml (--config-path) like the contour-external
# Deployment does — confirm against the contour-internal Deployment.
# NOTE(review): tls.minimum-protocol-version is left commented out, so the
# minimum TLS version is whatever Contour defaults to; set it explicitly if
# legacy TLS versions must be refused. disablePermitInsecure: false keeps the
# per-route permitInsecure escape hatch available to IngressRoute authors.
apiVersion: v1
kind: ConfigMap
metadata:
  name: contour
  namespace: contour-internal
  labels:
    networking.knative.dev/ingress-provider: contour
data:
  contour.yaml: |
    leaderelection:
      configmap-name: contour
      configmap-namespace: contour-internal
    # should contour expect to be running inside a k8s cluster
    # incluster: true
    #
    # path to kubeconfig (if not running inside a k8s cluster)
    # kubeconfig: /path/to/.kube/config
    #
    # Client request timeout to be passed to Envoy
    # as the connection manager request_timeout.
    # Defaults to 0, which Envoy interprets as disabled.
    # Note that this is the timeout for the whole request,
    # not an idle timeout.
    # request-timeout: 0s
    # disable ingressroute permitInsecure field
    disablePermitInsecure: false
    tls:
      # minimum TLS version that Contour will negotiate
      # minimum-protocol-version: "1.1"
    # The following config shows the defaults for the leader election.
    # leaderelection:
    # configmap-name: leader-elect
    # configmap-namespace: contour-internal
    ### Logging options
    # Default setting
    accesslog-format: envoy
    # To enable JSON logging in Envoy
    # accesslog-format: json
    # The default fields that will be logged are specified below.
    # To customise this list, just add or remove entries.
    # The canonical list is available at
    # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields
    # json-fields:
    # - "@timestamp"
    # - "authority"
    # - "bytes_received"
    # - "bytes_sent"
    # - "downstream_local_address"
    # - "downstream_remote_address"
    # - "duration"
    # - "method"
    # - "path"
    # - "protocol"
    # - "request_id"
    # - "requested_server_name"
    # - "response_code"
    # - "response_flags"
    # - "uber_trace_id"
    # - "upstream_cluster"
    # - "upstream_host"
    # - "upstream_local_address"
    # - "upstream_service_time"
    # - "user_agent"
    # - "x_forwarded_for"
---
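# Generated by controller-gen (see the annotation below). Wording fixes made here
# must also be applied to the Go type doc comments or they are lost on regeneration.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.2.4
  creationTimestamp: null
  name: ingressroutes.contour.heptio.com
  labels:
    networking.knative.dev/ingress-provider: contour
spec:
  additionalPrinterColumns:
  - JSONPath: .spec.virtualhost.fqdn
    description: Fully qualified domain name
    name: FQDN
    type: string
  - JSONPath: .spec.virtualhost.tls.secretName
    description: Secret with TLS credentials
    name: TLS Secret
    type: string
  - JSONPath: .spec.routes[0].match
    description: First routes defined
    name: First route
    type: string
  - JSONPath: .status.currentStatus
    description: The current status of the IngressRoute
    name: Status
    type: string
  - JSONPath: .status.description
    description: Description of the current status
    name: Status Description
    type: string
  group: contour.heptio.com
  names:
    kind: IngressRoute
    listKind: IngressRouteList
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced
  subresources: {}
  validation:
    openAPIV3Schema:
      description: IngressRoute is an Ingress CRD specification
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: IngressRouteSpec defines the spec of the CRD
          properties:
            routes:
              description: Routes are the ingress routes. If TCPProxy is present,
                Routes is ignored.
              items:
                description: Route contains the set of routes for a virtual host
                properties:
                  delegate:
                    description: Delegate specifies that this route should be delegated
                      to another IngressRoute
                    properties:
                      name:
                        description: Name of the IngressRoute
                        type: string
                      namespace:
                        description: Namespace of the IngressRoute. Defaults to the
                          current namespace if not supplied.
                        type: string
                    required:
                    - name
                    type: object
                  enableWebsockets:
                    description: Enables websocket support for the route
                    type: boolean
                  match:
                    description: Match defines the prefix match
                    type: string
                  # Per-route downgrade to plain HTTP on a TLS vhost. The contour
                  # ConfigMap's disablePermitInsecure setting turns this field off
                  # for the whole cluster.
                  permitInsecure:
                    description: Allow this path to respond to insecure requests over
                      HTTP which are normally not permitted when a `virtualhost.tls`
                      block is present.
                    type: boolean
                  prefixRewrite:
                    description: Indicates that during forwarding, the matched prefix
                      (or path) should be swapped with this value
                    type: string
                  retryPolicy:
                    description: The retry policy for this route
                    properties:
                      count:
                        description: NumRetries is maximum allowed number of retries.
                          If not supplied, the number of retries is one.
                        format: int64
                        minimum: 0
                        type: integer
                      perTryTimeout:
                        description: PerTryTimeout specifies the timeout per retry
                          attempt. Ignored if NumRetries is not supplied.
                        type: string
                    type: object
                  services:
                    description: Services are the services to proxy traffic
                    items:
                      description: Service defines an upstream to proxy traffic to
                      properties:
                        healthCheck:
                          description: HealthCheck defines optional healthchecks on
                            the upstream service
                          properties:
                            healthyThresholdCount:
                              description: The number of healthy health checks required
                                before a host is marked healthy
                              format: int64
                              minimum: 0
                              type: integer
                            host:
                              description: The value of the host header in the HTTP
                                health check request. If left empty (default value),
                                the name "contour-envoy-healthcheck" will be used.
                              type: string
                            intervalSeconds:
                              description: The interval (seconds) between health checks
                              format: int64
                              type: integer
                            path:
                              description: HTTP endpoint used to perform health checks
                                on upstream service
                              type: string
                            timeoutSeconds:
                              description: The time to wait (seconds) for a health
                                check response
                              format: int64
                              type: integer
                            unhealthyThresholdCount:
                              description: The number of unhealthy health checks required
                                before a host is marked unhealthy
                              format: int64
                              minimum: 0
                              type: integer
                          required:
                          - path
                          type: object
                        name:
                          description: Name is the name of Kubernetes service to proxy
                            traffic. Names defined here will be used to look up corresponding
                            endpoints which contain the ips to route.
                          type: string
                        port:
                          description: Port (defined as Integer) to proxy traffic
                            to since a service can have multiple defined
                          type: integer
                        strategy:
                          description: LB Algorithm to apply (see https://github.com/projectcontour/contour/blob/master/design/ingressroute-design.md#load-balancing)
                          type: string
                        validation:
                          description: UpstreamValidation defines how to verify the
                            backend service's certificate
                          properties:
                            caSecret:
                              description: Name of the Kubernetes secret to be used to
                                validate the certificate presented by the backend
                              type: string
                            subjectName:
                              description: Key which is expected to be present in
                                the 'subjectAltName' of the presented certificate
                              type: string
                          required:
                          - caSecret
                          - subjectName
                          type: object
                        weight:
                          description: Weight defines percentage of traffic to balance
                            traffic
                          format: int64
                          minimum: 0
                          type: integer
                      required:
                      - name
                      - port
                      type: object
                    type: array
                  timeoutPolicy:
                    description: The timeout policy for this route
                    properties:
                      request:
                        description: Timeout for receiving a response from the server
                          after processing a request from client. If not supplied
                          the timeout duration is undefined.
                        type: string
                    type: object
                required:
                - match
                type: object
              type: array
            tcpproxy:
              description: TCPProxy holds TCP proxy information.
              properties:
                delegate:
                  description: Delegate specifies that this tcpproxy should be delegated
                    to another IngressRoute
                  properties:
                    name:
                      description: Name of the IngressRoute
                      type: string
                    namespace:
                      description: Namespace of the IngressRoute. Defaults to the
                        current namespace if not supplied.
                      type: string
                  required:
                  - name
                  type: object
                services:
                  description: Services are the services to proxy traffic
                  items:
                    description: Service defines an upstream to proxy traffic to
                    properties:
                      healthCheck:
                        description: HealthCheck defines optional healthchecks on
                          the upstream service
                        properties:
                          healthyThresholdCount:
                            description: The number of healthy health checks required
                              before a host is marked healthy
                            format: int64
                            minimum: 0
                            type: integer
                          host:
                            description: The value of the host header in the HTTP
                              health check request. If left empty (default value),
                              the name "contour-envoy-healthcheck" will be used.
                            type: string
                          intervalSeconds:
                            description: The interval (seconds) between health checks
                            format: int64
                            type: integer
                          path:
                            description: HTTP endpoint used to perform health checks
                              on upstream service
                            type: string
                          timeoutSeconds:
                            description: The time to wait (seconds) for a health check
                              response
                            format: int64
                            type: integer
                          unhealthyThresholdCount:
                            description: The number of unhealthy health checks required
                              before a host is marked unhealthy
                            format: int64
                            minimum: 0
                            type: integer
                        required:
                        - path
                        type: object
                      name:
                        description: Name is the name of Kubernetes service to proxy
                          traffic. Names defined here will be used to look up corresponding
                          endpoints which contain the ips to route.
                        type: string
                      port:
                        description: Port (defined as Integer) to proxy traffic to
                          since a service can have multiple defined
                        type: integer
                      strategy:
                        description: LB Algorithm to apply (see https://github.com/projectcontour/contour/blob/master/design/ingressroute-design.md#load-balancing)
                        type: string
                      validation:
                        description: UpstreamValidation defines how to verify the
                          backend service's certificate
                        properties:
                          caSecret:
                            description: Name of the Kubernetes secret to be used to
                              validate the certificate presented by the backend
                            type: string
                          subjectName:
                            description: Key which is expected to be present in the
                              'subjectAltName' of the presented certificate
                            type: string
                        required:
                        - caSecret
                        - subjectName
                        type: object
                      weight:
                        description: Weight defines percentage of traffic to balance
                          traffic
                        format: int64
                        minimum: 0
                        type: integer
                    required:
                    - name
                    - port
                    type: object
                  type: array
              type: object
            virtualhost:
              description: Virtualhost appears at most once. If it is present, the
                object is considered to be a "root".
              properties:
                fqdn:
                  description: The fully qualified domain name of the root of the
                    ingress tree all leaves of the DAG rooted at this object relate
                    to the fqdn
                  type: string
                tls:
                  description: If present describes tls properties. The SNI names
                    that will be matched on are described in fqdn, the tls.secretName
                    secret must contain a matching certificate
                  properties:
                    clientValidation:
                      description: 'ClientValidation defines how to verify the client
                        certificate when an external client establishes a TLS connection
                        to Envoy. This setting: 1. Enables TLS client certificate
                        validation. 2. Requires clients to present a TLS certificate
                        (i.e. not optional validation). 3. Specifies how the client
                        certificate will be validated.'
                      properties:
                        caSecret:
                          description: Name of a Kubernetes secret that contains a
                            CA certificate bundle. The client certificate must validate
                            against the certificates in the bundle.
                          minLength: 1
                          type: string
                      required:
                      - caSecret
                      type: object
                    minimumProtocolVersion:
                      description: Minimum TLS version this vhost should negotiate
                      type: string
                    passthrough:
                      description: If Passthrough is set to true, the SecretName will
                        be ignored and the encrypted handshake will be passed through
                        to the backing cluster.
                      type: boolean
                    secretName:
                      description: required, the name of a secret in the current namespace
                      type: string
                  type: object
              required:
              - fqdn
              type: object
          type: object
        status:
          description: Status reports the current state of the IngressRoute.
          properties:
            currentStatus:
              type: string
            description:
              type: string
          type: object
      required:
      - metadata
      - spec
      type: object
  version: v1beta1
  versions:
  - name: v1beta1
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []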
---
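# Generated by controller-gen (see the annotation below). Wording fixes made here
# must also be applied to the Go type doc comments or they are lost on regeneration.
# Legacy (contour.heptio.com) twin of tlscertificatedelegations.projectcontour.io.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.2.4
  creationTimestamp: null
  name: tlscertificatedelegations.contour.heptio.com
  labels:
    networking.knative.dev/ingress-provider: contour
spec:
  group: contour.heptio.com
  names:
    kind: TLSCertificateDelegation
    listKind: TLSCertificateDelegationList
    plural: tlscertificatedelegations
    singular: tlscertificatedelegation
  scope: Namespaced
  validation:
    openAPIV3Schema:
      description: TLSCertificateDelegation is a TLS Certificate Delegation CRD specification.
        See design/tls-certificate-delegation.md for details.
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: TLSCertificateDelegationSpec defines the spec of the CRD
          properties:
            delegations:
              items:
                description: CertificateDelegation maps the authority to reference
                  a secret in the current namespace to a set of namespaces.
                properties:
                  secretName:
                    description: required, the name of a secret in the current namespace.
                    type: string
                  # A "*" entry delegates the secret to every namespace in the cluster;
                  # prefer an explicit namespace list so the blast radius of the
                  # delegated key material stays bounded.
                  targetNamespaces:
                    description: required, the namespaces the authority to reference
                      the secret will be delegated to. If TargetNamespaces is
                      nil or empty, the CertificateDelegation is ignored. If the
                      TargetNamespace list contains the character, "*" the secret
                      will be delegated to all namespaces.
                    items:
                      type: string
                    type: array
                required:
                - secretName
                - targetNamespaces
                type: object
              type: array
          required:
          - delegations
          type: object
      required:
      - metadata
      - spec
      type: object
  version: v1beta1
  versions:
  - name: v1beta1
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []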
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.4
creationTimestamp: null
name: httpproxies.projectcontour.io
labels:
networking.knative.dev/ingress-provider: contour
spec:
additionalPrinterColumns:
- JSONPath: .spec.virtualhost.fqdn
description: Fully qualified domain name
name: FQDN
type: string
- JSONPath: .spec.virtualhost.tls.secretName
description: Secret with TLS credentials
name: TLS Secret
type: string
- JSONPath: .status.currentStatus
description: The current status of the HTTPProxy
name: Status
type: string
- JSONPath: .status.description
description: Description of the current status
name: Status Description
type: string
group: projectcontour.io
names:
kind: HTTPProxy
listKind: HTTPProxyList
plural: httpproxies
shortNames:
- proxy
- proxies
singular: httpproxy
scope: Namespaced
subresources: {}
validation:
openAPIV3Schema:
description: HTTPProxy is an Ingress CRD specification
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: HTTPProxySpec defines the spec of the CRD.
properties:
includes:
description: Includes allow for specific routing configuration to be
appended to another HTTPProxy in another namespace.
items:
description: Include describes a set of policies that can be applied
to an HTTPProxy in a namespace.
properties:
conditions:
description: Conditions are a set of routing properties that is
applied to an HTTPProxy in a namespace.
items:
description: Condition are policies that are applied on top
of HTTPProxies. One of Prefix or Header must be provided.
properties:
header:
description: Header specifies the header condition to match.
properties:
contains:
description: Contains specifies a substring that must
be present in the header value.
type: string
exact:
description: Exact specifies a string that the header
value must be equal to.
type: string
name:
description: Name is the name of the header to match
against. Name is required. Header names are case insensitive.
type: string
notcontains:
description: NotContains specifies a substring that
must not be present in the header value.
type: string
notexact:
description: NotExact specifies a string that the header
value must not be equal to. The condition is true
if the header has any other value.
type: string
present:
description: Present specifies that condition is true
when the named header is present, regardless of its
value. Note that setting Present to false does not
make the condition true if the named header is absent.
type: boolean
required:
- name
type: object
prefix:
description: Prefix defines a prefix match for a request.
type: string
type: object
type: array
name:
description: Name of the HTTPProxy
type: string
namespace:
description: Namespace of the HTTPProxy to include. Defaults to
the current namespace if not supplied.
type: string
required:
- name
type: object
type: array
routes:
description: Routes are the ingress routes. If TCPProxy is present,
Routes is ignored.
items:
description: Route contains the set of routes for a virtual host.
properties:
conditions:
description: Conditions are a set of routing properties that is
applied to an HTTPProxy in a namespace.
items:
description: Condition are policies that are applied on top
of HTTPProxies. One of Prefix or Header must be provided.
properties:
header:
description: Header specifies the header condition to match.
properties:
contains:
description: Contains specifies a substring that must
be present in the header value.
type: string
exact:
description: Exact specifies a string that the header
value must be equal to.
type: string
name:
description: Name is the name of the header to match
against. Name is required. Header names are case insensitive.
type: string
notcontains:
description: NotContains specifies a substring that
must not be present in the header value.
type: string
notexact:
                              description: NotExact specifies a string that the header
                                value must not be equal to. The condition is true
                                if the header has any other value.
type: string
present:
description: Present specifies that condition is true
when the named header is present, regardless of its
value. Note that setting Present to false does not
make the condition true if the named header is absent.
type: boolean
required:
- name
type: object
prefix:
description: Prefix defines a prefix match for a request.
type: string
type: object
type: array
enableWebsockets:
description: Enables websocket support for the route.
type: boolean
healthCheckPolicy:
description: The health check policy for this route.
properties:
healthyThresholdCount:
description: The number of healthy health checks required
before a host is marked healthy
format: int64
minimum: 0
type: integer
host:
description: The value of the host header in the HTTP health
check request. If left empty (default value), the name "contour-envoy-healthcheck"
will be used.
type: string
intervalSeconds:
description: The interval (seconds) between health checks
format: int64
type: integer
path:
description: HTTP endpoint used to perform health checks on
upstream service
type: string
timeoutSeconds:
description: The time to wait (seconds) for a health check
response
format: int64
type: integer
unhealthyThresholdCount:
description: The number of unhealthy health checks required
before a host is marked unhealthy
format: int64
minimum: 0
type: integer
required:
- path
type: object
loadBalancerPolicy:
description: The load balancing policy for this route.
properties:
strategy:
                        description: Strategy specifies the policy used to balance
                          requests across the pool of backend pods. Valid policy names
                          are `Random`, `RoundRobin`, `WeightedLeastRequest` and `Cookie`.
                          If an unknown strategy name is specified or no policy is
                          supplied, the default `RoundRobin` policy is used.
type: string
type: object
pathRewritePolicy:
description: The policy for rewriting the path of the request
URL after the request has been routed to a Service.
properties:
replacePrefix:
description: ReplacePrefix describes how the path prefix should
be replaced.
items:
description: ReplacePrefix describes a path prefix replacement.
properties:
prefix:
description: "Prefix specifies the URL path prefix to
be replaced. \n If Prefix is specified, it must exactly
match the Condition prefix that is rendered by the
chain of including HTTPProxies and only that path
prefix will be replaced by Replacement. This allows
HTTPProxies that are included through multiple roots
to only replace specific path prefixes, leaving others
unmodified. \n If Prefix is not specified, all routing
prefixes rendered by the include chain will be replaced."
minLength: 1
type: string
replacement:
description: Replacement is the string that the routing
path prefix will be replaced with. This must not be
empty.
minLength: 1
type: string
required:
- replacement
type: object
type: array
type: object
permitInsecure:
description: Allow this path to respond to insecure requests over
HTTP which are normally not permitted when a `virtualhost.tls`
block is present.
type: boolean
requestHeadersPolicy:
description: The policy for managing request headers during proxying
properties:
remove:
description: Remove specifies a list of HTTP header names
to remove
items:
type: string
type: array
set:
description: Set specifies a list of HTTP header values that
will be set in the HTTP header
items:
description: HeaderValue represents a header name/value
pair
properties:
name:
description: Name represents a key of a header
minLength: 1
type: string
value:
description: Value represents the value of a header
specified by a key
minLength: 1
type: string
required:
- name
- value
type: object
type: array
type: object
responseHeadersPolicy:
description: The policy for managing response headers during proxying
properties:
remove:
description: Remove specifies a list of HTTP header names
to remove
items:
type: string
type: array
set:
description: Set specifies a list of HTTP header values that
will be set in the HTTP header
items:
description: HeaderValue represents a header name/value
pair
properties:
name:
description: Name represents a key of a header
minLength: 1
type: string
value:
description: Value represents the value of a header
specified by a key
minLength: 1
type: string
required:
- name
- value
type: object
type: array
type: object
retryPolicy:
description: The retry policy for this route.
properties:
count:
description: NumRetries is maximum allowed number of retries.
If not supplied, the number of retries is one.
format: int64
minimum: 0
type: integer
perTryTimeout:
description: PerTryTimeout specifies the timeout per retry
attempt. Ignored if NumRetries is not supplied.
type: string
type: object
services:
description: Services are the services to proxy traffic.
items:
                      description: Service defines a Kubernetes Service to proxy
                        traffic.
properties:
mirror:
description: If Mirror is true the Service will receive
a read only mirror of the traffic for this route.
type: boolean
name:
description: Name is the name of Kubernetes service to proxy
traffic. Names defined here will be used to look up corresponding
endpoints which contain the ips to route.
type: string
port:
description: Port (defined as Integer) to proxy traffic
to since a service can have multiple defined.
type: integer
protocol:
description: Protocol may be used to specify (or override)
the protocol used to reach this Service. Values may be
tls, h2, h2c. If omitted, protocol-selection falls back
on Service annotations.
enum:
- h2
- h2c
- tls
type: string
requestHeadersPolicy:
description: The policy for managing request headers during
proxying
properties:
remove:
description: Remove specifies a list of HTTP header
names to remove
items:
type: string
type: array
set:
description: Set specifies a list of HTTP header values
that will be set in the HTTP header
items:
description: HeaderValue represents a header name/value
pair
properties:
name:
description: Name represents a key of a header
minLength: 1
type: string
value:
description: Value represents the value of a header
specified by a key
minLength: 1
type: string
required:
- name
- value
type: object
type: array
type: object
responseHeadersPolicy:
description: The policy for managing response headers during
proxying
properties:
remove:
description: Remove specifies a list of HTTP header
names to remove
items:
type: string
type: array
set:
description: Set specifies a list of HTTP header values
that will be set in the HTTP header
items:
description: HeaderValue represents a header name/value
pair
properties:
name:
description: Name represents a key of a header
minLength: 1
type: string
value:
description: Value represents the value of a header
specified by a key
minLength: 1
type: string
required:
- name
- value
type: object
type: array
type: object
validation:
description: UpstreamValidation defines how to verify the
backend service's certificate
properties:
caSecret:
                              description: Name of the Kubernetes secret to be used to
                                validate the certificate presented by the backend
type: string
subjectName:
description: Key which is expected to be present in
the 'subjectAltName' of the presented certificate
type: string
required:
- caSecret
- subjectName
type: object
weight:
description: Weight defines percentage of traffic to balance
traffic
format: int64
minimum: 0
type: integer
required:
- name
- port
type: object
minItems: 1
type: array
timeoutPolicy:
description: The timeout policy for this route.
properties:
idle:
description: Timeout after which if there are no active requests
for this route, the connection between Envoy and the backend
will be closed. If not specified, there is no per-route
idle timeout.
type: string
response:
description: Timeout for receiving a response from the server
after processing a request from client. If not supplied
the timeout duration is undefined.
type: string
type: object
required:
- services
type: object
type: array
tcpproxy:
description: TCPProxy holds TCP proxy information.
properties:
healthCheckPolicy:
description: The health check policy for this tcp proxy
properties:
healthyThresholdCount:
description: The number of healthy health checks required before
a host is marked healthy
format: int32
type: integer
intervalSeconds:
description: The interval (seconds) between health checks
format: int64
type: integer
timeoutSeconds:
description: The time to wait (seconds) for a health check response
format: int64
type: integer
unhealthyThresholdCount:
description: The number of unhealthy health checks required
before a host is marked unhealthy
format: int32
type: integer
type: object
include:
description: Include specifies that this tcpproxy should be delegated
to another HTTPProxy.
properties:
name:
description: Name of the child HTTPProxy
type: string
namespace:
description: Namespace of the HTTPProxy to include. Defaults
to the current namespace if not supplied.
type: string
required:
- name
type: object
includes:
description: "IncludesDeprecated allow for specific routing configuration
to be appended to another HTTPProxy in another namespace. \n Exists
due to a mistake when developing HTTPProxy and the field was marked
plural when it should have been singular. This field should stay
to not break backwards compatibility to v1 users."
properties:
name:
description: Name of the child HTTPProxy
type: string
namespace:
description: Namespace of the HTTPProxy to include. Defaults
to the current namespace if not supplied.
type: string
required:
- name
type: object
loadBalancerPolicy:
description: The load balancing policy for the backend services.
properties:
strategy:
                      description: Strategy specifies the policy used to balance requests
                        across the pool of backend pods. Valid policy names are `Random`,
                        `RoundRobin`, `WeightedLeastRequest` and `Cookie`. If an unknown
                        strategy name is specified or no policy is supplied, the default
                        `RoundRobin` policy is used.
type: string
type: object
services:
description: Services are the services to proxy traffic
items:
                    description: Service defines a Kubernetes Service to proxy traffic.
properties:
mirror:
description: If Mirror is true the Service will receive a
read only mirror of the traffic for this route.
type: boolean
name:
description: Name is the name of Kubernetes service to proxy
traffic. Names defined here will be used to look up corresponding
endpoints which contain the ips to route.
type: string
port:
description: Port (defined as Integer) to proxy traffic to
since a service can have multiple defined.
type: integer
protocol:
description: Protocol may be used to specify (or override)
the protocol used to reach this Service. Values may be tls,
h2, h2c. If omitted, protocol-selection falls back on Service
annotations.
enum:
- h2
- h2c
- tls
type: string
requestHeadersPolicy:
description: The policy for managing request headers during
proxying
properties:
remove:
description: Remove specifies a list of HTTP header names
to remove
items:
type: string
type: array
set:
description: Set specifies a list of HTTP header values
that will be set in the HTTP header
items:
description: HeaderValue represents a header name/value
pair
properties:
name:
description: Name represents a key of a header
minLength: 1
type: string
value:
description: Value represents the value of a header
specified by a key
minLength: 1
type: string
required:
- name
- value
type: object
type: array
type: object
responseHeadersPolicy:
description: The policy for managing response headers during
proxying
properties:
remove:
description: Remove specifies a list of HTTP header names
to remove
items:
type: string
type: array
set:
description: Set specifies a list of HTTP header values
that will be set in the HTTP header
items:
description: HeaderValue represents a header name/value
pair
properties:
name:
description: Name represents a key of a header
minLength: 1
type: string
value:
description: Value represents the value of a header
specified by a key
minLength: 1
type: string
required:
- name
- value
type: object
type: array
type: object
validation:
description: UpstreamValidation defines how to verify the
backend service's certificate
properties:
caSecret:
                            description: Name of the Kubernetes secret to be used to
                              validate the certificate presented by the backend
type: string
subjectName:
description: Key which is expected to be present in the
'subjectAltName' of the presented certificate
type: string
required:
- caSecret
- subjectName
type: object
weight:
description: Weight defines percentage of traffic to balance
traffic
format: int64
minimum: 0
type: integer
required:
- name
- port
type: object
minItems: 1
type: array
required:
- services
type: object
virtualhost:
description: Virtualhost appears at most once. If it is present, the
object is considered to be a "root".
properties:
fqdn:
description: The fully qualified domain name of the root of the
ingress tree all leaves of the DAG rooted at this object relate
to the fqdn
type: string
tls:
description: If present describes tls properties. The SNI names
that will be matched on are described in fqdn, the tls.secretName
secret must contain a matching certificate
properties:
clientValidation:
description: 'ClientValidation defines how to verify the client
certificate when an external client establishes a TLS connection
to Envoy. This setting: 1. Enables TLS client certificate
validation. 2. Requires clients to present a TLS certificate
(i.e. not optional validation). 3. Specifies how the client
certificate will be validated.'
properties:
caSecret:
description: Name of a Kubernetes secret that contains a
CA certificate bundle. The client certificate must validate
against the certificates in the bundle.
minLength: 1
type: string
required:
- caSecret
type: object
minimumProtocolVersion:
description: Minimum TLS version this vhost should negotiate
type: string
passthrough:
description: If Passthrough is set to true, the SecretName will
be ignored and the encrypted handshake will be passed through
to the backing cluster.
type: boolean
secretName:
description: required, the name of a secret in the current namespace
type: string
type: object
required:
- fqdn
type: object
type: object
status:
description: Status reports the current state of the HTTPProxy.
properties:
currentStatus:
type: string
description:
type: string
type: object
required:
- metadata
- spec
type: object
version: v1
versions:
- name: v1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.4
creationTimestamp: null
name: tlscertificatedelegations.projectcontour.io
labels:
networking.knative.dev/ingress-provider: contour
spec:
group: projectcontour.io
names:
kind: TLSCertificateDelegation
listKind: TLSCertificateDelegationList
plural: tlscertificatedelegations
shortNames:
- tlscerts
singular: tlscertificatedelegation
scope: Namespaced
validation:
openAPIV3Schema:
      description: TLSCertificateDelegation is a TLS Certificate Delegation CRD specification.
        See design/tls-certificate-delegation.md for details.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: TLSCertificateDelegationSpec defines the spec of the CRD
properties:
delegations:
items:
description: CertificateDelegation maps the authority to reference
a secret in the current namespace to a set of namespaces.
properties:
secretName:
description: required, the name of a secret in the current namespace.
type: string
targetNamespaces:
                    description: required, the namespaces to which the authority to
                      reference the secret is delegated. If TargetNamespaces is nil
                      or empty, the CertificateDelegation is ignored. If the list
                      contains the entry "*", the secret is delegated to every
                      namespace in the cluster, i.e. any namespace may reference it,
                      so use "*" only for secrets that are safe to share cluster-wide.
items:
type: string
type: array
required:
- secretName
- targetNamespaces
type: object
type: array
required:
- delegations
type: object
required:
- metadata
- spec
type: object
version: v1
versions:
- name: v1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
# Identity for the one-shot contour-certgen Job below. It is bound (by the
# RoleBinding named "contour") to the namespaced contour-certgen Role, so its
# reach is limited to Secrets in contour-internal. The long-running workloads
# use the separate "contour" and "envoy" ServiceAccounts, not this one.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: contour-certgen
  namespace: contour-internal
  labels:
    networking.knative.dev/ingress-provider: contour
---
# Binds the contour-certgen ServiceAccount to the contour-certgen Role (below).
# NOTE(review): the binding is named "contour" although its subject is the
# certgen account, not the contour ServiceAccount used by the Deployment; when
# auditing RBAC this name is easy to misread. Renaming it is a delete+create of
# the object, so it is only flagged here.
# rbac.authorization.k8s.io/v1beta1 is deprecated and was removed in Kubernetes
# 1.22; the same object serializes unchanged under rbac.authorization.k8s.io/v1.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: contour
  namespace: contour-internal
  labels:
    networking.knative.dev/ingress-provider: contour
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: contour-certgen
subjects:
- kind: ServiceAccount
  name: contour-certgen
  namespace: contour-internal
---
# Permissions for the certgen Job. Namespaced, so the blast radius is every
# Secret in contour-internal (read via get/list/watch, plus create/patch) — not
# the whole cluster. The account is only ever used by a pod that exits after
# one run, which keeps the window in which its token is live short.
# NOTE(review): "put" and "post" are not Kubernetes RBAC verbs. RBAC matches the
# API verb (get, list, watch, create, update, patch, delete, deletecollection),
# so those two entries never match any request and grant nothing. In particular
# this Role has no `update`: if certgen is expected to overwrite Secrets that
# already exist, that needs `update` (PUT) — otherwise drop the two dead entries
# so the effective grant is obvious to the reader.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: contour-certgen
  namespace: contour-internal
  labels:
    networking.knative.dev/ingress-provider: contour
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - list
  - watch
  - create
  - get
  - put
  - post
  - patch
---
# One-shot Job running `contour certgen`, which (judging by the Secret names the
# Deployment and DaemonSet mount) produces the contourcert/envoycert/cacert
# material for the contour<->envoy xDS connection. It runs as the namespaced
# contour-certgen ServiceAccount and as an unprivileged user.
apiVersion: batch/v1
kind: Job
metadata:
  name: contour-certgen
  namespace: contour-internal
  labels:
    networking.knative.dev/ingress-provider: contour
spec:
  # Remove the Job and its pod as soon as it finishes. Requires the
  # TTL-after-finished controller to be enabled on the cluster; otherwise the
  # completed Job lingers and the immutability caveat below applies.
  ttlSecondsAfterFinished: 0
  template:
    metadata:
      labels:
        app: "contour-certgen"
    spec:
      containers:
      - name: contour
        # Upstream Contour ships this Job with the `latest` tag because Job specs
        # are immutable: changing the image on every release would make a plain
        # `kubectl apply` of the next release fail against an existing Job.
        # See #2423, #2395, #2150, and #2030 for earlier questions about this.
        # This bundle pins the image by sha256 digest instead — the stronger
        # supply-chain choice, and consistent with the contour Deployment — but it
        # re-introduces that constraint: if a finished Job is still present (TTL
        # controller disabled), delete it before applying a release that carries a
        # different digest.
        image: gcr.io/knative-releases/github.com/projectcontour/contour/cmd/contour@sha256:07066f8733b8edb85c51ca81ecd0aa9b753d8f3257e858894a4f8d746b5bcb68
        # With a digest reference a pull can only fetch this exact image; Always
        # merely costs a registry round-trip to re-verify it.
        imagePullPolicy: Always
        command:
        - contour
        - certgen
        - --incluster
        - --kube
        # Secrets are written into the Job's own namespace, which is also the only
        # namespace the contour-certgen Role permits.
        - --namespace=$(CONTOUR_NAMESPACE)
        env:
        - name: CONTOUR_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
      restartPolicy: Never
      serviceAccountName: contour-certgen
      # Unprivileged UID/GID (conventionally nobody/nogroup); matches the contour
      # Deployment.
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
        runAsGroup: 65534
  parallelism: 1
  completions: 1
  # A single retry: certgen failing twice is a configuration problem, not flakiness.
  backoffLimit: 1
---
# Cluster-wide permissions for the contour control plane, granted to the contour
# ServiceAccount through a ClusterRoleBinding. This is the widest grant in the
# bundle: list/watch on Secrets and ConfigMaps in every namespace. Contour needs
# it to serve TLS secrets referenced from any namespace, but it also means that
# whoever can exec into a contour pod, or read its ServiceAccount token, can read
# every Secret in the cluster. Guard the contour namespace accordingly (pods/exec
# RBAC, NetworkPolicy, no unrelated workloads scheduled there).
# NOTE(review): "put" and "post" are not Kubernetes RBAC verbs. RBAC matches the
# API verb (get, list, watch, create, update, patch, delete, deletecollection), so
# those entries never match a request; the effective write verb on the CRDs below
# is `patch` only, and on ingresses/status `patch` and `update`. Remove them, or
# replace them with the verb that was meant (PUT maps to update, POST to create).
# rbac.authorization.k8s.io/v1beta1 is deprecated and was removed in Kubernetes
# 1.22; the same rules serialize unchanged under rbac.authorization.k8s.io/v1.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: contour
  labels:
    networking.knative.dev/ingress-provider: contour
rules:
# Watch-only access to core objects — including Secrets — in all namespaces.
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - pods
  - secrets
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - "networking.k8s.io"
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
# Status write-back for Ingress objects; "post" is inert (see above).
- apiGroups:
  - "networking.k8s.io"
  resources:
  - "ingresses/status"
  verbs:
  - get
  - list
  - watch
  - patch
  - post
  - update
# Legacy IngressRoute API group; "put"/"post" are inert (see above).
- apiGroups: ["contour.heptio.com"]
  resources: ["ingressroutes", "tlscertificatedelegations"]
  verbs:
  - get
  - list
  - watch
  - put
  - post
  - patch
# HTTPProxy and TLSCertificateDelegation, the CRDs defined earlier in this file.
- apiGroups: ["projectcontour.io"]
  resources: ["httpproxies", "tlscertificatedelegations"]
  verbs:
  - get
  - list
  - watch
  - put
  - post
  - patch
# Early service-apis (Gateway API) resource group.
- apiGroups: ["networking.x.k8s.io"]
  resources: ["gatewayclasses", "gateways", "httproutes", "tcproutes"]
  verbs:
  - get
  - list
  - watch
  - put
  - post
  - patch
---
# Namespaced permissions the contour ServiceAccount needs for leader election
# (a lock ConfigMap plus Events).
# NOTE(review): the ConfigMap rule is not restricted with resourceNames, so it
# also grants create/update on every ConfigMap in contour-internal — including
# the `contour` ConfigMap that the Deployment mounts as its configuration. A
# holder of the contour token could therefore rewrite contour's own config. If
# the lock ConfigMap name is fixed, scope get/update/watch to it with
# resourceNames (create and list cannot be name-scoped; keep them in a separate
# rule).
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: contour-leaderelection
  namespace: contour-internal
  labels:
    networking.knative.dev/ingress-provider: contour
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - get
  - list
  - watch
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - update
  - patch
---
# Grants the leader-election Role above to the contour ServiceAccount in this
# namespace (the same account that carries the cluster-wide ClusterRole).
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: contour-leaderelection
  namespace: contour-internal
  labels:
    networking.knative.dev/ingress-provider: contour
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: contour-leaderelection
subjects:
- kind: ServiceAccount
  name: contour
  namespace: contour-internal
---
# ClusterIP Service through which envoy reaches contour's xDS endpoint (the
# `--xds-address=contour` used by the envoy bootstrap init container). Only the
# xDS port is published; the contour pods' debug/metrics port 8000 is not part of
# this Service.
apiVersion: v1
kind: Service
metadata:
  name: contour
  namespace: contour-internal
  labels:
    networking.knative.dev/ingress-provider: contour
spec:
  ports:
  - port: 8001
    name: xds
    protocol: TCP
    targetPort: 8001
  selector:
    app: contour
  type: ClusterIP
---
# Cluster-local entry point for the "internal" ingress. With type ClusterIP the
# AWS annotation below has no effect; it only matters if this Service is ever
# switched to LoadBalancer.
apiVersion: v1
kind: Service
metadata:
  name: envoy
  namespace: contour-internal
  annotations:
    # This annotation puts the AWS ELB into "TCP" mode so that it does not
    # do HTTP negotiation for HTTPS connections at the ELB edge.
    # The downside of this is the remote IP address of all connections will
    # appear to be the internal address of the ELB. See docs/proxy-proto.md
    # for information about enabling the PROXY protocol on the ELB to recover
    # the original remote IP address.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
  labels:
    networking.knative.dev/ingress-provider: contour
spec:
  # externalTrafficPolicy only applies to NodePort/LoadBalancer Services. If this
  # is ever exposed that way, Local preserves the client source IP; with the
  # default (Cluster) Envoy sees the SNATed node address instead.
  # externalTrafficPolicy: Local
  ports:
  - port: 80
    name: http
    protocol: TCP
  - port: 443
    name: https
    protocol: TCP
  selector:
    app: envoy
  type: ClusterIP
---
# contour control plane for the cluster-local ("internal") ingress class. Two
# replicas spread across nodes, leader election via the contour-leaderelection
# Role. Runs as an unprivileged user with every volume mounted read-only.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: contour
    networking.knative.dev/ingress-provider: contour
  name: contour
  namespace: contour-internal
spec:
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # This value of maxSurge means that during a rolling update
      # the new ReplicaSet will be created first.
      maxSurge: 50%
  selector:
    matchLabels:
      app: contour
  template:
    metadata:
      annotations:
        # Metrics are scraped from the "debug" port (8000), not the xDS port.
        prometheus.io/scrape: "true"
        prometheus.io/port: "8000"
      labels:
        app: contour
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app: contour
              topologyKey: kubernetes.io/hostname
            weight: 100
      containers:
      - args:
        - serve
        - --ingress-class-name=contour-internal
        - --incluster
        # The xDS server binds all interfaces but is served over TLS with the CA,
        # cert and key mounted below. With a CA file configured Contour is expected
        # to verify Envoy's client certificate against it (mutual TLS) — confirm
        # for this build. Anything that can present a certificate issued by that
        # CA (the `envoycert` Secret in the envoy DaemonSet) can pull whatever
        # Contour distributes over xDS, so treat that Secret as a credential.
        - --xds-address=0.0.0.0
        - --xds-port=8001
        - --envoy-service-http-port=80
        - --envoy-service-https-port=443
        - --contour-cafile=/ca/cacert.pem
        - --contour-cert-file=/certs/tls.crt
        - --contour-key-file=/certs/tls.key
        - --config-path=/config/contour.yaml
        command: ["contour"]
        # Digest-pinned; Always only re-verifies the digest against the registry.
        image: gcr.io/knative-releases/github.com/projectcontour/contour/cmd/contour@sha256:07066f8733b8edb85c51ca81ecd0aa9b753d8f3257e858894a4f8d746b5bcb68
        imagePullPolicy: Always
        name: contour
        ports:
        - containerPort: 8001
          name: xds
          protocol: TCP
        # Plain-HTTP port serving /healthz (liveness probe) and the Prometheus
        # scrape. It is not part of the contour Service, but it is reachable on
        # the pod IP from any workload in the cluster unless a NetworkPolicy says
        # otherwise; if this Contour build also exposes debug/pprof handlers on
        # it, restrict access.
        - containerPort: 8000
          name: debug
          protocol: TCP
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8000
        # Readiness only checks that the xDS socket accepts TCP connections; it
        # does not exercise the TLS handshake.
        readinessProbe:
          tcpSocket:
            port: 8001
          initialDelaySeconds: 15
          periodSeconds: 10
        volumeMounts:
        - name: contourcert
          mountPath: /certs
          readOnly: true
        - name: cacert
          mountPath: /ca
          readOnly: true
        - name: contour-config
          mountPath: /config
          readOnly: true
        env:
        - name: CONTOUR_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
      dnsPolicy: ClusterFirst
      serviceAccountName: contour
      # Unprivileged UID/GID (conventionally nobody/nogroup); same as the certgen Job.
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
        runAsGroup: 65534
      volumes:
      # contourcert/cacert are the Secrets the certgen Job is expected to produce.
      - name: contourcert
        secret:
          secretName: contourcert
      - name: cacert
        secret:
          secretName: cacert
      - name: contour-config
        configMap:
          name: contour
          # Unquoted octal: YAML 1.1 reads this as the integer 420, which is
          # exactly the 0644 mode the API expects.
          defaultMode: 0644
          items:
          - key: contour.yaml
            path: contour.yaml
---
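# Envoy data plane for the cluster-local ("internal") ingress; one pod per node.
# Review notes:
#   - Unlike the contour Deployment and the certgen Job, no pod securityContext
#     is set, so the containers run as whatever user their images default to.
#     Confirm the envoy image's default user before relying on that; binding
#     80/443 inside the container needs either root or CAP_NET_BIND_SERVICE.
#   - The envoy image is referenced by a mutable tag (v1.14.1) with IfNotPresent,
#     while every contour image in this bundle is pinned by sha256 digest. A
#     digest would make the data plane as reproducible as the control plane and
#     avoid nodes silently running different builds of "v1.14.1".
#   - The envoy ServiceAccount token is auto-mounted, yet nothing in this pod
#     visibly needs the Kubernetes API (envoy takes its config from contour over
#     xDS; the init container appears to only write the bootstrap file). If that
#     holds, add `automountServiceAccountToken: false` to the pod spec.
#   - The shutdown-manager's /shutdown and /healthz are plain HTTP on 8090. If it
#     binds all interfaces, any pod that can reach this pod's IP can drain the
#     Envoy on that node; confirm the bind address or add a NetworkPolicy.
# Change in this revision: the envoy container's Secret mounts are now readOnly,
# matching the init container (the kubelet mounts Secret volumes read-only
# regardless, so this is belt-and-braces and documents intent).
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app: envoy
    networking.knative.dev/ingress-provider: contour
  name: envoy
  namespace: contour-internal
spec:
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 10%
  selector:
    matchLabels:
      app: envoy
  template:
    metadata:
      annotations:
        # Envoy's admin/stats port, not the listener ports.
        prometheus.io/scrape: "true"
        prometheus.io/port: "8002"
        prometheus.io/path: "/stats/prometheus"
      labels:
        app: envoy
    spec:
      containers:
      # Sidecar that coordinates graceful drain; both containers' preStop hooks
      # call its /shutdown endpoint over the shared pod network namespace.
      - command:
        - contour
        args:
        - envoy
        - shutdown-manager
        image: gcr.io/knative-releases/github.com/projectcontour/contour/cmd/contour@sha256:07066f8733b8edb85c51ca81ecd0aa9b753d8f3257e858894a4f8d746b5bcb68
        imagePullPolicy: Always
        lifecycle:
          preStop:
            httpGet:
              path: /shutdown
              port: 8090
              scheme: HTTP
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8090
          initialDelaySeconds: 3
          periodSeconds: 10
        name: shutdown-manager
      - args:
        - -c
        - /config/envoy.json
        - --service-cluster $(CONTOUR_NAMESPACE)
        - --service-node $(ENVOY_POD_NAME)
        - --log-level info
        command:
        - envoy
        # Tag-pinned, not digest-pinned; see the note at the top of this document.
        image: docker.io/envoyproxy/envoy:v1.14.1
        imagePullPolicy: IfNotPresent
        name: envoy
        env:
        - name: CONTOUR_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: ENVOY_POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        ports:
        - containerPort: 80
          # hostPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          # hostPort: 443
          name: https
          protocol: TCP
        readinessProbe:
          httpGet:
            path: /ready
            port: 8002
          initialDelaySeconds: 3
          periodSeconds: 4
        volumeMounts:
        # Bootstrap written by the init container below.
        - name: envoy-config
          mountPath: /config
        # Client cert/key presented to contour's xDS server and the CA used to
        # verify it; read-only, as in the init container.
        - name: envoycert
          mountPath: /certs
          readOnly: true
        - name: cacert
          mountPath: /ca
          readOnly: true
        lifecycle:
          preStop:
            httpGet:
              path: /shutdown
              port: 8090
              scheme: HTTP
      initContainers:
      # Renders the Envoy bootstrap pointing at the contour Service (xDS over TLS
      # with the envoycert client certificate, verified against cacert).
      - args:
        - bootstrap
        - /config/envoy.json
        - --xds-address=contour
        - --xds-port=8001
        - --envoy-cafile=/ca/cacert.pem
        - --envoy-cert-file=/certs/tls.crt
        - --envoy-key-file=/certs/tls.key
        command:
        - contour
        image: gcr.io/knative-releases/github.com/projectcontour/contour/cmd/contour@sha256:07066f8733b8edb85c51ca81ecd0aa9b753d8f3257e858894a4f8d746b5bcb68
        imagePullPolicy: Always
        name: envoy-initconfig
        volumeMounts:
        - name: envoy-config
          mountPath: /config
        - name: envoycert
          mountPath: /certs
          readOnly: true
        - name: cacert
          mountPath: /ca
          readOnly: true
        env:
        - name: CONTOUR_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
      serviceAccountName: envoy
      # Long drain window so in-flight connections finish before the Envoy exits.
      terminationGracePeriodSeconds: 300
      volumes:
      - name: envoy-config
        emptyDir: {}
      # envoycert/cacert are the Secrets the certgen Job is expected to produce.
      - name: envoycert
        secret:
          secretName: envoycert
      - name: cacert
        secret:
          secretName: cacert
      restartPolicy: Always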
---