From 16fa6715729b33d4724dff031d0801d06b036283 Mon Sep 17 00:00:00 2001 From: Sunjay Bhatia <5337253+sunjayBhatia@users.noreply.github.com> Date: Thu, 11 Jan 2024 12:20:35 -0500 Subject: [PATCH 01/19] Improve e2e helper updateAndWaitFor to avoid conflicts (#6069) Will retry updates on conflict rather than failing immediately To fix failures like: https://github.com/projectcontour/contour/actions/runs/7460847887/job/20299759302 Signed-off-by: Sunjay Bhatia --- test/e2e/fixtures.go | 32 ++++++++++++++------------------ test/e2e/framework.go | 18 +++++++++++------- 2 files changed, 25 insertions(+), 25 deletions(-) diff --git a/test/e2e/fixtures.go b/test/e2e/fixtures.go index e23cec58d5d..675d0f76a07 100644 --- a/test/e2e/fixtures.go +++ b/test/e2e/fixtures.go @@ -30,7 +30,6 @@ import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" - "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/client-go/kubernetes" "k8s.io/client-go/tools/clientcmd" @@ -185,26 +184,23 @@ func (e *Echo) DeployN(ns, name string, replicas int32) (func(), *appsv1.Deploym } func (e *Echo) ScaleAndWaitDeployment(name, ns string, replicas int32) { - deployment := &appsv1.Deployment{} - key := types.NamespacedName{ - Namespace: ns, - Name: name, + deployment := &appsv1.Deployment{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: ns, + }, } - require.NoError(e.t, e.client.Get(context.TODO(), key, deployment)) - - deployment.Spec.Replicas = &replicas - - updateAndWaitFor(e.t, e.client, deployment, func(d *appsv1.Deployment) bool { - err := e.client.Get(context.Background(), key, deployment) - if err != nil { + updateAndWaitFor(e.t, e.client, deployment, + func(d *appsv1.Deployment) { + d.Spec.Replicas = ref.To(replicas) + }, + func(d *appsv1.Deployment) bool { + if d.Status.Replicas == replicas && d.Status.ReadyReplicas == replicas { + return true + } return false - } - if deployment.Status.Replicas == replicas && deployment.Status.ReadyReplicas == replicas { - return true - } - return false - }, time.Second, time.Second*10) + }, time.Second, time.Second*10) } func (e *Echo) ListPodIPs(ns, name string) ([]string, error) { diff --git a/test/e2e/framework.go b/test/e2e/framework.go index 999f439b848..2fd3252f591 100644 --- a/test/e2e/framework.go +++ b/test/e2e/framework.go @@ -43,6 +43,7 @@ import ( "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/wait" kubescheme "k8s.io/client-go/kubernetes/scheme" + "k8s.io/client-go/util/retry" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/client/config" "sigs.k8s.io/controller-runtime/pkg/log" @@ -334,16 +335,19 @@ func createAndWaitFor[T client.Object](t require.TestingT, client client.Client, return obj, true } -func updateAndWaitFor[T client.Object](t require.TestingT, client client.Client, obj T, condition func(T) bool, interval, timeout time.Duration) (T, bool) { - require.NoError(t, client.Update(context.Background(), obj)) +func updateAndWaitFor[T client.Object](t require.TestingT, cli client.Client, obj T, mutate func(T), condition func(T) bool, interval, timeout time.Duration) (T, bool) { + key := client.ObjectKeyFromObject(obj) - key := types.NamespacedName{ - Namespace: obj.GetNamespace(), - Name: obj.GetName(), - } + require.NoError(t, retry.RetryOnConflict(retry.DefaultBackoff, func() error { + if err := cli.Get(context.TODO(), key, obj); err != nil { + return err + } + mutate(obj) + return cli.Update(context.Background(), obj) + })) if err := wait.PollUntilContextTimeout(context.Background(), interval, timeout, true, func(ctx context.Context) (bool, error) { - if err := client.Get(ctx, key, obj); err != nil { + if err := cli.Get(ctx, key, obj); err != nil { // if there was an error, we want to keep // retrying, so just return false, not an // error. From 838bad487b19d71ad9ad2caddc890bd445165e13 Mon Sep 17 00:00:00 2001 From: Sunjay Bhatia <5337253+sunjayBhatia@users.noreply.github.com> Date: Thu, 11 Jan 2024 12:42:37 -0500 Subject: [PATCH 02/19] Bump go to 1.21.6 (#6070) See release notes: https://go.dev/doc/devel/release#go1.21.0 Uses sha for golang image to pin it to an exact version May help with test race issues that cropped up recently Signed-off-by: Sunjay Bhatia --- .github/workflows/build_daily.yaml | 2 +- .github/workflows/build_tag.yaml | 2 +- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/prbuild.yaml | 2 +- Makefile | 2 +- changelogs/unreleased/6053-sunjayBhatia-small.md | 1 - changelogs/unreleased/6070-sunjayBhatia-small.md | 1 + 7 files changed, 6 insertions(+), 6 deletions(-) delete mode 100644 changelogs/unreleased/6053-sunjayBhatia-small.md create mode 100644 changelogs/unreleased/6070-sunjayBhatia-small.md diff --git a/.github/workflows/build_daily.yaml b/.github/workflows/build_daily.yaml index 80f7b7bf976..ed21dabd5cf 100644 --- a/.github/workflows/build_daily.yaml +++ b/.github/workflows/build_daily.yaml @@ -10,7 +10,7 @@ on: env: GOPROXY: https://proxy.golang.org/ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} - GO_VERSION: 1.21.5 + GO_VERSION: 1.21.6 jobs: e2e-envoy-xds: runs-on: ubuntu-latest diff --git a/.github/workflows/build_tag.yaml b/.github/workflows/build_tag.yaml index 2d2ed44e10a..42d4da9f097 100644 --- a/.github/workflows/build_tag.yaml +++ b/.github/workflows/build_tag.yaml @@ -15,7 +15,7 @@ on: env: GOPROXY: https://proxy.golang.org/ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} - GO_VERSION: 1.21.5 + GO_VERSION: 1.21.6 jobs: build: runs-on: ubuntu-latest diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index f9103325ba7..7f63f0828ca 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -11,7 +11,7 @@ on: env: GOPROXY: https://proxy.golang.org/ - GO_VERSION: 1.21.5 + GO_VERSION: 1.21.6 jobs: CodeQL-Build: diff --git a/.github/workflows/prbuild.yaml b/.github/workflows/prbuild.yaml index 0016ab9fa37..3e653681476 100644 --- a/.github/workflows/prbuild.yaml +++ b/.github/workflows/prbuild.yaml @@ -11,7 +11,7 @@ on: env: GOPROXY: https://proxy.golang.org/ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} - GO_VERSION: 1.21.5 + GO_VERSION: 1.21.6 jobs: lint: runs-on: ubuntu-latest diff --git a/Makefile b/Makefile index 81255feef62..faee470df42 100644 --- a/Makefile +++ b/Makefile @@ -44,7 +44,7 @@ endif IMAGE_PLATFORMS ?= linux/amd64,linux/arm64 # Base build image to use. -BUILD_BASE_IMAGE ?= golang:1.21.5 +BUILD_BASE_IMAGE ?= golang:1.21.6@sha256:acab8ef05990e50fe0bc8446398d93d91fa89b3608661529dbd6744b77fcea90 # Enable build with CGO. BUILD_CGO_ENABLED ?= 0 diff --git a/changelogs/unreleased/6053-sunjayBhatia-small.md b/changelogs/unreleased/6053-sunjayBhatia-small.md deleted file mode 100644 index f7590e4ec01..00000000000 --- a/changelogs/unreleased/6053-sunjayBhatia-small.md +++ /dev/null @@ -1 +0,0 @@ -Updates to Go 1.21.5. See the [Go release notes](https://go.dev/doc/devel/release#go1.21.minor) for more information. diff --git a/changelogs/unreleased/6070-sunjayBhatia-small.md b/changelogs/unreleased/6070-sunjayBhatia-small.md new file mode 100644 index 00000000000..5ee1d76652f --- /dev/null +++ b/changelogs/unreleased/6070-sunjayBhatia-small.md @@ -0,0 +1 @@ +Updates to Go 1.21.6. See the [Go release notes](https://go.dev/doc/devel/release#go1.21.minor) for more information. From 6e81b6595e0b0f5e85e464dfe13dde53d1fe20a9 Mon Sep 17 00:00:00 2001 From: Sunjay Bhatia <5337253+sunjayBhatia@users.noreply.github.com> Date: Thu, 11 Jan 2024 13:29:15 -0500 Subject: [PATCH 03/19] Reduce permissions on workflows that run on PRs (#6068) Signed-off-by: Sunjay Bhatia --- .github/workflows/codeql-analysis.yml | 16 +- .github/workflows/label_check.yaml | 39 +- .github/workflows/prbuild.yaml | 554 +++++++++--------- .github/workflows/request-reviews.yaml | 11 +- .../workflows/welcome-new-contributors.yaml | 36 +- 5 files changed, 342 insertions(+), 314 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 7f63f0828ca..e5f8044e170 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -9,18 +9,20 @@ on: schedule: - cron: '0 10 * * 1' +permissions: + contents: read + env: GOPROXY: https://proxy.golang.org/ GO_VERSION: 1.21.6 + jobs: CodeQL-Build: - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: # * Module download cache @@ -31,21 +33,17 @@ jobs: key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ env.GO_VERSION }} cache: false - # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 with: languages: go - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - name: Autobuild uses: github/codeql-action/autobuild@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 - - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 diff --git a/.github/workflows/label_check.yaml b/.github/workflows/label_check.yaml index bcca6be23fc..0141df7f1af 100644 --- a/.github/workflows/label_check.yaml +++ b/.github/workflows/label_check.yaml @@ -6,9 +6,13 @@ on: types: [opened, labeled, unlabeled, synchronize] branches: [main] +permissions: + contents: read + env: GOPROXY: https://proxy.golang.org/ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + jobs: # Ensures correct release-note labels are set: # - At least one label @@ -20,28 +24,29 @@ jobs: name: Check release-note label set runs-on: ubuntu-latest steps: - - uses: mheap/github-action-required-labels@4e9ef4ce8c697cf55716ecbf7f13a3d9e0b6ac6a # v5.1.0 - with: - mode: minimum - count: 1 - labels: "release-note/major, release-note/minor, release-note/small, release-note/docs, release-note/infra, release-note/deprecation, release-note/none-required" - - uses: mheap/github-action-required-labels@4e9ef4ce8c697cf55716ecbf7f13a3d9e0b6ac6a # v5.1.0 - with: - mode: maximum - count: 1 - labels: "release-note/major, release-note/minor, release-note/small, release-note/docs, release-note/infra, release-note/none-required" - - uses: mheap/github-action-required-labels@4e9ef4ce8c697cf55716ecbf7f13a3d9e0b6ac6a # v5.1.0 - with: - mode: maximum - count: 1 - labels: "release-note/deprecation, release-note/none-required" + - uses: mheap/github-action-required-labels@4e9ef4ce8c697cf55716ecbf7f13a3d9e0b6ac6a # v5.1.0 + with: + mode: minimum + count: 1 + labels: "release-note/major, release-note/minor, release-note/small, release-note/docs, release-note/infra, release-note/deprecation, release-note/none-required" + - uses: mheap/github-action-required-labels@4e9ef4ce8c697cf55716ecbf7f13a3d9e0b6ac6a # v5.1.0 + with: + mode: maximum + count: 1 + labels: "release-note/major, release-note/minor, release-note/small, release-note/docs, release-note/infra, release-note/none-required" + - uses: mheap/github-action-required-labels@4e9ef4ce8c697cf55716ecbf7f13a3d9e0b6ac6a # v5.1.0 + with: + mode: maximum + count: 1 + labels: "release-note/deprecation, release-note/none-required" check-changelog: name: Check for changelog file - needs: - - check-label + needs: [check-label] runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: # * Module download cache diff --git a/.github/workflows/prbuild.yaml b/.github/workflows/prbuild.yaml index 3e653681476..ed0c0d1c80b 100644 --- a/.github/workflows/prbuild.yaml +++ b/.github/workflows/prbuild.yaml @@ -4,10 +4,13 @@ name: Build and Test Pull Request on: push: branches-ignore: - - "dependabot/**" + - "dependabot/**" pull_request: types: [opened, synchronize] +permissions: + contents: read + env: GOPROXY: https://proxy.golang.org/ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} @@ -16,83 +19,91 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - cache: false - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: golangci-lint - uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 - with: - version: v1.55.2 - # TODO: re-enable linting tools package once https://github.com/projectcontour/contour/issues/5077 - # is resolved - args: --build-tags=e2e,conformance,gcp,oidc,none - - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: ${{ env.GO_VERSION }} + cache: false + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - name: golangci-lint + uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 + with: + version: v1.55.2 + # TODO: re-enable linting tools package once https://github.com/projectcontour/contour/issues/5077 + # is resolved + args: --build-tags=e2e,conformance,gcp,oidc,none + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} codespell: name: Codespell runs-on: ubuntu-latest timeout-minutes: 5 steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Codespell - uses: codespell-project/actions-codespell@94259cd8be02ad2903ba34a22d9c13de21a74461 # v2.0 - with: - skip: .git,*.png,*.woff,*.woff2,*.eot,*.ttf,*.jpg,*.ico,*.svg,./site/themes/contour/static/fonts/README.md,./vendor,./site/public,./hack/actions/check-changefile-exists.go,go.mod,go.sum - ignore_words_file: './.codespell.ignorewords' - check_filenames: true - check_hidden: true - - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - name: Codespell + uses: codespell-project/actions-codespell@94259cd8be02ad2903ba34a22d9c13de21a74461 # v2.0 + with: + skip: .git,*.png,*.woff,*.woff2,*.eot,*.ttf,*.jpg,*.ico,*.svg,./site/themes/contour/static/fonts/README.md,./vendor,./site/public,./hack/actions/check-changefile-exists.go,go.mod,go.sum + ignore_words_file: './.codespell.ignorewords' + check_filenames: true + check_hidden: true + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} codegen: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - # * Module download cache - # * Build cache (Linux) - path: | - ~/go/pkg/mod - ~/.cache/go-build - key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - cache: false - - name: add deps to path - run: | - ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin - echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH - - name: generate - run: | - make generate lint-yamllint lint-flags - ./hack/actions/check-uncommitted-codegen.sh - - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + # * Module download cache + # * Build cache (Linux) + path: | + ~/go/pkg/mod + ~/.cache/go-build + key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-${{ github.job }}-go- + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: ${{ env.GO_VERSION }} + cache: false + - name: add deps to path + run: | + ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin + echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH + - name: generate + run: | + make generate lint-yamllint lint-flags + ./hack/actions/check-uncommitted-codegen.sh + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} build-image: needs: - - lint - - codespell - - codegen + - lint + - codespell + - codegen runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 with: @@ -128,56 +139,58 @@ jobs: # include defines an additional variable (the specific node # image to use) for each kubernetes_version value. include: - - kubernetes_version: "kubernetes:latest" - node_image: "docker.io/kindest/node:v1.29.0@sha256:eaa1450915475849a73a9227b8f201df25e55e268e5d619312131292e324d570" - - kubernetes_version: "kubernetes:n-1" - node_image: "docker.io/kindest/node:v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31" - - kubernetes_version: "kubernetes:n-2" - node_image: "docker.io/kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72" - - config_type: "ConfigmapConfiguration" - use_config_crd: "false" - - config_type: "ContourConfiguration" - use_config_crd: "true" + - kubernetes_version: "kubernetes:latest" + node_image: "docker.io/kindest/node:v1.29.0@sha256:eaa1450915475849a73a9227b8f201df25e55e268e5d619312131292e324d570" + - kubernetes_version: "kubernetes:n-1" + node_image: "docker.io/kindest/node:v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31" + - kubernetes_version: "kubernetes:n-2" + node_image: "docker.io/kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72" + - config_type: "ConfigmapConfiguration" + use_config_crd: "false" + - config_type: "ContourConfiguration" + use_config_crd: "true" steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Download image - uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 - with: - name: image - path: image - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - # * Module download cache - # * Build cache (Linux) - path: | - ~/go/pkg/mod - ~/.cache/go-build - key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - cache: false - - name: add deps to path - run: | - ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin - echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH - - name: e2e tests - env: - NODEIMAGE: ${{ matrix.node_image }} - LOAD_PREBUILT_IMAGE: "true" - USE_CONTOUR_CONFIGURATION_CRD: ${{ matrix.use_config_crd }} - run: | - export CONTOUR_E2E_IMAGE="ghcr.io/projectcontour/contour:$(ls ./image/contour-*.tar | sed -E 's/.*contour-(.*).tar/\1/')" - make e2e - - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - name: Download image + uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 + with: + name: image + path: image + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + # * Module download cache + # * Build cache (Linux) + path: | + ~/go/pkg/mod + ~/.cache/go-build + key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-${{ github.job }}-go- + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: ${{ env.GO_VERSION }} + cache: false + - name: add deps to path + run: | + ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin + echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH + - name: e2e tests + env: + NODEIMAGE: ${{ matrix.node_image }} + LOAD_PREBUILT_IMAGE: "true" + USE_CONTOUR_CONFIGURATION_CRD: ${{ matrix.use_config_crd }} + run: | + export CONTOUR_E2E_IMAGE="ghcr.io/projectcontour/contour:$(ls ./image/contour-*.tar | sed -E 's/.*contour-(.*).tar/\1/')" + make e2e + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} upgrade: runs-on: ubuntu-latest needs: [build-image] @@ -191,170 +204,177 @@ jobs: # include defines an additional variable (the specific node # image to use) for each kubernetes_version value. include: - - kubernetes_version: "kubernetes:latest" - node_image: "docker.io/kindest/node:v1.29.0@sha256:eaa1450915475849a73a9227b8f201df25e55e268e5d619312131292e324d570" - - kubernetes_version: "kubernetes:n-1" - node_image: "docker.io/kindest/node:v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31" - - kubernetes_version: "kubernetes:n-2" - node_image: "docker.io/kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72" + - kubernetes_version: "kubernetes:latest" + node_image: "docker.io/kindest/node:v1.29.0@sha256:eaa1450915475849a73a9227b8f201df25e55e268e5d619312131292e324d570" + - kubernetes_version: "kubernetes:n-1" + node_image: "docker.io/kindest/node:v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31" + - kubernetes_version: "kubernetes:n-2" + node_image: "docker.io/kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72" steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - # Fetch history for all tags and branches so we can figure out most - # recent release tag. - fetch-depth: 0 - - name: Download image - uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 - with: - name: image - path: image - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - # * Module download cache - # * Build cache (Linux) - path: | - ~/go/pkg/mod - ~/.cache/go-build - key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - cache: false - - name: add deps to path - run: | - ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin - echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH - - name: upgrade tests - env: - NODEIMAGE: ${{ matrix.node_image }} - MULTINODE_CLUSTER: "true" - LOAD_PREBUILT_IMAGE: "true" - SKIP_GATEWAY_API_INSTALL: "true" - run: | - export CONTOUR_E2E_IMAGE="ghcr.io/projectcontour/contour:$(ls ./image/contour-*.tar | sed -E 's/.*contour-(.*).tar/\1/')" - make upgrade - - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + # Fetch history for all tags and branches so we can figure out most + # recent release tag. + fetch-depth: 0 + - name: Download image + uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 + with: + name: image + path: image + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + # * Module download cache + # * Build cache (Linux) + path: | + ~/go/pkg/mod + ~/.cache/go-build + key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-${{ github.job }}-go- + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: ${{ env.GO_VERSION }} + cache: false + - name: add deps to path + run: | + ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin + echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH + - name: upgrade tests + env: + NODEIMAGE: ${{ matrix.node_image }} + MULTINODE_CLUSTER: "true" + LOAD_PREBUILT_IMAGE: "true" + SKIP_GATEWAY_API_INSTALL: "true" + run: | + export CONTOUR_E2E_IMAGE="ghcr.io/projectcontour/contour:$(ls ./image/contour-*.tar | sed -E 's/.*contour-(.*).tar/\1/')" + make upgrade + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} test-linux: needs: - - lint - - codespell - - codegen + - lint + - codespell + - codegen runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - # * Module download cache - # * Build cache (Linux) - path: | - ~/go/pkg/mod - ~/.cache/go-build - key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - cache: false - - name: add deps to path - run: | - ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin - echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH - - name: test - run: | - make install - make check-coverage - - name: codeCoverage - if: ${{ success() }} - uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4 - with: - files: coverage.out - - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + # * Module download cache + # * Build cache (Linux) + path: | + ~/go/pkg/mod + ~/.cache/go-build + key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-${{ github.job }}-go- + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: ${{ env.GO_VERSION }} + cache: false + - name: add deps to path + run: | + ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin + echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH + - name: test + run: | + make install + make check-coverage + - name: codeCoverage + if: ${{ success() }} + uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4 + with: + files: coverage.out + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} test-osx: needs: - - lint - - codespell - - codegen + - lint + - codespell + - codegen runs-on: macos-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - # * Module download cache - # * Build cache (Windows) - path: | - ~/go/pkg/mod - ~/Library/Caches/go-build - key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - cache: false - - name: add deps to path - run: | - ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin - echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH - - name: test - run: | - make install - make check-coverage - - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + # * Module download cache + # * Build cache (Windows) + path: | + ~/go/pkg/mod + ~/Library/Caches/go-build + key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-${{ github.job }}-go- + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: ${{ env.GO_VERSION }} + cache: false + - name: add deps to path + run: | + ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin + echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH + - name: test + run: | + make install + make check-coverage + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} gateway-conformance: runs-on: ubuntu-latest needs: [build-image] steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Download image - uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 - with: - name: image - path: image - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - # * Module download cache - # * Build cache (Linux) - path: | - ~/go/pkg/mod - ~/.cache/go-build - key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - cache: false - - name: add deps to path - run: | - ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin - echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH - - name: Gateway API conformance tests - env: - LOAD_PREBUILT_IMAGE: "true" - run: | - export CONTOUR_E2E_IMAGE="ghcr.io/projectcontour/contour:$(ls ./image/contour-*.tar | sed -E 's/.*contour-(.*).tar/\1/')" - make gateway-conformance - - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - name: Download image + uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 + with: + name: image + path: image + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + # * Module download cache + # * Build cache (Linux) + path: | + ~/go/pkg/mod + ~/.cache/go-build + key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-${{ github.job }}-go- + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: ${{ env.GO_VERSION }} + cache: false + - name: add deps to path + run: | + ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin + echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH + - name: Gateway API conformance tests + env: + LOAD_PREBUILT_IMAGE: "true" + run: | + export CONTOUR_E2E_IMAGE="ghcr.io/projectcontour/contour:$(ls ./image/contour-*.tar | sed -E 's/.*contour-(.*).tar/\1/')" + make gateway-conformance + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} diff --git a/.github/workflows/request-reviews.yaml b/.github/workflows/request-reviews.yaml index 5c1a70060d4..e1edc0c37ae 100644 --- a/.github/workflows/request-reviews.yaml +++ b/.github/workflows/request-reviews.yaml @@ -4,11 +4,14 @@ on: pull_request_target: types: [opened, ready_for_review, reopened] +permissions: + contents: read + jobs: request-reviews: runs-on: ubuntu-latest steps: - - uses: necojackarc/auto-request-review@6a51cebffe2c084705d9a7b394abd802e0119633 # v0.12.0 - with: - token: ${{ secrets.PAT_FOR_AUTO_REQUEST_REVIEW }} - config: .github/reviewers.yaml + - uses: necojackarc/auto-request-review@6a51cebffe2c084705d9a7b394abd802e0119633 # v0.12.0 + with: + token: ${{ secrets.PAT_FOR_AUTO_REQUEST_REVIEW }} + config: .github/reviewers.yaml diff --git a/.github/workflows/welcome-new-contributors.yaml b/.github/workflows/welcome-new-contributors.yaml index 9a5fa8c58d3..4e9fb0d5c5c 100644 --- a/.github/workflows/welcome-new-contributors.yaml +++ b/.github/workflows/welcome-new-contributors.yaml @@ -3,12 +3,14 @@ name: 'Welcome New Contributors' on: issues: types: [opened] + # Workloads with pull_request_target and the GitHub Token secret should never include executing untrusted code + # See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target + # And https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ pull_request_target: types: [opened] -# Workloads with pull_request_target and the GitHub Token secret should never include executing untrusted code -# See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target -# And https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ +permissions: + contents: read jobs: welcome-new-contributor: @@ -17,17 +19,17 @@ jobs: issues: write pull-requests: write steps: - - name: 'Greet the contributor' - uses: garg3133/welcome-new-contributors@a38583ed8282e23d63d7bf919ca2d9fb95300ca6 # v1.2 - with: - token: ${{ secrets.GITHUB_TOKEN }} - issue-message: > - Hey @contributor_name! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! - We are glad to have you here and to have your input on Contour. - You can also join us on [our mailing list](https://groups.google.com/g/project-contour) and [in our channel](https://kubernetes.slack.com/archives/C8XRH2R4J) - in the [Kubernetes Slack Workspace](https://communityinviter.com/apps/kubernetes/community) - pr-message: > - Hi @contributor_name! Welcome to our community and thank you for opening your first Pull Request. - Someone will review it soon. Thank you for committing to making Contour better. - You can also join us on [our mailing list](https://groups.google.com/g/project-contour) and [in our channel](https://kubernetes.slack.com/archives/C8XRH2R4J) - in the [Kubernetes Slack Workspace](https://communityinviter.com/apps/kubernetes/community) + - name: 'Greet the contributor' + uses: garg3133/welcome-new-contributors@a38583ed8282e23d63d7bf919ca2d9fb95300ca6 # v1.2 + with: + token: ${{ secrets.GITHUB_TOKEN }} + issue-message: > + Hey @contributor_name! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! + We are glad to have you here and to have your input on Contour. + You can also join us on [our mailing list](https://groups.google.com/g/project-contour) and [in our channel](https://kubernetes.slack.com/archives/C8XRH2R4J) + in the [Kubernetes Slack Workspace](https://communityinviter.com/apps/kubernetes/community) + pr-message: > + Hi @contributor_name! Welcome to our community and thank you for opening your first Pull Request. + Someone will review it soon. Thank you for committing to making Contour better. + You can also join us on [our mailing list](https://groups.google.com/g/project-contour) and [in our channel](https://kubernetes.slack.com/archives/C8XRH2R4J) + in the [Kubernetes Slack Workspace](https://communityinviter.com/apps/kubernetes/community) From cc85f4764896634c4e885199de7136025af71b11 Mon Sep 17 00:00:00 2001 From: Sunjay Bhatia <5337253+sunjayBhatia@users.noreply.github.com> Date: Thu, 11 Jan 2024 14:49:28 -0500 Subject: [PATCH 04/19] Update permissions on remaining workflows (#6072) Fixes codeql workflow to add write permissions Signed-off-by: Sunjay Bhatia --- .github/workflows/build_daily.yaml | 334 ++++++++++++----------- .github/workflows/build_main.yaml | 10 +- .github/workflows/build_tag.yaml | 101 ++++--- .github/workflows/codeql-analysis.yml | 2 + .github/workflows/openssf-scorecard.yaml | 8 +- .github/workflows/stale.yaml | 6 + .github/workflows/trivy-scan.yaml | 8 +- 7 files changed, 256 insertions(+), 213 deletions(-) diff --git a/.github/workflows/build_daily.yaml b/.github/workflows/build_daily.yaml index ed21dabd5cf..6782d255ca0 100644 --- a/.github/workflows/build_daily.yaml +++ b/.github/workflows/build_daily.yaml @@ -3,186 +3,200 @@ name: Daily build on: # Run every day schedule: - - cron: '0 12 * * *' + - cron: '0 12 * * *' # Allow manual runs workflow_dispatch: +permissions: + contents: read + env: GOPROXY: https://proxy.golang.org/ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} GO_VERSION: 1.21.6 + jobs: e2e-envoy-xds: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - # * Module download cache - # * Build cache (Linux) - path: | - ~/go/pkg/mod - ~/.cache/go-build - key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - cache: false - - name: add deps to path - run: | - ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin - echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH - - name: e2e tests - env: - CONTOUR_E2E_IMAGE: ghcr.io/projectcontour/contour:main - CONTOUR_E2E_XDS_SERVER_TYPE: envoy - run: | - make setup-kind-cluster run-e2e cleanup-kind - - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + # * Module download cache + # * Build cache (Linux) + path: | + ~/go/pkg/mod + ~/.cache/go-build + key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-${{ github.job }}-go- + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: ${{ env.GO_VERSION }} + cache: false + - name: add deps to path + run: | + ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin + echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH + - name: e2e tests + env: + CONTOUR_E2E_IMAGE: ghcr.io/projectcontour/contour:main + CONTOUR_E2E_XDS_SERVER_TYPE: envoy + run: | + make setup-kind-cluster run-e2e cleanup-kind + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} e2e-envoy-deployment: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - # * Module download cache - # * Build cache (Linux) - path: | - ~/go/pkg/mod - ~/.cache/go-build - key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - cache: false - - name: add deps to path - run: | - ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin - echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH - - name: e2e tests - env: - CONTOUR_E2E_IMAGE: ghcr.io/projectcontour/contour:main - CONTOUR_E2E_ENVOY_DEPLOYMENT_MODE: deployment - run: | - make setup-kind-cluster run-e2e cleanup-kind - - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + # * Module download cache + # * Build cache (Linux) + path: | + ~/go/pkg/mod + ~/.cache/go-build + key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-${{ github.job }}-go- + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: ${{ env.GO_VERSION }} + cache: false + - name: add deps to path + run: | + ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin + echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH + - name: e2e tests + env: + CONTOUR_E2E_IMAGE: ghcr.io/projectcontour/contour:main + CONTOUR_E2E_ENVOY_DEPLOYMENT_MODE: deployment + run: | + make setup-kind-cluster run-e2e cleanup-kind + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} e2e-gateway-reconcile-controller: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - # * Module download cache - # * Build cache (Linux) - path: | - ~/go/pkg/mod - ~/.cache/go-build - key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - cache: false - - name: add deps to path - run: | - ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin - echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH - - name: e2e tests - env: - CONTOUR_E2E_IMAGE: ghcr.io/projectcontour/contour:main - CONTOUR_E2E_PACKAGE_FOCUS: ./test/e2e/gateway - CONTOUR_E2E_GATEWAY_RECONCILE_MODE: controller - run: | - make setup-kind-cluster run-e2e cleanup-kind - - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + # * Module download cache + # * Build cache (Linux) + path: | + ~/go/pkg/mod + ~/.cache/go-build + key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-${{ github.job }}-go- + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: ${{ env.GO_VERSION }} + cache: false + - name: add deps to path + run: | + ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin + echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH + - name: e2e tests + env: + CONTOUR_E2E_IMAGE: ghcr.io/projectcontour/contour:main + CONTOUR_E2E_PACKAGE_FOCUS: ./test/e2e/gateway + CONTOUR_E2E_GATEWAY_RECONCILE_MODE: controller + run: | + make setup-kind-cluster run-e2e cleanup-kind + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} e2e-ipv6: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - # * Module download cache - # * Build cache (Linux) - path: | - ~/go/pkg/mod - ~/.cache/go-build - key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - cache: false - - name: add deps to path - run: | - ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin - echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH - - name: e2e tests - env: - CONTOUR_E2E_IMAGE: ghcr.io/projectcontour/contour:main - IPV6_CLUSTER: "true" - run: | - # Set up cluster to ensure we have a docker bridge network to find a non-local ip from. - make setup-kind-cluster - export CONTOUR_E2E_LOCAL_HOST=$(ifconfig | grep inet6 | grep global | head -n1 | awk '{print $2}') - make run-e2e cleanup-kind - - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + # * Module download cache + # * Build cache (Linux) + path: | + ~/go/pkg/mod + ~/.cache/go-build + key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-${{ github.job }}-go- + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: ${{ env.GO_VERSION }} + cache: false + - name: add deps to path + run: | + ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin + echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH + - name: e2e tests + env: + CONTOUR_E2E_IMAGE: ghcr.io/projectcontour/contour:main + IPV6_CLUSTER: "true" + run: | + # Set up cluster to ensure we have a docker bridge network to find a non-local ip from. + make setup-kind-cluster + export CONTOUR_E2E_LOCAL_HOST=$(ifconfig | grep inet6 | grep global | head -n1 | awk '{print $2}') + make run-e2e cleanup-kind + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} e2e-endpoint-slices: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - # * Module download cache - # * Build cache (Linux) - path: | - ~/go/pkg/mod - ~/.cache/go-build - key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - cache: false - - name: add deps to path - run: | - ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin - echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH - - name: e2e tests - env: - CONTOUR_E2E_IMAGE: ghcr.io/projectcontour/contour:main - CONTOUR_E2E_USE_ENDPOINT_SLICES: true - run: | - make setup-kind-cluster run-e2e cleanup-kind - - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + # * Module download cache + # * Build cache (Linux) + path: | + ~/go/pkg/mod + ~/.cache/go-build + key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-${{ github.job }}-go- + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: ${{ env.GO_VERSION }} + cache: false + - name: add deps to path + run: | + ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin + echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH + - name: e2e tests + env: + CONTOUR_E2E_IMAGE: ghcr.io/projectcontour/contour:main + CONTOUR_E2E_USE_ENDPOINT_SLICES: true + run: | + make setup-kind-cluster run-e2e cleanup-kind + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} diff --git a/.github/workflows/build_main.yaml b/.github/workflows/build_main.yaml index 33200cf2e21..afcfe6dbea9 100644 --- a/.github/workflows/build_main.yaml +++ b/.github/workflows/build_main.yaml @@ -3,15 +3,23 @@ name: Build and push :main image on: push: branches: - - main + - main + +permissions: + contents: read env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + jobs: build: runs-on: ubuntu-latest + permissions: + packages: write steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 with: diff --git a/.github/workflows/build_tag.yaml b/.github/workflows/build_tag.yaml index 42d4da9f097..5cc5786ac31 100644 --- a/.github/workflows/build_tag.yaml +++ b/.github/workflows/build_tag.yaml @@ -3,24 +3,33 @@ name: Build and push a release on: push: tags: - # Although these *look* like regex matches, they're not! - # They are Go path.Match() expressions. - # See https://golang.org/pkg/path/#Match for details. - - 'v[0-9]*.[0-9]*.[0-9]' - - 'v[0-9]*.[0-9]*.[0-9][0-9]' - - 'v[0-9]*.[0-9]*.[0-9][0-9][0-9]' - - 'v[0-9]*.[0-9]*.[0-9]*beta*' - - 'v[0-9]*.[0-9]*.[0-9]*alpha*' - - 'v[0-9]*.[0-9]*.[0-9]*rc*' + # Although these *look* like regex matches, they're not! + # They are Go path.Match() expressions. + # See https://golang.org/pkg/path/#Match for details. + - 'v[0-9]*.[0-9]*.[0-9]' + - 'v[0-9]*.[0-9]*.[0-9][0-9]' + - 'v[0-9]*.[0-9]*.[0-9][0-9][0-9]' + - 'v[0-9]*.[0-9]*.[0-9]*beta*' + - 'v[0-9]*.[0-9]*.[0-9]*alpha*' + - 'v[0-9]*.[0-9]*.[0-9]*rc*' + +permissions: + contents: read + env: GOPROXY: https://proxy.golang.org/ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} GO_VERSION: 1.21.6 + jobs: build: runs-on: ubuntu-latest + permissions: + packages: write steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 with: @@ -47,39 +56,41 @@ jobs: runs-on: ubuntu-latest needs: [build] steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - # * Module download cache - # * Build cache (Linux) - path: | - ~/go/pkg/mod - ~/.cache/go-build - key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - cache: false - - name: add deps to path - run: | - ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin - echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH - - name: Gateway API conformance tests - env: - GENERATE_GATEWAY_CONFORMANCE_REPORT: "true" - run: | - export CONTOUR_E2E_IMAGE="ghcr.io/projectcontour/contour:$(git describe --tags)" - make setup-kind-cluster run-gateway-conformance cleanup-kind - - name: Upload gateway conformance report - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 - with: - name: gateway-conformance-report - path: gateway-conformance-report/projectcontour-contour-*.yaml - - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + # * Module download cache + # * Build cache (Linux) + path: | + ~/go/pkg/mod + ~/.cache/go-build + key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-${{ github.job }}-go- + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: ${{ env.GO_VERSION }} + cache: false + - name: add deps to path + run: | + ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin + echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH + - name: Gateway API conformance tests + env: + GENERATE_GATEWAY_CONFORMANCE_REPORT: "true" + run: | + export CONTOUR_E2E_IMAGE="ghcr.io/projectcontour/contour:$(git describe --tags)" + make setup-kind-cluster run-gateway-conformance cleanup-kind + - name: Upload gateway conformance report + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 + with: + name: gateway-conformance-report + path: gateway-conformance-report/projectcontour-contour-*.yaml + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index e5f8044e170..fcb69da0827 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -19,6 +19,8 @@ env: jobs: CodeQL-Build: runs-on: ubuntu-latest + permissions: + security-events: write steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/openssf-scorecard.yaml b/.github/workflows/openssf-scorecard.yaml index c2b1ce0965f..293be4d751d 100644 --- a/.github/workflows/openssf-scorecard.yaml +++ b/.github/workflows/openssf-scorecard.yaml @@ -1,4 +1,5 @@ name: OpenSSF Scorecard + on: branch_protection_rule: # Run weekly @@ -20,26 +21,21 @@ jobs: permissions: security-events: write id-token: write - steps: - - name: "Checkout code" - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - - name: "Run analysis" uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 with: results_file: results.sarif results_format: sarif publish_results: true - - name: "Upload artifact" uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: SARIF file path: results.sarif - - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 with: diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml index 4a1b43d1980..4ac20ef2668 100644 --- a/.github/workflows/stale.yaml +++ b/.github/workflows/stale.yaml @@ -7,9 +7,15 @@ on: schedule: - cron: "0 0 * * *" +permissions: + contents: read + jobs: stale: runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: diff --git a/.github/workflows/trivy-scan.yaml b/.github/workflows/trivy-scan.yaml index 71dfdd6eae2..cb883475180 100644 --- a/.github/workflows/trivy-scan.yaml +++ b/.github/workflows/trivy-scan.yaml @@ -3,10 +3,13 @@ name: Trivy Scan on: # Run weekly schedule: - - cron: '0 12 * * 1' + - cron: '0 12 * * 1' # Allow manual runs workflow_dispatch: +permissions: + contents: read + jobs: trivy-scan: strategy: @@ -17,9 +20,12 @@ jobs: - release-1.26 - release-1.25 runs-on: ubuntu-latest + permissions: + security-events: write steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: + persist-credentials: false ref: ${{ matrix.branch }} - uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # 0.16.1 with: From 9070cfa21040dcc72054aa5a7d781cdd14400743 Mon Sep 17 00:00:00 2001 From: Sunjay Bhatia <5337253+sunjayBhatia@users.noreply.github.com> Date: Fri, 12 Jan 2024 16:03:42 -0500 Subject: [PATCH 05/19] Add OpenSSF scorecard to README (#6074) also move badges to multiple lines Signed-off-by: Sunjay Bhatia --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d8b2919e899..ac72100c733 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,8 @@ -# Contour ![Build and Test Pull Request](https://github.com/projectcontour/contour/workflows/Build%20and%20Test%20Pull%20Request/badge.svg) [![Go Report Card](https://goreportcard.com/badge/github.com/projectcontour/contour)](https://goreportcard.com/report/github.com/projectcontour/contour) ![GitHub release](https://img.shields.io/github/release/projectcontour/contour.svg) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Slack](https://img.shields.io/badge/slack-join%20chat-e01563.svg?logo=slack)](https://kubernetes.slack.com/messages/contour) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4141/badge)](https://bestpractices.coreinfrastructure.org/projects/4141) +# Contour + +![GitHub release](https://img.shields.io/github/release/projectcontour/contour.svg) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Slack](https://img.shields.io/badge/slack-join%20chat-e01563.svg?logo=slack)](https://kubernetes.slack.com/messages/contour) + +![Build and Test Pull Request](https://github.com/projectcontour/contour/workflows/Build%20and%20Test%20Pull%20Request/badge.svg) [![Go Report Card](https://goreportcard.com/badge/github.com/projectcontour/contour)](https://goreportcard.com/report/github.com/projectcontour/contour) [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/projectcontour/contour/badge)](https://securityscorecards.dev/viewer/?uri=github.com/projectcontour/contour) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4141/badge)](https://bestpractices.coreinfrastructure.org/projects/4141) ![Contour is fun at parties!](contour.png) From 08d6eaf063c2f742167e910e6da7d08798cac2e4 Mon Sep 17 00:00:00 2001 From: Sunjay Bhatia <5337253+sunjayBhatia@users.noreply.github.com> Date: Tue, 16 Jan 2024 09:35:59 -0500 Subject: [PATCH 06/19] Roll back grpc-go to v1.59.0 (#6075) Temporarily to get CI green See: https://github.com/projectcontour/contour/issues/6055 Signed-off-by: Sunjay Bhatia --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 9d87f0bd8aa..03115bcdb71 100644 --- a/go.mod +++ b/go.mod @@ -32,7 +32,7 @@ require ( golang.org/x/oauth2 v0.15.0 gonum.org/v1/plot v0.14.0 google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 - google.golang.org/grpc v1.60.1 + google.golang.org/grpc v1.59.0 google.golang.org/protobuf v1.32.0 gopkg.in/yaml.v3 v3.0.1 k8s.io/api v0.29.0 diff --git a/go.sum b/go.sum index 5d0a32114e9..e04b7b8df0f 100644 --- a/go.sum +++ b/go.sum @@ -743,8 +743,8 @@ google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.60.1 h1:26+wFr+cNqSGFcOXcabYC0lUVJVRa2Sb2ortSK7VrEU= -google.golang.org/grpc v1.60.1/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM= +google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk= +google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= From a804ad85bdaaa1b0d36cd5780d8d12902abedc93 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Jan 2024 09:37:31 -0500 Subject: [PATCH 07/19] build(deps): bump the k8s-dependencies group with 1 update (#6080) Bumps the k8s-dependencies group with 1 update: [k8s.io/klog/v2](https://github.com/kubernetes/klog). Updates `k8s.io/klog/v2` from 2.110.1 to 2.120.0 - [Release notes](https://github.com/kubernetes/klog/releases) - [Changelog](https://github.com/kubernetes/klog/blob/main/RELEASE.md) - [Commits](https://github.com/kubernetes/klog/compare/v2.110.1...v2.120.0) --- updated-dependencies: - dependency-name: k8s.io/klog/v2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: k8s-dependencies ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index 03115bcdb71..99a2b673f68 100644 --- a/go.mod +++ b/go.mod @@ -39,7 +39,7 @@ require ( k8s.io/apiextensions-apiserver v0.29.0 k8s.io/apimachinery v0.29.0 k8s.io/client-go v0.29.0 - k8s.io/klog/v2 v2.110.1 + k8s.io/klog/v2 v2.120.0 sigs.k8s.io/controller-runtime v0.16.3 sigs.k8s.io/controller-tools v0.13.0 sigs.k8s.io/gateway-api v1.0.0 diff --git a/go.sum b/go.sum index e04b7b8df0f..85da1098e21 100644 --- a/go.sum +++ b/go.sum @@ -133,7 +133,6 @@ github.com/go-latex/latex v0.0.0-20230307184459-12ec69307ad9/go.mod h1:gWuR/CrFD github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= -github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo= @@ -804,8 +803,8 @@ k8s.io/klog v0.2.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= -k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0= -k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo= +k8s.io/klog/v2 v2.120.0 h1:z+q5mfovBj1fKFxiRzsa2DsJLPIVMk/KFL81LMOfK+8= +k8s.io/klog/v2 v2.120.0/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= From ef95b9af06482cc239d2def2de9f59eeceee7f0b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Jan 2024 09:40:12 -0500 Subject: [PATCH 08/19] build(deps): bump github.com/onsi/ginkgo/v2 from 2.13.2 to 2.14.0 (#6082) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.13.2 to 2.14.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.13.2...v2.14.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 6 +++--- go.sum | 16 ++++++++-------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/go.mod b/go.mod index 99a2b673f68..1fc966fb699 100644 --- a/go.mod +++ b/go.mod @@ -18,7 +18,7 @@ require ( github.com/google/uuid v1.5.0 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 - github.com/onsi/ginkgo/v2 v2.13.2 + github.com/onsi/ginkgo/v2 v2.14.0 github.com/onsi/gomega v1.30.0 github.com/projectcontour/yages v0.1.0 github.com/prometheus/client_golang v1.18.0 @@ -123,13 +123,13 @@ require ( golang.org/x/crypto v0.17.0 // indirect golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect golang.org/x/image v0.11.0 // indirect - golang.org/x/mod v0.13.0 // indirect + golang.org/x/mod v0.14.0 // indirect golang.org/x/net v0.19.0 // indirect golang.org/x/sys v0.15.0 // indirect golang.org/x/term v0.15.0 // indirect golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.3.0 // indirect - golang.org/x/tools v0.14.0 // indirect + golang.org/x/tools v0.16.1 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect google.golang.org/appengine v1.6.8 // indirect google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97 // indirect diff --git a/go.sum b/go.sum index 85da1098e21..2383d48b796 100644 --- a/go.sum +++ b/go.sum @@ -309,8 +309,8 @@ github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.13.2 h1:Bi2gGVkfn6gQcjNjZJVO8Gf0FHzMPf2phUei9tejVMs= -github.com/onsi/ginkgo/v2 v2.13.2/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM= +github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY= +github.com/onsi/ginkgo/v2 v2.14.0/go.mod h1:JkUdW7JkN0V6rFvsHcJ478egV3XH9NxpD27Hal/PhZw= github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= @@ -461,8 +461,8 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY= -golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= +golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -521,8 +521,8 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ= -golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE= +golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -643,8 +643,8 @@ golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc= -golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg= +golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA= +golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= From 79db809b6aa2b02707e9858282e5b276a8ae2b19 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Jan 2024 09:41:58 -0500 Subject: [PATCH 09/19] build(deps): bump the artifact-actions group with 2 updates (#6085) Bumps the artifact-actions group with 2 updates: [actions/upload-artifact](https://github.com/actions/upload-artifact) and [actions/download-artifact](https://github.com/actions/download-artifact). Updates `actions/upload-artifact` from 4.0.0 to 4.1.0 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/c7d193f32edcb7bfad88892161225aeda64e9392...1eb3cb2b3e0f29609092a73eb033bb759a334595) Updates `actions/download-artifact` from 4.1.0 to 4.1.1 - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110...6b208ae046db98c579e8a3aa621ab581ff575935) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-minor dependency-group: artifact-actions - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-patch dependency-group: artifact-actions ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build_tag.yaml | 2 +- .github/workflows/openssf-scorecard.yaml | 2 +- .github/workflows/prbuild.yaml | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build_tag.yaml b/.github/workflows/build_tag.yaml index 5cc5786ac31..0ee740b16f0 100644 --- a/.github/workflows/build_tag.yaml +++ b/.github/workflows/build_tag.yaml @@ -84,7 +84,7 @@ jobs: export CONTOUR_E2E_IMAGE="ghcr.io/projectcontour/contour:$(git describe --tags)" make setup-kind-cluster run-gateway-conformance cleanup-kind - name: Upload gateway conformance report - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 + uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0 with: name: gateway-conformance-report path: gateway-conformance-report/projectcontour-contour-*.yaml diff --git a/.github/workflows/openssf-scorecard.yaml b/.github/workflows/openssf-scorecard.yaml index 293be4d751d..4b54c858de5 100644 --- a/.github/workflows/openssf-scorecard.yaml +++ b/.github/workflows/openssf-scorecard.yaml @@ -32,7 +32,7 @@ jobs: results_format: sarif publish_results: true - name: "Upload artifact" - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 + uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0 with: name: SARIF file path: results.sarif diff --git a/.github/workflows/prbuild.yaml b/.github/workflows/prbuild.yaml index ed0c0d1c80b..0b15ca01bde 100644 --- a/.github/workflows/prbuild.yaml +++ b/.github/workflows/prbuild.yaml @@ -114,7 +114,7 @@ jobs: run: | make multiarch-build - name: Upload image - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 + uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0 with: name: image path: image/contour-*.tar @@ -155,7 +155,7 @@ jobs: with: persist-credentials: false - name: Download image - uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 + uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: image path: image @@ -218,7 +218,7 @@ jobs: # recent release tag. fetch-depth: 0 - name: Download image - uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 + uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: image path: image @@ -344,7 +344,7 @@ jobs: with: persist-credentials: false - name: Download image - uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 + uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: image path: image From c633fc34bb3b0e6b28a732d65e2351e441183de4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Jan 2024 09:45:52 -0500 Subject: [PATCH 10/19] build(deps): bump github/codeql-action from 3.22.12 to 3.23.0 (#6087) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.22.12 to 3.23.0. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/012739e5082ff0c22ca6d6ab32e07c36df03c4a4...e5f05b81d5b6ff8cfa111c80c22c5fd02a384118) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql-analysis.yml | 6 +++--- .github/workflows/openssf-scorecard.yaml | 2 +- .github/workflows/trivy-scan.yaml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index fcb69da0827..91e7725c2cc 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -41,11 +41,11 @@ jobs: cache: false # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 + uses: github/codeql-action/init@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 with: languages: go # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - name: Autobuild - uses: github/codeql-action/autobuild@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 + uses: github/codeql-action/autobuild@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 + uses: github/codeql-action/analyze@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 diff --git a/.github/workflows/openssf-scorecard.yaml b/.github/workflows/openssf-scorecard.yaml index 4b54c858de5..d760921a64e 100644 --- a/.github/workflows/openssf-scorecard.yaml +++ b/.github/workflows/openssf-scorecard.yaml @@ -37,6 +37,6 @@ jobs: name: SARIF file path: results.sarif - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 + uses: github/codeql-action/upload-sarif@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 with: sarif_file: results.sarif diff --git a/.github/workflows/trivy-scan.yaml b/.github/workflows/trivy-scan.yaml index cb883475180..72e81a20b5c 100644 --- a/.github/workflows/trivy-scan.yaml +++ b/.github/workflows/trivy-scan.yaml @@ -35,6 +35,6 @@ jobs: output: 'trivy-results.sarif' ignore-unfixed: true severity: 'HIGH,CRITICAL' - - uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 + - uses: github/codeql-action/upload-sarif@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 with: sarif_file: 'trivy-results.sarif' From 0c5fb70d47f8a1c097d853ba619ab56c29055073 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Jan 2024 08:12:28 -0700 Subject: [PATCH 11/19] build(deps): bump actions/cache from 3.3.2 to 3.3.3 (#6086) Bumps [actions/cache](https://github.com/actions/cache) from 3.3.2 to 3.3.3. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/704facf57e6136b1bc63b828d79edcd491f0ee84...e12d46a63a90f2fae62d114769bbf2a179198b5c) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build_daily.yaml | 10 +++++----- .github/workflows/build_tag.yaml | 2 +- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/label_check.yaml | 2 +- .github/workflows/prbuild.yaml | 12 ++++++------ 5 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/build_daily.yaml b/.github/workflows/build_daily.yaml index 6782d255ca0..da52384a81e 100644 --- a/.github/workflows/build_daily.yaml +++ b/.github/workflows/build_daily.yaml @@ -22,7 +22,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 with: # * Module download cache # * Build cache (Linux) @@ -58,7 +58,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 with: # * Module download cache # * Build cache (Linux) @@ -94,7 +94,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 with: # * Module download cache # * Build cache (Linux) @@ -131,7 +131,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 with: # * Module download cache # * Build cache (Linux) @@ -170,7 +170,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 with: # * Module download cache # * Build cache (Linux) diff --git a/.github/workflows/build_tag.yaml b/.github/workflows/build_tag.yaml index 0ee740b16f0..cc3a7246f0d 100644 --- a/.github/workflows/build_tag.yaml +++ b/.github/workflows/build_tag.yaml @@ -59,7 +59,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 with: # * Module download cache # * Build cache (Linux) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 91e7725c2cc..836cf2157e5 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -25,7 +25,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 with: # * Module download cache # * Build cache (Linux) diff --git a/.github/workflows/label_check.yaml b/.github/workflows/label_check.yaml index 0141df7f1af..464d542ebcd 100644 --- a/.github/workflows/label_check.yaml +++ b/.github/workflows/label_check.yaml @@ -47,7 +47,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 with: # * Module download cache # * Build cache (Linux) diff --git a/.github/workflows/prbuild.yaml b/.github/workflows/prbuild.yaml index 0b15ca01bde..171be9ed48c 100644 --- a/.github/workflows/prbuild.yaml +++ b/.github/workflows/prbuild.yaml @@ -66,7 +66,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 with: # * Module download cache # * Build cache (Linux) @@ -159,7 +159,7 @@ jobs: with: name: image path: image - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 with: # * Module download cache # * Build cache (Linux) @@ -222,7 +222,7 @@ jobs: with: name: image path: image - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 with: # * Module download cache # * Build cache (Linux) @@ -265,7 +265,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 with: # * Module download cache # * Build cache (Linux) @@ -308,7 +308,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 with: # * Module download cache # * Build cache (Windows) @@ -348,7 +348,7 @@ jobs: with: name: image path: image - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 with: # * Module download cache # * Build cache (Linux) From 3dd50e9a503394a6effc12cdd6471bc28597a48e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Jan 2024 15:15:16 +0000 Subject: [PATCH 12/19] build(deps): bump golang.org/x/oauth2 from 0.15.0 to 0.16.0 (#6083) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.15.0 to 0.16.0. - [Commits](https://github.com/golang/oauth2/compare/v0.15.0...v0.16.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 10 +++++----- go.sum | 20 ++++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/go.mod b/go.mod index 1fc966fb699..92ab1cde222 100644 --- a/go.mod +++ b/go.mod @@ -29,7 +29,7 @@ require ( github.com/tsaarni/certyaml v0.9.2 github.com/vektra/mockery/v2 v2.39.1 go.uber.org/automaxprocs v1.5.3 - golang.org/x/oauth2 v0.15.0 + golang.org/x/oauth2 v0.16.0 gonum.org/v1/plot v0.14.0 google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 google.golang.org/grpc v1.59.0 @@ -120,13 +120,13 @@ require ( github.com/tsaarni/x500dn v1.0.0 // indirect github.com/xhit/go-str2duration/v2 v2.1.0 // indirect go.uber.org/goleak v1.3.0 // indirect - golang.org/x/crypto v0.17.0 // indirect + golang.org/x/crypto v0.18.0 // indirect golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect golang.org/x/image v0.11.0 // indirect golang.org/x/mod v0.14.0 // indirect - golang.org/x/net v0.19.0 // indirect - golang.org/x/sys v0.15.0 // indirect - golang.org/x/term v0.15.0 // indirect + golang.org/x/net v0.20.0 // indirect + golang.org/x/sys v0.16.0 // indirect + golang.org/x/term v0.16.0 // indirect golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.16.1 // indirect diff --git a/go.sum b/go.sum index 2383d48b796..aec52a914be 100644 --- a/go.sum +++ b/go.sum @@ -420,8 +420,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= -golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= +golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= +golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -496,8 +496,8 @@ golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c= -golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= +golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= +golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -507,8 +507,8 @@ golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.15.0 h1:s8pnnxNVzjWyrvYdFUQq5llS1PX2zhPXmccZv99h7uQ= -golang.org/x/oauth2 v0.15.0/go.mod h1:q48ptWNTY5XWf+JNten23lcvHpLJ0ZSxF5ttTHKVCAM= +golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ= +golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -566,13 +566,13 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= -golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= +golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= -golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= -golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= +golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE= +golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= From 3e1ba541c3341e71d63e6c9deea282729924922c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Jan 2024 15:51:53 +0000 Subject: [PATCH 13/19] build(deps): bump github.com/prometheus/common from 0.45.0 to 0.46.0 (#6081) Bumps [github.com/prometheus/common](https://github.com/prometheus/common) from 0.45.0 to 0.46.0. - [Release notes](https://github.com/prometheus/common/releases) - [Commits](https://github.com/prometheus/common/compare/v0.45.0...v0.46.0) --- updated-dependencies: - dependency-name: github.com/prometheus/common dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 3 +-- go.sum | 6 ++---- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 92ab1cde222..4066a4aaf90 100644 --- a/go.mod +++ b/go.mod @@ -23,7 +23,7 @@ require ( github.com/projectcontour/yages v0.1.0 github.com/prometheus/client_golang v1.18.0 github.com/prometheus/client_model v0.5.0 - github.com/prometheus/common v0.45.0 + github.com/prometheus/common v0.46.0 github.com/sirupsen/logrus v1.9.3 github.com/stretchr/testify v1.8.4 github.com/tsaarni/certyaml v0.9.2 @@ -94,7 +94,6 @@ require ( github.com/mailru/easyjson v0.7.7 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.17 // indirect - github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/moby/spdystream v0.2.0 // indirect diff --git a/go.sum b/go.sum index aec52a914be..226224d7a16 100644 --- a/go.sum +++ b/go.sum @@ -288,8 +288,6 @@ github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27k github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng= github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= -github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg= -github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= @@ -334,8 +332,8 @@ github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlk github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= -github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM= -github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY= +github.com/prometheus/common v0.46.0 h1:doXzt5ybi1HBKpsZOL0sSkaNHJJqkyfEWZGGqqScV0Y= +github.com/prometheus/common v0.46.0/go.mod h1:Tp0qkxpb9Jsg54QMe+EAmqXkSV7Evdy1BTn+g2pa/hQ= github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= From 7980bbf4216f5a07c2972bd2d8a5e2c0478f318b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Jan 2024 15:52:03 +0000 Subject: [PATCH 14/19] build(deps): bump github.com/vektra/mockery/v2 from 2.39.1 to 2.40.1 (#6090) Bumps [github.com/vektra/mockery/v2](https://github.com/vektra/mockery) from 2.39.1 to 2.40.1. - [Release notes](https://github.com/vektra/mockery/releases) - [Changelog](https://github.com/vektra/mockery/blob/master/docs/changelog.md) - [Commits](https://github.com/vektra/mockery/compare/v2.39.1...v2.40.1) --- updated-dependencies: - dependency-name: github.com/vektra/mockery/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 4066a4aaf90..4ee38222a0a 100644 --- a/go.mod +++ b/go.mod @@ -27,7 +27,7 @@ require ( github.com/sirupsen/logrus v1.9.3 github.com/stretchr/testify v1.8.4 github.com/tsaarni/certyaml v0.9.2 - github.com/vektra/mockery/v2 v2.39.1 + github.com/vektra/mockery/v2 v2.40.1 go.uber.org/automaxprocs v1.5.3 golang.org/x/oauth2 v0.16.0 gonum.org/v1/plot v0.14.0 diff --git a/go.sum b/go.sum index 226224d7a16..2ad78efbd8d 100644 --- a/go.sum +++ b/go.sum @@ -383,8 +383,8 @@ github.com/tsaarni/certyaml v0.9.2 h1:LoRTuajwjJ1CHAJiMv5cpOtwQ05207Oqe6cT9D7WDa github.com/tsaarni/certyaml v0.9.2/go.mod h1:s+ErAC1wZ32r1ihSULvR7HXedKKN5HZasdb8Cj8gT9E= github.com/tsaarni/x500dn v1.0.0 h1:LvaWTkqRpse4VHBhB5uwf3wytokK4vF9IOyNAEyiA+U= github.com/tsaarni/x500dn v1.0.0/go.mod h1:QaHa3EcUKC4dfCAZmj8+ZRGLKukWgpGv9H3oOCsAbcE= -github.com/vektra/mockery/v2 v2.39.1 h1:zgnW69s+351ZF/L+O5pO64MpVP96aDtw8jwOGvGXzwU= -github.com/vektra/mockery/v2 v2.39.1/go.mod h1:dPzGtjT0/Uu4hqpF6QNHwz+GLago7lq1bxdj9wHbGKo= +github.com/vektra/mockery/v2 v2.40.1 h1:8D01rBqloDLDHKZGXkyUD9Yj5Z+oDXBqDZ+tRXYM/oA= +github.com/vektra/mockery/v2 v2.40.1/go.mod h1:dPzGtjT0/Uu4hqpF6QNHwz+GLago7lq1bxdj9wHbGKo= github.com/xhit/go-str2duration/v2 v2.1.0 h1:lxklc02Drh6ynqX+DdPyp5pCKLUQpRT8bp8Ydu2Bstc= github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= From c62ddf26961fd4451220d5e1556c9f608589991e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Jan 2024 16:48:26 +0000 Subject: [PATCH 15/19] build(deps): bump sigs.k8s.io/controller-runtime from 0.16.3 to 0.17.0 (#6089) * build(deps): bump sigs.k8s.io/controller-runtime from 0.16.3 to 0.17.0 Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.16.3 to 0.17.0. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.16.3...v0.17.0) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * regenerate mocks Signed-off-by: Sunjay Bhatia --------- Signed-off-by: dependabot[bot] Signed-off-by: Sunjay Bhatia Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sunjay Bhatia --- go.mod | 5 ++--- go.sum | 12 ++++++------ internal/k8s/mocks/cache.go | 18 ++++++++++++++++++ 3 files changed, 26 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index 4ee38222a0a..308a1106a77 100644 --- a/go.mod +++ b/go.mod @@ -40,7 +40,7 @@ require ( k8s.io/apimachinery v0.29.0 k8s.io/client-go v0.29.0 k8s.io/klog/v2 v2.120.0 - sigs.k8s.io/controller-runtime v0.16.3 + sigs.k8s.io/controller-runtime v0.17.0 sigs.k8s.io/controller-tools v0.13.0 sigs.k8s.io/gateway-api v1.0.0 sigs.k8s.io/kustomize/kyaml v0.16.0 @@ -60,7 +60,7 @@ require ( github.com/emicklei/go-restful/v3 v3.11.0 // indirect github.com/envoyproxy/protoc-gen-validate v1.0.2 // indirect github.com/evanphx/json-patch v5.7.0+incompatible // indirect - github.com/evanphx/json-patch/v5 v5.7.0 // indirect + github.com/evanphx/json-patch/v5 v5.8.0 // indirect github.com/fatih/color v1.15.0 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect @@ -118,7 +118,6 @@ require ( github.com/subosito/gotenv v1.4.2 // indirect github.com/tsaarni/x500dn v1.0.0 // indirect github.com/xhit/go-str2duration/v2 v2.1.0 // indirect - go.uber.org/goleak v1.3.0 // indirect golang.org/x/crypto v0.18.0 // indirect golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect golang.org/x/image v0.11.0 // indirect diff --git a/go.sum b/go.sum index 2ad78efbd8d..6b1928650b9 100644 --- a/go.sum +++ b/go.sum @@ -106,8 +106,8 @@ github.com/envoyproxy/protoc-gen-validate v1.0.2 h1:QkIBuU5k+x7/QXPvPPnWXWlCdaBF github.com/envoyproxy/protoc-gen-validate v1.0.2/go.mod h1:GpiZQP3dDbg4JouG/NNS7QWXpgx6x8QiMKdmN72jogE= github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI= github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/evanphx/json-patch/v5 v5.7.0 h1:nJqP7uwL84RJInrohHfW0Fx3awjbm8qZeFv0nW9SYGc= -github.com/evanphx/json-patch/v5 v5.7.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= +github.com/evanphx/json-patch/v5 v5.8.0 h1:lRj6N9Nci7MvzrXuX6HFzU8XjmhPiXPlsKEy1u0KQro= +github.com/evanphx/json-patch/v5 v5.8.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs= github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw= github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0XL9UY= @@ -135,8 +135,8 @@ github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7 github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= -github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo= -github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA= +github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= +github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= github.com/go-openapi/jsonpointer v0.20.0 h1:ESKJdU9ASRfaPNOPRx12IUyA1vn3R9GiE3KYD14BXdQ= github.com/go-openapi/jsonpointer v0.20.0/go.mod h1:6PGzBjjIIumbLYysB73Klnms1mwnU4G3YHOECG3CedA= @@ -812,8 +812,8 @@ rsc.io/pdf v0.1.1 h1:k1MczvYDUvJBe93bYd7wrZLLUEcLZAuF824/I4e5Xr4= rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/controller-runtime v0.16.3 h1:2TuvuokmfXvDUamSx1SuAOO3eTyye+47mJCigwG62c4= -sigs.k8s.io/controller-runtime v0.16.3/go.mod h1:j7bialYoSn142nv9sCOJmQgDXQXxnroFU4VnX/brVJ0= +sigs.k8s.io/controller-runtime v0.17.0 h1:fjJQf8Ukya+VjogLO6/bNX9HE6Y2xpsO5+fyS26ur/s= +sigs.k8s.io/controller-runtime v0.17.0/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s= sigs.k8s.io/controller-tools v0.13.0 h1:NfrvuZ4bxyolhDBt/rCZhDnx3M2hzlhgo5n3Iv2RykI= sigs.k8s.io/controller-tools v0.13.0/go.mod h1:5vw3En2NazbejQGCeWKRrE7q4P+CW8/klfVqP8QZkgA= sigs.k8s.io/gateway-api v1.0.0 h1:iPTStSv41+d9p0xFydll6d7f7MOBGuqXM6p2/zVYMAs= diff --git a/internal/k8s/mocks/cache.go b/internal/k8s/mocks/cache.go index 992c31568d8..910e5882d9a 100644 --- a/internal/k8s/mocks/cache.go +++ b/internal/k8s/mocks/cache.go @@ -162,6 +162,24 @@ func (_m *Cache) List(ctx context.Context, list client.ObjectList, opts ...clien return r0 } +// RemoveInformer provides a mock function with given fields: ctx, obj +func (_m *Cache) RemoveInformer(ctx context.Context, obj client.Object) error { + ret := _m.Called(ctx, obj) + + if len(ret) == 0 { + panic("no return value specified for RemoveInformer") + } + + var r0 error + if rf, ok := ret.Get(0).(func(context.Context, client.Object) error); ok { + r0 = rf(ctx, obj) + } else { + r0 = ret.Error(0) + } + + return r0 +} + // Start provides a mock function with given fields: ctx func (_m *Cache) Start(ctx context.Context) error { ret := _m.Called(ctx) From 02faa3a04bd0b39e6afc282c52ef425f18325eb2 Mon Sep 17 00:00:00 2001 From: Sunjay Bhatia <5337253+sunjayBhatia@users.noreply.github.com> Date: Tue, 16 Jan 2024 12:43:00 -0500 Subject: [PATCH 16/19] Enable testifylint and ginkgo linters (#6091) Signed-off-by: Sunjay Bhatia --- .golangci.yml | 6 + .../projectcontour/v1alpha1/accesslog_test.go | 30 ++--- cmd/contour/certgen_test.go | 32 ++--- internal/annotation/annotations_test.go | 4 +- .../contourconfiguration_test.go | 2 +- internal/dag/accessors_test.go | 13 +- internal/dag/cache_test.go | 8 +- internal/dag/conditions_test.go | 9 +- internal/dag/dag_test.go | 17 +-- internal/dag/policy_test.go | 11 +- internal/envoy/cluster_test.go | 10 +- internal/envoy/v3/bootstrap_test.go | 2 +- internal/envoy/v3/cluster_test.go | 6 +- internal/envoy/v3/listener_test.go | 28 ++-- internal/envoy/v3/socket_options_test.go | 8 +- internal/gatewayapi/listeners_test.go | 4 +- internal/httpsvc/http_test.go | 6 +- internal/k8s/helpers_test.go | 23 ++-- internal/k8s/log_test.go | 2 +- internal/k8s/statusaddress_test.go | 6 +- .../controller/gatewayclass_test.go | 4 +- .../contourconfig/contourconfig_test.go | 4 +- internal/provisioner/objects/object_test.go | 4 +- internal/status/cache_test.go | 10 +- internal/timeout/timeout_test.go | 16 +-- internal/timeout/validation_test.go | 5 +- internal/xds/v3/callbacks_test.go | 7 +- internal/xds/v3/contour_test.go | 3 +- pkg/certs/certgen_test.go | 7 +- pkg/config/parameters_test.go | 126 +++++++++--------- .../gateway/response_header_modifier_test.go | 14 +- test/e2e/httpproxy/cookie_rewrite_test.go | 8 +- test/e2e/httpproxy/fqdn_test.go | 2 +- test/e2e/httpproxy/grpc_test.go | 2 +- test/e2e/httpproxy/internal_redirect_test.go | 4 +- test/e2e/httpproxy/namespaces_test.go | 6 +- test/e2e/httpproxy/request_redirect_test.go | 2 +- test/e2e/upgrade/upgrade_test.go | 2 +- 38 files changed, 229 insertions(+), 224 deletions(-) diff --git a/.golangci.yml b/.golangci.yml index 57fd4e00b0d..1b750174c13 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -14,6 +14,8 @@ linters: - goheader - gocritic - forbidigo + - testifylint + - ginkgolinter linters-settings: misspell: @@ -56,6 +58,10 @@ linters-settings: - name: use-any - name: var-declaration - name: var-naming + testifylint: + enable-all: true + ginkgolinter: + forbid-focus-container: true issues: exclude-rules: diff --git a/apis/projectcontour/v1alpha1/accesslog_test.go b/apis/projectcontour/v1alpha1/accesslog_test.go index 26b40c661ab..6f02627e655 100644 --- a/apis/projectcontour/v1alpha1/accesslog_test.go +++ b/apis/projectcontour/v1alpha1/accesslog_test.go @@ -17,25 +17,25 @@ import ( "testing" "github.com/projectcontour/contour/apis/projectcontour/v1alpha1" - "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" ) func TestValidateAccessLogType(t *testing.T) { - assert.Error(t, v1alpha1.AccessLogType("").Validate()) - assert.Error(t, v1alpha1.AccessLogType("foo").Validate()) + require.Error(t, v1alpha1.AccessLogType("").Validate()) + require.Error(t, v1alpha1.AccessLogType("foo").Validate()) - assert.NoError(t, v1alpha1.EnvoyAccessLog.Validate()) - assert.NoError(t, v1alpha1.JSONAccessLog.Validate()) + require.NoError(t, v1alpha1.EnvoyAccessLog.Validate()) + require.NoError(t, v1alpha1.JSONAccessLog.Validate()) } func TestValidateAccessLogLevel(t *testing.T) { - assert.Error(t, v1alpha1.AccessLogLevel("").Validate()) - assert.Error(t, v1alpha1.AccessLogLevel("foo").Validate()) + require.Error(t, v1alpha1.AccessLogLevel("").Validate()) + require.Error(t, v1alpha1.AccessLogLevel("foo").Validate()) - assert.NoError(t, v1alpha1.LogLevelInfo.Validate()) - assert.NoError(t, v1alpha1.LogLevelError.Validate()) - assert.NoError(t, v1alpha1.LogLevelCritical.Validate()) - assert.NoError(t, v1alpha1.LogLevelDisabled.Validate()) + require.NoError(t, v1alpha1.LogLevelInfo.Validate()) + require.NoError(t, v1alpha1.LogLevelError.Validate()) + require.NoError(t, v1alpha1.LogLevelCritical.Validate()) + require.NoError(t, v1alpha1.LogLevelDisabled.Validate()) } func TestValidateAccessLogJSONFields(t *testing.T) { @@ -59,7 +59,7 @@ func TestValidateAccessLogJSONFields(t *testing.T) { } for _, c := range errorCases { - assert.Error(t, v1alpha1.AccessLogJSONFields(c).Validate(), c) + require.Error(t, v1alpha1.AccessLogJSONFields(c).Validate(), c) } successCases := [][]string{ @@ -82,7 +82,7 @@ func TestValidateAccessLogJSONFields(t *testing.T) { } for _, c := range successCases { - assert.NoError(t, v1alpha1.AccessLogJSONFields(c).Validate(), c) + require.NoError(t, v1alpha1.AccessLogJSONFields(c).Validate(), c) } } @@ -103,7 +103,7 @@ func TestAccessLogFormatString(t *testing.T) { } for _, c := range errorCases { - assert.Error(t, v1alpha1.AccessLogFormatString(c).Validate(), c) + require.Error(t, v1alpha1.AccessLogFormatString(c).Validate(), c) } successCases := []string{ @@ -135,6 +135,6 @@ func TestAccessLogFormatString(t *testing.T) { } for _, c := range successCases { - assert.NoError(t, v1alpha1.AccessLogFormatString(c).Validate(), c) + require.NoError(t, v1alpha1.AccessLogFormatString(c).Validate(), c) } } diff --git a/cmd/contour/certgen_test.go b/cmd/contour/certgen_test.go index 87b6a0a52fe..b8d335631ba 100644 --- a/cmd/contour/certgen_test.go +++ b/cmd/contour/certgen_test.go @@ -27,6 +27,7 @@ import ( "github.com/projectcontour/contour/pkg/certs" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" ) @@ -48,9 +49,7 @@ func TestGeneratedSecretsValid(t *testing.T) { Lifetime: conf.Lifetime, Namespace: conf.Namespace, }) - if err != nil { - t.Fatalf("failed to generate certificates: %s", err) - } + require.NoError(t, err, "failed to generate certificates") secrets, errs := certgen.AsSecrets(conf.Namespace, "", certificates) if len(errs) > 0 { @@ -93,7 +92,7 @@ func TestGeneratedSecretsValid(t *testing.T) { } pemBlock, _ := pem.Decode(s.Data[corev1.TLSCertKey]) - assert.Equal(t, pemBlock.Type, "CERTIFICATE") + assert.Equal(t, "CERTIFICATE", pemBlock.Type) cert, err := x509.ParseCertificate(pemBlock.Bytes) if err != nil { @@ -127,9 +126,7 @@ func TestSecretNamePrefix(t *testing.T) { Lifetime: conf.Lifetime, Namespace: conf.Namespace, }) - if err != nil { - t.Fatalf("failed to generate certificates: %s", err) - } + require.NoError(t, err, "failed to generate certificates") secrets, errs := certgen.AsSecrets(conf.Namespace, conf.NameSuffix, certificates) if len(errs) > 0 { @@ -172,18 +169,15 @@ func TestSecretNamePrefix(t *testing.T) { } pemBlock, _ := pem.Decode(s.Data[corev1.TLSCertKey]) - assert.Equal(t, pemBlock.Type, "CERTIFICATE") + assert.Equal(t, "CERTIFICATE", pemBlock.Type) cert, err := x509.ParseCertificate(pemBlock.Bytes) - if err != nil { - t.Errorf("failed to parse X509 certificate: %s", err) - } + require.NoError(t, err, "failed to parse X509 certificate") // Check that each certificate contains SAN entries for the right DNS names. sort.Strings(cert.DNSNames) sort.Strings(wantedNames[s.Name]) assert.Equal(t, cert.DNSNames, wantedNames[s.Name]) - } } @@ -206,9 +200,7 @@ func TestInvalidNamespaceAndName(t *testing.T) { Lifetime: conf.Lifetime, Namespace: conf.Namespace, }) - if err != nil { - t.Fatalf("failed to generate certificates: %s", err) - } + require.NoError(t, err, "failed to generate certificates") secrets, errs := certgen.AsSecrets(conf.Namespace, conf.NameSuffix, certificates) if len(errs) != 2 { @@ -263,14 +255,14 @@ func TestOutputFileMode(t *testing.T) { for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { outputDir, err := os.MkdirTemp("", "") - assert.NoError(t, err) + require.NoError(t, err) defer os.RemoveAll(outputDir) tc.cc.OutputDir = outputDir // Write a file with insecure mode to ensure overwrite works as expected. if tc.cc.Overwrite { _, err = os.Create(filepath.Join(outputDir, tc.insecureFile)) - assert.NoError(t, err) + require.NoError(t, err) } generatedCerts, err := certs.GenerateCerts( @@ -278,9 +270,9 @@ func TestOutputFileMode(t *testing.T) { Lifetime: tc.cc.Lifetime, Namespace: tc.cc.Namespace, }) - assert.NoError(t, err) + require.NoError(t, err) - assert.NoError(t, OutputCerts(tc.cc, nil, generatedCerts)) + require.NoError(t, OutputCerts(tc.cc, nil, generatedCerts)) err = filepath.Walk(outputDir, func(path string, info os.FileInfo, err error) error { if !info.IsDir() { @@ -288,7 +280,7 @@ func TestOutputFileMode(t *testing.T) { } return nil }) - assert.NoError(t, err) + require.NoError(t, err) }) } } diff --git a/internal/annotation/annotations_test.go b/internal/annotation/annotations_test.go index 89fca235c11..8689f802d3b 100644 --- a/internal/annotation/annotations_test.go +++ b/internal/annotation/annotations_test.go @@ -483,8 +483,8 @@ func TestAnnotationKindValidation(t *testing.T) { for key := range annotationsByKind[kind] { t.Run(fmt.Sprintf("%s is known and valid for %s", key, kind), func(t *testing.T) { - assert.Equal(t, true, IsKnown(key)) - assert.Equal(t, true, ValidForKind(kind, key)) + assert.True(t, IsKnown(key)) + assert.True(t, ValidForKind(kind, key)) }) } } diff --git a/internal/contourconfig/contourconfiguration_test.go b/internal/contourconfig/contourconfiguration_test.go index ccc19d98915..38124d2752d 100644 --- a/internal/contourconfig/contourconfiguration_test.go +++ b/internal/contourconfig/contourconfiguration_test.go @@ -333,7 +333,7 @@ func TestParseTimeoutPolicy(t *testing.T) { require.Error(t, err, "expected error to be returned") require.Contains(t, err.Error(), tc.errorMsg) } else { - require.Nil(t, err) + require.NoError(t, err) require.Equal(t, tc.expected, parsed) } }) diff --git a/internal/dag/accessors_test.go b/internal/dag/accessors_test.go index b3a0af8d57c..ca9be59d39d 100644 --- a/internal/dag/accessors_test.go +++ b/internal/dag/accessors_test.go @@ -21,6 +21,7 @@ import ( "github.com/projectcontour/contour/internal/ref" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" @@ -254,11 +255,11 @@ func TestGetSingleListener(t *testing.T) { got, gotErr := d.GetSingleListener("http") assert.Equal(t, d.Listeners["http"], got) - assert.NoError(t, gotErr) + require.NoError(t, gotErr) got, gotErr = d.GetSingleListener("https") assert.Equal(t, d.Listeners["https"], got) - assert.NoError(t, gotErr) + require.NoError(t, gotErr) }) t.Run("one HTTP listener, no HTTPS listener", func(t *testing.T) { @@ -273,11 +274,11 @@ func TestGetSingleListener(t *testing.T) { got, gotErr := d.GetSingleListener("http") assert.Equal(t, d.Listeners["http"], got) - assert.NoError(t, gotErr) + require.NoError(t, gotErr) got, gotErr = d.GetSingleListener("https") assert.Nil(t, got) - assert.EqualError(t, gotErr, "no HTTPS listener configured") + require.EqualError(t, gotErr, "no HTTPS listener configured") }) t.Run("many HTTP listeners, one HTTPS listener", func(t *testing.T) { @@ -304,11 +305,11 @@ func TestGetSingleListener(t *testing.T) { got, gotErr := d.GetSingleListener("http") assert.Nil(t, got) - assert.EqualError(t, gotErr, "more than one HTTP listener configured") + require.EqualError(t, gotErr, "more than one HTTP listener configured") got, gotErr = d.GetSingleListener("https") assert.Equal(t, d.Listeners["https-1"], got) - assert.NoError(t, gotErr) + require.NoError(t, gotErr) }) } diff --git a/internal/dag/cache_test.go b/internal/dag/cache_test.go index f01fa4c680b..b29ac815756 100644 --- a/internal/dag/cache_test.go +++ b/internal/dag/cache_test.go @@ -1835,9 +1835,9 @@ func TestLookupService(t *testing.T) { switch { case tc.wantErr != nil: require.Error(t, gotErr) - assert.EqualError(t, tc.wantErr, gotErr.Error()) + require.EqualError(t, tc.wantErr, gotErr.Error()) default: - assert.Nil(t, gotErr) + require.NoError(t, gotErr) assert.Equal(t, tc.wantSvc, gotSvc) assert.Equal(t, tc.wantPort, gotPort) } @@ -2732,9 +2732,9 @@ func TestLookupUpstreamValidation(t *testing.T) { switch { case tc.wantErr != nil: require.Error(t, gotErr) - assert.EqualError(t, tc.wantErr, gotErr.Error()) + require.EqualError(t, tc.wantErr, gotErr.Error()) default: - assert.Nil(t, gotErr) + require.NoError(t, gotErr) assert.Equal(t, tc.wantPvc, gotPvc) } }) diff --git a/internal/dag/conditions_test.go b/internal/dag/conditions_test.go index 466331100cb..cc4a586349b 100644 --- a/internal/dag/conditions_test.go +++ b/internal/dag/conditions_test.go @@ -18,6 +18,7 @@ import ( contour_api_v1 "github.com/projectcontour/contour/apis/projectcontour/v1" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" ) func TestPathMatchCondition(t *testing.T) { @@ -741,11 +742,11 @@ func TestValidateHeaderMatchConditions(t *testing.T) { gotErr := headerMatchConditionsValid(tc.matchconditions) if !tc.wantErr { - assert.NoError(t, gotErr) + require.NoError(t, gotErr) } if tc.wantErr { - assert.Error(t, gotErr) + require.Error(t, gotErr) } }) } @@ -871,11 +872,11 @@ func TestValidateQueryParameterMatchConditions(t *testing.T) { gotErr := queryParameterMatchConditionsValid(tc.matchconditions) if !tc.wantErr { - assert.NoError(t, gotErr) + require.NoError(t, gotErr) } if tc.wantErr { - assert.Error(t, gotErr) + require.Error(t, gotErr) } }) } diff --git a/internal/dag/dag_test.go b/internal/dag/dag_test.go index bb7e1ed5015..55f00e01773 100644 --- a/internal/dag/dag_test.go +++ b/internal/dag/dag_test.go @@ -17,6 +17,7 @@ import ( "testing" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" ) @@ -89,12 +90,12 @@ func TestPeerValidationContext(t *testing.T) { pvc2 := PeerValidationContext{} var pvc3 *PeerValidationContext - assert.Equal(t, pvc1.GetSubjectNames()[0], "subject") - assert.Equal(t, pvc1.GetCACertificate(), []byte("cacert")) - assert.Equal(t, pvc2.GetSubjectNames(), []string(nil)) - assert.Equal(t, pvc2.GetCACertificate(), []byte(nil)) - assert.Equal(t, pvc3.GetSubjectNames(), []string(nil)) - assert.Equal(t, pvc3.GetCACertificate(), []byte(nil)) + assert.Equal(t, "subject", pvc1.GetSubjectNames()[0]) + assert.Equal(t, []byte("cacert"), pvc1.GetCACertificate()) + assert.Equal(t, []string(nil), pvc2.GetSubjectNames()) + assert.Equal(t, []byte(nil), pvc2.GetCACertificate()) + assert.Equal(t, []string(nil), pvc3.GetSubjectNames()) + assert.Equal(t, []byte(nil), pvc3.GetCACertificate()) } func TestObserverFunc(t *testing.T) { @@ -104,7 +105,7 @@ func TestObserverFunc(t *testing.T) { // Ensure the given function gets called. result := false ObserverFunc(func(*DAG) { result = true }).OnChange(nil) - assert.Equal(t, true, result) + require.True(t, result) } func TestServiceClusterValid(t *testing.T) { @@ -117,7 +118,7 @@ func TestServiceClusterValid(t *testing.T) { } for _, c := range invalid { - assert.Errorf(t, c.Validate(), "invalid cluster %#v", c) + require.Errorf(t, c.Validate(), "invalid cluster %#v", c) } } diff --git a/internal/dag/policy_test.go b/internal/dag/policy_test.go index 018b386d8b2..f1c5992e097 100644 --- a/internal/dag/policy_test.go +++ b/internal/dag/policy_test.go @@ -25,6 +25,7 @@ import ( "github.com/projectcontour/contour/internal/timeout" "github.com/sirupsen/logrus" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" networking_v1 "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) @@ -275,11 +276,11 @@ func TestTimeoutPolicy(t *testing.T) { t.Run(name, func(t *testing.T) { gotRouteTimeoutPolicy, gotClusterTimeoutPolicy, gotErr := timeoutPolicy(tc.tp, tc.clusterConnectTimeout) if tc.wantErr { - assert.Error(t, gotErr) + require.Error(t, gotErr) } else { assert.Equal(t, tc.wantRouteTimeoutPolicy, gotRouteTimeoutPolicy) assert.Equal(t, tc.wantClusterTimeoutPolicy, gotClusterTimeoutPolicy) - assert.NoError(t, gotErr) + require.NoError(t, gotErr) } }) @@ -648,10 +649,10 @@ func TestHeadersPolicy(t *testing.T) { tc := tc got, gotErr := headersPolicyService(&tc.dhp, tc.hp, true, dynamicHeaders) if tc.wantErr { - assert.Error(t, gotErr) + require.Error(t, gotErr) } else { assert.Equal(t, tc.want, *got) - assert.NoError(t, gotErr) + require.NoError(t, gotErr) } }) } @@ -1000,7 +1001,7 @@ func TestRateLimitPolicy(t *testing.T) { rlp, err := rateLimitPolicy(tc.in) if tc.wantErr != "" { - assert.EqualError(t, err, tc.wantErr) + require.EqualError(t, err, tc.wantErr) } else { assert.Equal(t, tc.want, rlp) } diff --git a/internal/envoy/cluster_test.go b/internal/envoy/cluster_test.go index 33bfc89e5c5..e0adca8f9ab 100644 --- a/internal/envoy/cluster_test.go +++ b/internal/envoy/cluster_test.go @@ -46,11 +46,11 @@ func TestTruncate(t *testing.T) { } func TestAnyPositive(t *testing.T) { - assert.Equal(t, false, AnyPositive(0)) - assert.Equal(t, true, AnyPositive(1)) - assert.Equal(t, false, AnyPositive(0, 0)) - assert.Equal(t, true, AnyPositive(1, 0)) - assert.Equal(t, true, AnyPositive(0, 1)) + assert.False(t, AnyPositive(0)) + assert.True(t, AnyPositive(1)) + assert.False(t, AnyPositive(0, 0)) + assert.True(t, AnyPositive(1, 0)) + assert.True(t, AnyPositive(0, 1)) } func TestHashname(t *testing.T) { diff --git a/internal/envoy/v3/bootstrap_test.go b/internal/envoy/v3/bootstrap_test.go index d9dedc1ba55..1c5083df515 100644 --- a/internal/envoy/v3/bootstrap_test.go +++ b/internal/envoy/v3/bootstrap_test.go @@ -1988,7 +1988,7 @@ func TestBootstrap(t *testing.T) { t.Run(name, func(t *testing.T) { tc := tc steps, gotError := bootstrap(&tc.config) - assert.Equal(t, gotError != nil, tc.wantedError) + assert.Equal(t, tc.wantedError, gotError != nil) gotConfigs := map[string]proto.Message{} for _, step := range steps { diff --git a/internal/envoy/v3/cluster_test.go b/internal/envoy/v3/cluster_test.go index e8bb7eef649..d5986704fda 100644 --- a/internal/envoy/v3/cluster_test.go +++ b/internal/envoy/v3/cluster_test.go @@ -992,9 +992,9 @@ func TestDNSNameCluster(t *testing.T) { } func TestClusterLoadAssignmentName(t *testing.T) { - assert.Equal(t, xds.ClusterLoadAssignmentName(types.NamespacedName{Namespace: "ns", Name: "svc"}, "port"), "ns/svc/port") - assert.Equal(t, xds.ClusterLoadAssignmentName(types.NamespacedName{Namespace: "ns", Name: "svc"}, ""), "ns/svc") - assert.Equal(t, xds.ClusterLoadAssignmentName(types.NamespacedName{}, ""), "/") + assert.Equal(t, "ns/svc/port", xds.ClusterLoadAssignmentName(types.NamespacedName{Namespace: "ns", Name: "svc"}, "port")) + assert.Equal(t, "ns/svc", xds.ClusterLoadAssignmentName(types.NamespacedName{Namespace: "ns", Name: "svc"}, "")) + assert.Equal(t, "/", xds.ClusterLoadAssignmentName(types.NamespacedName{}, "")) } func TestClustername(t *testing.T) { diff --git a/internal/envoy/v3/listener_test.go b/internal/envoy/v3/listener_test.go index c8bfa83e28f..e6d97a5d01a 100644 --- a/internal/envoy/v3/listener_test.go +++ b/internal/envoy/v3/listener_test.go @@ -62,19 +62,19 @@ var compressorContentTypes = []string{ } func TestCodecForVersions(t *testing.T) { - assert.Equal(t, CodecForVersions(HTTPVersionAuto), HTTPVersionAuto) - assert.Equal(t, CodecForVersions(HTTPVersion1, HTTPVersion2), HTTPVersionAuto) - assert.Equal(t, CodecForVersions(HTTPVersion1), HTTPVersion1) - assert.Equal(t, CodecForVersions(HTTPVersion2), HTTPVersion2) + assert.Equal(t, HTTPVersionAuto, CodecForVersions(HTTPVersionAuto)) + assert.Equal(t, HTTPVersionAuto, CodecForVersions(HTTPVersion1, HTTPVersion2)) + assert.Equal(t, HTTPVersion1, CodecForVersions(HTTPVersion1)) + assert.Equal(t, HTTPVersion2, CodecForVersions(HTTPVersion2)) } func TestProtoNamesForVersions(t *testing.T) { - assert.Equal(t, ProtoNamesForVersions(), []string{"h2", "http/1.1"}) - assert.Equal(t, ProtoNamesForVersions(HTTPVersionAuto), []string{"h2", "http/1.1"}) - assert.Equal(t, ProtoNamesForVersions(HTTPVersion1), []string{"http/1.1"}) - assert.Equal(t, ProtoNamesForVersions(HTTPVersion2), []string{"h2"}) - assert.Equal(t, ProtoNamesForVersions(HTTPVersion3), []string(nil)) - assert.Equal(t, ProtoNamesForVersions(HTTPVersion1, HTTPVersion2), []string{"h2", "http/1.1"}) + assert.Equal(t, []string{"h2", "http/1.1"}, ProtoNamesForVersions()) + assert.Equal(t, []string{"h2", "http/1.1"}, ProtoNamesForVersions(HTTPVersionAuto)) + assert.Equal(t, []string{"http/1.1"}, ProtoNamesForVersions(HTTPVersion1)) + assert.Equal(t, []string{"h2"}, ProtoNamesForVersions(HTTPVersion2)) + assert.Equal(t, []string(nil), ProtoNamesForVersions(HTTPVersion3)) + assert.Equal(t, []string{"h2", "http/1.1"}, ProtoNamesForVersions(HTTPVersion1, HTTPVersion2)) } func TestListener(t *testing.T) { @@ -1710,10 +1710,10 @@ func TestFilterChainTLS_Match(t *testing.T) { // DefaultFilters adds the required HTTP connection manager filters. func TestBuilderValidation(t *testing.T) { - assert.Error(t, HTTPConnectionManagerBuilder().Validate(), + require.Error(t, HTTPConnectionManagerBuilder().Validate(), "ConnectionManager with no filters should not pass validation") - assert.Error(t, HTTPConnectionManagerBuilder().AddFilter(&http.HttpFilter{ + require.Error(t, HTTPConnectionManagerBuilder().AddFilter(&http.HttpFilter{ Name: "foo", ConfigType: &http.HttpFilter_TypedConfig{ TypedConfig: &anypb.Any{ @@ -1723,7 +1723,7 @@ func TestBuilderValidation(t *testing.T) { }).Validate(), "ConnectionManager with only non-router filter should not pass validation") - assert.NoError(t, HTTPConnectionManagerBuilder().DefaultFilters().Validate(), + require.NoError(t, HTTPConnectionManagerBuilder().DefaultFilters().Validate(), "ConnectionManager with default filters failed validation") badBuilder := HTTPConnectionManagerBuilder().DefaultFilters() @@ -1735,7 +1735,7 @@ func TestBuilderValidation(t *testing.T) { }, }, }) - assert.Errorf(t, badBuilder.Validate(), "Adding a filter after the Router filter should fail") + require.Errorf(t, badBuilder.Validate(), "Adding a filter after the Router filter should fail") } func TestAddFilter(t *testing.T) { diff --git a/internal/envoy/v3/socket_options_test.go b/internal/envoy/v3/socket_options_test.go index 689fe2af015..fc7a688b9c0 100644 --- a/internal/envoy/v3/socket_options_test.go +++ b/internal/envoy/v3/socket_options_test.go @@ -24,10 +24,10 @@ import ( func TestSocketOptions(t *testing.T) { // No options shall be set when value 0 is set. so := NewSocketOptions().TOS(0).TrafficClass(0) - assert.Equal(t, len(so.options), 0) + assert.Empty(t, so.options) so.TOS(64) - assert.Equal(t, so.Build(), + assert.Equal(t, []*envoy_core_v3.SocketOption{ { Description: "Set IPv4 TOS field", @@ -37,10 +37,11 @@ func TestSocketOptions(t *testing.T) { State: envoy_core_v3.SocketOption_STATE_LISTENING, }, }, + so.Build(), ) so.TrafficClass(64) - assert.Equal(t, so.Build(), + assert.Equal(t, []*envoy_core_v3.SocketOption{ { Description: "Set IPv4 TOS field", @@ -57,5 +58,6 @@ func TestSocketOptions(t *testing.T) { State: envoy_core_v3.SocketOption_STATE_LISTENING, }, }, + so.Build(), ) } diff --git a/internal/gatewayapi/listeners_test.go b/internal/gatewayapi/listeners_test.go index 365edaa5d9b..405248aed94 100644 --- a/internal/gatewayapi/listeners_test.go +++ b/internal/gatewayapi/listeners_test.go @@ -369,7 +369,7 @@ func TestValidateListeners(t *testing.T) { } res := ValidateListeners(listeners) - assert.Len(t, res.InvalidListenerConditions, 0) + assert.Empty(t, res.InvalidListenerConditions) assert.Len(t, res.Ports, 1) assert.Len(t, res.ListenerNames, 3) }) @@ -521,7 +521,7 @@ func TestValidateListeners(t *testing.T) { }, } res := ValidateListeners(listeners) - assert.Len(t, res.InvalidListenerConditions, 0) + assert.Empty(t, res.InvalidListenerConditions) assert.Len(t, res.Ports, 3) assert.Len(t, res.ListenerNames, 3) }) diff --git a/internal/httpsvc/http_test.go b/internal/httpsvc/http_test.go index ed42e56c271..c5b2c02795b 100644 --- a/internal/httpsvc/http_test.go +++ b/internal/httpsvc/http_test.go @@ -146,7 +146,7 @@ func TestHTTPSService(t *testing.T) { resp.Body.Close() expectedCert, _ := contourCertBeforeRotation.X509Certificate() assert.Equal(t, &expectedCert, resp.TLS.PeerCertificates[0]) - assert.True(t, uint16(tls.VersionTLS13) >= resp.TLS.Version) + assert.GreaterOrEqual(t, uint16(tls.VersionTLS13), resp.TLS.Version) assert.Equal(t, http.StatusOK, resp.StatusCode) return true }, 1*time.Second, 100*time.Millisecond) @@ -156,7 +156,7 @@ func TestHTTPSService(t *testing.T) { checkFatalErr(t, err) resp, err := tryGet("https://localhost:8001/test", trustedTLSClientCert, caCertPool) - assert.Nil(t, err) + require.NoError(t, err) resp.Body.Close() expectedCert, _ := contourCertAfterRotation.X509Certificate() assert.Equal(t, &expectedCert, resp.TLS.PeerCertificates[0]) @@ -164,7 +164,7 @@ func TestHTTPSService(t *testing.T) { // Connection should fail when trying to connect with untrusted client cert. untrustedTLSClientCert, _ := untrustedClientCert.TLSCertificate() _, err = tryGet("https://localhost:8001/test", untrustedTLSClientCert, caCertPool) // nolint // false positive: response body must be closed - assert.NotNil(t, err) + require.Error(t, err) // Gracefully shut down. cancel() diff --git a/internal/k8s/helpers_test.go b/internal/k8s/helpers_test.go index 362cfb097fd..420aaf43a40 100644 --- a/internal/k8s/helpers_test.go +++ b/internal/k8s/helpers_test.go @@ -21,6 +21,7 @@ import ( contour_api_v1 "github.com/projectcontour/contour/apis/projectcontour/v1" contour_api_v1alpha1 "github.com/projectcontour/contour/apis/projectcontour/v1alpha1" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" v1 "k8s.io/api/core/v1" networking_v1 "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -89,20 +90,20 @@ func TestIsObjectEqual(t *testing.T) { for _, tc := range tests { t.Run(tc.name, func(t *testing.T) { buf, err := os.ReadFile(tc.filename) - assert.NoError(t, err) + require.NoError(t, err) // Each file contains two YAML records, which should be compared with each other. objects := strings.Split(string(buf), "---") - assert.Equal(t, 2, len(objects), "expected 2 objects in file") + assert.Len(t, objects, 2, "expected 2 objects in file") // Decode the objects. oldObj, _, err := deserializer.Decode([]byte(objects[0]), nil, nil) - assert.NoError(t, err) + require.NoError(t, err) newObj, _, err := deserializer.Decode([]byte(objects[1]), nil, nil) - assert.NoError(t, err) + require.NoError(t, err) got, err := IsObjectEqual(oldObj.(client.Object), newObj.(client.Object)) - assert.NoError(t, err) + require.NoError(t, err) assert.Equal(t, tc.equals, got) }) } @@ -124,13 +125,13 @@ func TestIsEqualForResourceVersion(t *testing.T) { // Objects with equal ResourceVersion should evaluate to true. got, err := IsObjectEqual(oldS, newS) - assert.NoError(t, err) + require.NoError(t, err) assert.True(t, got) // Differences in data should be ignored. newS.Data["foo"] = []byte("baz") got, err = IsObjectEqual(oldS, newS) - assert.NoError(t, err) + require.NoError(t, err) assert.True(t, got) } @@ -151,13 +152,13 @@ func TestIsEqualFallback(t *testing.T) { // Any object (even unsupported types) with equal ResourceVersion should evaluate to true. got, err := IsObjectEqual(oldObj, newObj) - assert.NoError(t, err) + require.NoError(t, err) assert.True(t, got) // Unsupported types with unequal ResourceVersion should return an error. newObj.ResourceVersion = "456" got, err = IsObjectEqual(oldObj, newObj) - assert.Error(t, err) + require.Error(t, err) assert.False(t, got) } @@ -172,13 +173,13 @@ func TestIsEqualForGeneration(t *testing.T) { // Objects with equal Generation should evaluate to true. got, err := IsObjectEqual(oldObj, newObj) - assert.NoError(t, err) + require.NoError(t, err) assert.True(t, got) // Objects with unequal Generation should evaluate to false. newObj.SetGeneration(oldObj.GetGeneration() + 1) got, err = IsObjectEqual(oldObj, newObj) - assert.NoError(t, err) + require.NoError(t, err) assert.False(t, got) } diff --git a/internal/k8s/log_test.go b/internal/k8s/log_test.go index f86db16f0d5..1267f37b7b0 100644 --- a/internal/k8s/log_test.go +++ b/internal/k8s/log_test.go @@ -134,7 +134,7 @@ func TestControllerRuntimeLoggerLogsToLogrus(t *testing.T) { controller_runtime_log.Log.Info("some message") require.Eventually(t, func() bool { return len(logHook.AllEntries()) == 1 }, klogFlushWaitTime, klogFlushWaitInterval) - assert.Equal(t, logHook.AllEntries()[0].Message, "some message") + assert.Equal(t, "some message", logHook.AllEntries()[0].Message) } // Last LogWriterOption passed in should be used. diff --git a/internal/k8s/statusaddress_test.go b/internal/k8s/statusaddress_test.go index 7dbdf200cde..838bbbc5553 100644 --- a/internal/k8s/statusaddress_test.go +++ b/internal/k8s/statusaddress_test.go @@ -77,7 +77,7 @@ func TestServiceStatusLoadBalancerWatcherOnAdd(t *testing.T) { want := v1.LoadBalancerStatus{ Ingress: []v1.LoadBalancerIngress{{Hostname: "projectcontour.io"}}, } - assert.Equal(t, got, want) + assert.Equal(t, want, got) } func TestServiceStatusLoadBalancerWatcherOnUpdate(t *testing.T) { @@ -127,7 +127,7 @@ func TestServiceStatusLoadBalancerWatcherOnUpdate(t *testing.T) { want := v1.LoadBalancerStatus{ Ingress: []v1.LoadBalancerIngress{{Hostname: "projectcontour.io"}}, } - assert.Equal(t, got, want) + assert.Equal(t, want, got) } func TestServiceStatusLoadBalancerWatcherOnDelete(t *testing.T) { @@ -175,7 +175,7 @@ func TestServiceStatusLoadBalancerWatcherOnDelete(t *testing.T) { want := v1.LoadBalancerStatus{ Ingress: nil, } - assert.Equal(t, got, want) + assert.Equal(t, want, got) } func TestStatusAddressUpdater(t *testing.T) { diff --git a/internal/provisioner/controller/gatewayclass_test.go b/internal/provisioner/controller/gatewayclass_test.go index 9d53efe0b5a..ac302f1971c 100644 --- a/internal/provisioner/controller/gatewayclass_test.go +++ b/internal/provisioner/controller/gatewayclass_test.go @@ -47,7 +47,7 @@ func TestGatewayClassReconcile(t *testing.T) { NamespacedName: types.NamespacedName{Name: "nonexistent"}, }, assertions: func(t *testing.T, r *gatewayClassReconciler, gc *gatewayv1beta1.GatewayClass, reconcileErr error) { - assert.NoError(t, reconcileErr) + require.NoError(t, reconcileErr) gatewayClasses := &gatewayv1beta1.GatewayClassList{} require.NoError(t, r.client.List(context.Background(), gatewayClasses)) @@ -64,7 +64,7 @@ func TestGatewayClassReconcile(t *testing.T) { }, }, assertions: func(t *testing.T, r *gatewayClassReconciler, gc *gatewayv1beta1.GatewayClass, reconcileErr error) { - assert.NoError(t, reconcileErr) + require.NoError(t, reconcileErr) res := &gatewayv1beta1.GatewayClass{} require.NoError(t, r.client.Get(context.Background(), keyFor(gc), res)) diff --git a/internal/provisioner/objects/contourconfig/contourconfig_test.go b/internal/provisioner/objects/contourconfig/contourconfig_test.go index d02f41940f4..428d55323c9 100644 --- a/internal/provisioner/objects/contourconfig/contourconfig_test.go +++ b/internal/provisioner/objects/contourconfig/contourconfig_test.go @@ -332,9 +332,9 @@ func TestEnsureContourConfigDeleted(t *testing.T) { } err := client.Get(context.Background(), key, remaining) if tc.wantDelete { - assert.True(t, errors.IsNotFound(err)) + require.True(t, errors.IsNotFound(err)) } else { - assert.NoError(t, err) + require.NoError(t, err) } }) diff --git a/internal/provisioner/objects/object_test.go b/internal/provisioner/objects/object_test.go index eb7c1aa7db7..a2af22ca69c 100644 --- a/internal/provisioner/objects/object_test.go +++ b/internal/provisioner/objects/object_test.go @@ -46,7 +46,7 @@ func TestEnsureObject_ErrorGettingObject(t *testing.T) { }, } - assert.ErrorContains(t, EnsureObject(context.Background(), client, want, nil, &corev1.Service{}), "failed to get resource obj-ns/obj-name") + require.ErrorContains(t, EnsureObject(context.Background(), client, want, nil, &corev1.Service{}), "failed to get resource obj-ns/obj-name") } func TestEnsureObject_NonExistentObjectIsCreated(t *testing.T) { @@ -161,7 +161,7 @@ func TestEnsureObject_ErrorUpdatingObject(t *testing.T) { return errors.New("update error") } - assert.ErrorContains(t, EnsureObject(context.Background(), client, desired, updater, &corev1.Service{}), "update error") + require.ErrorContains(t, EnsureObject(context.Background(), client, desired, updater, &corev1.Service{}), "update error") } func TestEnsureObjectDeleted_ObjectNotFound(t *testing.T) { diff --git a/internal/status/cache_test.go b/internal/status/cache_test.go index 70715007953..0105f469468 100644 --- a/internal/status/cache_test.go +++ b/internal/status/cache_test.go @@ -72,11 +72,11 @@ func TestCacheAcquisition(t *testing.T) { assert.Equal(t, &newEntry, cachedEntry) updates := cache.GetStatusUpdates() - assert.Equal(t, 3, len(updates)) + assert.Len(t, updates, 3) assert.Equal(t, newEntry.ID, updates[0].NamespacedName.Name) - assert.Equal(t, 3, len(cache.entries)) - assert.Equal(t, 1, len(cache.entries["HTTPProxy"])) - assert.Equal(t, 1, len(cache.entries["ExtensionService"])) - assert.Equal(t, 1, len(cache.entries["HTTPRoute"])) + assert.Len(t, cache.entries, 3) + assert.Len(t, cache.entries["HTTPProxy"], 1) + assert.Len(t, cache.entries["ExtensionService"], 1) + assert.Len(t, cache.entries["HTTPRoute"], 1) } diff --git a/internal/timeout/timeout_test.go b/internal/timeout/timeout_test.go index c077ca44133..e78ec8a2113 100644 --- a/internal/timeout/timeout_test.go +++ b/internal/timeout/timeout_test.go @@ -17,7 +17,7 @@ import ( "testing" "time" - "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" ) func TestParse(t *testing.T) { @@ -60,11 +60,11 @@ func TestParse(t *testing.T) { for name, tc := range tests { t.Run(name, func(t *testing.T) { got, gotErr := Parse(tc.duration) - assert.Equal(t, tc.want, got) + require.Equal(t, tc.want, got) if tc.wantErr { - assert.Error(t, gotErr) + require.Error(t, gotErr) } else { - assert.NoError(t, gotErr) + require.NoError(t, gotErr) } }) } @@ -102,16 +102,16 @@ func TestParseMaxAge(t *testing.T) { for name, tc := range tests { t.Run(name, func(t *testing.T) { got, gotErr := ParseMaxAge(tc.duration) - assert.Equal(t, tc.want, got) + require.Equal(t, tc.want, got) if tc.wantErr { - assert.Error(t, gotErr) + require.Error(t, gotErr) } else { - assert.NoError(t, gotErr) + require.NoError(t, gotErr) } }) } } func TestDurationSetting(t *testing.T) { - assert.Equal(t, 10*time.Second, DurationSetting(10*time.Second).Duration()) + require.Equal(t, 10*time.Second, DurationSetting(10*time.Second).Duration()) } diff --git a/internal/timeout/validation_test.go b/internal/timeout/validation_test.go index 2aa5c6b7f80..6ff4bad96f4 100644 --- a/internal/timeout/validation_test.go +++ b/internal/timeout/validation_test.go @@ -18,6 +18,7 @@ import ( "testing" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" ) // TestKubebuilderValidation verifies that the regex used as a kubebuilder validation @@ -75,10 +76,10 @@ func TestKubebuilderValidation(t *testing.T) { if valid { assert.True(t, regexMatches, "input string %q: regex should match but does not", tc) - assert.NoError(t, parseErr, "input string %q: timeout.Parse should succeed but does not", tc) + require.NoError(t, parseErr, "input string %q", tc) } else { assert.False(t, regexMatches, "input string %q: regex should not match but does", tc) - assert.NotNil(t, parseErr, "input string %q: timeout.Parse should return an error but does not", tc) + require.Error(t, parseErr, "input string %q", tc) } } } diff --git a/internal/xds/v3/callbacks_test.go b/internal/xds/v3/callbacks_test.go index cfc0ccbf1a4..a3e66d36c3c 100644 --- a/internal/xds/v3/callbacks_test.go +++ b/internal/xds/v3/callbacks_test.go @@ -24,6 +24,7 @@ import ( "github.com/sirupsen/logrus" "github.com/sirupsen/logrus/hooks/test" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "google.golang.org/genproto/googleapis/rpc/code" "google.golang.org/genproto/googleapis/rpc/status" ) @@ -168,7 +169,7 @@ func TestLogDiscoveryRequestDetails(t *testing.T) { } } assert.NotNil(t, logEntry, fmt.Sprintf("no log line with expected message %q", tc.expectedLogMsg)) - assert.Equal(t, logEntry.Data, tc.expectedLogData) + assert.Equal(t, tc.expectedLogData, logEntry.Data) logHook.Reset() }) } @@ -181,7 +182,7 @@ func TestOnStreamRequestCallbackLogs(t *testing.T) { callbacks := NewRequestLoggingCallbacks(log) err := callbacks.OnStreamOpen(context.TODO(), 999, "a-type") - assert.NoError(t, err) + require.NoError(t, err) assert.NotEmpty(t, logHook.AllEntries()) logHook.Reset() @@ -195,7 +196,7 @@ func TestOnStreamRequestCallbackLogs(t *testing.T) { ResourceNames: []string{"some", "resources"}, TypeUrl: "some-type-url", }) - assert.NoError(t, err) + require.NoError(t, err) assert.NotEmpty(t, logHook.AllEntries()) logHook.Reset() } diff --git a/internal/xds/v3/contour_test.go b/internal/xds/v3/contour_test.go index 99b07c93567..d7cd389761e 100644 --- a/internal/xds/v3/contour_test.go +++ b/internal/xds/v3/contour_test.go @@ -27,6 +27,7 @@ import ( "github.com/sirupsen/logrus" "github.com/sirupsen/logrus/hooks/test" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" "google.golang.org/protobuf/proto" @@ -198,7 +199,7 @@ func TestStreamLoggingConnectionClose(t *testing.T) { assert.Equal(t, tc.closeErr, err) assert.Equal(t, tc.closeErr, entry.Data["error"]) } else { - assert.Nil(t, err) + require.NoError(t, err) } logHook.Reset() diff --git a/pkg/certs/certgen_test.go b/pkg/certs/certgen_test.go index c2e244b0762..969e5410e30 100644 --- a/pkg/certs/certgen_test.go +++ b/pkg/certs/certgen_test.go @@ -20,7 +20,6 @@ import ( "testing" "time" - "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) @@ -59,10 +58,10 @@ func TestGenerateCerts(t *testing.T) { require.Truef(t, ok, "Failed to set up CA cert for testing, maybe it's an invalid PEM") err = verifyCert(got.ContourCertificate, roots, tc.wantContourDNSName, currentTime) - assert.NoErrorf(t, err, "Validating %s failed", name) + require.NoErrorf(t, err, "Validating %s failed", name) err = verifyCert(got.EnvoyCertificate, roots, tc.wantEnvoyDNSName, currentTime) - assert.NoErrorf(t, err, "Validating %s failed", name) + require.NoErrorf(t, err, "Validating %s failed", name) }) } @@ -149,7 +148,7 @@ func TestGeneratedCertsValid(t *testing.T) { for name, tc := range tests { t.Run(name, func(t *testing.T) { err := verifyCert(tc.cert, roots, tc.dnsname, now) - assert.NoErrorf(t, err, "Validating %s failed", name) + require.NoErrorf(t, err, "Validating %s failed", name) }) } diff --git a/pkg/config/parameters_test.go b/pkg/config/parameters_test.go index aee9291ef8d..1984091f568 100644 --- a/pkg/config/parameters_test.go +++ b/pkg/config/parameters_test.go @@ -122,48 +122,48 @@ policy: } func TestValidateClusterDNSFamilyType(t *testing.T) { - assert.Error(t, ClusterDNSFamilyType("").Validate()) - assert.Error(t, ClusterDNSFamilyType("foo").Validate()) + require.Error(t, ClusterDNSFamilyType("").Validate()) + require.Error(t, ClusterDNSFamilyType("foo").Validate()) - assert.NoError(t, AutoClusterDNSFamily.Validate()) - assert.NoError(t, IPv4ClusterDNSFamily.Validate()) - assert.NoError(t, IPv6ClusterDNSFamily.Validate()) - assert.NoError(t, AllClusterDNSFamily.Validate()) + require.NoError(t, AutoClusterDNSFamily.Validate()) + require.NoError(t, IPv4ClusterDNSFamily.Validate()) + require.NoError(t, IPv6ClusterDNSFamily.Validate()) + require.NoError(t, AllClusterDNSFamily.Validate()) } func TestValidateServerHeaderTranformationType(t *testing.T) { - assert.Error(t, ServerHeaderTransformationType("").Validate()) - assert.Error(t, ServerHeaderTransformationType("foo").Validate()) + require.Error(t, ServerHeaderTransformationType("").Validate()) + require.Error(t, ServerHeaderTransformationType("foo").Validate()) - assert.NoError(t, OverwriteServerHeader.Validate()) - assert.NoError(t, AppendIfAbsentServerHeader.Validate()) - assert.NoError(t, PassThroughServerHeader.Validate()) + require.NoError(t, OverwriteServerHeader.Validate()) + require.NoError(t, AppendIfAbsentServerHeader.Validate()) + require.NoError(t, PassThroughServerHeader.Validate()) } func TestValidateHeadersPolicy(t *testing.T) { - assert.Error(t, HeadersPolicy{ + require.Error(t, HeadersPolicy{ Set: map[string]string{ "inv@lid-header": "ook", }, }.Validate()) - assert.Error(t, HeadersPolicy{ + require.Error(t, HeadersPolicy{ Remove: []string{"inv@lid-header"}, }.Validate()) - assert.NoError(t, HeadersPolicy{ + require.NoError(t, HeadersPolicy{ Set: map[string]string{}, Remove: []string{}, }.Validate()) - assert.NoError(t, HeadersPolicy{ + require.NoError(t, HeadersPolicy{ Set: map[string]string{"X-Envoy-Host": "envoy-a12345"}, }.Validate()) - assert.NoError(t, HeadersPolicy{ + require.NoError(t, HeadersPolicy{ Set: map[string]string{ "X-Envoy-Host": "envoy-s12345", "l5d-dst-override": "kuard.default.svc.cluster.local:80", }, Remove: []string{"Sensitive-Header"}, }.Validate()) - assert.NoError(t, HeadersPolicy{ + require.NoError(t, HeadersPolicy{ Set: map[string]string{ "X-Envoy-Host": "%HOSTNAME%", "l5d-dst-override": "%CONTOUR_SERVICE_NAME%.%CONTOUR_NAMESPACE%.svc.cluster.local:%CONTOUR_SERVICE_PORT%", @@ -172,44 +172,44 @@ func TestValidateHeadersPolicy(t *testing.T) { } func TestValidateNamespacedName(t *testing.T) { - assert.NoErrorf(t, NamespacedName{}.Validate(), "empty name should be OK") - assert.NoError(t, NamespacedName{Name: "name", Namespace: "ns"}.Validate()) + require.NoErrorf(t, NamespacedName{}.Validate(), "empty name should be OK") + require.NoError(t, NamespacedName{Name: "name", Namespace: "ns"}.Validate()) - assert.Error(t, NamespacedName{Name: "name"}.Validate()) - assert.Error(t, NamespacedName{Namespace: "ns"}.Validate()) + require.Error(t, NamespacedName{Name: "name"}.Validate()) + require.Error(t, NamespacedName{Namespace: "ns"}.Validate()) } func TestValidateServerType(t *testing.T) { - assert.Error(t, ServerType("").Validate()) - assert.Error(t, ServerType("foo").Validate()) + require.Error(t, ServerType("").Validate()) + require.Error(t, ServerType("foo").Validate()) - assert.NoError(t, EnvoyServerType.Validate()) - assert.NoError(t, ContourServerType.Validate()) + require.NoError(t, EnvoyServerType.Validate()) + require.NoError(t, ContourServerType.Validate()) } func TestValidateGatewayParameters(t *testing.T) { // Not required if nothing is passed. var gw *GatewayParameters - assert.Equal(t, nil, gw.Validate()) + require.NoError(t, gw.Validate()) // ControllerName is required. gw = &GatewayParameters{ControllerName: "controller"} - assert.Equal(t, nil, gw.Validate()) + require.NoError(t, gw.Validate()) } func TestValidateHTTPVersionType(t *testing.T) { - assert.Error(t, HTTPVersionType("").Validate()) - assert.Error(t, HTTPVersionType("foo").Validate()) - assert.Error(t, HTTPVersionType("HTTP/1.1").Validate()) - assert.Error(t, HTTPVersionType("HTTP/2").Validate()) + require.Error(t, HTTPVersionType("").Validate()) + require.Error(t, HTTPVersionType("foo").Validate()) + require.Error(t, HTTPVersionType("HTTP/1.1").Validate()) + require.Error(t, HTTPVersionType("HTTP/2").Validate()) - assert.NoError(t, HTTPVersion1.Validate()) - assert.NoError(t, HTTPVersion2.Validate()) + require.NoError(t, HTTPVersion1.Validate()) + require.NoError(t, HTTPVersion2.Validate()) } func TestValidateTimeoutParams(t *testing.T) { - assert.NoError(t, TimeoutParameters{}.Validate()) - assert.NoError(t, TimeoutParameters{ + require.NoError(t, TimeoutParameters{}.Validate()) + require.NoError(t, TimeoutParameters{ RequestTimeout: "infinite", ConnectionIdleTimeout: "infinite", StreamIdleTimeout: "infinite", @@ -218,7 +218,7 @@ func TestValidateTimeoutParams(t *testing.T) { ConnectionShutdownGracePeriod: "infinite", ConnectTimeout: "2s", }.Validate()) - assert.NoError(t, TimeoutParameters{ + require.NoError(t, TimeoutParameters{ RequestTimeout: "infinity", ConnectionIdleTimeout: "infinity", StreamIdleTimeout: "infinity", @@ -228,25 +228,25 @@ func TestValidateTimeoutParams(t *testing.T) { ConnectTimeout: "2s", }.Validate()) - assert.Error(t, TimeoutParameters{RequestTimeout: "foo"}.Validate()) - assert.Error(t, TimeoutParameters{ConnectionIdleTimeout: "bar"}.Validate()) - assert.Error(t, TimeoutParameters{StreamIdleTimeout: "baz"}.Validate()) - assert.Error(t, TimeoutParameters{MaxConnectionDuration: "boop"}.Validate()) - assert.Error(t, TimeoutParameters{DelayedCloseTimeout: "bebop"}.Validate()) - assert.Error(t, TimeoutParameters{ConnectionShutdownGracePeriod: "bong"}.Validate()) - assert.Error(t, TimeoutParameters{ConnectTimeout: "infinite"}.Validate()) + require.Error(t, TimeoutParameters{RequestTimeout: "foo"}.Validate()) + require.Error(t, TimeoutParameters{ConnectionIdleTimeout: "bar"}.Validate()) + require.Error(t, TimeoutParameters{StreamIdleTimeout: "baz"}.Validate()) + require.Error(t, TimeoutParameters{MaxConnectionDuration: "boop"}.Validate()) + require.Error(t, TimeoutParameters{DelayedCloseTimeout: "bebop"}.Validate()) + require.Error(t, TimeoutParameters{ConnectionShutdownGracePeriod: "bong"}.Validate()) + require.Error(t, TimeoutParameters{ConnectTimeout: "infinite"}.Validate()) } func TestTLSParametersValidation(t *testing.T) { // Fallback certificate validation - assert.NoError(t, TLSParameters{ + require.NoError(t, TLSParameters{ FallbackCertificate: NamespacedName{ Name: " ", Namespace: " ", }, }.Validate()) - assert.Error(t, TLSParameters{ + require.Error(t, TLSParameters{ FallbackCertificate: NamespacedName{ Name: "somename", Namespace: " ", @@ -254,13 +254,13 @@ func TestTLSParametersValidation(t *testing.T) { }.Validate()) // Client certificate validation - assert.NoError(t, TLSParameters{ + require.NoError(t, TLSParameters{ ClientCertificate: NamespacedName{ Name: " ", Namespace: " ", }, }.Validate()) - assert.Error(t, TLSParameters{ + require.Error(t, TLSParameters{ ClientCertificate: NamespacedName{ Name: "", Namespace: "somenamespace ", @@ -268,51 +268,51 @@ func TestTLSParametersValidation(t *testing.T) { }.Validate()) // Cipher suites validation - assert.NoError(t, ProtocolParameters{ + require.NoError(t, ProtocolParameters{ CipherSuites: []string{}, }.Validate()) - assert.NoError(t, ProtocolParameters{ + require.NoError(t, ProtocolParameters{ CipherSuites: []string{ "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]", "ECDHE-ECDSA-AES128-GCM-SHA256", }, }.Validate()) - assert.Error(t, ProtocolParameters{ + require.Error(t, ProtocolParameters{ CipherSuites: []string{ "NOTAVALIDCIPHER", }, }.Validate()) // TLS protocol version validation - assert.NoError(t, ProtocolParameters{ + require.NoError(t, ProtocolParameters{ MinimumProtocolVersion: "1.2", }.Validate()) - assert.Error(t, ProtocolParameters{ + require.Error(t, ProtocolParameters{ MinimumProtocolVersion: "1.1", }.Validate()) - assert.NoError(t, ProtocolParameters{ + require.NoError(t, ProtocolParameters{ MaximumProtocolVersion: "1.3", }.Validate()) - assert.Error(t, ProtocolParameters{ + require.Error(t, ProtocolParameters{ MaximumProtocolVersion: "invalid", }.Validate()) - assert.NoError(t, ProtocolParameters{ + require.NoError(t, ProtocolParameters{ MinimumProtocolVersion: "1.2", MaximumProtocolVersion: "1.3", }.Validate()) - assert.Error(t, ProtocolParameters{ + require.Error(t, ProtocolParameters{ MinimumProtocolVersion: "1.3", MaximumProtocolVersion: "1.2", }.Validate()) - assert.NoError(t, ProtocolParameters{ + require.NoError(t, ProtocolParameters{ MinimumProtocolVersion: "1.2", MaximumProtocolVersion: "1.2", }.Validate()) - assert.NoError(t, ProtocolParameters{ + require.NoError(t, ProtocolParameters{ MinimumProtocolVersion: "1.3", MaximumProtocolVersion: "1.3", }.Validate()) - assert.Error(t, ProtocolParameters{ + require.Error(t, ProtocolParameters{ MinimumProtocolVersion: "1.1", MaximumProtocolVersion: "1.3", }.Validate()) @@ -522,7 +522,7 @@ func TestMetricsParametersValidation(t *testing.T) { Port: 1234, }, } - assert.NoError(t, valid.Validate()) + require.NoError(t, valid.Validate()) tlsValid := MetricsParameters{ Contour: MetricsServerParameters{ @@ -536,7 +536,7 @@ func TestMetricsParametersValidation(t *testing.T) { Port: 1234, }, } - assert.NoError(t, valid.Validate()) + require.NoError(t, valid.Validate()) assert.True(t, tlsValid.Contour.HasTLS()) assert.False(t, tlsValid.Envoy.HasTLS()) @@ -551,7 +551,7 @@ func TestMetricsParametersValidation(t *testing.T) { Port: 1234, }, } - assert.Error(t, tlsKeyMissing.Validate()) + require.Error(t, tlsKeyMissing.Validate()) tlsCAWithoutServerCert := MetricsParameters{ Contour: MetricsServerParameters{ @@ -564,7 +564,7 @@ func TestMetricsParametersValidation(t *testing.T) { CABundle: "ca.pem", }, } - assert.Error(t, tlsCAWithoutServerCert.Validate()) + require.Error(t, tlsCAWithoutServerCert.Validate()) } diff --git a/test/e2e/gateway/response_header_modifier_test.go b/test/e2e/gateway/response_header_modifier_test.go index 9e025a90daf..d59501eec6c 100644 --- a/test/e2e/gateway/response_header_modifier_test.go +++ b/test/e2e/gateway/response_header_modifier_test.go @@ -113,22 +113,20 @@ func testResponseHeaderModifierBackendRef(namespace string, gateway types.Namesp switch body.Service { case "echo-header-filter": assert.Len(t, res.Headers["My-Header"], 1) - assert.Equal(t, res.Headers.Get("My-Header"), "Foo") + assert.Equal(t, "Foo", res.Headers.Get("My-Header")) assert.Len(t, res.Headers["Replace-Header"], 1) - assert.Equal(t, res.Headers.Get("Replace-Header"), "Bar") + assert.Equal(t, "Bar", res.Headers.Get("Replace-Header")) - assert.Len(t, res.Headers["Other-Header"], 0) - assert.Equal(t, res.Headers.Get("Other-Header"), "") + assert.Empty(t, res.Headers["Other-Header"]) case "echo-header-nofilter": - assert.Len(t, res.Headers["My-Header"], 0) - assert.Equal(t, res.Headers.Get("My-Header"), "") + assert.Empty(t, res.Headers["My-Header"]) assert.Len(t, res.Headers["Replace-Header"], 1) - assert.Equal(t, res.Headers.Get("Replace-Header"), "Tobe-Replaced") + assert.Equal(t, "Tobe-Replaced", res.Headers.Get("Replace-Header")) assert.Len(t, res.Headers["Other-Header"], 1) - assert.Equal(t, res.Headers.Get("Other-Header"), "Remove") + assert.Equal(t, "Remove", res.Headers.Get("Other-Header")) } } assert.Contains(t, seenBackends, "echo-header-filter") diff --git a/test/e2e/httpproxy/cookie_rewrite_test.go b/test/e2e/httpproxy/cookie_rewrite_test.go index 304f2e7bd59..d5cd40605ff 100644 --- a/test/e2e/httpproxy/cookie_rewrite_test.go +++ b/test/e2e/httpproxy/cookie_rewrite_test.go @@ -75,7 +75,7 @@ func testInvalidCookieRewriteFields(namespace string) { }, }, } - assert.Error(f.T(), f.Client.Create(context.TODO(), p), "expected char %d to be invalid in cookie name", c) + require.Error(f.T(), f.Client.Create(context.TODO(), p), "expected char %d to be invalid in cookie name", c) } // ;, DEL, and control chars. @@ -108,7 +108,7 @@ func testInvalidCookieRewriteFields(namespace string) { }, }, } - assert.Error(f.T(), f.Client.Create(context.TODO(), p), "expected char %d to be invalid in path rewrite", c) + require.Error(f.T(), f.Client.Create(context.TODO(), p), "expected char %d to be invalid in path rewrite", c) } invalidDomains := []string{ @@ -144,7 +144,7 @@ func testInvalidCookieRewriteFields(namespace string) { }, }, } - assert.Error(f.T(), f.Client.Create(context.TODO(), p), "expected domain rewrite %q to be invalid", d) + require.Error(f.T(), f.Client.Create(context.TODO(), p), "expected domain rewrite %q to be invalid", d) } p := &contourv1.HTTPProxy{ @@ -174,7 +174,7 @@ func testInvalidCookieRewriteFields(namespace string) { }, }, } - assert.Error(f.T(), f.Client.Create(context.TODO(), p), "expected invalid SameSite to be rejected") + require.Error(f.T(), f.Client.Create(context.TODO(), p), "expected invalid SameSite to be rejected") }) } diff --git a/test/e2e/httpproxy/fqdn_test.go b/test/e2e/httpproxy/fqdn_test.go index 7d732c41454..cb7b2a1fbed 100644 --- a/test/e2e/httpproxy/fqdn_test.go +++ b/test/e2e/httpproxy/fqdn_test.go @@ -52,7 +52,7 @@ func testWildcardFQDN(namespace string) { // Creation should fail the kubebuilder CRD validations. err := f.CreateHTTPProxy(p) - require.NotNil(t, err, "Expected invalid wildcard to be rejected.") + require.Error(t, err, "Expected invalid wildcard to be rejected.") }) } diff --git a/test/e2e/httpproxy/grpc_test.go b/test/e2e/httpproxy/grpc_test.go index 4e5f68acaeb..962e163f003 100644 --- a/test/e2e/httpproxy/grpc_test.go +++ b/test/e2e/httpproxy/grpc_test.go @@ -244,7 +244,7 @@ func parseGRPCWebResponse(body []byte) grpcWebResponse { currentPos += 4 if trailersLen > 0 { - require.Equal(t, len(body), currentPos+trailersLen) + require.Len(t, body, currentPos+trailersLen) trailersKV := strings.Split(strings.TrimSpace(string(body[currentPos:])), "\r\n") for _, kv := range trailersKV { diff --git a/test/e2e/httpproxy/internal_redirect_test.go b/test/e2e/httpproxy/internal_redirect_test.go index df5ec742141..32e5068ea79 100644 --- a/test/e2e/httpproxy/internal_redirect_test.go +++ b/test/e2e/httpproxy/internal_redirect_test.go @@ -57,7 +57,7 @@ func testInternalRedirectValidation(namespace string) { // Creation should fail the kubebuilder CRD validations. err := f.CreateHTTPProxy(p) - require.NotNil(t, err, "Expected invalid AllowCrossSchemeRedirect to be rejected.") + require.Error(t, err, "Expected invalid AllowCrossSchemeRedirect to be rejected.") }) Specify("invalid redirect code", func() { @@ -86,7 +86,7 @@ func testInternalRedirectValidation(namespace string) { // Creation should fail the kubebuilder CRD validations. err := f.CreateHTTPProxy(p) - require.NotNil(t, err, "Expected invalid RedirectResponseCodes to be rejected.") + require.Error(t, err, "Expected invalid RedirectResponseCodes to be rejected.") }) } diff --git a/test/e2e/httpproxy/namespaces_test.go b/test/e2e/httpproxy/namespaces_test.go index 721470fb45a..fed4d96669a 100644 --- a/test/e2e/httpproxy/namespaces_test.go +++ b/test/e2e/httpproxy/namespaces_test.go @@ -48,7 +48,7 @@ func testWatchNamespaces(namespaces []string) e2e.NamespacedTestBody { deployEchoServer(f.T(), f.Client, nonWatchedNS, "echo") p := newEchoProxy("proxy", nonWatchedNS) err := f.CreateHTTPProxy(p) - require.Nil(f.T(), err, "could not create httpproxy") + require.NoError(f.T(), err, "could not create httpproxy") require.Never(f.T(), func() bool { res := &contourv1.HTTPProxy{} if err := f.Client.Get(context.TODO(), client.ObjectKeyFromObject(p), res); err != nil { @@ -121,7 +121,7 @@ func testWatchAndRootNamespaces(rootNamespaces []string, nonRootNamespace string }, } err := f.CreateHTTPProxy(lp) - require.Nil(f.T(), err, "could not create leaf httpproxy") + require.NoError(f.T(), err, "could not create leaf httpproxy") f.CreateHTTPProxyAndWaitFor(p, e2e.HTTPProxyValid) res, ok := f.HTTP.RequestUntil(&e2e.HTTPRequestOpts{ Host: p.Spec.VirtualHost.Fqdn, @@ -134,7 +134,7 @@ func testWatchAndRootNamespaces(rootNamespaces []string, nonRootNamespace string deployEchoServer(f.T(), f.Client, nonWatchedNS, "echo") p = newEchoProxy("root-proxy", nonWatchedNS) err = f.CreateHTTPProxy(p) - require.Nil(f.T(), err, "could not create httpproxy") + require.NoError(f.T(), err, "could not create httpproxy") require.Never(f.T(), func() bool { res := &contourv1.HTTPProxy{} if err := f.Client.Get(context.TODO(), client.ObjectKeyFromObject(p), res); err != nil { diff --git a/test/e2e/httpproxy/request_redirect_test.go b/test/e2e/httpproxy/request_redirect_test.go index 5b530a85fd9..a90f63fbdfe 100644 --- a/test/e2e/httpproxy/request_redirect_test.go +++ b/test/e2e/httpproxy/request_redirect_test.go @@ -35,7 +35,7 @@ func testRequestRedirectRuleNoService(namespace string) { proxy := getRedirectHTTPProxy(namespace, true) for _, route := range proxy.Spec.Routes { - require.Equal(t, 0, len(route.Services)) + require.Empty(t, route.Services) } doRedirectTest(namespace, proxy, t) diff --git a/test/e2e/upgrade/upgrade_test.go b/test/e2e/upgrade/upgrade_test.go index ed519899930..49f794ac3c8 100644 --- a/test/e2e/upgrade/upgrade_test.go +++ b/test/e2e/upgrade/upgrade_test.go @@ -68,7 +68,7 @@ var _ = Describe("When upgrading", func() { // We should be running in a multi-node cluster with a proper load // balancer, so fetch load balancer ip to make requests to. require.NoError(f.T(), f.Client.Get(context.TODO(), client.ObjectKeyFromObject(f.Deployment.EnvoyService), f.Deployment.EnvoyService)) - require.Greater(f.T(), len(f.Deployment.EnvoyService.Status.LoadBalancer.Ingress), 0) + require.NotEmpty(f.T(), f.Deployment.EnvoyService.Status.LoadBalancer.Ingress) require.NotEmpty(f.T(), f.Deployment.EnvoyService.Status.LoadBalancer.Ingress[0].IP) f.HTTP.HTTPURLBase = "http://" + f.Deployment.EnvoyService.Status.LoadBalancer.Ingress[0].IP f.HTTP.HTTPSURLBase = "https://" + f.Deployment.EnvoyService.Status.LoadBalancer.Ingress[0].IP From 51b72d9a5911b470868242e046b33dc568cea297 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Jan 2024 18:30:03 +0000 Subject: [PATCH 17/19] build(deps): bump sigs.k8s.io/controller-tools from 0.13.0 to 0.14.0 (#6084) Bumps [sigs.k8s.io/controller-tools](https://github.com/kubernetes-sigs/controller-tools) from 0.13.0 to 0.14.0. - [Release notes](https://github.com/kubernetes-sigs/controller-tools/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-tools/blob/master/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/controller-tools/compare/v0.13.0...v0.14.0) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: Sunjay Bhatia Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sunjay Bhatia --- examples/contour/01-crds.yaml | 7200 +++++++++-------- examples/render/contour-deployment.yaml | 7200 +++++++++-------- .../render/contour-gateway-provisioner.yaml | 7200 +++++++++-------- examples/render/contour-gateway.yaml | 7200 +++++++++-------- examples/render/contour.yaml | 7200 +++++++++-------- go.mod | 8 +- go.sum | 19 +- 7 files changed, 18124 insertions(+), 17903 deletions(-) diff --git a/examples/contour/01-crds.yaml b/examples/contour/01-crds.yaml index 0f332781055..9787514aa67 100644 --- a/examples/contour/01-crds.yaml +++ b/examples/contour/01-crds.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: contourconfigurations.projectcontour.io spec: preserveUnknownFields: false @@ -23,47 +23,59 @@ spec: description: ContourConfiguration is the schema for a Contour instance. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: ContourConfigurationSpec represents a configuration of a - Contour controller. It contains most of all the options that can be - customized, the other remaining options being command line flags. + description: |- + ContourConfigurationSpec represents a configuration of a Contour controller. + It contains most of all the options that can be customized, the + other remaining options being command line flags. properties: debug: - description: Debug contains parameters to enable debug logging and - debug interfaces inside Contour. + description: |- + Debug contains parameters to enable debug logging + and debug interfaces inside Contour. properties: address: - description: "Defines the Contour debug address interface. \n - Contour's default is \"127.0.0.1\"." + description: |- + Defines the Contour debug address interface. + Contour's default is "127.0.0.1". type: string port: - description: "Defines the Contour debug address port. \n Contour's - default is 6060." + description: |- + Defines the Contour debug address port. + Contour's default is 6060. type: integer type: object enableExternalNameService: - description: "EnableExternalNameService allows processing of ExternalNameServices - \n Contour's default is false for security reasons." + description: |- + EnableExternalNameService allows processing of ExternalNameServices + Contour's default is false for security reasons. type: boolean envoy: - description: Envoy contains parameters for Envoy as well as how to - optionally configure a managed Envoy fleet. + description: |- + Envoy contains parameters for Envoy as well + as how to optionally configure a managed Envoy fleet. properties: clientCertificate: - description: ClientCertificate defines the namespace/name of the - Kubernetes secret containing the client certificate and private - key to be used when establishing TLS connection to upstream + description: |- + ClientCertificate defines the namespace/name of the Kubernetes + secret containing the client certificate and private key + to be used when establishing TLS connection to upstream cluster. properties: name: @@ -75,13 +87,14 @@ spec: - namespace type: object cluster: - description: Cluster holds various configurable Envoy cluster - values that can be set in the config file. + description: |- + Cluster holds various configurable Envoy cluster values that can + be set in the config file. properties: circuitBreakers: - description: GlobalCircuitBreakerDefaults specifies default - circuit breaker budget across all services. If defined, - this will be used as the default for all services. + description: |- + GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services. + If defined, this will be used as the default for all services. properties: maxConnections: description: The maximum number of connections that a @@ -109,34 +122,36 @@ spec: type: integer type: object dnsLookupFamily: - description: "DNSLookupFamily defines how external names are - looked up When configured as V4, the DNS resolver will only - perform a lookup for addresses in the IPv4 family. If V6 - is configured, the DNS resolver will only perform a lookup - for addresses in the IPv6 family. If AUTO is configured, - the DNS resolver will first perform a lookup for addresses - in the IPv6 family and fallback to a lookup for addresses - in the IPv4 family. If ALL is specified, the DNS resolver - will perform a lookup for both IPv4 and IPv6 families, and - return all resolved addresses. When this is used, Happy - Eyeballs will be enabled for upstream connections. Refer - to Happy Eyeballs Support for more information. Note: This - only applies to externalName clusters. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily - for more information. \n Values: `auto` (default), `v4`, - `v6`, `all`. \n Other values will produce an error." + description: |- + DNSLookupFamily defines how external names are looked up + When configured as V4, the DNS resolver will only perform a lookup + for addresses in the IPv4 family. If V6 is configured, the DNS resolver + will only perform a lookup for addresses in the IPv6 family. + If AUTO is configured, the DNS resolver will first perform a lookup + for addresses in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for + both IPv4 and IPv6 families, and return all resolved addresses. + When this is used, Happy Eyeballs will be enabled for upstream connections. + Refer to Happy Eyeballs Support for more information. + Note: This only applies to externalName clusters. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. + Values: `auto` (default), `v4`, `v6`, `all`. + Other values will produce an error. type: string maxRequestsPerConnection: - description: Defines the maximum requests for upstream connections. - If not specified, there is no limit. see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + description: |- + Defines the maximum requests for upstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions for more information. format: int32 minimum: 1 type: integer per-connection-buffer-limit-bytes: - description: Defines the soft limit on size of the cluster’s - new connection read and write buffers in bytes. If unspecified, - an implementation defined default is applied (1MiB). see - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes + description: |- + Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes for more information. format: int32 minimum: 1 @@ -146,59 +161,73 @@ spec: for upstream connections properties: cipherSuites: - description: "CipherSuites defines the TLS ciphers to - be supported by Envoy TLS listeners when negotiating - TLS 1.2. Ciphers are validated against the set that - Envoy supports by default. This parameter should only - be used by advanced users. Note that these will be ignored - when TLS 1.3 is in use. \n This field is optional; when - it is undefined, a Contour-managed ciphersuite list + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list will be used, which may be updated to keep it secure. - \n Contour's default list is: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" - \n Ciphers provided are validated against the following - list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" - - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" - - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" - - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - - \"AES256-SHA\" \n Contour recommends leaving this undefined - unless you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters - Note: This list is a superset of what is valid for stock - Envoy builds and those using BoringSSL FIPS." + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. items: type: string type: array maximumProtocolVersion: - description: "MaximumProtocolVersion is the maximum TLS - version this vhost should negotiate. \n Values: `1.2`, - `1.3`(default). \n Other values will produce an error." + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. type: string minimumProtocolVersion: - description: "MinimumProtocolVersion is the minimum TLS - version this vhost should negotiate. \n Values: `1.2` - (default), `1.3`. \n Other values will produce an error." + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. type: string type: object type: object defaultHTTPVersions: - description: "DefaultHTTPVersions defines the default set of HTTPS - versions the proxy should accept. HTTP versions are strings - of the form \"HTTP/xx\". Supported versions are \"HTTP/1.1\" - and \"HTTP/2\". \n Values: `HTTP/1.1`, `HTTP/2` (default: both). - \n Other values will produce an error." + description: |- + DefaultHTTPVersions defines the default set of HTTPS + versions the proxy should accept. HTTP versions are + strings of the form "HTTP/xx". Supported versions are + "HTTP/1.1" and "HTTP/2". + Values: `HTTP/1.1`, `HTTP/2` (default: both). + Other values will produce an error. items: description: HTTPVersionType is the name of a supported HTTP version. type: string type: array health: - description: "Health defines the endpoint Envoy uses to serve - health checks. \n Contour's default is { address: \"0.0.0.0\", - port: 8002 }." + description: |- + Health defines the endpoint Envoy uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8002 }. properties: address: description: Defines the health address interface. @@ -209,9 +238,9 @@ spec: type: integer type: object http: - description: "Defines the HTTP Listener for Envoy. \n Contour's - default is { address: \"0.0.0.0\", port: 8080, accessLog: \"/dev/stdout\" - }." + description: |- + Defines the HTTP Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }. properties: accessLog: description: AccessLog defines where Envoy logs are outputted @@ -226,9 +255,9 @@ spec: type: integer type: object https: - description: "Defines the HTTPS Listener for Envoy. \n Contour's - default is { address: \"0.0.0.0\", port: 8443, accessLog: \"/dev/stdout\" - }." + description: |- + Defines the HTTPS Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }. properties: accessLog: description: AccessLog defines where Envoy logs are outputted @@ -247,106 +276,103 @@ spec: values. properties: connectionBalancer: - description: "ConnectionBalancer. If the value is exact, the - listener will use the exact connection balancer See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig - for more information. \n Values: (empty string): use the - default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. - \n Other values will produce an error." + description: |- + ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer + See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig + for more information. + Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. + Other values will produce an error. type: string disableAllowChunkedLength: - description: "DisableAllowChunkedLength disables the RFC-compliant - Envoy behavior to strip the \"Content-Length\" header if - \"Transfer-Encoding: chunked\" is also set. This is an emergency - off-switch to revert back to Envoy's default behavior in - case of failures. Please file an issue if failures are encountered. + description: |- + DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to + strip the "Content-Length" header if "Transfer-Encoding: chunked" is + also set. This is an emergency off-switch to revert back to Envoy's + default behavior in case of failures. Please file an issue if failures + are encountered. See: https://github.com/projectcontour/contour/issues/3221 - \n Contour's default is false." + Contour's default is false. type: boolean disableMergeSlashes: - description: "DisableMergeSlashes disables Envoy's non-standard - merge_slashes path transformation option which strips duplicate - slashes from request URL paths. \n Contour's default is - false." + description: |- + DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option + which strips duplicate slashes from request URL paths. + Contour's default is false. type: boolean httpMaxConcurrentStreams: - description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS - Envoy will advertise in the SETTINGS frame in HTTP/2 connections - and the limit for concurrent streams allowed for a peer - on a single HTTP/2 connection. It is recommended to not - set this lower than 100 but this field can be used to bound - resource usage by HTTP/2 connections and mitigate attacks - like CVE-2023-44487. The default value when this is not - set is unlimited. + description: |- + Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the + SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed + for a peer on a single HTTP/2 connection. It is recommended to not set this lower + than 100 but this field can be used to bound resource usage by HTTP/2 connections + and mitigate attacks like CVE-2023-44487. The default value when this is not set is + unlimited. format: int32 minimum: 1 type: integer maxConnectionsPerListener: - description: Defines the limit on number of active connections - to a listener. The limit is applied per listener. The default - value when this is not set is unlimited. + description: |- + Defines the limit on number of active connections to a listener. The limit is applied + per listener. The default value when this is not set is unlimited. format: int32 minimum: 1 type: integer maxRequestsPerConnection: - description: Defines the maximum requests for downstream connections. - If not specified, there is no limit. see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + description: |- + Defines the maximum requests for downstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions for more information. format: int32 minimum: 1 type: integer maxRequestsPerIOCycle: - description: Defines the limit on number of HTTP requests - that Envoy will process from a single connection in a single - I/O cycle. Requests over this limit are processed in subsequent - I/O cycles. Can be used as a mitigation for CVE-2023-44487 - when abusive traffic is detected. Configures the http.max_requests_per_io_cycle - Envoy runtime setting. The default value when this is not - set is no limit. + description: |- + Defines the limit on number of HTTP requests that Envoy will process from a single + connection in a single I/O cycle. Requests over this limit are processed in subsequent + I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is + detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default + value when this is not set is no limit. format: int32 minimum: 1 type: integer per-connection-buffer-limit-bytes: - description: Defines the soft limit on size of the listener’s - new connection read and write buffers in bytes. If unspecified, - an implementation defined default is applied (1MiB). see - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes + description: |- + Defines the soft limit on size of the listener’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes for more information. format: int32 minimum: 1 type: integer serverHeaderTransformation: - description: "Defines the action to be applied to the Server - header on the response path. When configured as overwrite, - overwrites any Server header with \"envoy\". When configured - as append_if_absent, if a Server header is present, pass - it through, otherwise set it to \"envoy\". When configured - as pass_through, pass through the value of the Server header, - and do not append a header if none is present. \n Values: - `overwrite` (default), `append_if_absent`, `pass_through` - \n Other values will produce an error. Contour's default - is overwrite." + description: |- + Defines the action to be applied to the Server header on the response path. + When configured as overwrite, overwrites any Server header with "envoy". + When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy". + When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. + Values: `overwrite` (default), `append_if_absent`, `pass_through` + Other values will produce an error. + Contour's default is overwrite. type: string socketOptions: - description: SocketOptions defines configurable socket options - for the listeners. Single set of options are applied to - all listeners. + description: |- + SocketOptions defines configurable socket options for the listeners. + Single set of options are applied to all listeners. properties: tos: - description: Defines the value for IPv4 TOS field (including - 6 bit DSCP field) for IP packets originating from Envoy - listeners. Single value is applied to all listeners. - If listeners are bound to IPv6-only addresses, setting - this option will cause an error. + description: |- + Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv6-only addresses, setting this option will cause an error. format: int32 maximum: 255 minimum: 0 type: integer trafficClass: - description: Defines the value for IPv6 Traffic Class - field (including 6 bit DSCP field) for IP packets originating - from the Envoy listeners. Single value is applied to - all listeners. If listeners are bound to IPv4-only addresses, - setting this option will cause an error. + description: |- + Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv4-only addresses, setting this option will cause an error. format: int32 maximum: 255 minimum: 0 @@ -357,79 +383,93 @@ spec: values. properties: cipherSuites: - description: "CipherSuites defines the TLS ciphers to - be supported by Envoy TLS listeners when negotiating - TLS 1.2. Ciphers are validated against the set that - Envoy supports by default. This parameter should only - be used by advanced users. Note that these will be ignored - when TLS 1.3 is in use. \n This field is optional; when - it is undefined, a Contour-managed ciphersuite list + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list will be used, which may be updated to keep it secure. - \n Contour's default list is: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" - \n Ciphers provided are validated against the following - list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" - - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" - - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" - - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - - \"AES256-SHA\" \n Contour recommends leaving this undefined - unless you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters - Note: This list is a superset of what is valid for stock - Envoy builds and those using BoringSSL FIPS." + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. items: type: string type: array maximumProtocolVersion: - description: "MaximumProtocolVersion is the maximum TLS - version this vhost should negotiate. \n Values: `1.2`, - `1.3`(default). \n Other values will produce an error." + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. type: string minimumProtocolVersion: - description: "MinimumProtocolVersion is the minimum TLS - version this vhost should negotiate. \n Values: `1.2` - (default), `1.3`. \n Other values will produce an error." + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. type: string type: object useProxyProtocol: - description: "Use PROXY protocol for all listeners. \n Contour's - default is false." + description: |- + Use PROXY protocol for all listeners. + Contour's default is false. type: boolean type: object logging: description: Logging defines how Envoy's logs can be configured. properties: accessLogFormat: - description: "AccessLogFormat sets the global access log format. - \n Values: `envoy` (default), `json`. \n Other values will - produce an error." + description: |- + AccessLogFormat sets the global access log format. + Values: `envoy` (default), `json`. + Other values will produce an error. type: string accessLogFormatString: - description: AccessLogFormatString sets the access log format - when format is set to `envoy`. When empty, Envoy's default - format is used. + description: |- + AccessLogFormatString sets the access log format when format is set to `envoy`. + When empty, Envoy's default format is used. type: string accessLogJSONFields: - description: AccessLogJSONFields sets the fields that JSON - logging will output when AccessLogFormat is json. + description: |- + AccessLogJSONFields sets the fields that JSON logging will + output when AccessLogFormat is json. items: type: string type: array accessLogLevel: - description: "AccessLogLevel sets the verbosity level of the - access log. \n Values: `info` (default, all requests are - logged), `error` (all non-success requests, i.e. 300+ response - code, are logged), `critical` (all 5xx requests are logged) - and `disabled`. \n Other values will produce an error." + description: |- + AccessLogLevel sets the verbosity level of the access log. + Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`. + Other values will produce an error. type: string type: object metrics: - description: "Metrics defines the endpoint Envoy uses to serve - metrics. \n Contour's default is { address: \"0.0.0.0\", port: - 8002 }." + description: |- + Metrics defines the endpoint Envoy uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8002 }. properties: address: description: Defines the metrics address interface. @@ -440,9 +480,9 @@ spec: description: Defines the metrics port. type: integer tls: - description: TLS holds TLS file config details. Metrics and - health endpoints cannot have same port number when metrics - is served over HTTPS. + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. properties: caFile: description: CA filename. @@ -460,23 +500,26 @@ spec: values. properties: adminPort: - description: "Configure the port used to access the Envoy - Admin interface. If configured to port \"0\" then the admin - interface is disabled. \n Contour's default is 9001." + description: |- + Configure the port used to access the Envoy Admin interface. + If configured to port "0" then the admin interface is disabled. + Contour's default is 9001. type: integer numTrustedHops: - description: "XffNumTrustedHops defines the number of additional - ingress proxy hops from the right side of the x-forwarded-for - HTTP header to trust when determining the origin client’s - IP address. \n See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops - for more information. \n Contour's default is 0." + description: |- + XffNumTrustedHops defines the number of additional ingress proxy hops from the + right side of the x-forwarded-for HTTP header to trust when determining the origin + client’s IP address. + See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops + for more information. + Contour's default is 0. format: int32 type: integer type: object service: - description: "Service holds Envoy service parameters for setting - Ingress status. \n Contour's default is { namespace: \"projectcontour\", - name: \"envoy\" }." + description: |- + Service holds Envoy service parameters for setting Ingress status. + Contour's default is { namespace: "projectcontour", name: "envoy" }. properties: name: type: string @@ -487,93 +530,101 @@ spec: - namespace type: object timeouts: - description: Timeouts holds various configurable timeouts that - can be set in the config file. + description: |- + Timeouts holds various configurable timeouts that can + be set in the config file. properties: connectTimeout: - description: "ConnectTimeout defines how long the proxy should - wait when establishing connection to upstream service. If - not set, a default value of 2 seconds will be used. \n See - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout - for more information." + description: |- + ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. + If not set, a default value of 2 seconds will be used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout + for more information. type: string connectionIdleTimeout: - description: "ConnectionIdleTimeout defines how long the proxy - should wait while there are no active requests (for HTTP/1.1) - or streams (for HTTP/2) before terminating an HTTP connection. - Set to \"infinity\" to disable the timeout entirely. \n + description: |- + ConnectionIdleTimeout defines how long the proxy should wait while there are + no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating + an HTTP connection. Set to "infinity" to disable the timeout entirely. See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout - for more information." + for more information. type: string connectionShutdownGracePeriod: - description: "ConnectionShutdownGracePeriod defines how long - the proxy will wait between sending an initial GOAWAY frame - and a second, final GOAWAY frame when terminating an HTTP/2 - connection. During this grace period, the proxy will continue - to respond to new streams. After the final GOAWAY frame - has been sent, the proxy will refuse new streams. \n See - https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout - for more information." + description: |- + ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an + initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection. + During this grace period, the proxy will continue to respond to new streams. After the final + GOAWAY frame has been sent, the proxy will refuse new streams. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout + for more information. type: string delayedCloseTimeout: - description: "DelayedCloseTimeout defines how long envoy will - wait, once connection close processing has been initiated, - for the downstream peer to close the connection before Envoy - closes the socket associated with the connection. \n Setting - this timeout to 'infinity' will disable it, equivalent to - setting it to '0' in Envoy. Leaving it unset will result - in the Envoy default value being used. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout - for more information." + description: |- + DelayedCloseTimeout defines how long envoy will wait, once connection + close processing has been initiated, for the downstream peer to close + the connection before Envoy closes the socket associated with the connection. + Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0' + in Envoy. Leaving it unset will result in the Envoy default value being used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout + for more information. type: string maxConnectionDuration: - description: "MaxConnectionDuration defines the maximum period - of time after an HTTP connection has been established from - the client to the proxy before it is closed by the proxy, - regardless of whether there has been activity or not. Omit - or set to \"infinity\" for no max duration. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration - for more information." + description: |- + MaxConnectionDuration defines the maximum period of time after an HTTP connection + has been established from the client to the proxy before it is closed by the proxy, + regardless of whether there has been activity or not. Omit or set to "infinity" for + no max duration. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration + for more information. type: string requestTimeout: - description: "RequestTimeout sets the client request timeout - globally for Contour. Note that this is a timeout for the - entire request, not an idle timeout. Omit or set to \"infinity\" - to disable the timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout - for more information." + description: |- + RequestTimeout sets the client request timeout globally for Contour. Note that + this is a timeout for the entire request, not an idle timeout. Omit or set to + "infinity" to disable the timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout + for more information. type: string streamIdleTimeout: - description: "StreamIdleTimeout defines how long the proxy - should wait while there is no request activity (for HTTP/1.1) - or stream activity (for HTTP/2) before terminating the HTTP - request or stream. Set to \"infinity\" to disable the timeout - entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout - for more information." + description: |- + StreamIdleTimeout defines how long the proxy should wait while there is no + request activity (for HTTP/1.1) or stream activity (for HTTP/2) before + terminating the HTTP request or stream. Set to "infinity" to disable the + timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout + for more information. type: string type: object type: object featureFlags: - description: 'FeatureFlags defines toggle to enable new contour features. - Available toggles are: useEndpointSlices - configures contour to - fetch endpoint data from k8s endpoint slices. defaults to false - and reading endpoint data from the k8s endpoints.' + description: |- + FeatureFlags defines toggle to enable new contour features. + Available toggles are: + useEndpointSlices - configures contour to fetch endpoint data + from k8s endpoint slices. defaults to false and reading endpoint + data from the k8s endpoints. items: type: string type: array gateway: - description: Gateway contains parameters for the gateway-api Gateway - that Contour is configured to serve traffic. + description: |- + Gateway contains parameters for the gateway-api Gateway that Contour + is configured to serve traffic. properties: controllerName: - description: ControllerName is used to determine whether Contour - should reconcile a GatewayClass. The string takes the form of - "projectcontour.io//contour". If unset, the gatewayclass - controller will not be started. Exactly one of ControllerName - or GatewayRef must be set. + description: |- + ControllerName is used to determine whether Contour should reconcile a + GatewayClass. The string takes the form of "projectcontour.io//contour". + If unset, the gatewayclass controller will not be started. + Exactly one of ControllerName or GatewayRef must be set. type: string gatewayRef: - description: GatewayRef defines a specific Gateway that this Contour - instance corresponds to. If set, Contour will reconcile only - this gateway, and will not reconcile any gateway classes. Exactly - one of ControllerName or GatewayRef must be set. + description: |- + GatewayRef defines a specific Gateway that this Contour + instance corresponds to. If set, Contour will reconcile + only this gateway, and will not reconcile any gateway + classes. + Exactly one of ControllerName or GatewayRef must be set. properties: name: type: string @@ -585,26 +636,29 @@ spec: type: object type: object globalExtAuth: - description: GlobalExternalAuthorization allows envoys external authorization - filter to be enabled for all virtual hosts. + description: |- + GlobalExternalAuthorization allows envoys external authorization filter + to be enabled for all virtual hosts. properties: authPolicy: - description: AuthPolicy sets a default authorization policy for - client requests. This policy will be used unless overridden - by individual routes. + description: |- + AuthPolicy sets a default authorization policy for client requests. + This policy will be used unless overridden by individual routes. properties: context: additionalProperties: type: string - description: Context is a set of key/value pairs that are - sent to the authentication server in the check request. - If a context is provided at an enclosing scope, the entries - are merged such that the inner scope overrides matching - keys from the outer scope. + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. type: object disabled: - description: When true, this field disables client request - authentication for the scope of the policy. + description: |- + When true, this field disables client request authentication + for the scope of the policy. type: boolean type: object extensionRef: @@ -612,36 +666,38 @@ spec: that will authorize client requests. properties: apiVersion: - description: API version of the referent. If this field is - not specified, the default "projectcontour.io/v1alpha1" - will be used + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used minLength: 1 type: string name: - description: "Name of the referent. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names minLength: 1 type: string namespace: - description: "Namespace of the referent. If this field is - not specifies, the namespace of the resource that targets - the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ minLength: 1 type: string type: object failOpen: - description: If FailOpen is true, the client request is forwarded - to the upstream service even if the authorization server fails - to respond. This field should not be set in most cases. It is - intended for use only while migrating applications from internal - authorization to Contour external authorization. + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the authorization server fails to respond. This field should not be + set in most cases. It is intended for use only while migrating applications + from internal authorization to Contour external authorization. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time to wait for - a check response from the authorization server. Timeout durations - are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + description: |- + ResponseTimeout configures maximum time to wait for a check response from the authorization server. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no - timeout. + The string "infinity" is also a valid input and specifies no timeout. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string withRequestBody: @@ -666,9 +722,9 @@ spec: type: object type: object health: - description: "Health defines the endpoints Contour uses to serve health - checks. \n Contour's default is { address: \"0.0.0.0\", port: 8000 - }." + description: |- + Health defines the endpoints Contour uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8000 }. properties: address: description: Defines the health address interface. @@ -682,13 +738,15 @@ spec: description: HTTPProxy defines parameters on HTTPProxy. properties: disablePermitInsecure: - description: "DisablePermitInsecure disables the use of the permitInsecure - field in HTTPProxy. \n Contour's default is false." + description: |- + DisablePermitInsecure disables the use of the + permitInsecure field in HTTPProxy. + Contour's default is false. type: boolean fallbackCertificate: - description: FallbackCertificate defines the namespace/name of - the Kubernetes secret to use as fallback when a non-SNI request - is received. + description: |- + FallbackCertificate defines the namespace/name of the Kubernetes secret to + use as fallback when a non-SNI request is received. properties: name: type: string @@ -718,8 +776,9 @@ spec: type: string type: object metrics: - description: "Metrics defines the endpoint Contour uses to serve metrics. - \n Contour's default is { address: \"0.0.0.0\", port: 8000 }." + description: |- + Metrics defines the endpoint Contour uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8000 }. properties: address: description: Defines the metrics address interface. @@ -730,9 +789,9 @@ spec: description: Defines the metrics port. type: integer tls: - description: TLS holds TLS file config details. Metrics and health - endpoints cannot have same port number when metrics is served - over HTTPS. + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. properties: caFile: description: CA filename. @@ -750,8 +809,9 @@ spec: by the user properties: applyToIngress: - description: "ApplyToIngress determines if the Policies will apply - to ingress objects \n Contour's default is false." + description: |- + ApplyToIngress determines if the Policies will apply to ingress objects + Contour's default is false. type: boolean requestHeaders: description: RequestHeadersPolicy defines the request headers @@ -781,17 +841,19 @@ spec: type: object type: object rateLimitService: - description: RateLimitService optionally holds properties of the Rate - Limit Service to be used for global rate limiting. + description: |- + RateLimitService optionally holds properties of the Rate Limit Service + to be used for global rate limiting. properties: defaultGlobalRateLimitPolicy: - description: DefaultGlobalRateLimitPolicy allows setting a default - global rate limit policy for every HTTPProxy. HTTPProxy can - overwrite this configuration. + description: |- + DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. + HTTPProxy can overwrite this configuration. properties: descriptors: - description: Descriptors defines the list of descriptors that - will be generated and sent to the rate limit service. Each + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each descriptor contains 1+ key-value pair entries. items: description: RateLimitDescriptor defines a list of key-value @@ -800,17 +862,18 @@ spec: entries: description: Entries is the list of key-value pair generators. items: - description: RateLimitDescriptorEntry is a key-value - pair generator. Exactly one field on this struct - must be non-nil. + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. properties: genericKey: description: GenericKey defines a descriptor entry with a static key and value. properties: key: - description: Key defines the key of the descriptor - entry. If not set, the key is set to "generic_key". + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". type: string value: description: Value defines the value of the @@ -819,16 +882,15 @@ spec: type: string type: object remoteAddress: - description: RemoteAddress defines a descriptor - entry with a key of "remote_address" and a value - equal to the client's IP address (from x-forwarded-for). + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). type: object requestHeader: - description: RequestHeader defines a descriptor - entry that's populated only if a given header - is present on the request. The descriptor key - is static, and the descriptor value is equal - to the value of the header. + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. properties: descriptorKey: description: DescriptorKey defines the key @@ -842,41 +904,36 @@ spec: type: string type: object requestHeaderValueMatch: - description: RequestHeaderValueMatch defines a - descriptor entry that's populated if the request's - headers match a set of 1+ match criteria. The - descriptor key is "header_match", and the descriptor - value is static. + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. properties: expectMatch: default: true - description: ExpectMatch defines whether the - request must positively match the match - criteria in order to generate a descriptor - entry (i.e. true), or not match the match - criteria in order to generate a descriptor - entry (i.e. false). The default is true. + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). + The default is true. type: boolean headers: - description: Headers is a list of 1+ match - criteria to apply against the request to - determine whether to populate the descriptor - entry or not. + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. items: - description: HeaderMatchCondition specifies - how to conditionally match against HTTP - headers. The Name field is required, only - one of Present, NotPresent, Contains, - NotContains, Exact, NotExact and Regex - can be set. For negative matching rules - only (e.g. NotContains or NotExact) you - can set TreatMissingAsEmpty. IgnoreCase - has no effect for Regex. + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex. properties: contains: - description: Contains specifies a substring - that must be present in the header - value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string @@ -884,57 +941,49 @@ spec: to. type: string ignoreCase: - description: IgnoreCase specifies that - string matching should be case insensitive. - Note that this has no effect on the - Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the - header to match against. Name is required. + description: |- + Name is the name of the header to match against. Name is required. Header names are case insensitive. type: string notcontains: - description: NotContains specifies a - substring that must not be present + description: |- + NotContains specifies a substring that must not be present in the header value. type: string notexact: - description: NoExact specifies a string - that the header value must not be - equal to. The condition is true if - the header has any other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies that - condition is true when the named header - is not present. Note that setting - NotPresent to false does not make - the condition true if the named header - is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that - condition is true when the named header - is present, regardless of its value. - Note that setting Present to false - does not make the condition true if - the named header is absent. + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. type: boolean regex: - description: Regex specifies a regular - expression pattern that must match - the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty specifies - if the header match rule specified - header does not exist, this header - value will be treated as empty. Defaults - to false. Unlike the underlying Envoy - implementation this is **only** supported - for negative matches (e.g. NotContains, - NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -954,25 +1003,26 @@ spec: minItems: 1 type: array disabled: - description: Disabled configures the HTTPProxy to not use - the default global rate limit policy defined by the Contour - configuration. + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. type: boolean type: object domain: description: Domain is passed to the Rate Limit Service. type: string enableResourceExhaustedCode: - description: EnableResourceExhaustedCode enables translating error - code 429 to grpc code RESOURCE_EXHAUSTED. When disabled it's - translated to UNAVAILABLE + description: |- + EnableResourceExhaustedCode enables translating error code 429 to + grpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE type: boolean enableXRateLimitHeaders: - description: "EnableXRateLimitHeaders defines whether to include - the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining, - and X-RateLimit-Reset (as defined by the IETF Internet-Draft - linked below), on responses to clients when the Rate Limit Service - is consulted for a request. \n ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html" + description: |- + EnableXRateLimitHeaders defines whether to include the X-RateLimit + headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset + (as defined by the IETF Internet-Draft linked below), on responses + to clients when the Rate Limit Service is consulted for a request. + ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html type: boolean extensionService: description: ExtensionService identifies the extension service @@ -987,9 +1037,10 @@ spec: - namespace type: object failOpen: - description: FailOpen defines whether to allow requests to proceed - when the Rate Limit Service fails to respond with a valid rate - limit decision within the timeout defined on the extension service. + description: |- + FailOpen defines whether to allow requests to proceed when the + Rate Limit Service fails to respond with a valid rate limit + decision within the timeout defined on the extension service. type: boolean required: - extensionService @@ -1002,17 +1053,20 @@ spec: description: CustomTags defines a list of custom tags with unique tag name. items: - description: CustomTag defines custom tags with unique tag name + description: |- + CustomTag defines custom tags with unique tag name to create tags for the active span. properties: literal: - description: Literal is a static custom tag value. Precisely - one of Literal, RequestHeaderName must be set. + description: |- + Literal is a static custom tag value. + Precisely one of Literal, RequestHeaderName must be set. type: string requestHeaderName: - description: RequestHeaderName indicates which request header - the label value is obtained from. Precisely one of Literal, - RequestHeaderName must be set. + description: |- + RequestHeaderName indicates which request header + the label value is obtained from. + Precisely one of Literal, RequestHeaderName must be set. type: string tagName: description: TagName is the unique name of the custom tag. @@ -1034,25 +1088,28 @@ spec: - namespace type: object includePodDetail: - description: 'IncludePodDetail defines a flag. If it is true, - contour will add the pod name and namespace to the span of the - trace. the default is true. Note: The Envoy pods MUST have the - HOSTNAME and CONTOUR_NAMESPACE environment variables set for - this to work properly.' + description: |- + IncludePodDetail defines a flag. + If it is true, contour will add the pod name and namespace to the span of the trace. + the default is true. + Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly. type: boolean maxPathTagLength: - description: MaxPathTagLength defines maximum length of the request - path to extract and include in the HttpUrl tag. contour's default - is 256. + description: |- + MaxPathTagLength defines maximum length of the request path + to extract and include in the HttpUrl tag. + contour's default is 256. format: int32 type: integer overallSampling: - description: OverallSampling defines the sampling rate of trace - data. contour's default is 100. + description: |- + OverallSampling defines the sampling rate of trace data. + contour's default is 100. type: string serviceName: - description: ServiceName defines the name for the service. contour's - default is contour. + description: |- + ServiceName defines the name for the service. + contour's default is contour. type: string required: - extensionService @@ -1061,18 +1118,20 @@ spec: description: XDSServer contains parameters for the xDS server. properties: address: - description: "Defines the xDS gRPC API address which Contour will - serve. \n Contour's default is \"0.0.0.0\"." + description: |- + Defines the xDS gRPC API address which Contour will serve. + Contour's default is "0.0.0.0". minLength: 1 type: string port: - description: "Defines the xDS gRPC API port which Contour will - serve. \n Contour's default is 8001." + description: |- + Defines the xDS gRPC API port which Contour will serve. + Contour's default is 8001. type: integer tls: - description: "TLS holds TLS file config details. \n Contour's - default is { caFile: \"/certs/ca.crt\", certFile: \"/certs/tls.cert\", - keyFile: \"/certs/tls.key\", insecure: false }." + description: |- + TLS holds TLS file config details. + Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }. properties: caFile: description: CA filename. @@ -1088,9 +1147,10 @@ spec: type: string type: object type: - description: "Defines the XDSServer to use for `contour serve`. - \n Values: `contour` (default), `envoy`. \n Other values will - produce an error." + description: |- + Defines the XDSServer to use for `contour serve`. + Values: `contour` (default), `envoy`. + Other values will produce an error. type: string type: object type: object @@ -1099,71 +1159,62 @@ spec: a ContourConfiguration resource. properties: conditions: - description: "Conditions contains the current status of the Contour - resource. \n Contour will update a single condition, `Valid`, that - is in normal-true polarity. \n Contour will not modify any other - Conditions set in this block, in case some other controller wants - to add a Condition." + description: |- + Conditions contains the current status of the Contour resource. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + Contour will not modify any other Conditions set in this block, + in case some other controller wants to add a Condition. items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. - \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. \n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. properties: errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -1177,10 +1228,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -1192,32 +1243,31 @@ spec: type: object type: array lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -1231,43 +1281,42 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -1281,10 +1330,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -1319,7 +1368,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: contourdeployments.projectcontour.io spec: preserveUnknownFields: false @@ -1339,26 +1388,33 @@ spec: description: ContourDeployment is the schema for a Contour Deployment. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: ContourDeploymentSpec specifies options for how a Contour + description: |- + ContourDeploymentSpec specifies options for how a Contour instance should be provisioned. properties: contour: - description: Contour specifies deployment-time settings for the Contour - part of the installation, i.e. the xDS server/control plane and - associated resources, including things like replica count for the - Deployment, and node placement constraints for the pods. + description: |- + Contour specifies deployment-time settings for the Contour + part of the installation, i.e. the xDS server/control plane + and associated resources, including things like replica count + for the Deployment, and node placement constraints for the pods. properties: deployment: description: Deployment describes the settings for running contour @@ -1374,47 +1430,45 @@ spec: use to replace existing pods with new pods. properties: rollingUpdate: - description: 'Rolling update config params. Present only - if DeploymentStrategyType = RollingUpdate. --- TODO: - Update this to follow our convention for oneOf, whatever - we decide it to be.' + description: |- + Rolling update config params. Present only if DeploymentStrategyType = + RollingUpdate. + --- + TODO: Update this to follow our convention for oneOf, whatever we decide it + to be. properties: maxSurge: anyOf: - type: integer - type: string - description: 'The maximum number of pods that can - be scheduled above the desired number of pods. Value - can be an absolute number (ex: 5) or a percentage - of desired pods (ex: 10%). This can not be 0 if - MaxUnavailable is 0. Absolute number is calculated - from percentage by rounding up. Defaults to 25%. - Example: when this is set to 30%, the new ReplicaSet - can be scaled up immediately when the rolling update - starts, such that the total number of old and new - pods do not exceed 130% of desired pods. Once old - pods have been killed, new ReplicaSet can be scaled - up further, ensuring that total number of pods running - at any time during the update is at most 130% of - desired pods.' + description: |- + The maximum number of pods that can be scheduled above the desired number of + pods. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + This can not be 0 if MaxUnavailable is 0. + Absolute number is calculated from percentage by rounding up. + Defaults to 25%. + Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when + the rolling update starts, such that the total number of old and new pods do not exceed + 130% of desired pods. Once old pods have been killed, + new ReplicaSet can be scaled up further, ensuring that total number of pods running + at any time during the update is at most 130% of desired pods. x-kubernetes-int-or-string: true maxUnavailable: anyOf: - type: integer - type: string - description: 'The maximum number of pods that can - be unavailable during the update. Value can be an - absolute number (ex: 5) or a percentage of desired - pods (ex: 10%). Absolute number is calculated from - percentage by rounding down. This can not be 0 if - MaxSurge is 0. Defaults to 25%. Example: when this - is set to 30%, the old ReplicaSet can be scaled - down to 70% of desired pods immediately when the - rolling update starts. Once new pods are ready, - old ReplicaSet can be scaled down further, followed - by scaling up the new ReplicaSet, ensuring that - the total number of pods available at all times - during the update is at least 70% of desired pods.' + description: |- + The maximum number of pods that can be unavailable during the update. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + Absolute number is calculated from percentage by rounding down. + This can not be 0 if MaxSurge is 0. + Defaults to 25%. + Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods + immediately when the rolling update starts. Once new pods are ready, old ReplicaSet + can be scaled down further, followed by scaling up the new ReplicaSet, ensuring + that the total number of pods available at all times during the update is at + least 70% of desired pods. x-kubernetes-int-or-string: true type: object type: @@ -1424,14 +1478,16 @@ spec: type: object type: object kubernetesLogLevel: - description: KubernetesLogLevel Enable Kubernetes client debug - logging with log level. If unset, defaults to 0. + description: |- + KubernetesLogLevel Enable Kubernetes client debug logging with log level. If unset, + defaults to 0. maximum: 9 minimum: 0 type: integer logLevel: - description: LogLevel sets the log level for Contour Allowed values - are "info", "debug". + description: |- + LogLevel sets the log level for Contour + Allowed values are "info", "debug". type: string nodePlacement: description: NodePlacement describes node scheduling configuration @@ -1440,57 +1496,56 @@ spec: nodeSelector: additionalProperties: type: string - description: "NodeSelector is the simplest recommended form - of node selection constraint and specifies a map of key-value - pairs. For the pod to be eligible to run on a node, the - node must have each of the indicated key-value pairs as - labels (it can have additional labels as well). \n If unset, - the pod(s) will be scheduled to any available node." + description: |- + NodeSelector is the simplest recommended form of node selection constraint + and specifies a map of key-value pairs. For the pod to be eligible + to run on a node, the node must have each of the indicated key-value pairs + as labels (it can have additional labels as well). + If unset, the pod(s) will be scheduled to any available node. type: object tolerations: - description: "Tolerations work with taints to ensure that - pods are not scheduled onto inappropriate nodes. One or - more taints are applied to a node; this marks that the node - should not accept any pods that do not tolerate the taints. - \n The default is an empty list. \n See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - for additional details." + description: |- + Tolerations work with taints to ensure that pods are not scheduled + onto inappropriate nodes. One or more taints are applied to a node; this + marks that the node should not accept any pods that do not tolerate the + taints. + The default is an empty list. + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for additional details. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule and - NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If the - key is empty, operator must be Exists; this combination - means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints of - a particular category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the - taint forever (do not evict). Zero and negative values - will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value should - be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array @@ -1498,36 +1553,40 @@ spec: podAnnotations: additionalProperties: type: string - description: PodAnnotations defines annotations to add to the - Contour pods. the annotations for Prometheus will be appended - or overwritten with predefined value. + description: |- + PodAnnotations defines annotations to add to the Contour pods. + the annotations for Prometheus will be appended or overwritten with predefined value. type: object replicas: - description: "Deprecated: Use `DeploymentSettings.Replicas` instead. - \n Replicas is the desired number of Contour replicas. If if - unset, defaults to 2. \n if both `DeploymentSettings.Replicas` - and this one is set, use `DeploymentSettings.Replicas`." + description: |- + Deprecated: Use `DeploymentSettings.Replicas` instead. + Replicas is the desired number of Contour replicas. If if unset, + defaults to 2. + if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`. format: int32 minimum: 0 type: integer resources: - description: 'Compute Resources required by contour container. - Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Compute Resources required by contour container. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name @@ -1543,8 +1602,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -1553,95 +1613,91 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object type: object envoy: - description: Envoy specifies deployment-time settings for the Envoy - part of the installation, i.e. the xDS client/data plane and associated - resources, including things like the workload type to use (DaemonSet - or Deployment), node placement constraints for the pods, and various - options for the Envoy service. + description: |- + Envoy specifies deployment-time settings for the Envoy + part of the installation, i.e. the xDS client/data plane + and associated resources, including things like the workload + type to use (DaemonSet or Deployment), node placement constraints + for the pods, and various options for the Envoy service. properties: baseID: - description: The base ID to use when allocating shared memory - regions. if Envoy needs to be run multiple times on the same - machine, each running Envoy will need a unique base ID so that - the shared memory regions do not conflict. defaults to 0. + description: |- + The base ID to use when allocating shared memory regions. + if Envoy needs to be run multiple times on the same machine, each running Envoy will need a unique base ID + so that the shared memory regions do not conflict. + defaults to 0. format: int32 minimum: 0 type: integer daemonSet: - description: DaemonSet describes the settings for running envoy - as a `DaemonSet`. if `WorkloadType` is `Deployment`,it's must - be nil + description: |- + DaemonSet describes the settings for running envoy as a `DaemonSet`. + if `WorkloadType` is `Deployment`,it's must be nil properties: updateStrategy: description: Strategy describes the deployment strategy to use to replace existing DaemonSet pods with new pods. properties: rollingUpdate: - description: 'Rolling update config params. Present only - if type = "RollingUpdate". --- TODO: Update this to - follow our convention for oneOf, whatever we decide - it to be. Same as Deployment `strategy.rollingUpdate`. - See https://github.com/kubernetes/kubernetes/issues/35345' + description: |- + Rolling update config params. Present only if type = "RollingUpdate". + --- + TODO: Update this to follow our convention for oneOf, whatever we decide it + to be. Same as Deployment `strategy.rollingUpdate`. + See https://github.com/kubernetes/kubernetes/issues/35345 properties: maxSurge: anyOf: - type: integer - type: string - description: 'The maximum number of nodes with an - existing available DaemonSet pod that can have an - updated DaemonSet pod during during an update. Value - can be an absolute number (ex: 5) or a percentage - of desired pods (ex: 10%). This can not be 0 if - MaxUnavailable is 0. Absolute number is calculated - from percentage by rounding up to a minimum of 1. - Default value is 0. Example: when this is set to - 30%, at most 30% of the total number of nodes that - should be running the daemon pod (i.e. status.desiredNumberScheduled) - can have their a new pod created before the old - pod is marked as deleted. The update starts by launching - new pods on 30% of nodes. Once an updated pod is - available (Ready for at least minReadySeconds) the - old DaemonSet pod on that node is marked deleted. - If the old pod becomes unavailable for any reason - (Ready transitions to false, is evicted, or is drained) - an updated pod is immediatedly created on that node - without considering surge limits. Allowing surge - implies the possibility that the resources consumed - by the daemonset on any given node can double if - the readiness check fails, and so resource intensive - daemonsets should take into account that they may - cause evictions during disruption.' + description: |- + The maximum number of nodes with an existing available DaemonSet pod that + can have an updated DaemonSet pod during during an update. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + This can not be 0 if MaxUnavailable is 0. + Absolute number is calculated from percentage by rounding up to a minimum of 1. + Default value is 0. + Example: when this is set to 30%, at most 30% of the total number of nodes + that should be running the daemon pod (i.e. status.desiredNumberScheduled) + can have their a new pod created before the old pod is marked as deleted. + The update starts by launching new pods on 30% of nodes. Once an updated + pod is available (Ready for at least minReadySeconds) the old DaemonSet pod + on that node is marked deleted. If the old pod becomes unavailable for any + reason (Ready transitions to false, is evicted, or is drained) an updated + pod is immediatedly created on that node without considering surge limits. + Allowing surge implies the possibility that the resources consumed by the + daemonset on any given node can double if the readiness check fails, and + so resource intensive daemonsets should take into account that they may + cause evictions during disruption. x-kubernetes-int-or-string: true maxUnavailable: anyOf: - type: integer - type: string - description: 'The maximum number of DaemonSet pods - that can be unavailable during the update. Value - can be an absolute number (ex: 5) or a percentage - of total number of DaemonSet pods at the start of - the update (ex: 10%). Absolute number is calculated - from percentage by rounding up. This cannot be 0 - if MaxSurge is 0 Default value is 1. Example: when - this is set to 30%, at most 30% of the total number - of nodes that should be running the daemon pod (i.e. - status.desiredNumberScheduled) can have their pods - stopped for an update at any given time. The update - starts by stopping at most 30% of those DaemonSet - pods and then brings up new DaemonSet pods in their - place. Once the new pods are available, it then - proceeds onto other DaemonSet pods, thus ensuring - that at least 70% of original number of DaemonSet - pods are available at all times during the update.' + description: |- + The maximum number of DaemonSet pods that can be unavailable during the + update. Value can be an absolute number (ex: 5) or a percentage of total + number of DaemonSet pods at the start of the update (ex: 10%). Absolute + number is calculated from percentage by rounding up. + This cannot be 0 if MaxSurge is 0 + Default value is 1. + Example: when this is set to 30%, at most 30% of the total number of nodes + that should be running the daemon pod (i.e. status.desiredNumberScheduled) + can have their pods stopped for an update at any given time. The update + starts by stopping at most 30% of those DaemonSet pods and then brings + up new DaemonSet pods in their place. Once the new pods are available, + it then proceeds onto other DaemonSet pods, thus ensuring that at least + 70% of original number of DaemonSet pods are available at all times during + the update. x-kubernetes-int-or-string: true type: object type: @@ -1651,9 +1707,9 @@ spec: type: object type: object deployment: - description: Deployment describes the settings for running envoy - as a `Deployment`. if `WorkloadType` is `DaemonSet`,it's must - be nil + description: |- + Deployment describes the settings for running envoy as a `Deployment`. + if `WorkloadType` is `DaemonSet`,it's must be nil properties: replicas: description: Replicas is the desired number of replicas. @@ -1665,47 +1721,45 @@ spec: use to replace existing pods with new pods. properties: rollingUpdate: - description: 'Rolling update config params. Present only - if DeploymentStrategyType = RollingUpdate. --- TODO: - Update this to follow our convention for oneOf, whatever - we decide it to be.' + description: |- + Rolling update config params. Present only if DeploymentStrategyType = + RollingUpdate. + --- + TODO: Update this to follow our convention for oneOf, whatever we decide it + to be. properties: maxSurge: anyOf: - type: integer - type: string - description: 'The maximum number of pods that can - be scheduled above the desired number of pods. Value - can be an absolute number (ex: 5) or a percentage - of desired pods (ex: 10%). This can not be 0 if - MaxUnavailable is 0. Absolute number is calculated - from percentage by rounding up. Defaults to 25%. - Example: when this is set to 30%, the new ReplicaSet - can be scaled up immediately when the rolling update - starts, such that the total number of old and new - pods do not exceed 130% of desired pods. Once old - pods have been killed, new ReplicaSet can be scaled - up further, ensuring that total number of pods running - at any time during the update is at most 130% of - desired pods.' + description: |- + The maximum number of pods that can be scheduled above the desired number of + pods. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + This can not be 0 if MaxUnavailable is 0. + Absolute number is calculated from percentage by rounding up. + Defaults to 25%. + Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when + the rolling update starts, such that the total number of old and new pods do not exceed + 130% of desired pods. Once old pods have been killed, + new ReplicaSet can be scaled up further, ensuring that total number of pods running + at any time during the update is at most 130% of desired pods. x-kubernetes-int-or-string: true maxUnavailable: anyOf: - type: integer - type: string - description: 'The maximum number of pods that can - be unavailable during the update. Value can be an - absolute number (ex: 5) or a percentage of desired - pods (ex: 10%). Absolute number is calculated from - percentage by rounding down. This can not be 0 if - MaxSurge is 0. Defaults to 25%. Example: when this - is set to 30%, the old ReplicaSet can be scaled - down to 70% of desired pods immediately when the - rolling update starts. Once new pods are ready, - old ReplicaSet can be scaled down further, followed - by scaling up the new ReplicaSet, ensuring that - the total number of pods available at all times - during the update is at least 70% of desired pods.' + description: |- + The maximum number of pods that can be unavailable during the update. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + Absolute number is calculated from percentage by rounding down. + This can not be 0 if MaxSurge is 0. + Defaults to 25%. + Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods + immediately when the rolling update starts. Once new pods are ready, old ReplicaSet + can be scaled down further, followed by scaling up the new ReplicaSet, ensuring + that the total number of pods available at all times during the update is at + least 70% of desired pods. x-kubernetes-int-or-string: true type: object type: @@ -1722,33 +1776,36 @@ spec: a container. properties: mountPath: - description: Path within the container at which the volume - should be mounted. Must not contain ':'. + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. type: string mountPropagation: - description: mountPropagation determines how mounts are - propagated from the host to container and the other way - around. When not set, MountPropagationNone is used. This - field is beta in 1.10. + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. type: string name: description: This must match the Name of a Volume. type: string readOnly: - description: Mounted read-only if true, read-write otherwise - (false or unspecified). Defaults to false. + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. type: boolean subPath: - description: Path within the volume from which the container's - volume should be mounted. Defaults to "" (volume's root). + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). type: string subPathExpr: - description: Expanded path within the volume from which - the container's volume should be mounted. Behaves similarly - to SubPath but environment variable references $(VAR_NAME) - are expanded using the container's environment. Defaults - to "" (volume's root). SubPathExpr and SubPath are mutually - exclusive. + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. type: string required: - mountPath @@ -1762,36 +1819,36 @@ spec: may be accessed by any container in the pod. properties: awsElasticBlockStore: - description: 'awsElasticBlockStore represents an AWS Disk - resource that is attached to a kubelet''s host machine - and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore properties: fsType: - description: 'fsType is the filesystem type of the volume - that you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - TODO: how do we prevent errors in the filesystem from - compromising the machine' + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem from compromising the machine type: string partition: - description: 'partition is the partition in the volume - that you want to mount. If omitted, the default is - to mount by volume name. Examples: For volume /dev/sda1, - you specify the partition as "1". Similarly, the volume - partition for /dev/sda is "0" (or you can leave the - property empty).' + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). format: int32 type: integer readOnly: - description: 'readOnly value true will force the readOnly - setting in VolumeMounts. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore type: boolean volumeID: - description: 'volumeID is unique ID of the persistent - disk resource in AWS (Amazon EBS volume). More info: - https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore type: string required: - volumeID @@ -1813,10 +1870,10 @@ spec: blob storage type: string fsType: - description: fsType is Filesystem type to mount. Must - be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string kind: description: 'kind expected values are Shared: multiple @@ -1826,8 +1883,9 @@ spec: to shared' type: string readOnly: - description: readOnly Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean required: - diskName @@ -1838,8 +1896,9 @@ spec: mount on the host and bind mount to the pod. properties: readOnly: - description: readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean secretName: description: secretName is the name of secret that @@ -1857,8 +1916,9 @@ spec: that shares a pod's lifetime properties: monitors: - description: 'monitors is Required: Monitors is a collection - of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it items: type: string type: array @@ -1867,63 +1927,72 @@ spec: root, rather than the full Ceph tree, default is /' type: string readOnly: - description: 'readOnly is Optional: Defaults to false - (read/write). ReadOnly here will force the ReadOnly - setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it type: boolean secretFile: - description: 'secretFile is Optional: SecretFile is - the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it type: string secretRef: - description: 'secretRef is Optional: SecretRef is reference - to the authentication secret for User, default is - empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic user: - description: 'user is optional: User is the rados user - name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it type: string required: - monitors type: object cinder: - description: 'cinder represents a cinder volume attached - and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md properties: fsType: - description: 'fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Examples: "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md type: string readOnly: - description: 'readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md type: boolean secretRef: - description: 'secretRef is optional: points to a secret - object containing parameters used to connect to OpenStack.' + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic volumeID: - description: 'volumeID used to identify the volume in - cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md type: string required: - volumeID @@ -1933,29 +2002,25 @@ spec: populate this volume properties: defaultMode: - description: 'defaultMode is optional: mode bits used - to set permissions on created files by default. Must - be an octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal values for mode - bits. Defaults to 0644. Directories within the path - are not affected by this setting. This might be in - conflict with other options that affect the file mode, - like fsGroup, and the result can be other mode bits - set.' + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer items: - description: items if unspecified, each key-value pair - in the Data field of the referenced ConfigMap will - be projected into the volume as a file whose name - is the key and content is the value. If specified, - the listed keys will be projected into the specified - paths, and unlisted keys will not be present. If a - key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. - Paths must be relative and may not contain the '..' - path or start with '..'. + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -1964,22 +2029,20 @@ spec: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode bits used - to set permissions on this file. Must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal - and decimal values, JSON requires decimal values - for mode bits. If not specified, the volume - defaultMode will be used. This might be in conflict - with other options that affect the file mode, - like fsGroup, and the result can be other mode - bits set.' + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: - description: path is the relative path of the - file to map the key to. May not be an absolute - path. May not contain the path element '..'. + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. May not start with the string '..'. type: string required: @@ -1988,8 +2051,10 @@ spec: type: object type: array name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: optional specify whether the ConfigMap @@ -2003,42 +2068,43 @@ spec: CSI drivers (Beta feature). properties: driver: - description: driver is the name of the CSI driver that - handles this volume. Consult with your admin for the - correct name as registered in the cluster. + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. type: string fsType: - description: fsType to mount. Ex. "ext4", "xfs", "ntfs". - If not provided, the empty value is passed to the - associated CSI driver which will determine the default - filesystem to apply. + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. type: string nodePublishSecretRef: - description: nodePublishSecretRef is a reference to - the secret object containing sensitive information - to pass to the CSI driver to complete the CSI NodePublishVolume - and NodeUnpublishVolume calls. This field is optional, - and may be empty if no secret is required. If the - secret object contains more than one secret, all secret - references are passed. + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic readOnly: - description: readOnly specifies a read-only configuration - for the volume. Defaults to false (read/write). + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). type: boolean volumeAttributes: additionalProperties: type: string - description: volumeAttributes stores driver-specific - properties that are passed to the CSI driver. Consult - your driver's documentation for supported values. + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. type: object required: - driver @@ -2048,17 +2114,15 @@ spec: pod that should populate this volume properties: defaultMode: - description: 'Optional: mode bits to use on created - files by default. Must be a Optional: mode bits used - to set permissions on created files by default. Must - be an octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal values for mode - bits. Defaults to 0644. Directories within the path - are not affected by this setting. This might be in - conflict with other options that affect the file mode, - like fsGroup, and the result can be other mode bits - set.' + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer items: @@ -2086,16 +2150,13 @@ spec: type: object x-kubernetes-map-type: atomic mode: - description: 'Optional: mode bits used to set - permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal and decimal - values, JSON requires decimal values for mode - bits. If not specified, the volume defaultMode - will be used. This might be in conflict with - other options that affect the file mode, like - fsGroup, and the result can be other mode bits - set.' + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: @@ -2106,10 +2167,9 @@ spec: path must not start with ''..''' type: string resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, requests.cpu and requests.memory) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. properties: containerName: description: 'Container name: required for @@ -2136,116 +2196,111 @@ spec: type: array type: object emptyDir: - description: 'emptyDir represents a temporary directory - that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir properties: medium: - description: 'medium represents what type of storage - medium should back this directory. The default is - "" which means to use the node''s default medium. - Must be an empty string (default) or Memory. More - info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir type: string sizeLimit: anyOf: - type: integer - type: string - description: 'sizeLimit is the total amount of local - storage required for this EmptyDir volume. The size - limit is also applicable for memory medium. The maximum - usage on memory medium EmptyDir would be the minimum - value between the SizeLimit specified here and the - sum of memory limits of all containers in a pod. The - default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: - description: "ephemeral represents a volume that is handled - by a cluster storage driver. The volume's lifecycle is - tied to the pod that defines it - it will be created before - the pod starts, and deleted when the pod is removed. \n - Use this if: a) the volume is only needed while the pod - runs, b) features of normal volumes like restoring from - snapshot or capacity tracking are needed, c) the storage - driver is specified through a storage class, and d) the - storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for - more information on the connection between this volume - type and PersistentVolumeClaim). \n Use PersistentVolumeClaim - or one of the vendor-specific APIs for volumes that persist - for longer than the lifecycle of an individual pod. \n - Use CSI for light-weight local ephemeral volumes if the - CSI driver is meant to be used that way - see the documentation - of the driver for more information. \n A pod can use both - types of ephemeral volumes and persistent volumes at the - same time." + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. + The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. properties: volumeClaimTemplate: - description: "Will be used to create a stand-alone PVC - to provision the volume. The pod in which this EphemeralVolumeSource - is embedded will be the owner of the PVC, i.e. the - PVC will be deleted together with the pod. The name - of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` - array entry. Pod validation will reject the pod if - the concatenated name is not valid for a PVC (for - example, too long). \n An existing PVC with that name - that is not owned by the pod will *not* be used for - the pod to avoid using an unrelated volume by mistake. - Starting the pod is then blocked until the unrelated - PVC is removed. If such a pre-created PVC is meant - to be used by the pod, the PVC has to updated with - an owner reference to the pod once the pod exists. - Normally this should not be necessary, but it may - be useful when manually reconstructing a broken cluster. - \n This field is read-only and no changes will be - made by Kubernetes to the PVC after it has been created. - \n Required, must not be nil." + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + Required, must not be nil. properties: metadata: - description: May contain labels and annotations - that will be copied into the PVC when creating - it. No other fields are allowed and will be rejected - during validation. + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. type: object spec: - description: The specification for the PersistentVolumeClaim. - The entire content is copied unchanged into the - PVC that gets created from this template. The - same fields as in a PersistentVolumeClaim are - also valid here. + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. properties: accessModes: - description: 'accessModes contains the desired - access modes the volume should have. More - info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 items: type: string type: array dataSource: - description: 'dataSource field can be used to - specify either: * An existing VolumeSnapshot - object (snapshot.storage.k8s.io/VolumeSnapshot) + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller - can support the specified data source, it - will create a new volume based on the contents - of the specified data source. When the AnyVolumeDataSource - feature gate is enabled, dataSource contents - will be copied to dataSourceRef, and dataSourceRef - contents will be copied to dataSource when - dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef - will not be copied to dataSource.' + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. properties: apiGroup: - description: APIGroup is the group for the - resource being referenced. If APIGroup - is not specified, the specified Kind must - be in the core API group. For any other - third-party types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource @@ -2261,47 +2316,36 @@ spec: type: object x-kubernetes-map-type: atomic dataSourceRef: - description: 'dataSourceRef specifies the object - from which to populate the volume with data, - if a non-empty volume is desired. This may - be any object from a non-empty API group (non + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding - will only succeed if the type of the specified - object matches some installed volume populator - or dynamic provisioner. This field will replace - the functionality of the dataSource field - and as such if both fields are non-empty, - they must have the same value. For backwards - compatibility, when namespace isn''t specified - in dataSourceRef, both fields (dataSource - and dataSourceRef) will be set to the same - value automatically if one of them is empty - and the other is non-empty. When namespace - is specified in dataSourceRef, dataSource - isn''t set to the same value and must be empty. - There are three important differences between - dataSource and dataSourceRef: * While dataSource - only allows two specific types of objects, - dataSourceRef allows any non-core object, - as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values - (dropping them), dataSourceRef preserves all - values, and generates an error if a disallowed - value is specified. * While dataSource only - allows local objects, dataSourceRef allows - objects in any namespaces. (Beta) Using this - field requires the AnyVolumeDataSource feature - gate to be enabled. (Alpha) Using the namespace - field of dataSourceRef requires the CrossNamespaceVolumeDataSource - feature gate to be enabled.' + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. properties: apiGroup: - description: APIGroup is the group for the - resource being referenced. If APIGroup - is not specified, the specified Kind must - be in the core API group. For any other - third-party types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource @@ -2312,28 +2356,22 @@ spec: being referenced type: string namespace: - description: Namespace is the namespace - of resource being referenced Note that - when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant - object is required in the referent namespace - to allow that namespace's owner to accept - the reference. See the ReferenceGrant - documentation for details. (Alpha) This - field requires the CrossNamespaceVolumeDataSource - feature gate to be enabled. + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. type: string required: - kind - name type: object resources: - description: 'resources represents the minimum - resources the volume should have. If RecoverVolumeExpansionFailure - feature is enabled users are allowed to specify - resource requirements that are lower than - previous value but must still be higher than - capacity recorded in the status field of the - claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources properties: limits: additionalProperties: @@ -2342,9 +2380,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum - amount of compute resources allowed. More - info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -2353,13 +2391,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum - amount of compute resources required. - If Requests is omitted for a container, - it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object selector: @@ -2371,30 +2407,25 @@ spec: of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2406,48 +2437,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic storageClassName: - description: 'storageClassName is the name of - the StorageClass required by the claim. More - info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 type: string volumeAttributesClassName: - description: 'volumeAttributesClassName may - be used to set the VolumeAttributesClass used - by this claim. If specified, the CSI driver - will create or update the volume with the - attributes defined in the corresponding VolumeAttributesClass. - This has a different purpose than storageClassName, - it can be changed after the claim is created. - An empty string value means that no VolumeAttributesClass - will be applied to the claim but it''s not - allowed to reset this field to empty string - once it is set. If unspecified and the PersistentVolumeClaim - is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller - if it exists. If the resource referred to - by volumeAttributesClass does not exist, this - PersistentVolumeClaim will be set to a Pending - state, as reflected by the modifyVolumeStatus - field, until such as a resource exists. More - info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass - (Alpha) Using this field requires the VolumeAttributesClass - feature gate to be enabled.' + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. type: string volumeMode: - description: volumeMode defines what type of - volume is required by the claim. Value of - Filesystem is implied when not included in - claim spec. + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. type: string volumeName: description: volumeName is the binding reference @@ -2464,20 +2484,20 @@ spec: to the pod. properties: fsType: - description: 'fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. TODO: how do we prevent - errors in the filesystem from compromising the machine' + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + TODO: how do we prevent errors in the filesystem from compromising the machine type: string lun: description: 'lun is Optional: FC target lun number' format: int32 type: integer readOnly: - description: 'readOnly is Optional: Defaults to false - (read/write). ReadOnly here will force the ReadOnly - setting in VolumeMounts.' + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean targetWWNs: description: 'targetWWNs is Optional: FC target worldwide @@ -2486,26 +2506,27 @@ spec: type: string type: array wwids: - description: 'wwids Optional: FC volume world wide identifiers - (wwids) Either wwids or combination of targetWWNs - and lun must be set, but not both simultaneously.' + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. items: type: string type: array type: object flexVolume: - description: flexVolume represents a generic volume resource - that is provisioned/attached using an exec based plugin. + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. properties: driver: description: driver is the name of the driver to use for this volume. type: string fsType: - description: fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". The default filesystem - depends on FlexVolume script. + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. type: string options: additionalProperties: @@ -2514,22 +2535,23 @@ spec: extra command options if any.' type: object readOnly: - description: 'readOnly is Optional: defaults to false - (read/write). ReadOnly here will force the ReadOnly - setting in VolumeMounts.' + description: |- + readOnly is Optional: defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: 'secretRef is Optional: secretRef is reference - to the secret object containing sensitive information - to pass to the plugin scripts. This may be empty if - no secret object is specified. If the secret object - contains more than one secret, all secrets are passed - to the plugin scripts.' + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -2542,9 +2564,9 @@ spec: control service being running properties: datasetName: - description: datasetName is Name of the dataset stored - as metadata -> name on the dataset for Flocker should - be considered as deprecated + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated type: string datasetUUID: description: datasetUUID is the UUID of the dataset. @@ -2552,54 +2574,55 @@ spec: type: string type: object gcePersistentDisk: - description: 'gcePersistentDisk represents a GCE Disk resource - that is attached to a kubelet''s host machine and then - exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk properties: fsType: - description: 'fsType is filesystem type of the volume - that you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - TODO: how do we prevent errors in the filesystem from - compromising the machine' + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem from compromising the machine type: string partition: - description: 'partition is the partition in the volume - that you want to mount. If omitted, the default is - to mount by volume name. Examples: For volume /dev/sda1, - you specify the partition as "1". Similarly, the volume - partition for /dev/sda is "0" (or you can leave the - property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk format: int32 type: integer pdName: - description: 'pdName is unique name of the PD resource - in GCE. Used to identify the disk in GCE. More info: - https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk type: string readOnly: - description: 'readOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. More info: - https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk type: boolean required: - pdName type: object gitRepo: - description: 'gitRepo represents a git repository at a particular - revision. DEPRECATED: GitRepo is deprecated. To provision - a container with a git repo, mount an EmptyDir into an - InitContainer that clones the repo using git, then mount - the EmptyDir into the Pod''s container.' + description: |- + gitRepo represents a git repository at a particular revision. + DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. properties: directory: - description: directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, - the volume directory will be the git repository. Otherwise, - if specified, the volume will contain the git repository - in the subdirectory with the given name. + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. type: string repository: description: repository is the URL @@ -2612,53 +2635,61 @@ spec: - repository type: object glusterfs: - description: 'glusterfs represents a Glusterfs mount on - the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md' + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md properties: endpoints: - description: 'endpoints is the endpoint name that details - Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + description: |- + endpoints is the endpoint name that details Glusterfs topology. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod type: string path: - description: 'path is the Glusterfs volume path. More - info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod type: string readOnly: - description: 'readOnly here will force the Glusterfs - volume to be mounted with read-only permissions. Defaults - to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod type: boolean required: - endpoints - path type: object hostPath: - description: 'hostPath represents a pre-existing file or - directory on the host machine that is directly exposed - to the container. This is generally used for system agents - or other privileged things that are allowed to see the - host machine. Most containers will NOT need this. More - info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- TODO(jonesdl) We need to restrict who can use host - directory mounts and who can/can not mount host directories - as read/write.' + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- + TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + mount host directories as read/write. properties: path: - description: 'path of the directory on the host. If - the path is a symlink, it will follow the link to - the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + description: |- + path of the directory on the host. + If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath type: string type: - description: 'type for HostPath Volume Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath type: string required: - path type: object iscsi: - description: 'iscsi represents an ISCSI Disk resource that - is attached to a kubelet''s host machine and then exposed - to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://examples.k8s.io/volumes/iscsi/README.md properties: chapAuthDiscovery: description: chapAuthDiscovery defines whether support @@ -2669,59 +2700,59 @@ spec: iSCSI Session CHAP authentication type: boolean fsType: - description: 'fsType is the filesystem type of the volume - that you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - TODO: how do we prevent errors in the filesystem from - compromising the machine' + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem from compromising the machine type: string initiatorName: - description: initiatorName is the custom iSCSI Initiator - Name. If initiatorName is specified with iscsiInterface - simultaneously, new iSCSI interface : will be created for the connection. + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. type: string iqn: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: - description: iscsiInterface is the interface Name that - uses an iSCSI transport. Defaults to 'default' (tcp). + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). type: string lun: description: lun represents iSCSI Target Lun number. format: int32 type: integer portals: - description: portals is the iSCSI Target Portal List. - The portal is either an IP or ip_addr:port if the - port is other than default (typically TCP ports 860 - and 3260). + description: |- + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). items: type: string type: array readOnly: - description: readOnly here will force the ReadOnly setting - in VolumeMounts. Defaults to false. + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. type: boolean secretRef: description: secretRef is the CHAP Secret for iSCSI target and initiator authentication properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic targetPortal: - description: targetPortal is iSCSI Target Portal. The - Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and - 3260). + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). type: string required: - iqn @@ -2729,43 +2760,51 @@ spec: - targetPortal type: object name: - description: 'name of the volume. Must be a DNS_LABEL and - unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string nfs: - description: 'nfs represents an NFS mount on the host that - shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs properties: path: - description: 'path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs type: string readOnly: - description: 'readOnly here will force the NFS export - to be mounted with read-only permissions. Defaults - to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs type: boolean server: - description: 'server is the hostname or IP address of - the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: |- + server is the hostname or IP address of the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs type: string required: - path - server type: object persistentVolumeClaim: - description: 'persistentVolumeClaimVolumeSource represents - a reference to a PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims properties: claimName: - description: 'claimName is the name of a PersistentVolumeClaim - in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims type: string readOnly: - description: readOnly Will force the ReadOnly setting - in VolumeMounts. Default false. + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. type: boolean required: - claimName @@ -2776,10 +2815,10 @@ spec: machine properties: fsType: - description: fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string pdID: description: pdID is the ID that identifies Photon Controller @@ -2793,14 +2832,15 @@ spec: attached and mounted on kubelets host machine properties: fsType: - description: fSType represents the filesystem type to - mount Must be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. type: string readOnly: - description: readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean volumeID: description: volumeID uniquely identifies a Portworx @@ -2814,15 +2854,13 @@ spec: configmaps, and downward API properties: defaultMode: - description: defaultMode are the mode bits used to set - permissions on created files by default. Must be an - octal value between 0000 and 0777 or a decimal value - between 0 and 511. YAML accepts both octal and decimal - values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this - setting. This might be in conflict with other options - that affect the file mode, like fsGroup, and the result - can be other mode bits set. + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer sources: @@ -2832,57 +2870,48 @@ spec: with other supported volume types properties: clusterTrustBundle: - description: "ClusterTrustBundle allows a pod - to access the `.spec.trustBundle` field of ClusterTrustBundle - objects in an auto-updating file. \n Alpha, - gated by the ClusterTrustBundleProjection feature - gate. \n ClusterTrustBundle objects can either - be selected by name, or by the combination of - signer name and a label selector. \n Kubelet - performs aggressive normalization of the PEM - contents written into the pod filesystem. Esoteric - PEM features such as inter-block comments and - block headers are stripped. Certificates are - deduplicated. The ordering of certificates within - the file is arbitrary, and Kubelet may change - the order over time." + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + Alpha, gated by the ClusterTrustBundleProjection feature gate. + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. properties: labelSelector: - description: Select all ClusterTrustBundles - that match this label selector. Only has - effect if signerName is set. Mutually-exclusive - with name. If unset, interpreted as "match - nothing". If set but empty, interpreted - as "match everything". + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -2895,39 +2924,35 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic name: - description: Select a single ClusterTrustBundle - by object name. Mutually-exclusive with - signerName and labelSelector. + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. type: string optional: - description: If true, don't block pod startup - if the referenced ClusterTrustBundle(s) - aren't available. If using name, then the - named ClusterTrustBundle is allowed not - to exist. If using signerName, then the - combination of signerName and labelSelector - is allowed to match zero ClusterTrustBundles. + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. type: boolean path: description: Relative path from the volume root to write the bundle. type: string signerName: - description: Select all ClusterTrustBundles - that match this signer name. Mutually-exclusive - with name. The contents of all selected - ClusterTrustBundles will be unified and - deduplicated. + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. type: string required: - path @@ -2937,18 +2962,14 @@ spec: data to project properties: items: - description: items if unspecified, each key-value - pair in the Data field of the referenced - ConfigMap will be projected into the volume - as a file whose name is the key and content - is the value. If specified, the listed keys - will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the ConfigMap, the volume setup will - error unless it is marked optional. Paths - must be relative and may not contain the - '..' path or start with '..'. + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -2957,26 +2978,21 @@ spec: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode - bits used to set permissions on this - file. Must be an octal value between - 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal - and decimal values, JSON requires - decimal values for mode bits. If not - specified, the volume defaultMode - will be used. This might be in conflict - with other options that affect the - file mode, like fsGroup, and the result - can be other mode bits set.' + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: - description: path is the relative path - of the file to map the key to. May - not be an absolute path. May not contain - the path element '..'. May not start - with the string '..'. + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. type: string required: - key @@ -2984,10 +3000,10 @@ spec: type: object type: array name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: optional specify whether the @@ -3026,18 +3042,13 @@ spec: type: object x-kubernetes-map-type: atomic mode: - description: 'Optional: mode bits used - to set permissions on this file, must - be an octal value between 0000 and - 0777 or a decimal value between 0 - and 511. YAML accepts both octal and - decimal values, JSON requires decimal - values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: @@ -3049,11 +3060,9 @@ spec: path must not start with ''..''' type: string resourceFieldRef: - description: 'Selects a resource of - the container: only resources limits - and requests (limits.cpu, limits.memory, - requests.cpu and requests.memory) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. properties: containerName: description: 'Container name: required @@ -3087,18 +3096,14 @@ spec: data to project properties: items: - description: items if unspecified, each key-value - pair in the Data field of the referenced - Secret will be projected into the volume - as a file whose name is the key and content - is the value. If specified, the listed keys - will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the Secret, the volume setup will error - unless it is marked optional. Paths must - be relative and may not contain the '..' - path or start with '..'. + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -3107,26 +3112,21 @@ spec: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode - bits used to set permissions on this - file. Must be an octal value between - 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal - and decimal values, JSON requires - decimal values for mode bits. If not - specified, the volume defaultMode - will be used. This might be in conflict - with other options that affect the - file mode, like fsGroup, and the result - can be other mode bits set.' + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: - description: path is the relative path - of the file to map the key to. May - not be an absolute path. May not contain - the path element '..'. May not start - with the string '..'. + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. type: string required: - key @@ -3134,10 +3134,10 @@ spec: type: object type: array name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: optional field specify whether @@ -3150,29 +3150,25 @@ spec: about the serviceAccountToken data to project properties: audience: - description: audience is the intended audience - of the token. A recipient of a token must - identify itself with an identifier specified - in the audience of the token, and otherwise - should reject the token. The audience defaults - to the identifier of the apiserver. + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. type: string expirationSeconds: - description: expirationSeconds is the requested - duration of validity of the service account - token. As the token approaches expiration, - the kubelet volume plugin will proactively - rotate the service account token. The kubelet - will start trying to rotate the token if - the token is older than 80 percent of its - time to live or if the token is older than - 24 hours.Defaults to 1 hour and must be - at least 10 minutes. + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. format: int64 type: integer path: - description: path is the path relative to - the mount point of the file to project the + description: |- + path is the path relative to the mount point of the file to project the token into. type: string required: @@ -3186,28 +3182,30 @@ spec: that shares a pod's lifetime properties: group: - description: group to map volume access to Default is - no group + description: |- + group to map volume access to + Default is no group type: string readOnly: - description: readOnly here will force the Quobyte volume - to be mounted with read-only permissions. Defaults - to false. + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. type: boolean registry: - description: registry represents a single or multiple - Quobyte Registry services specified as a string as - host:port pair (multiple entries are separated with - commas) which acts as the central registry for volumes + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes type: string tenant: - description: tenant owning the given Quobyte volume - in the Backend Used with dynamically provisioned Quobyte - volumes, value is set by the plugin + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin type: string user: - description: user to map volume access to Defaults to - serivceaccount user + description: |- + user to map volume access to + Defaults to serivceaccount user type: string volume: description: volume is a string that references an already @@ -3218,57 +3216,68 @@ spec: - volume type: object rbd: - description: 'rbd represents a Rados Block Device mount - on the host that shares a pod''s lifetime. More info: - https://examples.k8s.io/volumes/rbd/README.md' + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md properties: fsType: - description: 'fsType is the filesystem type of the volume - that you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - TODO: how do we prevent errors in the filesystem from - compromising the machine' + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem from compromising the machine type: string image: - description: 'image is the rados image name. More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: - description: 'keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string monitors: - description: 'monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it items: type: string type: array pool: - description: 'pool is the rados pool name. Default is - rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string readOnly: - description: 'readOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: boolean secretRef: - description: 'secretRef is name of the authentication - secret for RBDUser. If provided overrides keyring. - Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic user: - description: 'user is the rados user name. Default is - admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string required: - image @@ -3279,9 +3288,11 @@ spec: attached and mounted on Kubernetes nodes. properties: fsType: - description: fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Default is "xfs". + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". type: string gateway: description: gateway is the host address of the ScaleIO @@ -3292,18 +3303,20 @@ spec: Protection Domain for the configured storage. type: string readOnly: - description: readOnly Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: secretRef references to the secret for - ScaleIO user and other sensitive information. If this - is not provided, Login operation will fail. + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -3312,8 +3325,8 @@ spec: with Gateway, default false type: boolean storageMode: - description: storageMode indicates whether the storage - for a volume should be ThickProvisioned or ThinProvisioned. + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. type: string storagePool: @@ -3325,9 +3338,9 @@ spec: as configured in ScaleIO. type: string volumeName: - description: volumeName is the name of a volume already - created in the ScaleIO system that is associated with - this volume source. + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. type: string required: - gateway @@ -3335,33 +3348,30 @@ spec: - system type: object secret: - description: 'secret represents a secret that should populate - this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret properties: defaultMode: - description: 'defaultMode is Optional: mode bits used - to set permissions on created files by default. Must - be an octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal values for mode - bits. Defaults to 0644. Directories within the path - are not affected by this setting. This might be in - conflict with other options that affect the file mode, - like fsGroup, and the result can be other mode bits - set.' + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer items: - description: items If unspecified, each key-value pair - in the Data field of the referenced Secret will be - projected into the volume as a file whose name is - the key and content is the value. If specified, the - listed keys will be projected into the specified paths, - and unlisted keys will not be present. If a key is - specified which is not present in the Secret, the - volume setup will error unless it is marked optional. - Paths must be relative and may not contain the '..' - path or start with '..'. + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -3370,22 +3380,20 @@ spec: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode bits used - to set permissions on this file. Must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal - and decimal values, JSON requires decimal values - for mode bits. If not specified, the volume - defaultMode will be used. This might be in conflict - with other options that affect the file mode, - like fsGroup, and the result can be other mode - bits set.' + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: - description: path is the relative path of the - file to map the key to. May not be an absolute - path. May not contain the path element '..'. + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. May not start with the string '..'. type: string required: @@ -3398,8 +3406,9 @@ spec: or its keys must be defined type: boolean secretName: - description: 'secretName is the name of the secret in - the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: |- + secretName is the name of the secret in the pod's namespace to use. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret type: string type: object storageos: @@ -3407,42 +3416,42 @@ spec: and mounted on Kubernetes nodes. properties: fsType: - description: fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string readOnly: - description: readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: secretRef specifies the secret to use for - obtaining the StorageOS API credentials. If not specified, - default values will be attempted. + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic volumeName: - description: volumeName is the human-readable name of - the StorageOS volume. Volume names are only unique - within a namespace. + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. type: string volumeNamespace: - description: volumeNamespace specifies the scope of - the volume within StorageOS. If no namespace is specified - then the Pod's namespace will be used. This allows - the Kubernetes name scoping to be mirrored within - StorageOS for tighter integration. Set VolumeName - to any name to override the default behaviour. Set - to "default" if you are not using namespaces within - StorageOS. Namespaces that do not pre-exist within - StorageOS will be created. + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. type: string type: object vsphereVolume: @@ -3450,10 +3459,10 @@ spec: and mounted on kubelets host machine properties: fsType: - description: fsType is filesystem type to mount. Must - be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string storagePolicyID: description: storagePolicyID is the storage Policy Based @@ -3475,56 +3484,60 @@ spec: type: object type: array logLevel: - description: LogLevel sets the log level for Envoy. Allowed values - are "trace", "debug", "info", "warn", "error", "critical", "off". + description: |- + LogLevel sets the log level for Envoy. + Allowed values are "trace", "debug", "info", "warn", "error", "critical", "off". type: string networkPublishing: description: NetworkPublishing defines how to expose Envoy to a network. properties: externalTrafficPolicy: - description: "ExternalTrafficPolicy describes how nodes distribute - service traffic they receive on one of the Service's \"externally-facing\" - addresses (NodePorts, ExternalIPs, and LoadBalancer IPs). - \n If unset, defaults to \"Local\"." + description: |- + ExternalTrafficPolicy describes how nodes distribute service traffic they + receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs, + and LoadBalancer IPs). + If unset, defaults to "Local". type: string ipFamilyPolicy: - description: IPFamilyPolicy represents the dual-stack-ness - requested or required by this Service. If there is no value - provided, then this field will be set to SingleStack. Services - can be "SingleStack" (a single IP family), "PreferDualStack" - (two IP families on dual-stack configured clusters or a - single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise - fail). + description: |- + IPFamilyPolicy represents the dual-stack-ness requested or required by + this Service. If there is no value provided, then this field will be set + to SingleStack. Services can be "SingleStack" (a single IP family), + "PreferDualStack" (two IP families on dual-stack configured clusters or + a single IP family on single-stack clusters), or "RequireDualStack" + (two IP families on dual-stack configured clusters, otherwise fail). type: string serviceAnnotations: additionalProperties: type: string - description: ServiceAnnotations is the annotations to add - to the provisioned Envoy service. + description: |- + ServiceAnnotations is the annotations to add to + the provisioned Envoy service. type: object type: - description: "NetworkPublishingType is the type of publishing - strategy to use. Valid values are: \n * LoadBalancerService - \n In this configuration, network endpoints for Envoy use - container networking. A Kubernetes LoadBalancer Service - is created to publish Envoy network endpoints. \n See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer - \n * NodePortService \n Publishes Envoy network endpoints - using a Kubernetes NodePort Service. \n In this configuration, - Envoy network endpoints use container networking. A Kubernetes + description: |- + NetworkPublishingType is the type of publishing strategy to use. Valid values are: + * LoadBalancerService + In this configuration, network endpoints for Envoy use container networking. + A Kubernetes LoadBalancer Service is created to publish Envoy network + endpoints. + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + * NodePortService + Publishes Envoy network endpoints using a Kubernetes NodePort Service. + In this configuration, Envoy network endpoints use container networking. A Kubernetes NodePort Service is created to publish the network endpoints. - \n See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport - \n NOTE: When provisioning an Envoy `NodePortService`, use - Gateway Listeners' port numbers to populate the Service's - node port values, there's no way to auto-allocate them. - \n See: https://github.com/projectcontour/contour/issues/4499 - \n * ClusterIPService \n Publishes Envoy network endpoints - using a Kubernetes ClusterIP Service. \n In this configuration, - Envoy network endpoints use container networking. A Kubernetes + See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport + NOTE: + When provisioning an Envoy `NodePortService`, use Gateway Listeners' port numbers to populate + the Service's node port values, there's no way to auto-allocate them. + See: https://github.com/projectcontour/contour/issues/4499 + * ClusterIPService + Publishes Envoy network endpoints using a Kubernetes ClusterIP Service. + In this configuration, Envoy network endpoints use container networking. A Kubernetes ClusterIP Service is created to publish the network endpoints. - \n See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - \n If unset, defaults to LoadBalancerService." + See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + If unset, defaults to LoadBalancerService. type: string type: object nodePlacement: @@ -3534,104 +3547,107 @@ spec: nodeSelector: additionalProperties: type: string - description: "NodeSelector is the simplest recommended form - of node selection constraint and specifies a map of key-value - pairs. For the pod to be eligible to run on a node, the - node must have each of the indicated key-value pairs as - labels (it can have additional labels as well). \n If unset, - the pod(s) will be scheduled to any available node." + description: |- + NodeSelector is the simplest recommended form of node selection constraint + and specifies a map of key-value pairs. For the pod to be eligible + to run on a node, the node must have each of the indicated key-value pairs + as labels (it can have additional labels as well). + If unset, the pod(s) will be scheduled to any available node. type: object tolerations: - description: "Tolerations work with taints to ensure that - pods are not scheduled onto inappropriate nodes. One or - more taints are applied to a node; this marks that the node - should not accept any pods that do not tolerate the taints. - \n The default is an empty list. \n See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - for additional details." + description: |- + Tolerations work with taints to ensure that pods are not scheduled + onto inappropriate nodes. One or more taints are applied to a node; this + marks that the node should not accept any pods that do not tolerate the + taints. + The default is an empty list. + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for additional details. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule and - NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If the - key is empty, operator must be Exists; this combination - means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints of - a particular category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the - taint forever (do not evict). Zero and negative values - will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value should - be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object overloadMaxHeapSize: - description: 'OverloadMaxHeapSize defines the maximum heap memory - of the envoy controlled by the overload manager. When the value - is greater than 0, the overload manager is enabled, and when - envoy reaches 95% of the maximum heap size, it performs a shrink - heap operation, When it reaches 98% of the maximum heap size, - Envoy Will stop accepting requests. More info: https://projectcontour.io/docs/main/config/overload-manager/' + description: |- + OverloadMaxHeapSize defines the maximum heap memory of the envoy controlled by the overload manager. + When the value is greater than 0, the overload manager is enabled, + and when envoy reaches 95% of the maximum heap size, it performs a shrink heap operation, + When it reaches 98% of the maximum heap size, Envoy Will stop accepting requests. + More info: https://projectcontour.io/docs/main/config/overload-manager/ format: int64 type: integer podAnnotations: additionalProperties: type: string - description: PodAnnotations defines annotations to add to the - Envoy pods. the annotations for Prometheus will be appended - or overwritten with predefined value. + description: |- + PodAnnotations defines annotations to add to the Envoy pods. + the annotations for Prometheus will be appended or overwritten with predefined value. type: object replicas: - description: "Deprecated: Use `DeploymentSettings.Replicas` instead. - \n Replicas is the desired number of Envoy replicas. If WorkloadType - is not \"Deployment\", this field is ignored. Otherwise, if - unset, defaults to 2. \n if both `DeploymentSettings.Replicas` - and this one is set, use `DeploymentSettings.Replicas`." + description: |- + Deprecated: Use `DeploymentSettings.Replicas` instead. + Replicas is the desired number of Envoy replicas. If WorkloadType + is not "Deployment", this field is ignored. Otherwise, if unset, + defaults to 2. + if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`. format: int32 minimum: 0 type: integer resources: - description: 'Compute Resources required by envoy container. Cannot - be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Compute Resources required by envoy container. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name @@ -3647,8 +3663,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -3657,15 +3674,16 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object workloadType: - description: WorkloadType is the type of workload to install Envoy + description: |- + WorkloadType is the type of workload to install Envoy as. Choices are DaemonSet and Deployment. If unset, defaults to DaemonSet. type: string @@ -3673,41 +3691,49 @@ spec: resourceLabels: additionalProperties: type: string - description: "ResourceLabels is a set of labels to add to the provisioned - Contour resources. \n Deprecated: use Gateway.Spec.Infrastructure.Labels - instead. This field will be removed in a future release." + description: |- + ResourceLabels is a set of labels to add to the provisioned Contour resources. + Deprecated: use Gateway.Spec.Infrastructure.Labels instead. This field will be + removed in a future release. type: object runtimeSettings: - description: RuntimeSettings is a ContourConfiguration spec to be - used when provisioning a Contour instance that will influence aspects - of the Contour instance's runtime behavior. + description: |- + RuntimeSettings is a ContourConfiguration spec to be used when + provisioning a Contour instance that will influence aspects of + the Contour instance's runtime behavior. properties: debug: - description: Debug contains parameters to enable debug logging + description: |- + Debug contains parameters to enable debug logging and debug interfaces inside Contour. properties: address: - description: "Defines the Contour debug address interface. - \n Contour's default is \"127.0.0.1\"." + description: |- + Defines the Contour debug address interface. + Contour's default is "127.0.0.1". type: string port: - description: "Defines the Contour debug address port. \n Contour's - default is 6060." + description: |- + Defines the Contour debug address port. + Contour's default is 6060. type: integer type: object enableExternalNameService: - description: "EnableExternalNameService allows processing of ExternalNameServices - \n Contour's default is false for security reasons." + description: |- + EnableExternalNameService allows processing of ExternalNameServices + Contour's default is false for security reasons. type: boolean envoy: - description: Envoy contains parameters for Envoy as well as how - to optionally configure a managed Envoy fleet. + description: |- + Envoy contains parameters for Envoy as well + as how to optionally configure a managed Envoy fleet. properties: clientCertificate: - description: ClientCertificate defines the namespace/name - of the Kubernetes secret containing the client certificate - and private key to be used when establishing TLS connection - to upstream cluster. + description: |- + ClientCertificate defines the namespace/name of the Kubernetes + secret containing the client certificate and private key + to be used when establishing TLS connection to upstream + cluster. properties: name: type: string @@ -3718,13 +3744,14 @@ spec: - namespace type: object cluster: - description: Cluster holds various configurable Envoy cluster - values that can be set in the config file. + description: |- + Cluster holds various configurable Envoy cluster values that can + be set in the config file. properties: circuitBreakers: - description: GlobalCircuitBreakerDefaults specifies default - circuit breaker budget across all services. If defined, - this will be used as the default for all services. + description: |- + GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services. + If defined, this will be used as the default for all services. properties: maxConnections: description: The maximum number of connections that @@ -3752,35 +3779,35 @@ spec: type: integer type: object dnsLookupFamily: - description: "DNSLookupFamily defines how external names - are looked up When configured as V4, the DNS resolver - will only perform a lookup for addresses in the IPv4 - family. If V6 is configured, the DNS resolver will only - perform a lookup for addresses in the IPv6 family. If - AUTO is configured, the DNS resolver will first perform - a lookup for addresses in the IPv6 family and fallback - to a lookup for addresses in the IPv4 family. If ALL - is specified, the DNS resolver will perform a lookup - for both IPv4 and IPv6 families, and return all resolved - addresses. When this is used, Happy Eyeballs will be - enabled for upstream connections. Refer to Happy Eyeballs - Support for more information. Note: This only applies - to externalName clusters. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily - for more information. \n Values: `auto` (default), `v4`, - `v6`, `all`. \n Other values will produce an error." + description: |- + DNSLookupFamily defines how external names are looked up + When configured as V4, the DNS resolver will only perform a lookup + for addresses in the IPv4 family. If V6 is configured, the DNS resolver + will only perform a lookup for addresses in the IPv6 family. + If AUTO is configured, the DNS resolver will first perform a lookup + for addresses in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for + both IPv4 and IPv6 families, and return all resolved addresses. + When this is used, Happy Eyeballs will be enabled for upstream connections. + Refer to Happy Eyeballs Support for more information. + Note: This only applies to externalName clusters. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. + Values: `auto` (default), `v4`, `v6`, `all`. + Other values will produce an error. type: string maxRequestsPerConnection: - description: Defines the maximum requests for upstream - connections. If not specified, there is no limit. see - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + description: |- + Defines the maximum requests for upstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions for more information. format: int32 minimum: 1 type: integer per-connection-buffer-limit-bytes: - description: Defines the soft limit on size of the cluster’s - new connection read and write buffers in bytes. If unspecified, - an implementation defined default is applied (1MiB). + description: |- + Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes for more information. format: int32 @@ -3791,64 +3818,73 @@ spec: for upstream connections properties: cipherSuites: - description: "CipherSuites defines the TLS ciphers - to be supported by Envoy TLS listeners when negotiating - TLS 1.2. Ciphers are validated against the set that - Envoy supports by default. This parameter should - only be used by advanced users. Note that these - will be ignored when TLS 1.3 is in use. \n This - field is optional; when it is undefined, a Contour-managed - ciphersuite list will be used, which may be updated - to keep it secure. \n Contour's default list is: - - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" - \n Ciphers provided are validated against the following - list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" - - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" - - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" - - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - - \"AES256-SHA\" \n Contour recommends leaving this - undefined unless you are sure you must. \n See: - https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters - Note: This list is a superset of what is valid for - stock Envoy builds and those using BoringSSL FIPS." + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. items: type: string type: array maximumProtocolVersion: - description: "MaximumProtocolVersion is the maximum - TLS version this vhost should negotiate. \n Values: - `1.2`, `1.3`(default). \n Other values will produce - an error." + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. type: string minimumProtocolVersion: - description: "MinimumProtocolVersion is the minimum - TLS version this vhost should negotiate. \n Values: - `1.2` (default), `1.3`. \n Other values will produce - an error." + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. type: string type: object type: object defaultHTTPVersions: - description: "DefaultHTTPVersions defines the default set - of HTTPS versions the proxy should accept. HTTP versions - are strings of the form \"HTTP/xx\". Supported versions - are \"HTTP/1.1\" and \"HTTP/2\". \n Values: `HTTP/1.1`, - `HTTP/2` (default: both). \n Other values will produce an - error." + description: |- + DefaultHTTPVersions defines the default set of HTTPS + versions the proxy should accept. HTTP versions are + strings of the form "HTTP/xx". Supported versions are + "HTTP/1.1" and "HTTP/2". + Values: `HTTP/1.1`, `HTTP/2` (default: both). + Other values will produce an error. items: description: HTTPVersionType is the name of a supported HTTP version. type: string type: array health: - description: "Health defines the endpoint Envoy uses to serve - health checks. \n Contour's default is { address: \"0.0.0.0\", - port: 8002 }." + description: |- + Health defines the endpoint Envoy uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8002 }. properties: address: description: Defines the health address interface. @@ -3859,9 +3895,9 @@ spec: type: integer type: object http: - description: "Defines the HTTP Listener for Envoy. \n Contour's - default is { address: \"0.0.0.0\", port: 8080, accessLog: - \"/dev/stdout\" }." + description: |- + Defines the HTTP Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }. properties: accessLog: description: AccessLog defines where Envoy logs are outputted @@ -3876,9 +3912,9 @@ spec: type: integer type: object https: - description: "Defines the HTTPS Listener for Envoy. \n Contour's - default is { address: \"0.0.0.0\", port: 8443, accessLog: - \"/dev/stdout\" }." + description: |- + Defines the HTTPS Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }. properties: accessLog: description: AccessLog defines where Envoy logs are outputted @@ -3897,111 +3933,103 @@ spec: values. properties: connectionBalancer: - description: "ConnectionBalancer. If the value is exact, - the listener will use the exact connection balancer + description: |- + ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig - for more information. \n Values: (empty string): use - the default ConnectionBalancer, `exact`: use the Exact - ConnectionBalancer. \n Other values will produce an - error." + for more information. + Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. + Other values will produce an error. type: string disableAllowChunkedLength: - description: "DisableAllowChunkedLength disables the RFC-compliant - Envoy behavior to strip the \"Content-Length\" header - if \"Transfer-Encoding: chunked\" is also set. This - is an emergency off-switch to revert back to Envoy's - default behavior in case of failures. Please file an - issue if failures are encountered. See: https://github.com/projectcontour/contour/issues/3221 - \n Contour's default is false." + description: |- + DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to + strip the "Content-Length" header if "Transfer-Encoding: chunked" is + also set. This is an emergency off-switch to revert back to Envoy's + default behavior in case of failures. Please file an issue if failures + are encountered. + See: https://github.com/projectcontour/contour/issues/3221 + Contour's default is false. type: boolean disableMergeSlashes: - description: "DisableMergeSlashes disables Envoy's non-standard - merge_slashes path transformation option which strips - duplicate slashes from request URL paths. \n Contour's - default is false." + description: |- + DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option + which strips duplicate slashes from request URL paths. + Contour's default is false. type: boolean httpMaxConcurrentStreams: - description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS - Envoy will advertise in the SETTINGS frame in HTTP/2 - connections and the limit for concurrent streams allowed - for a peer on a single HTTP/2 connection. It is recommended - to not set this lower than 100 but this field can be - used to bound resource usage by HTTP/2 connections and - mitigate attacks like CVE-2023-44487. The default value - when this is not set is unlimited. + description: |- + Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the + SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed + for a peer on a single HTTP/2 connection. It is recommended to not set this lower + than 100 but this field can be used to bound resource usage by HTTP/2 connections + and mitigate attacks like CVE-2023-44487. The default value when this is not set is + unlimited. format: int32 minimum: 1 type: integer maxConnectionsPerListener: - description: Defines the limit on number of active connections - to a listener. The limit is applied per listener. The - default value when this is not set is unlimited. + description: |- + Defines the limit on number of active connections to a listener. The limit is applied + per listener. The default value when this is not set is unlimited. format: int32 minimum: 1 type: integer maxRequestsPerConnection: - description: Defines the maximum requests for downstream - connections. If not specified, there is no limit. see - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + description: |- + Defines the maximum requests for downstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions for more information. format: int32 minimum: 1 type: integer maxRequestsPerIOCycle: - description: Defines the limit on number of HTTP requests - that Envoy will process from a single connection in - a single I/O cycle. Requests over this limit are processed - in subsequent I/O cycles. Can be used as a mitigation - for CVE-2023-44487 when abusive traffic is detected. - Configures the http.max_requests_per_io_cycle Envoy - runtime setting. The default value when this is not - set is no limit. + description: |- + Defines the limit on number of HTTP requests that Envoy will process from a single + connection in a single I/O cycle. Requests over this limit are processed in subsequent + I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is + detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default + value when this is not set is no limit. format: int32 minimum: 1 type: integer per-connection-buffer-limit-bytes: - description: Defines the soft limit on size of the listener’s - new connection read and write buffers in bytes. If unspecified, - an implementation defined default is applied (1MiB). + description: |- + Defines the soft limit on size of the listener’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes for more information. format: int32 minimum: 1 type: integer serverHeaderTransformation: - description: "Defines the action to be applied to the - Server header on the response path. When configured - as overwrite, overwrites any Server header with \"envoy\". - When configured as append_if_absent, if a Server header - is present, pass it through, otherwise set it to \"envoy\". - When configured as pass_through, pass through the value - of the Server header, and do not append a header if - none is present. \n Values: `overwrite` (default), `append_if_absent`, - `pass_through` \n Other values will produce an error. - Contour's default is overwrite." + description: |- + Defines the action to be applied to the Server header on the response path. + When configured as overwrite, overwrites any Server header with "envoy". + When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy". + When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. + Values: `overwrite` (default), `append_if_absent`, `pass_through` + Other values will produce an error. + Contour's default is overwrite. type: string socketOptions: - description: SocketOptions defines configurable socket - options for the listeners. Single set of options are - applied to all listeners. + description: |- + SocketOptions defines configurable socket options for the listeners. + Single set of options are applied to all listeners. properties: tos: - description: Defines the value for IPv4 TOS field - (including 6 bit DSCP field) for IP packets originating - from Envoy listeners. Single value is applied to - all listeners. If listeners are bound to IPv6-only - addresses, setting this option will cause an error. + description: |- + Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv6-only addresses, setting this option will cause an error. format: int32 maximum: 255 minimum: 0 type: integer trafficClass: - description: Defines the value for IPv6 Traffic Class - field (including 6 bit DSCP field) for IP packets - originating from the Envoy listeners. Single value - is applied to all listeners. If listeners are bound - to IPv4-only addresses, setting this option will - cause an error. + description: |- + Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv4-only addresses, setting this option will cause an error. format: int32 maximum: 255 minimum: 0 @@ -4012,84 +4040,93 @@ spec: listener values. properties: cipherSuites: - description: "CipherSuites defines the TLS ciphers - to be supported by Envoy TLS listeners when negotiating - TLS 1.2. Ciphers are validated against the set that - Envoy supports by default. This parameter should - only be used by advanced users. Note that these - will be ignored when TLS 1.3 is in use. \n This - field is optional; when it is undefined, a Contour-managed - ciphersuite list will be used, which may be updated - to keep it secure. \n Contour's default list is: - - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" - \n Ciphers provided are validated against the following - list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" - - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" - - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" - - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - - \"AES256-SHA\" \n Contour recommends leaving this - undefined unless you are sure you must. \n See: - https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters - Note: This list is a superset of what is valid for - stock Envoy builds and those using BoringSSL FIPS." + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. items: type: string type: array maximumProtocolVersion: - description: "MaximumProtocolVersion is the maximum - TLS version this vhost should negotiate. \n Values: - `1.2`, `1.3`(default). \n Other values will produce - an error." + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. type: string minimumProtocolVersion: - description: "MinimumProtocolVersion is the minimum - TLS version this vhost should negotiate. \n Values: - `1.2` (default), `1.3`. \n Other values will produce - an error." + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. type: string type: object useProxyProtocol: - description: "Use PROXY protocol for all listeners. \n - Contour's default is false." + description: |- + Use PROXY protocol for all listeners. + Contour's default is false. type: boolean type: object logging: description: Logging defines how Envoy's logs can be configured. properties: accessLogFormat: - description: "AccessLogFormat sets the global access log - format. \n Values: `envoy` (default), `json`. \n Other - values will produce an error." + description: |- + AccessLogFormat sets the global access log format. + Values: `envoy` (default), `json`. + Other values will produce an error. type: string accessLogFormatString: - description: AccessLogFormatString sets the access log - format when format is set to `envoy`. When empty, Envoy's - default format is used. + description: |- + AccessLogFormatString sets the access log format when format is set to `envoy`. + When empty, Envoy's default format is used. type: string accessLogJSONFields: - description: AccessLogJSONFields sets the fields that - JSON logging will output when AccessLogFormat is json. + description: |- + AccessLogJSONFields sets the fields that JSON logging will + output when AccessLogFormat is json. items: type: string type: array accessLogLevel: - description: "AccessLogLevel sets the verbosity level - of the access log. \n Values: `info` (default, all requests - are logged), `error` (all non-success requests, i.e. - 300+ response code, are logged), `critical` (all 5xx - requests are logged) and `disabled`. \n Other values - will produce an error." + description: |- + AccessLogLevel sets the verbosity level of the access log. + Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`. + Other values will produce an error. type: string type: object metrics: - description: "Metrics defines the endpoint Envoy uses to serve - metrics. \n Contour's default is { address: \"0.0.0.0\", - port: 8002 }." + description: |- + Metrics defines the endpoint Envoy uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8002 }. properties: address: description: Defines the metrics address interface. @@ -4100,9 +4137,9 @@ spec: description: Defines the metrics port. type: integer tls: - description: TLS holds TLS file config details. Metrics - and health endpoints cannot have same port number when - metrics is served over HTTPS. + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. properties: caFile: description: CA filename. @@ -4120,24 +4157,26 @@ spec: values. properties: adminPort: - description: "Configure the port used to access the Envoy - Admin interface. If configured to port \"0\" then the - admin interface is disabled. \n Contour's default is - 9001." + description: |- + Configure the port used to access the Envoy Admin interface. + If configured to port "0" then the admin interface is disabled. + Contour's default is 9001. type: integer numTrustedHops: - description: "XffNumTrustedHops defines the number of - additional ingress proxy hops from the right side of - the x-forwarded-for HTTP header to trust when determining - the origin client’s IP address. \n See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops - for more information. \n Contour's default is 0." + description: |- + XffNumTrustedHops defines the number of additional ingress proxy hops from the + right side of the x-forwarded-for HTTP header to trust when determining the origin + client’s IP address. + See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops + for more information. + Contour's default is 0. format: int32 type: integer type: object service: - description: "Service holds Envoy service parameters for setting - Ingress status. \n Contour's default is { namespace: \"projectcontour\", - name: \"envoy\" }." + description: |- + Service holds Envoy service parameters for setting Ingress status. + Contour's default is { namespace: "projectcontour", name: "envoy" }. properties: name: type: string @@ -4148,95 +4187,100 @@ spec: - namespace type: object timeouts: - description: Timeouts holds various configurable timeouts - that can be set in the config file. + description: |- + Timeouts holds various configurable timeouts that can + be set in the config file. properties: connectTimeout: - description: "ConnectTimeout defines how long the proxy - should wait when establishing connection to upstream - service. If not set, a default value of 2 seconds will - be used. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout - for more information." + description: |- + ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. + If not set, a default value of 2 seconds will be used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout + for more information. type: string connectionIdleTimeout: - description: "ConnectionIdleTimeout defines how long the - proxy should wait while there are no active requests - (for HTTP/1.1) or streams (for HTTP/2) before terminating - an HTTP connection. Set to \"infinity\" to disable the - timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout - for more information." + description: |- + ConnectionIdleTimeout defines how long the proxy should wait while there are + no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating + an HTTP connection. Set to "infinity" to disable the timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout + for more information. type: string connectionShutdownGracePeriod: - description: "ConnectionShutdownGracePeriod defines how - long the proxy will wait between sending an initial - GOAWAY frame and a second, final GOAWAY frame when terminating - an HTTP/2 connection. During this grace period, the - proxy will continue to respond to new streams. After - the final GOAWAY frame has been sent, the proxy will - refuse new streams. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout - for more information." + description: |- + ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an + initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection. + During this grace period, the proxy will continue to respond to new streams. After the final + GOAWAY frame has been sent, the proxy will refuse new streams. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout + for more information. type: string delayedCloseTimeout: - description: "DelayedCloseTimeout defines how long envoy - will wait, once connection close processing has been - initiated, for the downstream peer to close the connection - before Envoy closes the socket associated with the connection. - \n Setting this timeout to 'infinity' will disable it, - equivalent to setting it to '0' in Envoy. Leaving it - unset will result in the Envoy default value being used. - \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout - for more information." + description: |- + DelayedCloseTimeout defines how long envoy will wait, once connection + close processing has been initiated, for the downstream peer to close + the connection before Envoy closes the socket associated with the connection. + Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0' + in Envoy. Leaving it unset will result in the Envoy default value being used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout + for more information. type: string maxConnectionDuration: - description: "MaxConnectionDuration defines the maximum - period of time after an HTTP connection has been established - from the client to the proxy before it is closed by - the proxy, regardless of whether there has been activity - or not. Omit or set to \"infinity\" for no max duration. - \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration - for more information." + description: |- + MaxConnectionDuration defines the maximum period of time after an HTTP connection + has been established from the client to the proxy before it is closed by the proxy, + regardless of whether there has been activity or not. Omit or set to "infinity" for + no max duration. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration + for more information. type: string requestTimeout: - description: "RequestTimeout sets the client request timeout - globally for Contour. Note that this is a timeout for - the entire request, not an idle timeout. Omit or set - to \"infinity\" to disable the timeout entirely. \n + description: |- + RequestTimeout sets the client request timeout globally for Contour. Note that + this is a timeout for the entire request, not an idle timeout. Omit or set to + "infinity" to disable the timeout entirely. See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout - for more information." + for more information. type: string streamIdleTimeout: - description: "StreamIdleTimeout defines how long the proxy - should wait while there is no request activity (for - HTTP/1.1) or stream activity (for HTTP/2) before terminating - the HTTP request or stream. Set to \"infinity\" to disable - the timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout - for more information." + description: |- + StreamIdleTimeout defines how long the proxy should wait while there is no + request activity (for HTTP/1.1) or stream activity (for HTTP/2) before + terminating the HTTP request or stream. Set to "infinity" to disable the + timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout + for more information. type: string type: object type: object featureFlags: - description: 'FeatureFlags defines toggle to enable new contour - features. Available toggles are: useEndpointSlices - configures - contour to fetch endpoint data from k8s endpoint slices. defaults - to false and reading endpoint data from the k8s endpoints.' + description: |- + FeatureFlags defines toggle to enable new contour features. + Available toggles are: + useEndpointSlices - configures contour to fetch endpoint data + from k8s endpoint slices. defaults to false and reading endpoint + data from the k8s endpoints. items: type: string type: array gateway: - description: Gateway contains parameters for the gateway-api Gateway - that Contour is configured to serve traffic. + description: |- + Gateway contains parameters for the gateway-api Gateway that Contour + is configured to serve traffic. properties: controllerName: - description: ControllerName is used to determine whether Contour - should reconcile a GatewayClass. The string takes the form - of "projectcontour.io//contour". If unset, the - gatewayclass controller will not be started. Exactly one - of ControllerName or GatewayRef must be set. + description: |- + ControllerName is used to determine whether Contour should reconcile a + GatewayClass. The string takes the form of "projectcontour.io//contour". + If unset, the gatewayclass controller will not be started. + Exactly one of ControllerName or GatewayRef must be set. type: string gatewayRef: - description: GatewayRef defines a specific Gateway that this - Contour instance corresponds to. If set, Contour will reconcile - only this gateway, and will not reconcile any gateway classes. + description: |- + GatewayRef defines a specific Gateway that this Contour + instance corresponds to. If set, Contour will reconcile + only this gateway, and will not reconcile any gateway + classes. Exactly one of ControllerName or GatewayRef must be set. properties: name: @@ -4249,26 +4293,29 @@ spec: type: object type: object globalExtAuth: - description: GlobalExternalAuthorization allows envoys external - authorization filter to be enabled for all virtual hosts. + description: |- + GlobalExternalAuthorization allows envoys external authorization filter + to be enabled for all virtual hosts. properties: authPolicy: - description: AuthPolicy sets a default authorization policy - for client requests. This policy will be used unless overridden - by individual routes. + description: |- + AuthPolicy sets a default authorization policy for client requests. + This policy will be used unless overridden by individual routes. properties: context: additionalProperties: type: string - description: Context is a set of key/value pairs that - are sent to the authentication server in the check request. - If a context is provided at an enclosing scope, the - entries are merged such that the inner scope overrides - matching keys from the outer scope. + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. type: object disabled: - description: When true, this field disables client request - authentication for the scope of the policy. + description: |- + When true, this field disables client request authentication + for the scope of the policy. type: boolean type: object extensionRef: @@ -4276,36 +4323,38 @@ spec: that will authorize client requests. properties: apiVersion: - description: API version of the referent. If this field - is not specified, the default "projectcontour.io/v1alpha1" - will be used + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used minLength: 1 type: string name: - description: "Name of the referent. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names minLength: 1 type: string namespace: - description: "Namespace of the referent. If this field - is not specifies, the namespace of the resource that - targets the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ minLength: 1 type: string type: object failOpen: - description: If FailOpen is true, the client request is forwarded - to the upstream service even if the authorization server - fails to respond. This field should not be set in most cases. - It is intended for use only while migrating applications + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the authorization server fails to respond. This field should not be + set in most cases. It is intended for use only while migrating applications from internal authorization to Contour external authorization. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time to wait - for a check response from the authorization server. Timeout - durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", - "h". The string "infinity" is also a valid input and specifies - no timeout. + description: |- + ResponseTimeout configures maximum time to wait for a check response from the authorization server. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string withRequestBody: @@ -4330,9 +4379,9 @@ spec: type: object type: object health: - description: "Health defines the endpoints Contour uses to serve - health checks. \n Contour's default is { address: \"0.0.0.0\", - port: 8000 }." + description: |- + Health defines the endpoints Contour uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8000 }. properties: address: description: Defines the health address interface. @@ -4346,14 +4395,15 @@ spec: description: HTTPProxy defines parameters on HTTPProxy. properties: disablePermitInsecure: - description: "DisablePermitInsecure disables the use of the - permitInsecure field in HTTPProxy. \n Contour's default - is false." + description: |- + DisablePermitInsecure disables the use of the + permitInsecure field in HTTPProxy. + Contour's default is false. type: boolean fallbackCertificate: - description: FallbackCertificate defines the namespace/name - of the Kubernetes secret to use as fallback when a non-SNI - request is received. + description: |- + FallbackCertificate defines the namespace/name of the Kubernetes secret to + use as fallback when a non-SNI request is received. properties: name: type: string @@ -4383,9 +4433,9 @@ spec: type: string type: object metrics: - description: "Metrics defines the endpoint Contour uses to serve - metrics. \n Contour's default is { address: \"0.0.0.0\", port: - 8000 }." + description: |- + Metrics defines the endpoint Contour uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8000 }. properties: address: description: Defines the metrics address interface. @@ -4396,9 +4446,9 @@ spec: description: Defines the metrics port. type: integer tls: - description: TLS holds TLS file config details. Metrics and - health endpoints cannot have same port number when metrics - is served over HTTPS. + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. properties: caFile: description: CA filename. @@ -4416,8 +4466,9 @@ spec: by the user properties: applyToIngress: - description: "ApplyToIngress determines if the Policies will - apply to ingress objects \n Contour's default is false." + description: |- + ApplyToIngress determines if the Policies will apply to ingress objects + Contour's default is false. type: boolean requestHeaders: description: RequestHeadersPolicy defines the request headers @@ -4447,18 +4498,20 @@ spec: type: object type: object rateLimitService: - description: RateLimitService optionally holds properties of the - Rate Limit Service to be used for global rate limiting. + description: |- + RateLimitService optionally holds properties of the Rate Limit Service + to be used for global rate limiting. properties: defaultGlobalRateLimitPolicy: - description: DefaultGlobalRateLimitPolicy allows setting a - default global rate limit policy for every HTTPProxy. HTTPProxy - can overwrite this configuration. + description: |- + DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. + HTTPProxy can overwrite this configuration. properties: descriptors: - description: Descriptors defines the list of descriptors - that will be generated and sent to the rate limit service. - Each descriptor contains 1+ key-value pair entries. + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries. items: description: RateLimitDescriptor defines a list of key-value pair generators. @@ -4467,18 +4520,18 @@ spec: description: Entries is the list of key-value pair generators. items: - description: RateLimitDescriptorEntry is a key-value - pair generator. Exactly one field on this struct - must be non-nil. + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. properties: genericKey: description: GenericKey defines a descriptor entry with a static key and value. properties: key: - description: Key defines the key of the - descriptor entry. If not set, the key - is set to "generic_key". + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". type: string value: description: Value defines the value of @@ -4487,17 +4540,15 @@ spec: type: string type: object remoteAddress: - description: RemoteAddress defines a descriptor - entry with a key of "remote_address" and - a value equal to the client's IP address - (from x-forwarded-for). + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). type: object requestHeader: - description: RequestHeader defines a descriptor - entry that's populated only if a given header - is present on the request. The descriptor - key is static, and the descriptor value - is equal to the value of the header. + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. properties: descriptorKey: description: DescriptorKey defines the @@ -4511,42 +4562,36 @@ spec: type: string type: object requestHeaderValueMatch: - description: RequestHeaderValueMatch defines - a descriptor entry that's populated if the - request's headers match a set of 1+ match - criteria. The descriptor key is "header_match", - and the descriptor value is static. + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. properties: expectMatch: default: true - description: ExpectMatch defines whether - the request must positively match the - match criteria in order to generate - a descriptor entry (i.e. true), or not - match the match criteria in order to - generate a descriptor entry (i.e. false). + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). The default is true. type: boolean headers: - description: Headers is a list of 1+ match - criteria to apply against the request - to determine whether to populate the - descriptor entry or not. + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. items: - description: HeaderMatchCondition specifies - how to conditionally match against - HTTP headers. The Name field is required, - only one of Present, NotPresent, Contains, - NotContains, Exact, NotExact and Regex - can be set. For negative matching - rules only (e.g. NotContains or NotExact) - you can set TreatMissingAsEmpty. IgnoreCase - has no effect for Regex. + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex. properties: contains: - description: Contains specifies - a substring that must be present - in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string @@ -4554,61 +4599,49 @@ spec: equal to. type: string ignoreCase: - description: IgnoreCase specifies - that string matching should be - case insensitive. Note that this - has no effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of - the header to match against. Name - is required. Header names are - case insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies - a substring that must not be present + description: |- + NotContains specifies a substring that must not be present in the header value. type: string notexact: - description: NoExact specifies a - string that the header value must - not be equal to. The condition - is true if the header has any - other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies - that condition is true when the - named header is not present. Note - that setting NotPresent to false - does not make the condition true - if the named header is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that - condition is true when the named - header is present, regardless - of its value. Note that setting - Present to false does not make - the condition true if the named - header is absent. + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. type: boolean regex: - description: Regex specifies a regular - expression pattern that must match - the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty - specifies if the header match - rule specified header does not - exist, this header value will - be treated as empty. Defaults - to false. Unlike the underlying - Envoy implementation this is **only** - supported for negative matches - (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -4628,25 +4661,26 @@ spec: minItems: 1 type: array disabled: - description: Disabled configures the HTTPProxy to not - use the default global rate limit policy defined by - the Contour configuration. + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. type: boolean type: object domain: description: Domain is passed to the Rate Limit Service. type: string enableResourceExhaustedCode: - description: EnableResourceExhaustedCode enables translating - error code 429 to grpc code RESOURCE_EXHAUSTED. When disabled - it's translated to UNAVAILABLE + description: |- + EnableResourceExhaustedCode enables translating error code 429 to + grpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE type: boolean enableXRateLimitHeaders: - description: "EnableXRateLimitHeaders defines whether to include - the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining, - and X-RateLimit-Reset (as defined by the IETF Internet-Draft - linked below), on responses to clients when the Rate Limit - Service is consulted for a request. \n ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html" + description: |- + EnableXRateLimitHeaders defines whether to include the X-RateLimit + headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset + (as defined by the IETF Internet-Draft linked below), on responses + to clients when the Rate Limit Service is consulted for a request. + ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html type: boolean extensionService: description: ExtensionService identifies the extension service @@ -4661,10 +4695,10 @@ spec: - namespace type: object failOpen: - description: FailOpen defines whether to allow requests to - proceed when the Rate Limit Service fails to respond with - a valid rate limit decision within the timeout defined on - the extension service. + description: |- + FailOpen defines whether to allow requests to proceed when the + Rate Limit Service fails to respond with a valid rate limit + decision within the timeout defined on the extension service. type: boolean required: - extensionService @@ -4677,17 +4711,20 @@ spec: description: CustomTags defines a list of custom tags with unique tag name. items: - description: CustomTag defines custom tags with unique tag - name to create tags for the active span. + description: |- + CustomTag defines custom tags with unique tag name + to create tags for the active span. properties: literal: - description: Literal is a static custom tag value. Precisely - one of Literal, RequestHeaderName must be set. + description: |- + Literal is a static custom tag value. + Precisely one of Literal, RequestHeaderName must be set. type: string requestHeaderName: - description: RequestHeaderName indicates which request - header the label value is obtained from. Precisely - one of Literal, RequestHeaderName must be set. + description: |- + RequestHeaderName indicates which request header + the label value is obtained from. + Precisely one of Literal, RequestHeaderName must be set. type: string tagName: description: TagName is the unique name of the custom @@ -4710,24 +4747,27 @@ spec: - namespace type: object includePodDetail: - description: 'IncludePodDetail defines a flag. If it is true, - contour will add the pod name and namespace to the span - of the trace. the default is true. Note: The Envoy pods - MUST have the HOSTNAME and CONTOUR_NAMESPACE environment - variables set for this to work properly.' + description: |- + IncludePodDetail defines a flag. + If it is true, contour will add the pod name and namespace to the span of the trace. + the default is true. + Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly. type: boolean maxPathTagLength: - description: MaxPathTagLength defines maximum length of the - request path to extract and include in the HttpUrl tag. + description: |- + MaxPathTagLength defines maximum length of the request path + to extract and include in the HttpUrl tag. contour's default is 256. format: int32 type: integer overallSampling: - description: OverallSampling defines the sampling rate of - trace data. contour's default is 100. + description: |- + OverallSampling defines the sampling rate of trace data. + contour's default is 100. type: string serviceName: - description: ServiceName defines the name for the service. + description: |- + ServiceName defines the name for the service. contour's default is contour. type: string required: @@ -4737,18 +4777,20 @@ spec: description: XDSServer contains parameters for the xDS server. properties: address: - description: "Defines the xDS gRPC API address which Contour - will serve. \n Contour's default is \"0.0.0.0\"." + description: |- + Defines the xDS gRPC API address which Contour will serve. + Contour's default is "0.0.0.0". minLength: 1 type: string port: - description: "Defines the xDS gRPC API port which Contour - will serve. \n Contour's default is 8001." + description: |- + Defines the xDS gRPC API port which Contour will serve. + Contour's default is 8001. type: integer tls: - description: "TLS holds TLS file config details. \n Contour's - default is { caFile: \"/certs/ca.crt\", certFile: \"/certs/tls.cert\", - keyFile: \"/certs/tls.key\", insecure: false }." + description: |- + TLS holds TLS file config details. + Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }. properties: caFile: description: CA filename. @@ -4764,9 +4806,10 @@ spec: type: string type: object type: - description: "Defines the XDSServer to use for `contour serve`. - \n Values: `contour` (default), `envoy`. \n Other values - will produce an error." + description: |- + Defines the XDSServer to use for `contour serve`. + Values: `contour` (default), `envoy`. + Other values will produce an error. type: string type: object type: object @@ -4780,42 +4823,42 @@ spec: resource. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -4829,11 +4872,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -4859,7 +4903,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: extensionservices.projectcontour.io spec: preserveUnknownFields: false @@ -4877,19 +4921,26 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ExtensionService is the schema for the Contour extension services - API. An ExtensionService resource binds a network service to the Contour - API so that Contour API features can be implemented by collaborating components. + description: |- + ExtensionService is the schema for the Contour extension services API. + An ExtensionService resource binds a network service to the Contour + API so that Contour API features can be implemented by collaborating + components. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4898,101 +4949,111 @@ spec: resource. properties: loadBalancerPolicy: - description: The policy for load balancing GRPC service requests. - Note that the `Cookie` and `RequestHash` load balancing strategies - cannot be used here. + description: |- + The policy for load balancing GRPC service requests. Note that the + `Cookie` and `RequestHash` load balancing strategies cannot be used + here. properties: requestHashPolicies: - description: RequestHashPolicies contains a list of hash policies - to apply when the `RequestHash` load balancing strategy is chosen. - If an element of the supplied list of hash policies is invalid, - it will be ignored. If the list of hash policies is empty after - validation, the load balancing strategy will fall back to the - default `RoundRobin`. + description: |- + RequestHashPolicies contains a list of hash policies to apply when the + `RequestHash` load balancing strategy is chosen. If an element of the + supplied list of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load balancing + strategy will fall back to the default `RoundRobin`. items: - description: RequestHashPolicy contains configuration for an - individual hash policy on a request attribute. + description: |- + RequestHashPolicy contains configuration for an individual hash policy + on a request attribute. properties: hashSourceIP: - description: HashSourceIP should be set to true when request - source IP hash based load balancing is desired. It must - be the only hash option field set, otherwise this request - hash policy object will be ignored. + description: |- + HashSourceIP should be set to true when request source IP hash based + load balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. type: boolean headerHashOptions: - description: HeaderHashOptions should be set when request - header hash based load balancing is desired. It must be - the only hash option field set, otherwise this request - hash policy object will be ignored. + description: |- + HeaderHashOptions should be set when request header hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: headerName: - description: HeaderName is the name of the HTTP request - header that will be used to calculate the hash key. - If the header specified is not present on a request, - no hash will be produced. + description: |- + HeaderName is the name of the HTTP request header that will be used to + calculate the hash key. If the header specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object queryParameterHashOptions: - description: QueryParameterHashOptions should be set when - request query parameter hash based load balancing is desired. - It must be the only hash option field set, otherwise this - request hash policy object will be ignored. + description: |- + QueryParameterHashOptions should be set when request query parameter hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: parameterName: - description: ParameterName is the name of the HTTP request - query parameter that will be used to calculate the - hash key. If the query parameter specified is not - present on a request, no hash will be produced. + description: |- + ParameterName is the name of the HTTP request query parameter that will be used to + calculate the hash key. If the query parameter specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object terminal: - description: Terminal is a flag that allows for short-circuiting - computing of a hash for a given request. If set to true, - and the request attribute specified in the attribute hash - options is present, no further hash policies will be used - to calculate a hash for the request. + description: |- + Terminal is a flag that allows for short-circuiting computing of a hash + for a given request. If set to true, and the request attribute specified + in the attribute hash options is present, no further hash policies will + be used to calculate a hash for the request. type: boolean type: object type: array strategy: - description: Strategy specifies the policy used to balance requests - across the pool of backend pods. Valid policy names are `Random`, - `RoundRobin`, `WeightedLeastRequest`, `Cookie`, and `RequestHash`. - If an unknown strategy name is specified or no policy is supplied, - the default `RoundRobin` policy is used. + description: |- + Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are + `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + and `RequestHash`. If an unknown strategy name is specified + or no policy is supplied, the default `RoundRobin` policy + is used. type: string type: object protocol: - description: Protocol may be used to specify (or override) the protocol - used to reach this Service. Values may be h2 or h2c. If omitted, - protocol-selection falls back on Service annotations. + description: |- + Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be h2 or h2c. If omitted, protocol-selection falls back on Service annotations. enum: - h2 - h2c type: string protocolVersion: - description: This field sets the version of the GRPC protocol that - Envoy uses to send requests to the extension service. Since Contour - always uses the v3 Envoy API, this is currently fixed at "v3". However, - other protocol options will be available in future. + description: |- + This field sets the version of the GRPC protocol that Envoy uses to + send requests to the extension service. Since Contour always uses the + v3 Envoy API, this is currently fixed at "v3". However, other + protocol options will be available in future. enum: - v3 type: string services: - description: Services specifies the set of Kubernetes Service resources - that receive GRPC extension API requests. If no weights are specified - for any of the entries in this array, traffic will be spread evenly - across all the services. Otherwise, traffic is balanced proportionally - to the Weight field in each entry. + description: |- + Services specifies the set of Kubernetes Service resources that + receive GRPC extension API requests. + If no weights are specified for any of the entries in + this array, traffic will be spread evenly across all the + services. + Otherwise, traffic is balanced proportionally to the + Weight field in each entry. items: - description: ExtensionServiceTarget defines an Kubernetes Service - to target with extension service traffic. + description: |- + ExtensionServiceTarget defines an Kubernetes Service to target with + extension service traffic. properties: name: - description: Name is the name of Kubernetes service that will - accept service traffic. + description: |- + Name is the name of Kubernetes service that will accept service + traffic. type: string port: description: Port (defined as Integer) to proxy traffic to since @@ -5016,24 +5077,23 @@ spec: description: The timeout policy for requests to the services. properties: idle: - description: Timeout for how long the proxy should wait while - there is no activity during single request/response (for HTTP/1.1) - or stream (for HTTP/2). Timeout will not trigger while HTTP/1.1 - connection is idle between two consecutive requests. If not - specified, there is no per-route idle timeout, though a connection - manager-wide stream_idle_timeout default of 5m still applies. + description: |- + Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2). + Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests. + If not specified, there is no per-route idle timeout, though a connection manager-wide + stream_idle_timeout default of 5m still applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string idleConnection: - description: Timeout for how long connection from the proxy to - the upstream service is kept when there are no active requests. + description: |- + Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests. If not supplied, Envoy's default value of 1h applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string response: - description: Timeout for receiving a response from the server - after processing a request from client. If not supplied, Envoy's - default value of 15s applies. + description: |- + Timeout for receiving a response from the server after processing a request from client. + If not supplied, Envoy's default value of 15s applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string type: object @@ -5042,27 +5102,26 @@ spec: service's certificate properties: caSecret: - description: Name or namespaced name of the Kubernetes secret - used to validate the certificate presented by the backend. The - secret must contain key named ca.crt. The name can be optionally - prefixed with namespace "namespace/name". When cross-namespace - reference is used, TLSCertificateDelegation resource must exist - in the namespace to grant access to the secret. Max length should - be the actual max possible length of a namespaced name (63 + - 253 + 1 = 317) + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) maxLength: 317 minLength: 1 type: string subjectName: - description: 'Key which is expected to be present in the ''subjectAltName'' - of the presented certificate. Deprecated: migrate to using the - plural field subjectNames.' + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. maxLength: 250 minLength: 1 type: string subjectNames: - description: List of keys, of which at least one is expected to - be present in the 'subjectAltName of the presented certificate. + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the + presented certificate. items: type: string maxItems: 8 @@ -5080,75 +5139,67 @@ spec: - services type: object status: - description: ExtensionServiceStatus defines the observed state of an ExtensionService - resource. + description: |- + ExtensionServiceStatus defines the observed state of an + ExtensionService resource. properties: conditions: - description: "Conditions contains the current status of the ExtensionService - resource. \n Contour will update a single condition, `Valid`, that - is in normal-true polarity. \n Contour will not modify any other - Conditions set in this block, in case some other controller wants - to add a Condition." + description: |- + Conditions contains the current status of the ExtensionService resource. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + Contour will not modify any other Conditions set in this block, + in case some other controller wants to add a Condition. items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. - \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. \n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. properties: errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -5162,10 +5213,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -5177,32 +5228,31 @@ spec: type: object type: array lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -5216,43 +5266,42 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -5266,10 +5315,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -5302,7 +5351,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: httpproxies.projectcontour.io spec: preserveUnknownFields: false @@ -5340,14 +5389,19 @@ spec: description: HTTPProxy is an Ingress CRD specification. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -5355,28 +5409,31 @@ spec: description: HTTPProxySpec defines the spec of the CRD. properties: includes: - description: Includes allow for specific routing configuration to - be included from another HTTPProxy, possibly in another namespace. + description: |- + Includes allow for specific routing configuration to be included from another HTTPProxy, + possibly in another namespace. items: description: Include describes a set of policies that can be applied to an HTTPProxy in a namespace. properties: conditions: - description: 'Conditions are a set of rules that are applied - to included HTTPProxies. In effect, they are added onto the - Conditions of included HTTPProxy Route structs. When applied, - they are merged using AND, with one exception: There can be - only one Prefix MatchCondition per Conditions slice. More - than one Prefix, or contradictory Conditions, will make the - include invalid. Exact and Regex match conditions are not - allowed on includes.' + description: |- + Conditions are a set of rules that are applied to included HTTPProxies. + In effect, they are added onto the Conditions of included HTTPProxy Route + structs. + When applied, they are merged using AND, with one exception: + There can be only one Prefix MatchCondition per Conditions slice. + More than one Prefix, or contradictory Conditions, will make the + include invalid. Exact and Regex match conditions are not allowed + on includes. items: - description: MatchCondition are a general holder for matching - rules for HTTPProxies. One of Prefix, Exact, Regex, Header - or QueryParameter must be provided. + description: |- + MatchCondition are a general holder for matching rules for HTTPProxies. + One of Prefix, Exact, Regex, Header or QueryParameter must be provided. properties: exact: - description: Exact defines a exact match for a request. + description: |- + Exact defines a exact match for a request. This field is not allowed in include match conditions. type: string header: @@ -5384,56 +5441,58 @@ spec: match. properties: contains: - description: Contains specifies a substring that must - be present in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string that the header value must be equal to. type: string ignoreCase: - description: IgnoreCase specifies that string matching - should be case insensitive. Note that this has no - effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the header to match - against. Name is required. Header names are case - insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies a substring that - must not be present in the header value. + description: |- + NotContains specifies a substring that must not be present + in the header value. type: string notexact: - description: NoExact specifies a string that the header - value must not be equal to. The condition is true - if the header has any other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies that condition is - true when the named header is not present. Note - that setting NotPresent to false does not make the - condition true if the named header is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that condition is true - when the named header is present, regardless of - its value. Note that setting Present to false does - not make the condition true if the named header + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header is absent. type: boolean regex: - description: Regex specifies a regular expression - pattern that must match the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty specifies if the - header match rule specified header does not exist, - this header value will be treated as empty. Defaults - to false. Unlike the underlying Envoy implementation - this is **only** supported for negative matches - (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -5446,37 +5505,39 @@ spec: condition to match. properties: contains: - description: Contains specifies a substring that must - be present in the query parameter value. + description: |- + Contains specifies a substring that must be present in + the query parameter value. type: string exact: description: Exact specifies a string that the query parameter value must be equal to. type: string ignoreCase: - description: IgnoreCase specifies that string matching - should be case insensitive. Note that this has no - effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the query parameter - to match against. Name is required. Query parameter - names are case insensitive. + description: |- + Name is the name of the query parameter to match against. Name is required. + Query parameter names are case insensitive. type: string prefix: description: Prefix defines a prefix match for the query parameter value. type: string present: - description: Present specifies that condition is true - when the named query parameter is present, regardless - of its value. Note that setting Present to false - does not make the condition true if the named query - parameter is absent. + description: |- + Present specifies that condition is true when the named query parameter + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named query parameter + is absent. type: boolean regex: - description: Regex specifies a regular expression - pattern that must match the query parameter value. + description: |- + Regex specifies a regular expression pattern that must match the query + parameter value. type: string suffix: description: Suffix defines a suffix match for a query @@ -5486,7 +5547,8 @@ spec: - name type: object regex: - description: Regex defines a regex match for a request. + description: |- + Regex defines a regex match for a request. This field is not allowed in include match conditions. type: string type: object @@ -5503,10 +5565,11 @@ spec: type: object type: array ingressClassName: - description: IngressClassName optionally specifies the ingress class - to use for this HTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class` - annotation. For backwards compatibility, when that annotation is - set, it is given precedence over this field. + description: |- + IngressClassName optionally specifies the ingress class to use for this + HTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class` + annotation. For backwards compatibility, when that annotation is set, it + is given precedence over this field. type: string routes: description: Routes are the ingress routes. If TCPProxy is present, @@ -5515,38 +5578,42 @@ spec: description: Route contains the set of routes for a virtual host. properties: authPolicy: - description: AuthPolicy updates the authorization policy that - was set on the root HTTPProxy object for client requests that + description: |- + AuthPolicy updates the authorization policy that was set + on the root HTTPProxy object for client requests that match this route. properties: context: additionalProperties: type: string - description: Context is a set of key/value pairs that are - sent to the authentication server in the check request. - If a context is provided at an enclosing scope, the entries - are merged such that the inner scope overrides matching - keys from the outer scope. + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. type: object disabled: - description: When true, this field disables client request - authentication for the scope of the policy. + description: |- + When true, this field disables client request authentication + for the scope of the policy. type: boolean type: object conditions: - description: 'Conditions are a set of rules that are applied - to a Route. When applied, they are merged using AND, with - one exception: There can be only one Prefix, Exact or Regex - MatchCondition per Conditions slice. More than one of these - condition types, or contradictory Conditions, will make the - route invalid.' + description: |- + Conditions are a set of rules that are applied to a Route. + When applied, they are merged using AND, with one exception: + There can be only one Prefix, Exact or Regex MatchCondition + per Conditions slice. More than one of these condition types, + or contradictory Conditions, will make the route invalid. items: - description: MatchCondition are a general holder for matching - rules for HTTPProxies. One of Prefix, Exact, Regex, Header - or QueryParameter must be provided. + description: |- + MatchCondition are a general holder for matching rules for HTTPProxies. + One of Prefix, Exact, Regex, Header or QueryParameter must be provided. properties: exact: - description: Exact defines a exact match for a request. + description: |- + Exact defines a exact match for a request. This field is not allowed in include match conditions. type: string header: @@ -5554,56 +5621,58 @@ spec: match. properties: contains: - description: Contains specifies a substring that must - be present in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string that the header value must be equal to. type: string ignoreCase: - description: IgnoreCase specifies that string matching - should be case insensitive. Note that this has no - effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the header to match - against. Name is required. Header names are case - insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies a substring that - must not be present in the header value. + description: |- + NotContains specifies a substring that must not be present + in the header value. type: string notexact: - description: NoExact specifies a string that the header - value must not be equal to. The condition is true - if the header has any other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies that condition is - true when the named header is not present. Note - that setting NotPresent to false does not make the - condition true if the named header is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that condition is true - when the named header is present, regardless of - its value. Note that setting Present to false does - not make the condition true if the named header + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header is absent. type: boolean regex: - description: Regex specifies a regular expression - pattern that must match the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty specifies if the - header match rule specified header does not exist, - this header value will be treated as empty. Defaults - to false. Unlike the underlying Envoy implementation - this is **only** supported for negative matches - (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -5616,37 +5685,39 @@ spec: condition to match. properties: contains: - description: Contains specifies a substring that must - be present in the query parameter value. + description: |- + Contains specifies a substring that must be present in + the query parameter value. type: string exact: description: Exact specifies a string that the query parameter value must be equal to. type: string ignoreCase: - description: IgnoreCase specifies that string matching - should be case insensitive. Note that this has no - effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the query parameter - to match against. Name is required. Query parameter - names are case insensitive. + description: |- + Name is the name of the query parameter to match against. Name is required. + Query parameter names are case insensitive. type: string prefix: description: Prefix defines a prefix match for the query parameter value. type: string present: - description: Present specifies that condition is true - when the named query parameter is present, regardless - of its value. Note that setting Present to false - does not make the condition true if the named query - parameter is absent. + description: |- + Present specifies that condition is true when the named query parameter + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named query parameter + is absent. type: boolean regex: - description: Regex specifies a regular expression - pattern that must match the query parameter value. + description: |- + Regex specifies a regular expression pattern that must match the query + parameter value. type: string suffix: description: Suffix defines a suffix match for a query @@ -5656,24 +5727,28 @@ spec: - name type: object regex: - description: Regex defines a regex match for a request. + description: |- + Regex defines a regex match for a request. This field is not allowed in include match conditions. type: string type: object type: array cookieRewritePolicies: - description: The policies for rewriting Set-Cookie header attributes. - Note that rewritten cookie names must be unique in this list. - Order rewrite policies are specified in does not matter. + description: |- + The policies for rewriting Set-Cookie header attributes. Note that + rewritten cookie names must be unique in this list. Order rewrite + policies are specified in does not matter. items: properties: domainRewrite: - description: DomainRewrite enables rewriting the Set-Cookie - Domain element. If not set, Domain will not be rewritten. + description: |- + DomainRewrite enables rewriting the Set-Cookie Domain element. + If not set, Domain will not be rewritten. properties: value: - description: Value is the value to rewrite the Domain - attribute to. For now this is required. + description: |- + Value is the value to rewrite the Domain attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -5689,12 +5764,14 @@ spec: pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ type: string pathRewrite: - description: PathRewrite enables rewriting the Set-Cookie - Path element. If not set, Path will not be rewritten. + description: |- + PathRewrite enables rewriting the Set-Cookie Path element. + If not set, Path will not be rewritten. properties: value: - description: Value is the value to rewrite the Path - attribute to. For now this is required. + description: |- + Value is the value to rewrite the Path attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ @@ -5703,17 +5780,18 @@ spec: - value type: object sameSite: - description: SameSite enables rewriting the Set-Cookie - SameSite element. If not set, SameSite attribute will - not be rewritten. + description: |- + SameSite enables rewriting the Set-Cookie SameSite element. + If not set, SameSite attribute will not be rewritten. enum: - Strict - Lax - None type: string secure: - description: Secure enables rewriting the Set-Cookie Secure - element. If not set, Secure attribute will not be rewritten. + description: |- + Secure enables rewriting the Set-Cookie Secure element. + If not set, Secure attribute will not be rewritten. type: boolean required: - name @@ -5724,11 +5802,11 @@ spec: response directly. properties: body: - description: "Body is the content of the response body. - If this setting is omitted, no body is included in the - generated response. \n Note: Body is not recommended to - set too long otherwise it can have significant resource - usage impacts." + description: |- + Body is the content of the response body. + If this setting is omitted, no body is included in the generated response. + Note: Body is not recommended to set too long + otherwise it can have significant resource usage impacts. type: string statusCode: description: StatusCode is the HTTP response status to be @@ -5746,11 +5824,11 @@ spec: description: The health check policy for this route. properties: expectedStatuses: - description: The ranges of HTTP response statuses considered - healthy. Follow half-open semantics, i.e. for each range - the start is inclusive and the end is exclusive. Must - be within the range [100,600). If not specified, only - a 200 response status is considered healthy. + description: |- + The ranges of HTTP response statuses considered healthy. Follow half-open + semantics, i.e. for each range the start is inclusive and the end is exclusive. + Must be within the range [100,600). If not specified, only a 200 response status + is considered healthy. items: properties: end: @@ -5779,9 +5857,10 @@ spec: minimum: 0 type: integer host: - description: The value of the host header in the HTTP health - check request. If left empty (default value), the name - "contour-envoy-healthcheck" will be used. + description: |- + The value of the host header in the HTTP health check request. + If left empty (default value), the name "contour-envoy-healthcheck" + will be used. type: string intervalSeconds: description: The interval (seconds) between health checks @@ -5811,35 +5890,32 @@ spec: properties: allowCrossSchemeRedirect: default: Never - description: AllowCrossSchemeRedirect Allow internal redirect - to follow a target URI with a different scheme than the - value of x-forwarded-proto. SafeOnly allows same scheme - redirect and safe cross scheme redirect, which means if - the downstream scheme is HTTPS, both HTTPS and HTTP redirect - targets are allowed, but if the downstream scheme is HTTP, - only HTTP redirect targets are allowed. + description: |- + AllowCrossSchemeRedirect Allow internal redirect to follow a target URI with a different scheme + than the value of x-forwarded-proto. + SafeOnly allows same scheme redirect and safe cross scheme redirect, which means if the downstream + scheme is HTTPS, both HTTPS and HTTP redirect targets are allowed, but if the downstream scheme + is HTTP, only HTTP redirect targets are allowed. enum: - Always - Never - SafeOnly type: string denyRepeatedRouteRedirect: - description: If DenyRepeatedRouteRedirect is true, rejects - redirect targets that are pointing to a route that has - been followed by a previous redirect from the current - route. + description: |- + If DenyRepeatedRouteRedirect is true, rejects redirect targets that are pointing to a route that has + been followed by a previous redirect from the current route. type: boolean maxInternalRedirects: - description: MaxInternalRedirects An internal redirect is - not handled, unless the number of previous internal redirects - that a downstream request has encountered is lower than - this value. + description: |- + MaxInternalRedirects An internal redirect is not handled, unless the number of previous internal + redirects that a downstream request has encountered is lower than this value. format: int32 type: integer redirectResponseCodes: - description: RedirectResponseCodes If unspecified, only - 302 will be treated as internal redirect. Only 301, 302, - 303, 307 and 308 are valid values. + description: |- + RedirectResponseCodes If unspecified, only 302 will be treated as internal redirect. + Only 301, 302, 303, 307 and 308 are valid values. items: description: RedirectResponseCode is a uint32 type alias with validation to ensure that the value is valid. @@ -5854,25 +5930,26 @@ spec: type: array type: object ipAllowPolicy: - description: IPAllowFilterPolicy is a list of ipv4/6 filter - rules for which matching requests should be allowed. All other - requests will be denied. Only one of IPAllowFilterPolicy and - IPDenyFilterPolicy can be defined. The rules defined here - override any rules set on the root HTTPProxy. + description: |- + IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be allowed. All other requests will be denied. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here override any rules set on the root HTTPProxy. items: properties: cidr: - description: CIDR is a CIDR block of ipv4 or ipv6 addresses - to filter on. This can also be a bare IP address (without - a mask) to filter on exactly one address. + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. type: string source: - description: 'Source indicates how to determine the ip - address to filter on, and can be one of two values: - - `Remote` filters on the ip address of the client, - accounting for PROXY and X-Forwarded-For as needed. - - `Peer` filters on the ip of the network request, ignoring - PROXY and X-Forwarded-For.' + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. enum: - Peer - Remote @@ -5883,25 +5960,26 @@ spec: type: object type: array ipDenyPolicy: - description: IPDenyFilterPolicy is a list of ipv4/6 filter rules - for which matching requests should be denied. All other requests - will be allowed. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy - can be defined. The rules defined here override any rules - set on the root HTTPProxy. + description: |- + IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be denied. All other requests will be allowed. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here override any rules set on the root HTTPProxy. items: properties: cidr: - description: CIDR is a CIDR block of ipv4 or ipv6 addresses - to filter on. This can also be a bare IP address (without - a mask) to filter on exactly one address. + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. type: string source: - description: 'Source indicates how to determine the ip - address to filter on, and can be one of two values: - - `Remote` filters on the ip address of the client, - accounting for PROXY and X-Forwarded-For as needed. - - `Peer` filters on the ip of the network request, ignoring - PROXY and X-Forwarded-For.' + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. enum: - Peer - Remote @@ -5916,93 +5994,93 @@ spec: route. properties: disabled: - description: Disabled defines whether to disable all JWT - verification for this route. This can be used to opt specific - routes out of the default JWT provider for the HTTPProxy. - At most one of this field or the "require" field can be - specified. + description: |- + Disabled defines whether to disable all JWT verification for this + route. This can be used to opt specific routes out of the default + JWT provider for the HTTPProxy. At most one of this field or the + "require" field can be specified. type: boolean require: - description: Require names a specific JWT provider (defined - in the virtual host) to require for the route. If specified, - this field overrides the default provider if one exists. - If this field is not specified, the default provider will - be required if one exists. At most one of this field or - the "disabled" field can be specified. + description: |- + Require names a specific JWT provider (defined in the virtual host) + to require for the route. If specified, this field overrides the + default provider if one exists. If this field is not specified, + the default provider will be required if one exists. At most one of + this field or the "disabled" field can be specified. type: string type: object loadBalancerPolicy: description: The load balancing policy for this route. properties: requestHashPolicies: - description: RequestHashPolicies contains a list of hash - policies to apply when the `RequestHash` load balancing - strategy is chosen. If an element of the supplied list - of hash policies is invalid, it will be ignored. If the - list of hash policies is empty after validation, the load - balancing strategy will fall back to the default `RoundRobin`. + description: |- + RequestHashPolicies contains a list of hash policies to apply when the + `RequestHash` load balancing strategy is chosen. If an element of the + supplied list of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load balancing + strategy will fall back to the default `RoundRobin`. items: - description: RequestHashPolicy contains configuration - for an individual hash policy on a request attribute. + description: |- + RequestHashPolicy contains configuration for an individual hash policy + on a request attribute. properties: hashSourceIP: - description: HashSourceIP should be set to true when - request source IP hash based load balancing is desired. - It must be the only hash option field set, otherwise - this request hash policy object will be ignored. + description: |- + HashSourceIP should be set to true when request source IP hash based + load balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. type: boolean headerHashOptions: - description: HeaderHashOptions should be set when - request header hash based load balancing is desired. - It must be the only hash option field set, otherwise - this request hash policy object will be ignored. + description: |- + HeaderHashOptions should be set when request header hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: headerName: - description: HeaderName is the name of the HTTP - request header that will be used to calculate - the hash key. If the header specified is not - present on a request, no hash will be produced. + description: |- + HeaderName is the name of the HTTP request header that will be used to + calculate the hash key. If the header specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object queryParameterHashOptions: - description: QueryParameterHashOptions should be set - when request query parameter hash based load balancing - is desired. It must be the only hash option field - set, otherwise this request hash policy object will - be ignored. + description: |- + QueryParameterHashOptions should be set when request query parameter hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: parameterName: - description: ParameterName is the name of the - HTTP request query parameter that will be used - to calculate the hash key. If the query parameter - specified is not present on a request, no hash - will be produced. + description: |- + ParameterName is the name of the HTTP request query parameter that will be used to + calculate the hash key. If the query parameter specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object terminal: - description: Terminal is a flag that allows for short-circuiting - computing of a hash for a given request. If set - to true, and the request attribute specified in - the attribute hash options is present, no further - hash policies will be used to calculate a hash for - the request. + description: |- + Terminal is a flag that allows for short-circuiting computing of a hash + for a given request. If set to true, and the request attribute specified + in the attribute hash options is present, no further hash policies will + be used to calculate a hash for the request. type: boolean type: object type: array strategy: - description: Strategy specifies the policy used to balance - requests across the pool of backend pods. Valid policy - names are `Random`, `RoundRobin`, `WeightedLeastRequest`, - `Cookie`, and `RequestHash`. If an unknown strategy name - is specified or no policy is supplied, the default `RoundRobin` - policy is used. + description: |- + Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are + `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + and `RequestHash`. If an unknown strategy name is specified + or no policy is supplied, the default `RoundRobin` policy + is used. type: string type: object pathRewritePolicy: - description: The policy for rewriting the path of the request - URL after the request has been routed to a Service. + description: |- + The policy for rewriting the path of the request URL + after the request has been routed to a Service. properties: replacePrefix: description: ReplacePrefix describes how the path prefix @@ -6011,22 +6089,22 @@ spec: description: ReplacePrefix describes a path prefix replacement. properties: prefix: - description: "Prefix specifies the URL path prefix - to be replaced. \n If Prefix is specified, it must - exactly match the MatchCondition prefix that is - rendered by the chain of including HTTPProxies and - only that path prefix will be replaced by Replacement. - This allows HTTPProxies that are included through - multiple roots to only replace specific path prefixes, - leaving others unmodified. \n If Prefix is not specified, - all routing prefixes rendered by the include chain - will be replaced." + description: |- + Prefix specifies the URL path prefix to be replaced. + If Prefix is specified, it must exactly match the MatchCondition + prefix that is rendered by the chain of including HTTPProxies + and only that path prefix will be replaced by Replacement. + This allows HTTPProxies that are included through multiple + roots to only replace specific path prefixes, leaving others + unmodified. + If Prefix is not specified, all routing prefixes rendered + by the include chain will be replaced. minLength: 1 type: string replacement: - description: Replacement is the string that the routing - path prefix will be replaced with. This must not - be empty. + description: |- + Replacement is the string that the routing path prefix + will be replaced with. This must not be empty. minLength: 1 type: string required: @@ -6035,24 +6113,24 @@ spec: type: array type: object permitInsecure: - description: Allow this path to respond to insecure requests - over HTTP which are normally not permitted when a `virtualhost.tls` - block is present. + description: |- + Allow this path to respond to insecure requests over HTTP which are normally + not permitted when a `virtualhost.tls` block is present. type: boolean rateLimitPolicy: description: The policy for rate limiting on the route. properties: global: - description: Global defines global rate limiting parameters, - i.e. parameters defining descriptors that are sent to - an external rate limit service (RLS) for a rate limit - decision on each request. + description: |- + Global defines global rate limiting parameters, i.e. parameters + defining descriptors that are sent to an external rate limit + service (RLS) for a rate limit decision on each request. properties: descriptors: - description: Descriptors defines the list of descriptors - that will be generated and sent to the rate limit - service. Each descriptor contains 1+ key-value pair - entries. + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries. items: description: RateLimitDescriptor defines a list of key-value pair generators. @@ -6061,18 +6139,18 @@ spec: description: Entries is the list of key-value pair generators. items: - description: RateLimitDescriptorEntry is a key-value - pair generator. Exactly one field on this - struct must be non-nil. + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. properties: genericKey: description: GenericKey defines a descriptor entry with a static key and value. properties: key: - description: Key defines the key of - the descriptor entry. If not set, - the key is set to "generic_key". + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". type: string value: description: Value defines the value @@ -6081,17 +6159,15 @@ spec: type: string type: object remoteAddress: - description: RemoteAddress defines a descriptor - entry with a key of "remote_address" and - a value equal to the client's IP address - (from x-forwarded-for). + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). type: object requestHeader: - description: RequestHeader defines a descriptor - entry that's populated only if a given - header is present on the request. The - descriptor key is static, and the descriptor - value is equal to the value of the header. + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. properties: descriptorKey: description: DescriptorKey defines the @@ -6106,44 +6182,36 @@ spec: type: string type: object requestHeaderValueMatch: - description: RequestHeaderValueMatch defines - a descriptor entry that's populated if - the request's headers match a set of 1+ - match criteria. The descriptor key is - "header_match", and the descriptor value - is static. + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. properties: expectMatch: default: true - description: ExpectMatch defines whether - the request must positively match - the match criteria in order to generate - a descriptor entry (i.e. true), or - not match the match criteria in order - to generate a descriptor entry (i.e. - false). The default is true. + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). + The default is true. type: boolean headers: - description: Headers is a list of 1+ - match criteria to apply against the - request to determine whether to populate - the descriptor entry or not. + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. items: - description: HeaderMatchCondition - specifies how to conditionally match - against HTTP headers. The Name field - is required, only one of Present, - NotPresent, Contains, NotContains, - Exact, NotExact and Regex can be - set. For negative matching rules - only (e.g. NotContains or NotExact) - you can set TreatMissingAsEmpty. + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. IgnoreCase has no effect for Regex. properties: contains: - description: Contains specifies - a substring that must be present - in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a @@ -6151,64 +6219,49 @@ spec: must be equal to. type: string ignoreCase: - description: IgnoreCase specifies - that string matching should - be case insensitive. Note that - this has no effect on the Regex - parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name - of the header to match against. - Name is required. Header names - are case insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies - a substring that must not be - present in the header value. + description: |- + NotContains specifies a substring that must not be present + in the header value. type: string notexact: - description: NoExact specifies - a string that the header value - must not be equal to. The condition - is true if the header has any - other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies - that condition is true when - the named header is not present. - Note that setting NotPresent - to false does not make the condition - true if the named header is - present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies - that condition is true when - the named header is present, - regardless of its value. Note - that setting Present to false - does not make the condition - true if the named header is - absent. + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. type: boolean regex: - description: Regex specifies a - regular expression pattern that - must match the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty - specifies if the header match - rule specified header does not - exist, this header value will - be treated as empty. Defaults - to false. Unlike the underlying - Envoy implementation this is - **only** supported for negative - matches (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -6228,32 +6281,34 @@ spec: minItems: 1 type: array disabled: - description: Disabled configures the HTTPProxy to not - use the default global rate limit policy defined by - the Contour configuration. + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. type: boolean type: object local: - description: Local defines local rate limiting parameters, - i.e. parameters for rate limiting that occurs within each - Envoy pod as requests are handled. + description: |- + Local defines local rate limiting parameters, i.e. parameters + for rate limiting that occurs within each Envoy pod as requests + are handled. properties: burst: - description: Burst defines the number of requests above - the requests per unit that should be allowed within - a short period of time. + description: |- + Burst defines the number of requests above the requests per + unit that should be allowed within a short period of time. format: int32 type: integer requests: - description: Requests defines how many requests per - unit of time should be allowed before rate limiting - occurs. + description: |- + Requests defines how many requests per unit of time should + be allowed before rate limiting occurs. format: int32 minimum: 1 type: integer responseHeadersToAdd: - description: ResponseHeadersToAdd is an optional list - of response headers to set when a request is rate-limited. + description: |- + ResponseHeadersToAdd is an optional list of response headers to + set when a request is rate-limited. items: description: HeaderValue represents a header name/value pair @@ -6273,18 +6328,20 @@ spec: type: object type: array responseStatusCode: - description: ResponseStatusCode is the HTTP status code - to use for responses to rate-limited requests. Codes - must be in the 400-599 range (inclusive). If not specified, - the Envoy default of 429 (Too Many Requests) is used. + description: |- + ResponseStatusCode is the HTTP status code to use for responses + to rate-limited requests. Codes must be in the 400-599 range + (inclusive). If not specified, the Envoy default of 429 (Too + Many Requests) is used. format: int32 maximum: 599 minimum: 400 type: integer unit: - description: Unit defines the period of time within - which requests over the limit will be rate limited. - Valid values are "second", "minute" and "hour". + description: |- + Unit defines the period of time within which requests + over the limit will be rate limited. Valid values are + "second", "minute" and "hour". enum: - second - minute @@ -6296,15 +6353,16 @@ spec: type: object type: object requestHeadersPolicy: - description: "The policy for managing request headers during - proxying. \n You may dynamically rewrite the Host header to - be forwarded upstream to the content of a request header using - the below format \"%REQ(X-Header-Name)%\". If the value of - the header is empty, it is ignored. \n *NOTE: Pay attention - to the potential security implications of using this option. - Provided header must come from trusted source. \n **NOTE: - The header rewrite is only done while forwarding and has no - bearing on the routing decision." + description: |- + The policy for managing request headers during proxying. + You may dynamically rewrite the Host header to be forwarded + upstream to the content of a request header using + the below format "%REQ(X-Header-Name)%". If the value of the header + is empty, it is ignored. + *NOTE: Pay attention to the potential security implications of using this option. + Provided header must come from trusted source. + **NOTE: The header rewrite is only done while forwarding and has no bearing + on the routing decision. properties: remove: description: Remove specifies a list of HTTP header names @@ -6313,10 +6371,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header does - not exist it will be added, otherwise it will be overwritten - with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -6340,39 +6397,44 @@ spec: description: RequestRedirectPolicy defines an HTTP redirection. properties: hostname: - description: Hostname is the precise hostname to be used - in the value of the `Location` header in the response. - When empty, the hostname of the request is used. No wildcards - are allowed. + description: |- + Hostname is the precise hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname of the request is used. + No wildcards are allowed. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string path: - description: "Path allows for redirection to a different - path from the original on the request. The path must start - with a leading slash. \n Note: Only one of Path or Prefix - can be defined." + description: |- + Path allows for redirection to a different path from the + original on the request. The path must start with a + leading slash. + Note: Only one of Path or Prefix can be defined. pattern: ^\/.*$ type: string port: - description: Port is the port to be used in the value of - the `Location` header in the response. When empty, port - (if specified) of the request is used. + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + When empty, port (if specified) of the request is used. format: int32 maximum: 65535 minimum: 1 type: integer prefix: - description: "Prefix defines the value to swap the matched - prefix or path with. The prefix must start with a leading - slash. \n Note: Only one of Path or Prefix can be defined." + description: |- + Prefix defines the value to swap the matched prefix or path with. + The prefix must start with a leading slash. + Note: Only one of Path or Prefix can be defined. pattern: ^\/.*$ type: string scheme: - description: Scheme is the scheme to be used in the value - of the `Location` header in the response. When empty, - the scheme of the request is used. + description: |- + Scheme is the scheme to be used in the value of the `Location` + header in the response. + When empty, the scheme of the request is used. enum: - http - https @@ -6387,8 +6449,9 @@ spec: type: integer type: object responseHeadersPolicy: - description: The policy for managing response headers during - proxying. Rewriting the 'Host' header is not supported. + description: |- + The policy for managing response headers during proxying. + Rewriting the 'Host' header is not supported. properties: remove: description: Remove specifies a list of HTTP header names @@ -6397,10 +6460,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header does - not exist it will be added, otherwise it will be overwritten - with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -6425,35 +6487,46 @@ spec: properties: count: default: 1 - description: NumRetries is maximum allowed number of retries. - If set to -1, then retries are disabled. If set to 0 or - not supplied, the value is set to the Envoy default of - 1. + description: |- + NumRetries is maximum allowed number of retries. + If set to -1, then retries are disabled. + If set to 0 or not supplied, the value is set + to the Envoy default of 1. format: int64 minimum: -1 type: integer perTryTimeout: - description: PerTryTimeout specifies the timeout per retry - attempt. Ignored if NumRetries is not supplied. + description: |- + PerTryTimeout specifies the timeout per retry attempt. + Ignored if NumRetries is not supplied. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string retriableStatusCodes: - description: "RetriableStatusCodes specifies the HTTP status - codes that should be retried. \n This field is only respected - when you include `retriable-status-codes` in the `RetryOn` - field." + description: |- + RetriableStatusCodes specifies the HTTP status codes that should be retried. + This field is only respected when you include `retriable-status-codes` in the `RetryOn` field. items: format: int32 type: integer type: array retryOn: - description: "RetryOn specifies the conditions on which - to retry a request. \n Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on): - \n - `5xx` - `gateway-error` - `reset` - `connect-failure` - - `retriable-4xx` - `refused-stream` - `retriable-status-codes` - - `retriable-headers` \n Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on): - \n - `cancelled` - `deadline-exceeded` - `internal` - - `resource-exhausted` - `unavailable`" + description: |- + RetryOn specifies the conditions on which to retry a request. + Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on): + - `5xx` + - `gateway-error` + - `reset` + - `connect-failure` + - `retriable-4xx` + - `refused-stream` + - `retriable-status-codes` + - `retriable-headers` + Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on): + - `cancelled` + - `deadline-exceeded` + - `internal` + - `resource-exhausted` + - `unavailable` items: description: RetryOn is a string type alias with validation to ensure that the value is valid. @@ -6486,13 +6559,14 @@ spec: items: properties: domainRewrite: - description: DomainRewrite enables rewriting the - Set-Cookie Domain element. If not set, Domain - will not be rewritten. + description: |- + DomainRewrite enables rewriting the Set-Cookie Domain element. + If not set, Domain will not be rewritten. properties: value: - description: Value is the value to rewrite the - Domain attribute to. For now this is required. + description: |- + Value is the value to rewrite the Domain attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -6508,12 +6582,14 @@ spec: pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ type: string pathRewrite: - description: PathRewrite enables rewriting the Set-Cookie - Path element. If not set, Path will not be rewritten. + description: |- + PathRewrite enables rewriting the Set-Cookie Path element. + If not set, Path will not be rewritten. properties: value: - description: Value is the value to rewrite the - Path attribute to. For now this is required. + description: |- + Value is the value to rewrite the Path attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ @@ -6522,45 +6598,43 @@ spec: - value type: object sameSite: - description: SameSite enables rewriting the Set-Cookie - SameSite element. If not set, SameSite attribute - will not be rewritten. + description: |- + SameSite enables rewriting the Set-Cookie SameSite element. + If not set, SameSite attribute will not be rewritten. enum: - Strict - Lax - None type: string secure: - description: Secure enables rewriting the Set-Cookie - Secure element. If not set, Secure attribute will - not be rewritten. + description: |- + Secure enables rewriting the Set-Cookie Secure element. + If not set, Secure attribute will not be rewritten. type: boolean required: - name type: object type: array healthPort: - description: HealthPort is the port for this service healthcheck. + description: |- + HealthPort is the port for this service healthcheck. If not specified, Port is used for service healthchecks. maximum: 65535 minimum: 1 type: integer mirror: - description: 'If Mirror is true the Service will receive - a read only mirror of the traffic for this route. If - Mirror is true, then fractional mirroring can be enabled - by optionally setting the Weight field. Legal values - for Weight are 1-100. Omitting the Weight field will - result in 100% mirroring. NOTE: Setting Weight explicitly - to 0 will unexpectedly result in 100% traffic mirroring. - This occurs since we cannot distinguish omitted fields - from those explicitly set to their default values' + description: |- + If Mirror is true the Service will receive a read only mirror of the traffic for this route. + If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight + field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring. + NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This + occurs since we cannot distinguish omitted fields from those explicitly set to their default + values type: boolean name: - description: Name is the name of Kubernetes service to - proxy traffic. Names defined here will be used to look - up corresponding endpoints which contain the ips to - route. + description: |- + Name is the name of Kubernetes service to proxy traffic. + Names defined here will be used to look up corresponding endpoints which contain the ips to route. type: string port: description: Port (defined as Integer) to proxy traffic @@ -6570,10 +6644,9 @@ spec: minimum: 1 type: integer protocol: - description: Protocol may be used to specify (or override) - the protocol used to reach this Service. Values may - be tls, h2, h2c. If omitted, protocol-selection falls - back on Service annotations. + description: |- + Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations. enum: - h2 - h2c @@ -6590,10 +6663,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -6614,9 +6686,9 @@ spec: type: array type: object responseHeadersPolicy: - description: The policy for managing response headers - during proxying. Rewriting the 'Host' header is not - supported. + description: |- + The policy for managing response headers during proxying. + Rewriting the 'Host' header is not supported. properties: remove: description: Remove specifies a list of HTTP header @@ -6625,10 +6697,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -6654,32 +6725,29 @@ spec: properties: aggression: default: "1.0" - description: "The speed of traffic increase over the - slow start window. Defaults to 1.0, so that endpoint - would get linearly increasing amount of traffic. - When increasing the value for this parameter, the - speed of traffic ramp-up increases non-linearly. - The value of aggression parameter should be greater - than 0.0. \n More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start" + description: |- + The speed of traffic increase over the slow start window. + Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic. + When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly. + The value of aggression parameter should be greater than 0.0. + More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start pattern: ^([0-9]+([.][0-9]+)?|[.][0-9]+)$ type: string minWeightPercent: default: 10 - description: The minimum or starting percentage of - traffic to send to new endpoints. A non-zero value - helps avoid a too small initial weight, which may - cause endpoints in slow start mode to receive no - traffic in the beginning of the slow start window. + description: |- + The minimum or starting percentage of traffic to send to new endpoints. + A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window. If not specified, the default is 10%. format: int32 maximum: 100 minimum: 0 type: integer window: - description: The duration of slow start window. Duration - is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", - "s", "m", "h". + description: |- + The duration of slow start window. + Duration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ type: string required: @@ -6690,29 +6758,26 @@ spec: the backend service's certificate properties: caSecret: - description: Name or namespaced name of the Kubernetes - secret used to validate the certificate presented - by the backend. The secret must contain key named - ca.crt. The name can be optionally prefixed with - namespace "namespace/name". When cross-namespace - reference is used, TLSCertificateDelegation resource - must exist in the namespace to grant access to the - secret. Max length should be the actual max possible - length of a namespaced name (63 + 253 + 1 = 317) + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) maxLength: 317 minLength: 1 type: string subjectName: - description: 'Key which is expected to be present - in the ''subjectAltName'' of the presented certificate. - Deprecated: migrate to using the plural field subjectNames.' + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. maxLength: 250 minLength: 1 type: string subjectNames: - description: List of keys, of which at least one is - expected to be present in the 'subjectAltName of - the presented certificate. + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the + presented certificate. items: type: string maxItems: 8 @@ -6741,26 +6806,23 @@ spec: description: The timeout policy for this route. properties: idle: - description: Timeout for how long the proxy should wait - while there is no activity during single request/response - (for HTTP/1.1) or stream (for HTTP/2). Timeout will not - trigger while HTTP/1.1 connection is idle between two - consecutive requests. If not specified, there is no per-route - idle timeout, though a connection manager-wide stream_idle_timeout - default of 5m still applies. + description: |- + Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2). + Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests. + If not specified, there is no per-route idle timeout, though a connection manager-wide + stream_idle_timeout default of 5m still applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string idleConnection: - description: Timeout for how long connection from the proxy - to the upstream service is kept when there are no active - requests. If not supplied, Envoy's default value of 1h - applies. + description: |- + Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests. + If not supplied, Envoy's default value of 1h applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string response: - description: Timeout for receiving a response from the server - after processing a request from client. If not supplied, - Envoy's default value of 15s applies. + description: |- + Timeout for receiving a response from the server after processing a request from client. + If not supplied, Envoy's default value of 15s applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string type: object @@ -6807,11 +6869,10 @@ spec: - name type: object includes: - description: "IncludesDeprecated allow for specific routing configuration - to be appended to another HTTPProxy in another namespace. \n - Exists due to a mistake when developing HTTPProxy and the field - was marked plural when it should have been singular. This field - should stay to not break backwards compatibility to v1 users." + description: |- + IncludesDeprecated allow for specific routing configuration to be appended to another HTTPProxy in another namespace. + Exists due to a mistake when developing HTTPProxy and the field was marked plural + when it should have been singular. This field should stay to not break backwards compatibility to v1 users. properties: name: description: Name of the child HTTPProxy @@ -6824,69 +6885,71 @@ spec: - name type: object loadBalancerPolicy: - description: The load balancing policy for the backend services. - Note that the `Cookie` and `RequestHash` load balancing strategies - cannot be used here. + description: |- + The load balancing policy for the backend services. Note that the + `Cookie` and `RequestHash` load balancing strategies cannot be used + here. properties: requestHashPolicies: - description: RequestHashPolicies contains a list of hash policies - to apply when the `RequestHash` load balancing strategy - is chosen. If an element of the supplied list of hash policies - is invalid, it will be ignored. If the list of hash policies - is empty after validation, the load balancing strategy will - fall back to the default `RoundRobin`. + description: |- + RequestHashPolicies contains a list of hash policies to apply when the + `RequestHash` load balancing strategy is chosen. If an element of the + supplied list of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load balancing + strategy will fall back to the default `RoundRobin`. items: - description: RequestHashPolicy contains configuration for - an individual hash policy on a request attribute. + description: |- + RequestHashPolicy contains configuration for an individual hash policy + on a request attribute. properties: hashSourceIP: - description: HashSourceIP should be set to true when - request source IP hash based load balancing is desired. - It must be the only hash option field set, otherwise - this request hash policy object will be ignored. + description: |- + HashSourceIP should be set to true when request source IP hash based + load balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. type: boolean headerHashOptions: - description: HeaderHashOptions should be set when request - header hash based load balancing is desired. It must - be the only hash option field set, otherwise this - request hash policy object will be ignored. + description: |- + HeaderHashOptions should be set when request header hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: headerName: - description: HeaderName is the name of the HTTP - request header that will be used to calculate - the hash key. If the header specified is not present - on a request, no hash will be produced. + description: |- + HeaderName is the name of the HTTP request header that will be used to + calculate the hash key. If the header specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object queryParameterHashOptions: - description: QueryParameterHashOptions should be set - when request query parameter hash based load balancing - is desired. It must be the only hash option field - set, otherwise this request hash policy object will - be ignored. + description: |- + QueryParameterHashOptions should be set when request query parameter hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: parameterName: - description: ParameterName is the name of the HTTP - request query parameter that will be used to calculate - the hash key. If the query parameter specified - is not present on a request, no hash will be produced. + description: |- + ParameterName is the name of the HTTP request query parameter that will be used to + calculate the hash key. If the query parameter specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object terminal: - description: Terminal is a flag that allows for short-circuiting - computing of a hash for a given request. If set to - true, and the request attribute specified in the attribute - hash options is present, no further hash policies - will be used to calculate a hash for the request. + description: |- + Terminal is a flag that allows for short-circuiting computing of a hash + for a given request. If set to true, and the request attribute specified + in the attribute hash options is present, no further hash policies will + be used to calculate a hash for the request. type: boolean type: object type: array strategy: - description: Strategy specifies the policy used to balance - requests across the pool of backend pods. Valid policy names - are `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + description: |- + Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are + `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, and `RequestHash`. If an unknown strategy name is specified or no policy is supplied, the default `RoundRobin` policy is used. @@ -6904,12 +6967,14 @@ spec: items: properties: domainRewrite: - description: DomainRewrite enables rewriting the Set-Cookie - Domain element. If not set, Domain will not be rewritten. + description: |- + DomainRewrite enables rewriting the Set-Cookie Domain element. + If not set, Domain will not be rewritten. properties: value: - description: Value is the value to rewrite the - Domain attribute to. For now this is required. + description: |- + Value is the value to rewrite the Domain attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -6925,12 +6990,14 @@ spec: pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ type: string pathRewrite: - description: PathRewrite enables rewriting the Set-Cookie - Path element. If not set, Path will not be rewritten. + description: |- + PathRewrite enables rewriting the Set-Cookie Path element. + If not set, Path will not be rewritten. properties: value: - description: Value is the value to rewrite the - Path attribute to. For now this is required. + description: |- + Value is the value to rewrite the Path attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ @@ -6939,44 +7006,43 @@ spec: - value type: object sameSite: - description: SameSite enables rewriting the Set-Cookie - SameSite element. If not set, SameSite attribute - will not be rewritten. + description: |- + SameSite enables rewriting the Set-Cookie SameSite element. + If not set, SameSite attribute will not be rewritten. enum: - Strict - Lax - None type: string secure: - description: Secure enables rewriting the Set-Cookie - Secure element. If not set, Secure attribute will - not be rewritten. + description: |- + Secure enables rewriting the Set-Cookie Secure element. + If not set, Secure attribute will not be rewritten. type: boolean required: - name type: object type: array healthPort: - description: HealthPort is the port for this service healthcheck. + description: |- + HealthPort is the port for this service healthcheck. If not specified, Port is used for service healthchecks. maximum: 65535 minimum: 1 type: integer mirror: - description: 'If Mirror is true the Service will receive - a read only mirror of the traffic for this route. If Mirror - is true, then fractional mirroring can be enabled by optionally - setting the Weight field. Legal values for Weight are - 1-100. Omitting the Weight field will result in 100% mirroring. - NOTE: Setting Weight explicitly to 0 will unexpectedly - result in 100% traffic mirroring. This occurs since we - cannot distinguish omitted fields from those explicitly - set to their default values' + description: |- + If Mirror is true the Service will receive a read only mirror of the traffic for this route. + If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight + field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring. + NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This + occurs since we cannot distinguish omitted fields from those explicitly set to their default + values type: boolean name: - description: Name is the name of Kubernetes service to proxy - traffic. Names defined here will be used to look up corresponding - endpoints which contain the ips to route. + description: |- + Name is the name of Kubernetes service to proxy traffic. + Names defined here will be used to look up corresponding endpoints which contain the ips to route. type: string port: description: Port (defined as Integer) to proxy traffic @@ -6986,10 +7052,9 @@ spec: minimum: 1 type: integer protocol: - description: Protocol may be used to specify (or override) - the protocol used to reach this Service. Values may be - tls, h2, h2c. If omitted, protocol-selection falls back - on Service annotations. + description: |- + Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations. enum: - h2 - h2c @@ -7006,10 +7071,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -7030,8 +7094,9 @@ spec: type: array type: object responseHeadersPolicy: - description: The policy for managing response headers during - proxying. Rewriting the 'Host' header is not supported. + description: |- + The policy for managing response headers during proxying. + Rewriting the 'Host' header is not supported. properties: remove: description: Remove specifies a list of HTTP header @@ -7040,10 +7105,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -7069,32 +7133,29 @@ spec: properties: aggression: default: "1.0" - description: "The speed of traffic increase over the - slow start window. Defaults to 1.0, so that endpoint - would get linearly increasing amount of traffic. When - increasing the value for this parameter, the speed - of traffic ramp-up increases non-linearly. The value - of aggression parameter should be greater than 0.0. - \n More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start" + description: |- + The speed of traffic increase over the slow start window. + Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic. + When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly. + The value of aggression parameter should be greater than 0.0. + More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start pattern: ^([0-9]+([.][0-9]+)?|[.][0-9]+)$ type: string minWeightPercent: default: 10 - description: The minimum or starting percentage of traffic - to send to new endpoints. A non-zero value helps avoid - a too small initial weight, which may cause endpoints - in slow start mode to receive no traffic in the beginning - of the slow start window. If not specified, the default - is 10%. + description: |- + The minimum or starting percentage of traffic to send to new endpoints. + A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window. + If not specified, the default is 10%. format: int32 maximum: 100 minimum: 0 type: integer window: - description: The duration of slow start window. Duration - is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", - "m", "h". + description: |- + The duration of slow start window. + Duration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ type: string required: @@ -7105,28 +7166,25 @@ spec: backend service's certificate properties: caSecret: - description: Name or namespaced name of the Kubernetes - secret used to validate the certificate presented - by the backend. The secret must contain key named - ca.crt. The name can be optionally prefixed with namespace - "namespace/name". When cross-namespace reference is - used, TLSCertificateDelegation resource must exist - in the namespace to grant access to the secret. Max - length should be the actual max possible length of - a namespaced name (63 + 253 + 1 = 317) + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) maxLength: 317 minLength: 1 type: string subjectName: - description: 'Key which is expected to be present in - the ''subjectAltName'' of the presented certificate. - Deprecated: migrate to using the plural field subjectNames.' + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. maxLength: 250 minLength: 1 type: string subjectNames: - description: List of keys, of which at least one is - expected to be present in the 'subjectAltName of the + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the presented certificate. items: type: string @@ -7154,34 +7212,38 @@ spec: type: array type: object virtualhost: - description: Virtualhost appears at most once. If it is present, the - object is considered to be a "root" HTTPProxy. + description: |- + Virtualhost appears at most once. If it is present, the object is considered + to be a "root" HTTPProxy. properties: authorization: - description: This field configures an extension service to perform - authorization for this virtual host. Authorization can only - be configured on virtual hosts that have TLS enabled. If the - TLS configuration requires client certificate validation, the - client certificate is always included in the authentication - check request. + description: |- + This field configures an extension service to perform + authorization for this virtual host. Authorization can + only be configured on virtual hosts that have TLS enabled. + If the TLS configuration requires client certificate + validation, the client certificate is always included in the + authentication check request. properties: authPolicy: - description: AuthPolicy sets a default authorization policy - for client requests. This policy will be used unless overridden - by individual routes. + description: |- + AuthPolicy sets a default authorization policy for client requests. + This policy will be used unless overridden by individual routes. properties: context: additionalProperties: type: string - description: Context is a set of key/value pairs that - are sent to the authentication server in the check request. - If a context is provided at an enclosing scope, the - entries are merged such that the inner scope overrides - matching keys from the outer scope. + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. type: object disabled: - description: When true, this field disables client request - authentication for the scope of the policy. + description: |- + When true, this field disables client request authentication + for the scope of the policy. type: boolean type: object extensionRef: @@ -7189,36 +7251,38 @@ spec: that will authorize client requests. properties: apiVersion: - description: API version of the referent. If this field - is not specified, the default "projectcontour.io/v1alpha1" - will be used + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used minLength: 1 type: string name: - description: "Name of the referent. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names minLength: 1 type: string namespace: - description: "Namespace of the referent. If this field - is not specifies, the namespace of the resource that - targets the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ minLength: 1 type: string type: object failOpen: - description: If FailOpen is true, the client request is forwarded - to the upstream service even if the authorization server - fails to respond. This field should not be set in most cases. - It is intended for use only while migrating applications + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the authorization server fails to respond. This field should not be + set in most cases. It is intended for use only while migrating applications from internal authorization to Contour external authorization. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time to wait - for a check response from the authorization server. Timeout - durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", - "h". The string "infinity" is also a valid input and specifies - no timeout. + description: |- + ResponseTimeout configures maximum time to wait for a check response from the authorization server. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string withRequestBody: @@ -7270,20 +7334,21 @@ spec: minItems: 1 type: array allowOrigin: - description: AllowOrigin specifies the origins that will be - allowed to do CORS requests. Allowed values include "*" - which signifies any origin is allowed, an exact origin of - the form "scheme://host[:port]" (where port is optional), - or a valid regex pattern. Note that regex patterns are validated - and a simple "glob" pattern (e.g. *.foo.com) will be rejected - or produce unexpected matches when applied as a regex. + description: |- + AllowOrigin specifies the origins that will be allowed to do CORS requests. + Allowed values include "*" which signifies any origin is allowed, an exact + origin of the form "scheme://host[:port]" (where port is optional), or a valid + regex pattern. + Note that regex patterns are validated and a simple "glob" pattern (e.g. *.foo.com) + will be rejected or produce unexpected matches when applied as a regex. items: type: string minItems: 1 type: array allowPrivateNetwork: - description: AllowPrivateNetwork specifies whether to allow - private network requests. See https://developer.chrome.com/blog/private-network-access-preflight. + description: |- + AllowPrivateNetwork specifies whether to allow private network requests. + See https://developer.chrome.com/blog/private-network-access-preflight. type: boolean exposeHeaders: description: ExposeHeaders Specifies the content for the *access-control-expose-headers* @@ -7296,13 +7361,12 @@ spec: minItems: 1 type: array maxAge: - description: MaxAge indicates for how long the results of - a preflight request can be cached. MaxAge durations are - expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", - "h". Only positive values are allowed while 0 disables the - cache requiring a preflight OPTIONS check for all cross-origin - requests. + description: |- + MaxAge indicates for how long the results of a preflight request can be cached. + MaxAge durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + Only positive values are allowed while 0 disables the cache requiring a preflight OPTIONS + check for all cross-origin requests. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|0)$ type: string required: @@ -7310,30 +7374,32 @@ spec: - allowOrigin type: object fqdn: - description: The fully qualified domain name of the root of the - ingress tree all leaves of the DAG rooted at this object relate - to the fqdn. + description: |- + The fully qualified domain name of the root of the ingress tree + all leaves of the DAG rooted at this object relate to the fqdn. pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string ipAllowPolicy: - description: IPAllowFilterPolicy is a list of ipv4/6 filter rules - for which matching requests should be allowed. All other requests - will be denied. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy - can be defined. The rules defined here may be overridden in - a Route. + description: |- + IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be allowed. All other requests will be denied. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here may be overridden in a Route. items: properties: cidr: - description: CIDR is a CIDR block of ipv4 or ipv6 addresses - to filter on. This can also be a bare IP address (without - a mask) to filter on exactly one address. + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. type: string source: - description: 'Source indicates how to determine the ip address - to filter on, and can be one of two values: - `Remote` - filters on the ip address of the client, accounting for - PROXY and X-Forwarded-For as needed. - `Peer` filters - on the ip of the network request, ignoring PROXY and X-Forwarded-For.' + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. enum: - Peer - Remote @@ -7344,24 +7410,26 @@ spec: type: object type: array ipDenyPolicy: - description: IPDenyFilterPolicy is a list of ipv4/6 filter rules - for which matching requests should be denied. All other requests - will be allowed. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy - can be defined. The rules defined here may be overridden in - a Route. + description: |- + IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be denied. All other requests will be allowed. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here may be overridden in a Route. items: properties: cidr: - description: CIDR is a CIDR block of ipv4 or ipv6 addresses - to filter on. This can also be a bare IP address (without - a mask) to filter on exactly one address. + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. type: string source: - description: 'Source indicates how to determine the ip address - to filter on, and can be one of two values: - `Remote` - filters on the ip address of the client, accounting for - PROXY and X-Forwarded-For as needed. - `Peer` filters - on the ip of the network request, ignoring PROXY and X-Forwarded-For.' + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. enum: - Peer - Remote @@ -7378,27 +7446,31 @@ spec: description: JWTProvider defines how to verify JWTs on requests. properties: audiences: - description: Audiences that JWTs are allowed to have in - the "aud" field. If not provided, JWT audiences are not - checked. + description: |- + Audiences that JWTs are allowed to have in the "aud" field. + If not provided, JWT audiences are not checked. items: type: string type: array default: - description: Whether the provider should apply to all routes - in the HTTPProxy/its includes by default. At most one - provider can be marked as the default. If no provider - is marked as the default, individual routes must explicitly + description: |- + Whether the provider should apply to all + routes in the HTTPProxy/its includes by + default. At most one provider can be marked + as the default. If no provider is marked + as the default, individual routes must explicitly identify the provider they require. type: boolean forwardJWT: - description: Whether the JWT should be forwarded to the - backend service after successful verification. By default, + description: |- + Whether the JWT should be forwarded to the backend + service after successful verification. By default, the JWT is not forwarded. type: boolean issuer: - description: Issuer that JWTs are required to have in the - "iss" field. If not provided, JWT issuers are not checked. + description: |- + Issuer that JWTs are required to have in the "iss" field. + If not provided, JWT issuers are not checked. type: string name: description: Unique name for the provider. @@ -7408,33 +7480,34 @@ spec: description: Remote JWKS to use for verifying JWT signatures. properties: cacheDuration: - description: How long to cache the JWKS locally. If - not specified, Envoy's default of 5m applies. + description: |- + How long to cache the JWKS locally. If not specified, + Envoy's default of 5m applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ type: string dnsLookupFamily: - description: "The DNS IP address resolution policy for - the JWKS URI. When configured as \"v4\", the DNS resolver - will only perform a lookup for addresses in the IPv4 - family. If \"v6\" is configured, the DNS resolver - will only perform a lookup for addresses in the IPv6 - family. If \"all\" is configured, the DNS resolver - will perform a lookup for addresses in both the IPv4 - and IPv6 family. If \"auto\" is configured, the DNS - resolver will first perform a lookup for addresses - in the IPv6 family and fallback to a lookup for addresses - in the IPv4 family. If not specified, the Contour-wide - setting defined in the config file or ContourConfiguration - applies (defaults to \"auto\"). \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily - for more information." + description: |- + The DNS IP address resolution policy for the JWKS URI. + When configured as "v4", the DNS resolver will only perform a lookup + for addresses in the IPv4 family. If "v6" is configured, the DNS resolver + will only perform a lookup for addresses in the IPv6 family. + If "all" is configured, the DNS resolver + will perform a lookup for addresses in both the IPv4 and IPv6 family. + If "auto" is configured, the DNS resolver will first perform a lookup + for addresses in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. If not specified, the Contour-wide setting defined + in the config file or ContourConfiguration applies (defaults to "auto"). + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. enum: - auto - v4 - v6 type: string timeout: - description: How long to wait for a response from the - URI. If not specified, a default of 1s applies. + description: |- + How long to wait for a response from the URI. + If not specified, a default of 1s applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ type: string uri: @@ -7446,31 +7519,26 @@ spec: the JWKS's TLS certificate. properties: caSecret: - description: Name or namespaced name of the Kubernetes - secret used to validate the certificate presented - by the backend. The secret must contain key named - ca.crt. The name can be optionally prefixed with - namespace "namespace/name". When cross-namespace - reference is used, TLSCertificateDelegation resource - must exist in the namespace to grant access to - the secret. Max length should be the actual max - possible length of a namespaced name (63 + 253 - + 1 = 317) + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) maxLength: 317 minLength: 1 type: string subjectName: - description: 'Key which is expected to be present - in the ''subjectAltName'' of the presented certificate. - Deprecated: migrate to using the plural field - subjectNames.' + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. maxLength: 250 minLength: 1 type: string subjectNames: - description: List of keys, of which at least one - is expected to be present in the 'subjectAltName - of the presented certificate. + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the + presented certificate. items: type: string maxItems: 8 @@ -7497,15 +7565,16 @@ spec: description: The policy for rate limiting on the virtual host. properties: global: - description: Global defines global rate limiting parameters, - i.e. parameters defining descriptors that are sent to an - external rate limit service (RLS) for a rate limit decision - on each request. + description: |- + Global defines global rate limiting parameters, i.e. parameters + defining descriptors that are sent to an external rate limit + service (RLS) for a rate limit decision on each request. properties: descriptors: - description: Descriptors defines the list of descriptors - that will be generated and sent to the rate limit service. - Each descriptor contains 1+ key-value pair entries. + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries. items: description: RateLimitDescriptor defines a list of key-value pair generators. @@ -7514,18 +7583,18 @@ spec: description: Entries is the list of key-value pair generators. items: - description: RateLimitDescriptorEntry is a key-value - pair generator. Exactly one field on this struct - must be non-nil. + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. properties: genericKey: description: GenericKey defines a descriptor entry with a static key and value. properties: key: - description: Key defines the key of the - descriptor entry. If not set, the key - is set to "generic_key". + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". type: string value: description: Value defines the value of @@ -7534,17 +7603,15 @@ spec: type: string type: object remoteAddress: - description: RemoteAddress defines a descriptor - entry with a key of "remote_address" and - a value equal to the client's IP address - (from x-forwarded-for). + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). type: object requestHeader: - description: RequestHeader defines a descriptor - entry that's populated only if a given header - is present on the request. The descriptor - key is static, and the descriptor value - is equal to the value of the header. + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. properties: descriptorKey: description: DescriptorKey defines the @@ -7558,42 +7625,36 @@ spec: type: string type: object requestHeaderValueMatch: - description: RequestHeaderValueMatch defines - a descriptor entry that's populated if the - request's headers match a set of 1+ match - criteria. The descriptor key is "header_match", - and the descriptor value is static. + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. properties: expectMatch: default: true - description: ExpectMatch defines whether - the request must positively match the - match criteria in order to generate - a descriptor entry (i.e. true), or not - match the match criteria in order to - generate a descriptor entry (i.e. false). + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). The default is true. type: boolean headers: - description: Headers is a list of 1+ match - criteria to apply against the request - to determine whether to populate the - descriptor entry or not. + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. items: - description: HeaderMatchCondition specifies - how to conditionally match against - HTTP headers. The Name field is required, - only one of Present, NotPresent, Contains, - NotContains, Exact, NotExact and Regex - can be set. For negative matching - rules only (e.g. NotContains or NotExact) - you can set TreatMissingAsEmpty. IgnoreCase - has no effect for Regex. + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex. properties: contains: - description: Contains specifies - a substring that must be present - in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string @@ -7601,61 +7662,49 @@ spec: equal to. type: string ignoreCase: - description: IgnoreCase specifies - that string matching should be - case insensitive. Note that this - has no effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of - the header to match against. Name - is required. Header names are - case insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies - a substring that must not be present + description: |- + NotContains specifies a substring that must not be present in the header value. type: string notexact: - description: NoExact specifies a - string that the header value must - not be equal to. The condition - is true if the header has any - other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies - that condition is true when the - named header is not present. Note - that setting NotPresent to false - does not make the condition true - if the named header is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that - condition is true when the named - header is present, regardless - of its value. Note that setting - Present to false does not make - the condition true if the named - header is absent. + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. type: boolean regex: - description: Regex specifies a regular - expression pattern that must match - the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty - specifies if the header match - rule specified header does not - exist, this header value will - be treated as empty. Defaults - to false. Unlike the underlying - Envoy implementation this is **only** - supported for negative matches - (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -7675,31 +7724,34 @@ spec: minItems: 1 type: array disabled: - description: Disabled configures the HTTPProxy to not - use the default global rate limit policy defined by - the Contour configuration. + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. type: boolean type: object local: - description: Local defines local rate limiting parameters, - i.e. parameters for rate limiting that occurs within each - Envoy pod as requests are handled. + description: |- + Local defines local rate limiting parameters, i.e. parameters + for rate limiting that occurs within each Envoy pod as requests + are handled. properties: burst: - description: Burst defines the number of requests above - the requests per unit that should be allowed within - a short period of time. + description: |- + Burst defines the number of requests above the requests per + unit that should be allowed within a short period of time. format: int32 type: integer requests: - description: Requests defines how many requests per unit - of time should be allowed before rate limiting occurs. + description: |- + Requests defines how many requests per unit of time should + be allowed before rate limiting occurs. format: int32 minimum: 1 type: integer responseHeadersToAdd: - description: ResponseHeadersToAdd is an optional list - of response headers to set when a request is rate-limited. + description: |- + ResponseHeadersToAdd is an optional list of response headers to + set when a request is rate-limited. items: description: HeaderValue represents a header name/value pair @@ -7719,18 +7771,20 @@ spec: type: object type: array responseStatusCode: - description: ResponseStatusCode is the HTTP status code - to use for responses to rate-limited requests. Codes - must be in the 400-599 range (inclusive). If not specified, - the Envoy default of 429 (Too Many Requests) is used. + description: |- + ResponseStatusCode is the HTTP status code to use for responses + to rate-limited requests. Codes must be in the 400-599 range + (inclusive). If not specified, the Envoy default of 429 (Too + Many Requests) is used. format: int32 maximum: 599 minimum: 400 type: integer unit: - description: Unit defines the period of time within which - requests over the limit will be rate limited. Valid - values are "second", "minute" and "hour". + description: |- + Unit defines the period of time within which requests + over the limit will be rate limited. Valid values are + "second", "minute" and "hour". enum: - second - minute @@ -7742,57 +7796,56 @@ spec: type: object type: object tls: - description: If present the fields describes TLS properties of - the virtual host. The SNI names that will be matched on are - described in fqdn, the tls.secretName secret must contain a - certificate that itself contains a name that matches the FQDN. + description: |- + If present the fields describes TLS properties of the virtual + host. The SNI names that will be matched on are described in fqdn, + the tls.secretName secret must contain a certificate that itself + contains a name that matches the FQDN. properties: clientValidation: - description: "ClientValidation defines how to verify the client - certificate when an external client establishes a TLS connection - to Envoy. \n This setting: \n 1. Enables TLS client certificate - validation. 2. Specifies how the client certificate will - be validated (i.e. validation required or skipped). \n Note: - Setting client certificate validation to be skipped should - be only used in conjunction with an external authorization - server that performs client validation as Contour will ensure - client certificates are passed along." + description: |- + ClientValidation defines how to verify the client certificate + when an external client establishes a TLS connection to Envoy. + This setting: + 1. Enables TLS client certificate validation. + 2. Specifies how the client certificate will be validated (i.e. + validation required or skipped). + Note: Setting client certificate validation to be skipped should + be only used in conjunction with an external authorization server that + performs client validation as Contour will ensure client certificates + are passed along. properties: caSecret: - description: Name of a Kubernetes secret that contains - a CA certificate bundle. The secret must contain key - named ca.crt. The client certificate must validate against - the certificates in the bundle. If specified and SkipClientCertValidation - is true, client certificates will be required on requests. + description: |- + Name of a Kubernetes secret that contains a CA certificate bundle. + The secret must contain key named ca.crt. + The client certificate must validate against the certificates in the bundle. + If specified and SkipClientCertValidation is true, client certificates will + be required on requests. The name can be optionally prefixed with namespace "namespace/name". - When cross-namespace reference is used, TLSCertificateDelegation - resource must exist in the namespace to grant access - to the secret. + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. minLength: 1 type: string crlOnlyVerifyLeafCert: - description: If this option is set to true, only the certificate - at the end of the certificate chain will be subject - to validation by CRL. + description: |- + If this option is set to true, only the certificate at the end of the + certificate chain will be subject to validation by CRL. type: boolean crlSecret: - description: Name of a Kubernetes opaque secret that contains - a concatenated list of PEM encoded CRLs. The secret - must contain key named crl.pem. This field will be used - to verify that a client certificate has not been revoked. - CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert - is true. Large CRL lists are not supported since individual - secrets are limited to 1MiB in size. The name can be - optionally prefixed with namespace "namespace/name". - When cross-namespace reference is used, TLSCertificateDelegation - resource must exist in the namespace to grant access - to the secret. + description: |- + Name of a Kubernetes opaque secret that contains a concatenated list of PEM encoded CRLs. + The secret must contain key named crl.pem. + This field will be used to verify that a client certificate has not been revoked. + CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert is true. + Large CRL lists are not supported since individual secrets are limited to 1MiB in size. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. minLength: 1 type: string forwardClientCertificate: - description: ForwardClientCertificate adds the selected - data from the passed client TLS certificate to the x-forwarded-client-cert - header. + description: |- + ForwardClientCertificate adds the selected data from the passed client TLS certificate + to the x-forwarded-client-cert header. properties: cert: description: Client cert in URL encoded PEM format. @@ -7814,55 +7867,56 @@ spec: type: boolean type: object optionalClientCertificate: - description: OptionalClientCertificate when set to true - will request a client certificate but allow the connection - to continue if the client does not provide one. If a - client certificate is sent, it will be verified according - to the other properties, which includes disabling validation - if SkipClientCertValidation is set. Defaults to false. + description: |- + OptionalClientCertificate when set to true will request a client certificate + but allow the connection to continue if the client does not provide one. + If a client certificate is sent, it will be verified according to the + other properties, which includes disabling validation if + SkipClientCertValidation is set. Defaults to false. type: boolean skipClientCertValidation: - description: SkipClientCertValidation disables downstream - client certificate validation. Defaults to false. This - field is intended to be used in conjunction with external - authorization in order to enable the external authorization - server to validate client certificates. When this field - is set to true, client certificates are requested but - not verified by Envoy. If CACertificate is specified, - client certificates are required on requests, but not - verified. If external authorization is in use, they - are presented to the external authorization server. + description: |- + SkipClientCertValidation disables downstream client certificate + validation. Defaults to false. This field is intended to be used in + conjunction with external authorization in order to enable the external + authorization server to validate client certificates. When this field + is set to true, client certificates are requested but not verified by + Envoy. If CACertificate is specified, client certificates are required on + requests, but not verified. If external authorization is in use, they are + presented to the external authorization server. type: boolean type: object enableFallbackCertificate: - description: EnableFallbackCertificate defines if the vhost - should allow a default certificate to be applied which handles - all requests which don't match the SNI defined in this vhost. + description: |- + EnableFallbackCertificate defines if the vhost should allow a default certificate to + be applied which handles all requests which don't match the SNI defined in this vhost. type: boolean maximumProtocolVersion: - description: MaximumProtocolVersion is the maximum TLS version - this vhost should negotiate. Valid options are `1.2` and - `1.3` (default). Any other value defaults to TLS 1.3. + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. Valid options are `1.2` and `1.3` (default). Any other value + defaults to TLS 1.3. type: string minimumProtocolVersion: - description: MinimumProtocolVersion is the minimum TLS version - this vhost should negotiate. Valid options are `1.2` (default) - and `1.3`. Any other value defaults to TLS 1.2. + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. Valid options are `1.2` (default) and `1.3`. Any other value + defaults to TLS 1.2. type: string passthrough: - description: Passthrough defines whether the encrypted TLS - handshake will be passed through to the backing cluster. - Either Passthrough or SecretName must be specified, but - not both. + description: |- + Passthrough defines whether the encrypted TLS handshake will be + passed through to the backing cluster. Either Passthrough or + SecretName must be specified, but not both. type: boolean secretName: - description: SecretName is the name of a TLS secret. Either - SecretName or Passthrough must be specified, but not both. + description: |- + SecretName is the name of a TLS secret. + Either SecretName or Passthrough must be specified, but not both. If specified, the named secret must contain a matching certificate - for the virtual host's FQDN. The name can be optionally - prefixed with namespace "namespace/name". When cross-namespace - reference is used, TLSCertificateDelegation resource must - exist in the namespace to grant access to the secret. + for the virtual host's FQDN. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. type: string type: object required: @@ -7877,75 +7931,67 @@ spec: HTTPProxy. properties: conditions: - description: "Conditions contains information about the current status - of the HTTPProxy, in an upstream-friendly container. \n Contour - will update a single condition, `Valid`, that is in normal-true - polarity. That is, when `currentStatus` is `valid`, the `Valid` - condition will be `status: true`, and vice versa. \n Contour will - leave untouched any other Conditions set in this block, in case - some other controller wants to add a Condition. \n If you are another - controller owner and wish to add a condition, you *should* namespace - your condition with a label, like `controller.domain.com/ConditionName`." + description: |- + Conditions contains information about the current status of the HTTPProxy, + in an upstream-friendly container. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + That is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`, + and vice versa. + Contour will leave untouched any other Conditions set in this block, + in case some other controller wants to add a Condition. + If you are another controller owner and wish to add a condition, you *should* + namespace your condition with a label, like `controller.domain.com/ConditionName`. items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. - \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. \n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. properties: errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -7959,10 +8005,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -7974,32 +8020,31 @@ spec: type: object type: array lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -8013,43 +8058,42 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -8063,10 +8107,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -8097,48 +8141,49 @@ spec: balancer. properties: ingress: - description: Ingress is a list containing ingress points for the - load-balancer. Traffic intended for the service should be sent - to these ingress points. + description: |- + Ingress is a list containing ingress points for the load-balancer. + Traffic intended for the service should be sent to these ingress points. items: - description: 'LoadBalancerIngress represents the status of a - load-balancer ingress point: traffic intended for the service - should be sent to an ingress point.' + description: |- + LoadBalancerIngress represents the status of a load-balancer ingress point: + traffic intended for the service should be sent to an ingress point. properties: hostname: - description: Hostname is set for load-balancer ingress points - that are DNS based (typically AWS load-balancers) + description: |- + Hostname is set for load-balancer ingress points that are DNS based + (typically AWS load-balancers) type: string ip: - description: IP is set for load-balancer ingress points - that are IP based (typically GCE or OpenStack load-balancers) + description: |- + IP is set for load-balancer ingress points that are IP based + (typically GCE or OpenStack load-balancers) type: string ipMode: - description: IPMode specifies how the load-balancer IP behaves, - and may only be specified when the ip field is specified. - Setting this to "VIP" indicates that traffic is delivered - to the node with the destination set to the load-balancer's - IP and port. Setting this to "Proxy" indicates that traffic - is delivered to the node or pod with the destination set - to the node's IP and node port or the pod's IP and port. - Service implementations may use this information to adjust - traffic routing. + description: |- + IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified. + Setting this to "VIP" indicates that traffic is delivered to the node with + the destination set to the load-balancer's IP and port. + Setting this to "Proxy" indicates that traffic is delivered to the node or pod with + the destination set to the node's IP and node port or the pod's IP and port. + Service implementations may use this information to adjust traffic routing. type: string ports: - description: Ports is a list of records of service ports - If used, every port defined in the service should have - an entry in it + description: |- + Ports is a list of records of service ports + If used, every port defined in the service should have an entry in it items: properties: error: - description: 'Error is to record the problem with - the service port The format of the error shall comply - with the following rules: - built-in error values - shall be specified in this file and those shall - use CamelCase names - cloud provider specific error - values must have names that comply with the format - foo.example.com/CamelCase. --- The regex it matches - is (dns1123SubdomainFmt/)?(qualifiedNameFmt)' + description: |- + Error is to record the problem with the service port + The format of the error shall comply with the following rules: + - built-in error values shall be specified in this file and those shall use + CamelCase names + - cloud provider specific error values must have names that comply with the + format foo.example.com/CamelCase. + --- + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -8149,9 +8194,9 @@ spec: type: integer protocol: default: TCP - description: 'Protocol is the protocol of the service - port of which status is recorded here The supported - values are: "TCP", "UDP", "SCTP"' + description: |- + Protocol is the protocol of the service port of which status is recorded here + The supported values are: "TCP", "UDP", "SCTP" type: string required: - port @@ -8176,7 +8221,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: tlscertificatedelegations.projectcontour.io spec: preserveUnknownFields: false @@ -8193,18 +8238,24 @@ spec: - name: v1 schema: openAPIV3Schema: - description: TLSCertificateDelegation is an TLS Certificate Delegation CRD - specification. See design/tls-certificate-delegation.md for details. + description: |- + TLSCertificateDelegation is an TLS Certificate Delegation CRD specification. + See design/tls-certificate-delegation.md for details. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -8213,18 +8264,20 @@ spec: properties: delegations: items: - description: CertificateDelegation maps the authority to reference - a secret in the current namespace to a set of namespaces. + description: |- + CertificateDelegation maps the authority to reference a secret + in the current namespace to a set of namespaces. properties: secretName: description: required, the name of a secret in the current namespace. type: string targetNamespaces: - description: required, the namespaces the authority to reference - the secret will be delegated to. If TargetNamespaces is nil - or empty, the CertificateDelegation' is ignored. If the TargetNamespace - list contains the character, "*" the secret will be delegated - to all namespaces. + description: |- + required, the namespaces the authority to reference the + secret will be delegated to. + If TargetNamespaces is nil or empty, the CertificateDelegation' + is ignored. If the TargetNamespace list contains the character, "*" + the secret will be delegated to all namespaces. items: type: string type: array @@ -8237,79 +8290,72 @@ spec: - delegations type: object status: - description: TLSCertificateDelegationStatus allows for the status of the - delegation to be presented to the user. + description: |- + TLSCertificateDelegationStatus allows for the status of the delegation + to be presented to the user. properties: conditions: - description: "Conditions contains information about the current status - of the HTTPProxy, in an upstream-friendly container. \n Contour - will update a single condition, `Valid`, that is in normal-true - polarity. That is, when `currentStatus` is `valid`, the `Valid` - condition will be `status: true`, and vice versa. \n Contour will - leave untouched any other Conditions set in this block, in case - some other controller wants to add a Condition. \n If you are another - controller owner and wish to add a condition, you *should* namespace - your condition with a label, like `controller.domain.com\\ConditionName`." + description: |- + Conditions contains information about the current status of the HTTPProxy, + in an upstream-friendly container. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + That is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`, + and vice versa. + Contour will leave untouched any other Conditions set in this block, + in case some other controller wants to add a Condition. + If you are another controller owner and wish to add a condition, you *should* + namespace your condition with a label, like `controller.domain.com\ConditionName`. items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. - \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. \n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. properties: errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -8323,10 +8369,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -8338,32 +8384,31 @@ spec: type: object type: array lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -8377,43 +8422,42 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -8427,10 +8471,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml index 7eedc8dd230..ed807e79e0d 100644 --- a/examples/render/contour-deployment.yaml +++ b/examples/render/contour-deployment.yaml @@ -222,7 +222,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: contourconfigurations.projectcontour.io spec: preserveUnknownFields: false @@ -242,47 +242,59 @@ spec: description: ContourConfiguration is the schema for a Contour instance. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: ContourConfigurationSpec represents a configuration of a - Contour controller. It contains most of all the options that can be - customized, the other remaining options being command line flags. + description: |- + ContourConfigurationSpec represents a configuration of a Contour controller. + It contains most of all the options that can be customized, the + other remaining options being command line flags. properties: debug: - description: Debug contains parameters to enable debug logging and - debug interfaces inside Contour. + description: |- + Debug contains parameters to enable debug logging + and debug interfaces inside Contour. properties: address: - description: "Defines the Contour debug address interface. \n - Contour's default is \"127.0.0.1\"." + description: |- + Defines the Contour debug address interface. + Contour's default is "127.0.0.1". type: string port: - description: "Defines the Contour debug address port. \n Contour's - default is 6060." + description: |- + Defines the Contour debug address port. + Contour's default is 6060. type: integer type: object enableExternalNameService: - description: "EnableExternalNameService allows processing of ExternalNameServices - \n Contour's default is false for security reasons." + description: |- + EnableExternalNameService allows processing of ExternalNameServices + Contour's default is false for security reasons. type: boolean envoy: - description: Envoy contains parameters for Envoy as well as how to - optionally configure a managed Envoy fleet. + description: |- + Envoy contains parameters for Envoy as well + as how to optionally configure a managed Envoy fleet. properties: clientCertificate: - description: ClientCertificate defines the namespace/name of the - Kubernetes secret containing the client certificate and private - key to be used when establishing TLS connection to upstream + description: |- + ClientCertificate defines the namespace/name of the Kubernetes + secret containing the client certificate and private key + to be used when establishing TLS connection to upstream cluster. properties: name: @@ -294,13 +306,14 @@ spec: - namespace type: object cluster: - description: Cluster holds various configurable Envoy cluster - values that can be set in the config file. + description: |- + Cluster holds various configurable Envoy cluster values that can + be set in the config file. properties: circuitBreakers: - description: GlobalCircuitBreakerDefaults specifies default - circuit breaker budget across all services. If defined, - this will be used as the default for all services. + description: |- + GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services. + If defined, this will be used as the default for all services. properties: maxConnections: description: The maximum number of connections that a @@ -328,34 +341,36 @@ spec: type: integer type: object dnsLookupFamily: - description: "DNSLookupFamily defines how external names are - looked up When configured as V4, the DNS resolver will only - perform a lookup for addresses in the IPv4 family. If V6 - is configured, the DNS resolver will only perform a lookup - for addresses in the IPv6 family. If AUTO is configured, - the DNS resolver will first perform a lookup for addresses - in the IPv6 family and fallback to a lookup for addresses - in the IPv4 family. If ALL is specified, the DNS resolver - will perform a lookup for both IPv4 and IPv6 families, and - return all resolved addresses. When this is used, Happy - Eyeballs will be enabled for upstream connections. Refer - to Happy Eyeballs Support for more information. Note: This - only applies to externalName clusters. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily - for more information. \n Values: `auto` (default), `v4`, - `v6`, `all`. \n Other values will produce an error." + description: |- + DNSLookupFamily defines how external names are looked up + When configured as V4, the DNS resolver will only perform a lookup + for addresses in the IPv4 family. If V6 is configured, the DNS resolver + will only perform a lookup for addresses in the IPv6 family. + If AUTO is configured, the DNS resolver will first perform a lookup + for addresses in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for + both IPv4 and IPv6 families, and return all resolved addresses. + When this is used, Happy Eyeballs will be enabled for upstream connections. + Refer to Happy Eyeballs Support for more information. + Note: This only applies to externalName clusters. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. + Values: `auto` (default), `v4`, `v6`, `all`. + Other values will produce an error. type: string maxRequestsPerConnection: - description: Defines the maximum requests for upstream connections. - If not specified, there is no limit. see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + description: |- + Defines the maximum requests for upstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions for more information. format: int32 minimum: 1 type: integer per-connection-buffer-limit-bytes: - description: Defines the soft limit on size of the cluster’s - new connection read and write buffers in bytes. If unspecified, - an implementation defined default is applied (1MiB). see - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes + description: |- + Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes for more information. format: int32 minimum: 1 @@ -365,59 +380,73 @@ spec: for upstream connections properties: cipherSuites: - description: "CipherSuites defines the TLS ciphers to - be supported by Envoy TLS listeners when negotiating - TLS 1.2. Ciphers are validated against the set that - Envoy supports by default. This parameter should only - be used by advanced users. Note that these will be ignored - when TLS 1.3 is in use. \n This field is optional; when - it is undefined, a Contour-managed ciphersuite list + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list will be used, which may be updated to keep it secure. - \n Contour's default list is: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" - \n Ciphers provided are validated against the following - list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" - - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" - - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" - - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - - \"AES256-SHA\" \n Contour recommends leaving this undefined - unless you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters - Note: This list is a superset of what is valid for stock - Envoy builds and those using BoringSSL FIPS." + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. items: type: string type: array maximumProtocolVersion: - description: "MaximumProtocolVersion is the maximum TLS - version this vhost should negotiate. \n Values: `1.2`, - `1.3`(default). \n Other values will produce an error." + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. type: string minimumProtocolVersion: - description: "MinimumProtocolVersion is the minimum TLS - version this vhost should negotiate. \n Values: `1.2` - (default), `1.3`. \n Other values will produce an error." + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. type: string type: object type: object defaultHTTPVersions: - description: "DefaultHTTPVersions defines the default set of HTTPS - versions the proxy should accept. HTTP versions are strings - of the form \"HTTP/xx\". Supported versions are \"HTTP/1.1\" - and \"HTTP/2\". \n Values: `HTTP/1.1`, `HTTP/2` (default: both). - \n Other values will produce an error." + description: |- + DefaultHTTPVersions defines the default set of HTTPS + versions the proxy should accept. HTTP versions are + strings of the form "HTTP/xx". Supported versions are + "HTTP/1.1" and "HTTP/2". + Values: `HTTP/1.1`, `HTTP/2` (default: both). + Other values will produce an error. items: description: HTTPVersionType is the name of a supported HTTP version. type: string type: array health: - description: "Health defines the endpoint Envoy uses to serve - health checks. \n Contour's default is { address: \"0.0.0.0\", - port: 8002 }." + description: |- + Health defines the endpoint Envoy uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8002 }. properties: address: description: Defines the health address interface. @@ -428,9 +457,9 @@ spec: type: integer type: object http: - description: "Defines the HTTP Listener for Envoy. \n Contour's - default is { address: \"0.0.0.0\", port: 8080, accessLog: \"/dev/stdout\" - }." + description: |- + Defines the HTTP Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }. properties: accessLog: description: AccessLog defines where Envoy logs are outputted @@ -445,9 +474,9 @@ spec: type: integer type: object https: - description: "Defines the HTTPS Listener for Envoy. \n Contour's - default is { address: \"0.0.0.0\", port: 8443, accessLog: \"/dev/stdout\" - }." + description: |- + Defines the HTTPS Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }. properties: accessLog: description: AccessLog defines where Envoy logs are outputted @@ -466,106 +495,103 @@ spec: values. properties: connectionBalancer: - description: "ConnectionBalancer. If the value is exact, the - listener will use the exact connection balancer See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig - for more information. \n Values: (empty string): use the - default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. - \n Other values will produce an error." + description: |- + ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer + See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig + for more information. + Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. + Other values will produce an error. type: string disableAllowChunkedLength: - description: "DisableAllowChunkedLength disables the RFC-compliant - Envoy behavior to strip the \"Content-Length\" header if - \"Transfer-Encoding: chunked\" is also set. This is an emergency - off-switch to revert back to Envoy's default behavior in - case of failures. Please file an issue if failures are encountered. + description: |- + DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to + strip the "Content-Length" header if "Transfer-Encoding: chunked" is + also set. This is an emergency off-switch to revert back to Envoy's + default behavior in case of failures. Please file an issue if failures + are encountered. See: https://github.com/projectcontour/contour/issues/3221 - \n Contour's default is false." + Contour's default is false. type: boolean disableMergeSlashes: - description: "DisableMergeSlashes disables Envoy's non-standard - merge_slashes path transformation option which strips duplicate - slashes from request URL paths. \n Contour's default is - false." + description: |- + DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option + which strips duplicate slashes from request URL paths. + Contour's default is false. type: boolean httpMaxConcurrentStreams: - description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS - Envoy will advertise in the SETTINGS frame in HTTP/2 connections - and the limit for concurrent streams allowed for a peer - on a single HTTP/2 connection. It is recommended to not - set this lower than 100 but this field can be used to bound - resource usage by HTTP/2 connections and mitigate attacks - like CVE-2023-44487. The default value when this is not - set is unlimited. + description: |- + Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the + SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed + for a peer on a single HTTP/2 connection. It is recommended to not set this lower + than 100 but this field can be used to bound resource usage by HTTP/2 connections + and mitigate attacks like CVE-2023-44487. The default value when this is not set is + unlimited. format: int32 minimum: 1 type: integer maxConnectionsPerListener: - description: Defines the limit on number of active connections - to a listener. The limit is applied per listener. The default - value when this is not set is unlimited. + description: |- + Defines the limit on number of active connections to a listener. The limit is applied + per listener. The default value when this is not set is unlimited. format: int32 minimum: 1 type: integer maxRequestsPerConnection: - description: Defines the maximum requests for downstream connections. - If not specified, there is no limit. see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + description: |- + Defines the maximum requests for downstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions for more information. format: int32 minimum: 1 type: integer maxRequestsPerIOCycle: - description: Defines the limit on number of HTTP requests - that Envoy will process from a single connection in a single - I/O cycle. Requests over this limit are processed in subsequent - I/O cycles. Can be used as a mitigation for CVE-2023-44487 - when abusive traffic is detected. Configures the http.max_requests_per_io_cycle - Envoy runtime setting. The default value when this is not - set is no limit. + description: |- + Defines the limit on number of HTTP requests that Envoy will process from a single + connection in a single I/O cycle. Requests over this limit are processed in subsequent + I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is + detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default + value when this is not set is no limit. format: int32 minimum: 1 type: integer per-connection-buffer-limit-bytes: - description: Defines the soft limit on size of the listener’s - new connection read and write buffers in bytes. If unspecified, - an implementation defined default is applied (1MiB). see - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes + description: |- + Defines the soft limit on size of the listener’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes for more information. format: int32 minimum: 1 type: integer serverHeaderTransformation: - description: "Defines the action to be applied to the Server - header on the response path. When configured as overwrite, - overwrites any Server header with \"envoy\". When configured - as append_if_absent, if a Server header is present, pass - it through, otherwise set it to \"envoy\". When configured - as pass_through, pass through the value of the Server header, - and do not append a header if none is present. \n Values: - `overwrite` (default), `append_if_absent`, `pass_through` - \n Other values will produce an error. Contour's default - is overwrite." + description: |- + Defines the action to be applied to the Server header on the response path. + When configured as overwrite, overwrites any Server header with "envoy". + When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy". + When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. + Values: `overwrite` (default), `append_if_absent`, `pass_through` + Other values will produce an error. + Contour's default is overwrite. type: string socketOptions: - description: SocketOptions defines configurable socket options - for the listeners. Single set of options are applied to - all listeners. + description: |- + SocketOptions defines configurable socket options for the listeners. + Single set of options are applied to all listeners. properties: tos: - description: Defines the value for IPv4 TOS field (including - 6 bit DSCP field) for IP packets originating from Envoy - listeners. Single value is applied to all listeners. - If listeners are bound to IPv6-only addresses, setting - this option will cause an error. + description: |- + Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv6-only addresses, setting this option will cause an error. format: int32 maximum: 255 minimum: 0 type: integer trafficClass: - description: Defines the value for IPv6 Traffic Class - field (including 6 bit DSCP field) for IP packets originating - from the Envoy listeners. Single value is applied to - all listeners. If listeners are bound to IPv4-only addresses, - setting this option will cause an error. + description: |- + Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv4-only addresses, setting this option will cause an error. format: int32 maximum: 255 minimum: 0 @@ -576,79 +602,93 @@ spec: values. properties: cipherSuites: - description: "CipherSuites defines the TLS ciphers to - be supported by Envoy TLS listeners when negotiating - TLS 1.2. Ciphers are validated against the set that - Envoy supports by default. This parameter should only - be used by advanced users. Note that these will be ignored - when TLS 1.3 is in use. \n This field is optional; when - it is undefined, a Contour-managed ciphersuite list + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list will be used, which may be updated to keep it secure. - \n Contour's default list is: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" - \n Ciphers provided are validated against the following - list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" - - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" - - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" - - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - - \"AES256-SHA\" \n Contour recommends leaving this undefined - unless you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters - Note: This list is a superset of what is valid for stock - Envoy builds and those using BoringSSL FIPS." + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. items: type: string type: array maximumProtocolVersion: - description: "MaximumProtocolVersion is the maximum TLS - version this vhost should negotiate. \n Values: `1.2`, - `1.3`(default). \n Other values will produce an error." + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. type: string minimumProtocolVersion: - description: "MinimumProtocolVersion is the minimum TLS - version this vhost should negotiate. \n Values: `1.2` - (default), `1.3`. \n Other values will produce an error." + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. type: string type: object useProxyProtocol: - description: "Use PROXY protocol for all listeners. \n Contour's - default is false." + description: |- + Use PROXY protocol for all listeners. + Contour's default is false. type: boolean type: object logging: description: Logging defines how Envoy's logs can be configured. properties: accessLogFormat: - description: "AccessLogFormat sets the global access log format. - \n Values: `envoy` (default), `json`. \n Other values will - produce an error." + description: |- + AccessLogFormat sets the global access log format. + Values: `envoy` (default), `json`. + Other values will produce an error. type: string accessLogFormatString: - description: AccessLogFormatString sets the access log format - when format is set to `envoy`. When empty, Envoy's default - format is used. + description: |- + AccessLogFormatString sets the access log format when format is set to `envoy`. + When empty, Envoy's default format is used. type: string accessLogJSONFields: - description: AccessLogJSONFields sets the fields that JSON - logging will output when AccessLogFormat is json. + description: |- + AccessLogJSONFields sets the fields that JSON logging will + output when AccessLogFormat is json. items: type: string type: array accessLogLevel: - description: "AccessLogLevel sets the verbosity level of the - access log. \n Values: `info` (default, all requests are - logged), `error` (all non-success requests, i.e. 300+ response - code, are logged), `critical` (all 5xx requests are logged) - and `disabled`. \n Other values will produce an error." + description: |- + AccessLogLevel sets the verbosity level of the access log. + Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`. + Other values will produce an error. type: string type: object metrics: - description: "Metrics defines the endpoint Envoy uses to serve - metrics. \n Contour's default is { address: \"0.0.0.0\", port: - 8002 }." + description: |- + Metrics defines the endpoint Envoy uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8002 }. properties: address: description: Defines the metrics address interface. @@ -659,9 +699,9 @@ spec: description: Defines the metrics port. type: integer tls: - description: TLS holds TLS file config details. Metrics and - health endpoints cannot have same port number when metrics - is served over HTTPS. + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. properties: caFile: description: CA filename. @@ -679,23 +719,26 @@ spec: values. properties: adminPort: - description: "Configure the port used to access the Envoy - Admin interface. If configured to port \"0\" then the admin - interface is disabled. \n Contour's default is 9001." + description: |- + Configure the port used to access the Envoy Admin interface. + If configured to port "0" then the admin interface is disabled. + Contour's default is 9001. type: integer numTrustedHops: - description: "XffNumTrustedHops defines the number of additional - ingress proxy hops from the right side of the x-forwarded-for - HTTP header to trust when determining the origin client’s - IP address. \n See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops - for more information. \n Contour's default is 0." + description: |- + XffNumTrustedHops defines the number of additional ingress proxy hops from the + right side of the x-forwarded-for HTTP header to trust when determining the origin + client’s IP address. + See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops + for more information. + Contour's default is 0. format: int32 type: integer type: object service: - description: "Service holds Envoy service parameters for setting - Ingress status. \n Contour's default is { namespace: \"projectcontour\", - name: \"envoy\" }." + description: |- + Service holds Envoy service parameters for setting Ingress status. + Contour's default is { namespace: "projectcontour", name: "envoy" }. properties: name: type: string @@ -706,93 +749,101 @@ spec: - namespace type: object timeouts: - description: Timeouts holds various configurable timeouts that - can be set in the config file. + description: |- + Timeouts holds various configurable timeouts that can + be set in the config file. properties: connectTimeout: - description: "ConnectTimeout defines how long the proxy should - wait when establishing connection to upstream service. If - not set, a default value of 2 seconds will be used. \n See - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout - for more information." + description: |- + ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. + If not set, a default value of 2 seconds will be used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout + for more information. type: string connectionIdleTimeout: - description: "ConnectionIdleTimeout defines how long the proxy - should wait while there are no active requests (for HTTP/1.1) - or streams (for HTTP/2) before terminating an HTTP connection. - Set to \"infinity\" to disable the timeout entirely. \n + description: |- + ConnectionIdleTimeout defines how long the proxy should wait while there are + no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating + an HTTP connection. Set to "infinity" to disable the timeout entirely. See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout - for more information." + for more information. type: string connectionShutdownGracePeriod: - description: "ConnectionShutdownGracePeriod defines how long - the proxy will wait between sending an initial GOAWAY frame - and a second, final GOAWAY frame when terminating an HTTP/2 - connection. During this grace period, the proxy will continue - to respond to new streams. After the final GOAWAY frame - has been sent, the proxy will refuse new streams. \n See - https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout - for more information." + description: |- + ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an + initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection. + During this grace period, the proxy will continue to respond to new streams. After the final + GOAWAY frame has been sent, the proxy will refuse new streams. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout + for more information. type: string delayedCloseTimeout: - description: "DelayedCloseTimeout defines how long envoy will - wait, once connection close processing has been initiated, - for the downstream peer to close the connection before Envoy - closes the socket associated with the connection. \n Setting - this timeout to 'infinity' will disable it, equivalent to - setting it to '0' in Envoy. Leaving it unset will result - in the Envoy default value being used. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout - for more information." + description: |- + DelayedCloseTimeout defines how long envoy will wait, once connection + close processing has been initiated, for the downstream peer to close + the connection before Envoy closes the socket associated with the connection. + Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0' + in Envoy. Leaving it unset will result in the Envoy default value being used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout + for more information. type: string maxConnectionDuration: - description: "MaxConnectionDuration defines the maximum period - of time after an HTTP connection has been established from - the client to the proxy before it is closed by the proxy, - regardless of whether there has been activity or not. Omit - or set to \"infinity\" for no max duration. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration - for more information." + description: |- + MaxConnectionDuration defines the maximum period of time after an HTTP connection + has been established from the client to the proxy before it is closed by the proxy, + regardless of whether there has been activity or not. Omit or set to "infinity" for + no max duration. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration + for more information. type: string requestTimeout: - description: "RequestTimeout sets the client request timeout - globally for Contour. Note that this is a timeout for the - entire request, not an idle timeout. Omit or set to \"infinity\" - to disable the timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout - for more information." + description: |- + RequestTimeout sets the client request timeout globally for Contour. Note that + this is a timeout for the entire request, not an idle timeout. Omit or set to + "infinity" to disable the timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout + for more information. type: string streamIdleTimeout: - description: "StreamIdleTimeout defines how long the proxy - should wait while there is no request activity (for HTTP/1.1) - or stream activity (for HTTP/2) before terminating the HTTP - request or stream. Set to \"infinity\" to disable the timeout - entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout - for more information." + description: |- + StreamIdleTimeout defines how long the proxy should wait while there is no + request activity (for HTTP/1.1) or stream activity (for HTTP/2) before + terminating the HTTP request or stream. Set to "infinity" to disable the + timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout + for more information. type: string type: object type: object featureFlags: - description: 'FeatureFlags defines toggle to enable new contour features. - Available toggles are: useEndpointSlices - configures contour to - fetch endpoint data from k8s endpoint slices. defaults to false - and reading endpoint data from the k8s endpoints.' + description: |- + FeatureFlags defines toggle to enable new contour features. + Available toggles are: + useEndpointSlices - configures contour to fetch endpoint data + from k8s endpoint slices. defaults to false and reading endpoint + data from the k8s endpoints. items: type: string type: array gateway: - description: Gateway contains parameters for the gateway-api Gateway - that Contour is configured to serve traffic. + description: |- + Gateway contains parameters for the gateway-api Gateway that Contour + is configured to serve traffic. properties: controllerName: - description: ControllerName is used to determine whether Contour - should reconcile a GatewayClass. The string takes the form of - "projectcontour.io//contour". If unset, the gatewayclass - controller will not be started. Exactly one of ControllerName - or GatewayRef must be set. + description: |- + ControllerName is used to determine whether Contour should reconcile a + GatewayClass. The string takes the form of "projectcontour.io//contour". + If unset, the gatewayclass controller will not be started. + Exactly one of ControllerName or GatewayRef must be set. type: string gatewayRef: - description: GatewayRef defines a specific Gateway that this Contour - instance corresponds to. If set, Contour will reconcile only - this gateway, and will not reconcile any gateway classes. Exactly - one of ControllerName or GatewayRef must be set. + description: |- + GatewayRef defines a specific Gateway that this Contour + instance corresponds to. If set, Contour will reconcile + only this gateway, and will not reconcile any gateway + classes. + Exactly one of ControllerName or GatewayRef must be set. properties: name: type: string @@ -804,26 +855,29 @@ spec: type: object type: object globalExtAuth: - description: GlobalExternalAuthorization allows envoys external authorization - filter to be enabled for all virtual hosts. + description: |- + GlobalExternalAuthorization allows envoys external authorization filter + to be enabled for all virtual hosts. properties: authPolicy: - description: AuthPolicy sets a default authorization policy for - client requests. This policy will be used unless overridden - by individual routes. + description: |- + AuthPolicy sets a default authorization policy for client requests. + This policy will be used unless overridden by individual routes. properties: context: additionalProperties: type: string - description: Context is a set of key/value pairs that are - sent to the authentication server in the check request. - If a context is provided at an enclosing scope, the entries - are merged such that the inner scope overrides matching - keys from the outer scope. + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. type: object disabled: - description: When true, this field disables client request - authentication for the scope of the policy. + description: |- + When true, this field disables client request authentication + for the scope of the policy. type: boolean type: object extensionRef: @@ -831,36 +885,38 @@ spec: that will authorize client requests. properties: apiVersion: - description: API version of the referent. If this field is - not specified, the default "projectcontour.io/v1alpha1" - will be used + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used minLength: 1 type: string name: - description: "Name of the referent. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names minLength: 1 type: string namespace: - description: "Namespace of the referent. If this field is - not specifies, the namespace of the resource that targets - the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ minLength: 1 type: string type: object failOpen: - description: If FailOpen is true, the client request is forwarded - to the upstream service even if the authorization server fails - to respond. This field should not be set in most cases. It is - intended for use only while migrating applications from internal - authorization to Contour external authorization. + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the authorization server fails to respond. This field should not be + set in most cases. It is intended for use only while migrating applications + from internal authorization to Contour external authorization. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time to wait for - a check response from the authorization server. Timeout durations - are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + description: |- + ResponseTimeout configures maximum time to wait for a check response from the authorization server. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no - timeout. + The string "infinity" is also a valid input and specifies no timeout. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string withRequestBody: @@ -885,9 +941,9 @@ spec: type: object type: object health: - description: "Health defines the endpoints Contour uses to serve health - checks. \n Contour's default is { address: \"0.0.0.0\", port: 8000 - }." + description: |- + Health defines the endpoints Contour uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8000 }. properties: address: description: Defines the health address interface. @@ -901,13 +957,15 @@ spec: description: HTTPProxy defines parameters on HTTPProxy. properties: disablePermitInsecure: - description: "DisablePermitInsecure disables the use of the permitInsecure - field in HTTPProxy. \n Contour's default is false." + description: |- + DisablePermitInsecure disables the use of the + permitInsecure field in HTTPProxy. + Contour's default is false. type: boolean fallbackCertificate: - description: FallbackCertificate defines the namespace/name of - the Kubernetes secret to use as fallback when a non-SNI request - is received. + description: |- + FallbackCertificate defines the namespace/name of the Kubernetes secret to + use as fallback when a non-SNI request is received. properties: name: type: string @@ -937,8 +995,9 @@ spec: type: string type: object metrics: - description: "Metrics defines the endpoint Contour uses to serve metrics. - \n Contour's default is { address: \"0.0.0.0\", port: 8000 }." + description: |- + Metrics defines the endpoint Contour uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8000 }. properties: address: description: Defines the metrics address interface. @@ -949,9 +1008,9 @@ spec: description: Defines the metrics port. type: integer tls: - description: TLS holds TLS file config details. Metrics and health - endpoints cannot have same port number when metrics is served - over HTTPS. + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. properties: caFile: description: CA filename. @@ -969,8 +1028,9 @@ spec: by the user properties: applyToIngress: - description: "ApplyToIngress determines if the Policies will apply - to ingress objects \n Contour's default is false." + description: |- + ApplyToIngress determines if the Policies will apply to ingress objects + Contour's default is false. type: boolean requestHeaders: description: RequestHeadersPolicy defines the request headers @@ -1000,17 +1060,19 @@ spec: type: object type: object rateLimitService: - description: RateLimitService optionally holds properties of the Rate - Limit Service to be used for global rate limiting. + description: |- + RateLimitService optionally holds properties of the Rate Limit Service + to be used for global rate limiting. properties: defaultGlobalRateLimitPolicy: - description: DefaultGlobalRateLimitPolicy allows setting a default - global rate limit policy for every HTTPProxy. HTTPProxy can - overwrite this configuration. + description: |- + DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. + HTTPProxy can overwrite this configuration. properties: descriptors: - description: Descriptors defines the list of descriptors that - will be generated and sent to the rate limit service. Each + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each descriptor contains 1+ key-value pair entries. items: description: RateLimitDescriptor defines a list of key-value @@ -1019,17 +1081,18 @@ spec: entries: description: Entries is the list of key-value pair generators. items: - description: RateLimitDescriptorEntry is a key-value - pair generator. Exactly one field on this struct - must be non-nil. + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. properties: genericKey: description: GenericKey defines a descriptor entry with a static key and value. properties: key: - description: Key defines the key of the descriptor - entry. If not set, the key is set to "generic_key". + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". type: string value: description: Value defines the value of the @@ -1038,16 +1101,15 @@ spec: type: string type: object remoteAddress: - description: RemoteAddress defines a descriptor - entry with a key of "remote_address" and a value - equal to the client's IP address (from x-forwarded-for). + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). type: object requestHeader: - description: RequestHeader defines a descriptor - entry that's populated only if a given header - is present on the request. The descriptor key - is static, and the descriptor value is equal - to the value of the header. + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. properties: descriptorKey: description: DescriptorKey defines the key @@ -1061,41 +1123,36 @@ spec: type: string type: object requestHeaderValueMatch: - description: RequestHeaderValueMatch defines a - descriptor entry that's populated if the request's - headers match a set of 1+ match criteria. The - descriptor key is "header_match", and the descriptor - value is static. + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. properties: expectMatch: default: true - description: ExpectMatch defines whether the - request must positively match the match - criteria in order to generate a descriptor - entry (i.e. true), or not match the match - criteria in order to generate a descriptor - entry (i.e. false). The default is true. + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). + The default is true. type: boolean headers: - description: Headers is a list of 1+ match - criteria to apply against the request to - determine whether to populate the descriptor - entry or not. + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. items: - description: HeaderMatchCondition specifies - how to conditionally match against HTTP - headers. The Name field is required, only - one of Present, NotPresent, Contains, - NotContains, Exact, NotExact and Regex - can be set. For negative matching rules - only (e.g. NotContains or NotExact) you - can set TreatMissingAsEmpty. IgnoreCase - has no effect for Regex. + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex. properties: contains: - description: Contains specifies a substring - that must be present in the header - value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string @@ -1103,57 +1160,49 @@ spec: to. type: string ignoreCase: - description: IgnoreCase specifies that - string matching should be case insensitive. - Note that this has no effect on the - Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the - header to match against. Name is required. + description: |- + Name is the name of the header to match against. Name is required. Header names are case insensitive. type: string notcontains: - description: NotContains specifies a - substring that must not be present + description: |- + NotContains specifies a substring that must not be present in the header value. type: string notexact: - description: NoExact specifies a string - that the header value must not be - equal to. The condition is true if - the header has any other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies that - condition is true when the named header - is not present. Note that setting - NotPresent to false does not make - the condition true if the named header - is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that - condition is true when the named header - is present, regardless of its value. - Note that setting Present to false - does not make the condition true if - the named header is absent. + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. type: boolean regex: - description: Regex specifies a regular - expression pattern that must match - the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty specifies - if the header match rule specified - header does not exist, this header - value will be treated as empty. Defaults - to false. Unlike the underlying Envoy - implementation this is **only** supported - for negative matches (e.g. NotContains, - NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -1173,25 +1222,26 @@ spec: minItems: 1 type: array disabled: - description: Disabled configures the HTTPProxy to not use - the default global rate limit policy defined by the Contour - configuration. + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. type: boolean type: object domain: description: Domain is passed to the Rate Limit Service. type: string enableResourceExhaustedCode: - description: EnableResourceExhaustedCode enables translating error - code 429 to grpc code RESOURCE_EXHAUSTED. When disabled it's - translated to UNAVAILABLE + description: |- + EnableResourceExhaustedCode enables translating error code 429 to + grpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE type: boolean enableXRateLimitHeaders: - description: "EnableXRateLimitHeaders defines whether to include - the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining, - and X-RateLimit-Reset (as defined by the IETF Internet-Draft - linked below), on responses to clients when the Rate Limit Service - is consulted for a request. \n ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html" + description: |- + EnableXRateLimitHeaders defines whether to include the X-RateLimit + headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset + (as defined by the IETF Internet-Draft linked below), on responses + to clients when the Rate Limit Service is consulted for a request. + ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html type: boolean extensionService: description: ExtensionService identifies the extension service @@ -1206,9 +1256,10 @@ spec: - namespace type: object failOpen: - description: FailOpen defines whether to allow requests to proceed - when the Rate Limit Service fails to respond with a valid rate - limit decision within the timeout defined on the extension service. + description: |- + FailOpen defines whether to allow requests to proceed when the + Rate Limit Service fails to respond with a valid rate limit + decision within the timeout defined on the extension service. type: boolean required: - extensionService @@ -1221,17 +1272,20 @@ spec: description: CustomTags defines a list of custom tags with unique tag name. items: - description: CustomTag defines custom tags with unique tag name + description: |- + CustomTag defines custom tags with unique tag name to create tags for the active span. properties: literal: - description: Literal is a static custom tag value. Precisely - one of Literal, RequestHeaderName must be set. + description: |- + Literal is a static custom tag value. + Precisely one of Literal, RequestHeaderName must be set. type: string requestHeaderName: - description: RequestHeaderName indicates which request header - the label value is obtained from. Precisely one of Literal, - RequestHeaderName must be set. + description: |- + RequestHeaderName indicates which request header + the label value is obtained from. + Precisely one of Literal, RequestHeaderName must be set. type: string tagName: description: TagName is the unique name of the custom tag. @@ -1253,25 +1307,28 @@ spec: - namespace type: object includePodDetail: - description: 'IncludePodDetail defines a flag. If it is true, - contour will add the pod name and namespace to the span of the - trace. the default is true. Note: The Envoy pods MUST have the - HOSTNAME and CONTOUR_NAMESPACE environment variables set for - this to work properly.' + description: |- + IncludePodDetail defines a flag. + If it is true, contour will add the pod name and namespace to the span of the trace. + the default is true. + Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly. type: boolean maxPathTagLength: - description: MaxPathTagLength defines maximum length of the request - path to extract and include in the HttpUrl tag. contour's default - is 256. + description: |- + MaxPathTagLength defines maximum length of the request path + to extract and include in the HttpUrl tag. + contour's default is 256. format: int32 type: integer overallSampling: - description: OverallSampling defines the sampling rate of trace - data. contour's default is 100. + description: |- + OverallSampling defines the sampling rate of trace data. + contour's default is 100. type: string serviceName: - description: ServiceName defines the name for the service. contour's - default is contour. + description: |- + ServiceName defines the name for the service. + contour's default is contour. type: string required: - extensionService @@ -1280,18 +1337,20 @@ spec: description: XDSServer contains parameters for the xDS server. properties: address: - description: "Defines the xDS gRPC API address which Contour will - serve. \n Contour's default is \"0.0.0.0\"." + description: |- + Defines the xDS gRPC API address which Contour will serve. + Contour's default is "0.0.0.0". minLength: 1 type: string port: - description: "Defines the xDS gRPC API port which Contour will - serve. \n Contour's default is 8001." + description: |- + Defines the xDS gRPC API port which Contour will serve. + Contour's default is 8001. type: integer tls: - description: "TLS holds TLS file config details. \n Contour's - default is { caFile: \"/certs/ca.crt\", certFile: \"/certs/tls.cert\", - keyFile: \"/certs/tls.key\", insecure: false }." + description: |- + TLS holds TLS file config details. + Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }. properties: caFile: description: CA filename. @@ -1307,9 +1366,10 @@ spec: type: string type: object type: - description: "Defines the XDSServer to use for `contour serve`. - \n Values: `contour` (default), `envoy`. \n Other values will - produce an error." + description: |- + Defines the XDSServer to use for `contour serve`. + Values: `contour` (default), `envoy`. + Other values will produce an error. type: string type: object type: object @@ -1318,71 +1378,62 @@ spec: a ContourConfiguration resource. properties: conditions: - description: "Conditions contains the current status of the Contour - resource. \n Contour will update a single condition, `Valid`, that - is in normal-true polarity. \n Contour will not modify any other - Conditions set in this block, in case some other controller wants - to add a Condition." + description: |- + Conditions contains the current status of the Contour resource. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + Contour will not modify any other Conditions set in this block, + in case some other controller wants to add a Condition. items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. - \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. \n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. properties: errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -1396,10 +1447,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -1411,32 +1462,31 @@ spec: type: object type: array lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -1450,43 +1500,42 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -1500,10 +1549,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -1538,7 +1587,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: contourdeployments.projectcontour.io spec: preserveUnknownFields: false @@ -1558,26 +1607,33 @@ spec: description: ContourDeployment is the schema for a Contour Deployment. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: ContourDeploymentSpec specifies options for how a Contour + description: |- + ContourDeploymentSpec specifies options for how a Contour instance should be provisioned. properties: contour: - description: Contour specifies deployment-time settings for the Contour - part of the installation, i.e. the xDS server/control plane and - associated resources, including things like replica count for the - Deployment, and node placement constraints for the pods. + description: |- + Contour specifies deployment-time settings for the Contour + part of the installation, i.e. the xDS server/control plane + and associated resources, including things like replica count + for the Deployment, and node placement constraints for the pods. properties: deployment: description: Deployment describes the settings for running contour @@ -1593,47 +1649,45 @@ spec: use to replace existing pods with new pods. properties: rollingUpdate: - description: 'Rolling update config params. Present only - if DeploymentStrategyType = RollingUpdate. --- TODO: - Update this to follow our convention for oneOf, whatever - we decide it to be.' + description: |- + Rolling update config params. Present only if DeploymentStrategyType = + RollingUpdate. + --- + TODO: Update this to follow our convention for oneOf, whatever we decide it + to be. properties: maxSurge: anyOf: - type: integer - type: string - description: 'The maximum number of pods that can - be scheduled above the desired number of pods. Value - can be an absolute number (ex: 5) or a percentage - of desired pods (ex: 10%). This can not be 0 if - MaxUnavailable is 0. Absolute number is calculated - from percentage by rounding up. Defaults to 25%. - Example: when this is set to 30%, the new ReplicaSet - can be scaled up immediately when the rolling update - starts, such that the total number of old and new - pods do not exceed 130% of desired pods. Once old - pods have been killed, new ReplicaSet can be scaled - up further, ensuring that total number of pods running - at any time during the update is at most 130% of - desired pods.' + description: |- + The maximum number of pods that can be scheduled above the desired number of + pods. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + This can not be 0 if MaxUnavailable is 0. + Absolute number is calculated from percentage by rounding up. + Defaults to 25%. + Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when + the rolling update starts, such that the total number of old and new pods do not exceed + 130% of desired pods. Once old pods have been killed, + new ReplicaSet can be scaled up further, ensuring that total number of pods running + at any time during the update is at most 130% of desired pods. x-kubernetes-int-or-string: true maxUnavailable: anyOf: - type: integer - type: string - description: 'The maximum number of pods that can - be unavailable during the update. Value can be an - absolute number (ex: 5) or a percentage of desired - pods (ex: 10%). Absolute number is calculated from - percentage by rounding down. This can not be 0 if - MaxSurge is 0. Defaults to 25%. Example: when this - is set to 30%, the old ReplicaSet can be scaled - down to 70% of desired pods immediately when the - rolling update starts. Once new pods are ready, - old ReplicaSet can be scaled down further, followed - by scaling up the new ReplicaSet, ensuring that - the total number of pods available at all times - during the update is at least 70% of desired pods.' + description: |- + The maximum number of pods that can be unavailable during the update. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + Absolute number is calculated from percentage by rounding down. + This can not be 0 if MaxSurge is 0. + Defaults to 25%. + Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods + immediately when the rolling update starts. Once new pods are ready, old ReplicaSet + can be scaled down further, followed by scaling up the new ReplicaSet, ensuring + that the total number of pods available at all times during the update is at + least 70% of desired pods. x-kubernetes-int-or-string: true type: object type: @@ -1643,14 +1697,16 @@ spec: type: object type: object kubernetesLogLevel: - description: KubernetesLogLevel Enable Kubernetes client debug - logging with log level. If unset, defaults to 0. + description: |- + KubernetesLogLevel Enable Kubernetes client debug logging with log level. If unset, + defaults to 0. maximum: 9 minimum: 0 type: integer logLevel: - description: LogLevel sets the log level for Contour Allowed values - are "info", "debug". + description: |- + LogLevel sets the log level for Contour + Allowed values are "info", "debug". type: string nodePlacement: description: NodePlacement describes node scheduling configuration @@ -1659,57 +1715,56 @@ spec: nodeSelector: additionalProperties: type: string - description: "NodeSelector is the simplest recommended form - of node selection constraint and specifies a map of key-value - pairs. For the pod to be eligible to run on a node, the - node must have each of the indicated key-value pairs as - labels (it can have additional labels as well). \n If unset, - the pod(s) will be scheduled to any available node." + description: |- + NodeSelector is the simplest recommended form of node selection constraint + and specifies a map of key-value pairs. For the pod to be eligible + to run on a node, the node must have each of the indicated key-value pairs + as labels (it can have additional labels as well). + If unset, the pod(s) will be scheduled to any available node. type: object tolerations: - description: "Tolerations work with taints to ensure that - pods are not scheduled onto inappropriate nodes. One or - more taints are applied to a node; this marks that the node - should not accept any pods that do not tolerate the taints. - \n The default is an empty list. \n See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - for additional details." + description: |- + Tolerations work with taints to ensure that pods are not scheduled + onto inappropriate nodes. One or more taints are applied to a node; this + marks that the node should not accept any pods that do not tolerate the + taints. + The default is an empty list. + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for additional details. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule and - NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If the - key is empty, operator must be Exists; this combination - means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints of - a particular category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the - taint forever (do not evict). Zero and negative values - will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value should - be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array @@ -1717,36 +1772,40 @@ spec: podAnnotations: additionalProperties: type: string - description: PodAnnotations defines annotations to add to the - Contour pods. the annotations for Prometheus will be appended - or overwritten with predefined value. + description: |- + PodAnnotations defines annotations to add to the Contour pods. + the annotations for Prometheus will be appended or overwritten with predefined value. type: object replicas: - description: "Deprecated: Use `DeploymentSettings.Replicas` instead. - \n Replicas is the desired number of Contour replicas. If if - unset, defaults to 2. \n if both `DeploymentSettings.Replicas` - and this one is set, use `DeploymentSettings.Replicas`." + description: |- + Deprecated: Use `DeploymentSettings.Replicas` instead. + Replicas is the desired number of Contour replicas. If if unset, + defaults to 2. + if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`. format: int32 minimum: 0 type: integer resources: - description: 'Compute Resources required by contour container. - Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Compute Resources required by contour container. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name @@ -1762,8 +1821,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -1772,95 +1832,91 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object type: object envoy: - description: Envoy specifies deployment-time settings for the Envoy - part of the installation, i.e. the xDS client/data plane and associated - resources, including things like the workload type to use (DaemonSet - or Deployment), node placement constraints for the pods, and various - options for the Envoy service. + description: |- + Envoy specifies deployment-time settings for the Envoy + part of the installation, i.e. the xDS client/data plane + and associated resources, including things like the workload + type to use (DaemonSet or Deployment), node placement constraints + for the pods, and various options for the Envoy service. properties: baseID: - description: The base ID to use when allocating shared memory - regions. if Envoy needs to be run multiple times on the same - machine, each running Envoy will need a unique base ID so that - the shared memory regions do not conflict. defaults to 0. + description: |- + The base ID to use when allocating shared memory regions. + if Envoy needs to be run multiple times on the same machine, each running Envoy will need a unique base ID + so that the shared memory regions do not conflict. + defaults to 0. format: int32 minimum: 0 type: integer daemonSet: - description: DaemonSet describes the settings for running envoy - as a `DaemonSet`. if `WorkloadType` is `Deployment`,it's must - be nil + description: |- + DaemonSet describes the settings for running envoy as a `DaemonSet`. + if `WorkloadType` is `Deployment`,it's must be nil properties: updateStrategy: description: Strategy describes the deployment strategy to use to replace existing DaemonSet pods with new pods. properties: rollingUpdate: - description: 'Rolling update config params. Present only - if type = "RollingUpdate". --- TODO: Update this to - follow our convention for oneOf, whatever we decide - it to be. Same as Deployment `strategy.rollingUpdate`. - See https://github.com/kubernetes/kubernetes/issues/35345' + description: |- + Rolling update config params. Present only if type = "RollingUpdate". + --- + TODO: Update this to follow our convention for oneOf, whatever we decide it + to be. Same as Deployment `strategy.rollingUpdate`. + See https://github.com/kubernetes/kubernetes/issues/35345 properties: maxSurge: anyOf: - type: integer - type: string - description: 'The maximum number of nodes with an - existing available DaemonSet pod that can have an - updated DaemonSet pod during during an update. Value - can be an absolute number (ex: 5) or a percentage - of desired pods (ex: 10%). This can not be 0 if - MaxUnavailable is 0. Absolute number is calculated - from percentage by rounding up to a minimum of 1. - Default value is 0. Example: when this is set to - 30%, at most 30% of the total number of nodes that - should be running the daemon pod (i.e. status.desiredNumberScheduled) - can have their a new pod created before the old - pod is marked as deleted. The update starts by launching - new pods on 30% of nodes. Once an updated pod is - available (Ready for at least minReadySeconds) the - old DaemonSet pod on that node is marked deleted. - If the old pod becomes unavailable for any reason - (Ready transitions to false, is evicted, or is drained) - an updated pod is immediatedly created on that node - without considering surge limits. Allowing surge - implies the possibility that the resources consumed - by the daemonset on any given node can double if - the readiness check fails, and so resource intensive - daemonsets should take into account that they may - cause evictions during disruption.' + description: |- + The maximum number of nodes with an existing available DaemonSet pod that + can have an updated DaemonSet pod during during an update. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + This can not be 0 if MaxUnavailable is 0. + Absolute number is calculated from percentage by rounding up to a minimum of 1. + Default value is 0. + Example: when this is set to 30%, at most 30% of the total number of nodes + that should be running the daemon pod (i.e. status.desiredNumberScheduled) + can have their a new pod created before the old pod is marked as deleted. + The update starts by launching new pods on 30% of nodes. Once an updated + pod is available (Ready for at least minReadySeconds) the old DaemonSet pod + on that node is marked deleted. If the old pod becomes unavailable for any + reason (Ready transitions to false, is evicted, or is drained) an updated + pod is immediatedly created on that node without considering surge limits. + Allowing surge implies the possibility that the resources consumed by the + daemonset on any given node can double if the readiness check fails, and + so resource intensive daemonsets should take into account that they may + cause evictions during disruption. x-kubernetes-int-or-string: true maxUnavailable: anyOf: - type: integer - type: string - description: 'The maximum number of DaemonSet pods - that can be unavailable during the update. Value - can be an absolute number (ex: 5) or a percentage - of total number of DaemonSet pods at the start of - the update (ex: 10%). Absolute number is calculated - from percentage by rounding up. This cannot be 0 - if MaxSurge is 0 Default value is 1. Example: when - this is set to 30%, at most 30% of the total number - of nodes that should be running the daemon pod (i.e. - status.desiredNumberScheduled) can have their pods - stopped for an update at any given time. The update - starts by stopping at most 30% of those DaemonSet - pods and then brings up new DaemonSet pods in their - place. Once the new pods are available, it then - proceeds onto other DaemonSet pods, thus ensuring - that at least 70% of original number of DaemonSet - pods are available at all times during the update.' + description: |- + The maximum number of DaemonSet pods that can be unavailable during the + update. Value can be an absolute number (ex: 5) or a percentage of total + number of DaemonSet pods at the start of the update (ex: 10%). Absolute + number is calculated from percentage by rounding up. + This cannot be 0 if MaxSurge is 0 + Default value is 1. + Example: when this is set to 30%, at most 30% of the total number of nodes + that should be running the daemon pod (i.e. status.desiredNumberScheduled) + can have their pods stopped for an update at any given time. The update + starts by stopping at most 30% of those DaemonSet pods and then brings + up new DaemonSet pods in their place. Once the new pods are available, + it then proceeds onto other DaemonSet pods, thus ensuring that at least + 70% of original number of DaemonSet pods are available at all times during + the update. x-kubernetes-int-or-string: true type: object type: @@ -1870,9 +1926,9 @@ spec: type: object type: object deployment: - description: Deployment describes the settings for running envoy - as a `Deployment`. if `WorkloadType` is `DaemonSet`,it's must - be nil + description: |- + Deployment describes the settings for running envoy as a `Deployment`. + if `WorkloadType` is `DaemonSet`,it's must be nil properties: replicas: description: Replicas is the desired number of replicas. @@ -1884,47 +1940,45 @@ spec: use to replace existing pods with new pods. properties: rollingUpdate: - description: 'Rolling update config params. Present only - if DeploymentStrategyType = RollingUpdate. --- TODO: - Update this to follow our convention for oneOf, whatever - we decide it to be.' + description: |- + Rolling update config params. Present only if DeploymentStrategyType = + RollingUpdate. + --- + TODO: Update this to follow our convention for oneOf, whatever we decide it + to be. properties: maxSurge: anyOf: - type: integer - type: string - description: 'The maximum number of pods that can - be scheduled above the desired number of pods. Value - can be an absolute number (ex: 5) or a percentage - of desired pods (ex: 10%). This can not be 0 if - MaxUnavailable is 0. Absolute number is calculated - from percentage by rounding up. Defaults to 25%. - Example: when this is set to 30%, the new ReplicaSet - can be scaled up immediately when the rolling update - starts, such that the total number of old and new - pods do not exceed 130% of desired pods. Once old - pods have been killed, new ReplicaSet can be scaled - up further, ensuring that total number of pods running - at any time during the update is at most 130% of - desired pods.' + description: |- + The maximum number of pods that can be scheduled above the desired number of + pods. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + This can not be 0 if MaxUnavailable is 0. + Absolute number is calculated from percentage by rounding up. + Defaults to 25%. + Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when + the rolling update starts, such that the total number of old and new pods do not exceed + 130% of desired pods. Once old pods have been killed, + new ReplicaSet can be scaled up further, ensuring that total number of pods running + at any time during the update is at most 130% of desired pods. x-kubernetes-int-or-string: true maxUnavailable: anyOf: - type: integer - type: string - description: 'The maximum number of pods that can - be unavailable during the update. Value can be an - absolute number (ex: 5) or a percentage of desired - pods (ex: 10%). Absolute number is calculated from - percentage by rounding down. This can not be 0 if - MaxSurge is 0. Defaults to 25%. Example: when this - is set to 30%, the old ReplicaSet can be scaled - down to 70% of desired pods immediately when the - rolling update starts. Once new pods are ready, - old ReplicaSet can be scaled down further, followed - by scaling up the new ReplicaSet, ensuring that - the total number of pods available at all times - during the update is at least 70% of desired pods.' + description: |- + The maximum number of pods that can be unavailable during the update. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + Absolute number is calculated from percentage by rounding down. + This can not be 0 if MaxSurge is 0. + Defaults to 25%. + Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods + immediately when the rolling update starts. Once new pods are ready, old ReplicaSet + can be scaled down further, followed by scaling up the new ReplicaSet, ensuring + that the total number of pods available at all times during the update is at + least 70% of desired pods. x-kubernetes-int-or-string: true type: object type: @@ -1941,33 +1995,36 @@ spec: a container. properties: mountPath: - description: Path within the container at which the volume - should be mounted. Must not contain ':'. + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. type: string mountPropagation: - description: mountPropagation determines how mounts are - propagated from the host to container and the other way - around. When not set, MountPropagationNone is used. This - field is beta in 1.10. + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. type: string name: description: This must match the Name of a Volume. type: string readOnly: - description: Mounted read-only if true, read-write otherwise - (false or unspecified). Defaults to false. + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. type: boolean subPath: - description: Path within the volume from which the container's - volume should be mounted. Defaults to "" (volume's root). + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). type: string subPathExpr: - description: Expanded path within the volume from which - the container's volume should be mounted. Behaves similarly - to SubPath but environment variable references $(VAR_NAME) - are expanded using the container's environment. Defaults - to "" (volume's root). SubPathExpr and SubPath are mutually - exclusive. + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. type: string required: - mountPath @@ -1981,36 +2038,36 @@ spec: may be accessed by any container in the pod. properties: awsElasticBlockStore: - description: 'awsElasticBlockStore represents an AWS Disk - resource that is attached to a kubelet''s host machine - and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore properties: fsType: - description: 'fsType is the filesystem type of the volume - that you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - TODO: how do we prevent errors in the filesystem from - compromising the machine' + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem from compromising the machine type: string partition: - description: 'partition is the partition in the volume - that you want to mount. If omitted, the default is - to mount by volume name. Examples: For volume /dev/sda1, - you specify the partition as "1". Similarly, the volume - partition for /dev/sda is "0" (or you can leave the - property empty).' + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). format: int32 type: integer readOnly: - description: 'readOnly value true will force the readOnly - setting in VolumeMounts. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore type: boolean volumeID: - description: 'volumeID is unique ID of the persistent - disk resource in AWS (Amazon EBS volume). More info: - https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore type: string required: - volumeID @@ -2032,10 +2089,10 @@ spec: blob storage type: string fsType: - description: fsType is Filesystem type to mount. Must - be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string kind: description: 'kind expected values are Shared: multiple @@ -2045,8 +2102,9 @@ spec: to shared' type: string readOnly: - description: readOnly Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean required: - diskName @@ -2057,8 +2115,9 @@ spec: mount on the host and bind mount to the pod. properties: readOnly: - description: readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean secretName: description: secretName is the name of secret that @@ -2076,8 +2135,9 @@ spec: that shares a pod's lifetime properties: monitors: - description: 'monitors is Required: Monitors is a collection - of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it items: type: string type: array @@ -2086,63 +2146,72 @@ spec: root, rather than the full Ceph tree, default is /' type: string readOnly: - description: 'readOnly is Optional: Defaults to false - (read/write). ReadOnly here will force the ReadOnly - setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it type: boolean secretFile: - description: 'secretFile is Optional: SecretFile is - the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it type: string secretRef: - description: 'secretRef is Optional: SecretRef is reference - to the authentication secret for User, default is - empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic user: - description: 'user is optional: User is the rados user - name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it type: string required: - monitors type: object cinder: - description: 'cinder represents a cinder volume attached - and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md properties: fsType: - description: 'fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Examples: "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md type: string readOnly: - description: 'readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md type: boolean secretRef: - description: 'secretRef is optional: points to a secret - object containing parameters used to connect to OpenStack.' + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic volumeID: - description: 'volumeID used to identify the volume in - cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md type: string required: - volumeID @@ -2152,29 +2221,25 @@ spec: populate this volume properties: defaultMode: - description: 'defaultMode is optional: mode bits used - to set permissions on created files by default. Must - be an octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal values for mode - bits. Defaults to 0644. Directories within the path - are not affected by this setting. This might be in - conflict with other options that affect the file mode, - like fsGroup, and the result can be other mode bits - set.' + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer items: - description: items if unspecified, each key-value pair - in the Data field of the referenced ConfigMap will - be projected into the volume as a file whose name - is the key and content is the value. If specified, - the listed keys will be projected into the specified - paths, and unlisted keys will not be present. If a - key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. - Paths must be relative and may not contain the '..' - path or start with '..'. + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -2183,22 +2248,20 @@ spec: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode bits used - to set permissions on this file. Must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal - and decimal values, JSON requires decimal values - for mode bits. If not specified, the volume - defaultMode will be used. This might be in conflict - with other options that affect the file mode, - like fsGroup, and the result can be other mode - bits set.' + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: - description: path is the relative path of the - file to map the key to. May not be an absolute - path. May not contain the path element '..'. + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. May not start with the string '..'. type: string required: @@ -2207,8 +2270,10 @@ spec: type: object type: array name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: optional specify whether the ConfigMap @@ -2222,42 +2287,43 @@ spec: CSI drivers (Beta feature). properties: driver: - description: driver is the name of the CSI driver that - handles this volume. Consult with your admin for the - correct name as registered in the cluster. + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. type: string fsType: - description: fsType to mount. Ex. "ext4", "xfs", "ntfs". - If not provided, the empty value is passed to the - associated CSI driver which will determine the default - filesystem to apply. + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. type: string nodePublishSecretRef: - description: nodePublishSecretRef is a reference to - the secret object containing sensitive information - to pass to the CSI driver to complete the CSI NodePublishVolume - and NodeUnpublishVolume calls. This field is optional, - and may be empty if no secret is required. If the - secret object contains more than one secret, all secret - references are passed. + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic readOnly: - description: readOnly specifies a read-only configuration - for the volume. Defaults to false (read/write). + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). type: boolean volumeAttributes: additionalProperties: type: string - description: volumeAttributes stores driver-specific - properties that are passed to the CSI driver. Consult - your driver's documentation for supported values. + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. type: object required: - driver @@ -2267,17 +2333,15 @@ spec: pod that should populate this volume properties: defaultMode: - description: 'Optional: mode bits to use on created - files by default. Must be a Optional: mode bits used - to set permissions on created files by default. Must - be an octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal values for mode - bits. Defaults to 0644. Directories within the path - are not affected by this setting. This might be in - conflict with other options that affect the file mode, - like fsGroup, and the result can be other mode bits - set.' + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer items: @@ -2305,16 +2369,13 @@ spec: type: object x-kubernetes-map-type: atomic mode: - description: 'Optional: mode bits used to set - permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal and decimal - values, JSON requires decimal values for mode - bits. If not specified, the volume defaultMode - will be used. This might be in conflict with - other options that affect the file mode, like - fsGroup, and the result can be other mode bits - set.' + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: @@ -2325,10 +2386,9 @@ spec: path must not start with ''..''' type: string resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, requests.cpu and requests.memory) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. properties: containerName: description: 'Container name: required for @@ -2355,116 +2415,111 @@ spec: type: array type: object emptyDir: - description: 'emptyDir represents a temporary directory - that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir properties: medium: - description: 'medium represents what type of storage - medium should back this directory. The default is - "" which means to use the node''s default medium. - Must be an empty string (default) or Memory. More - info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir type: string sizeLimit: anyOf: - type: integer - type: string - description: 'sizeLimit is the total amount of local - storage required for this EmptyDir volume. The size - limit is also applicable for memory medium. The maximum - usage on memory medium EmptyDir would be the minimum - value between the SizeLimit specified here and the - sum of memory limits of all containers in a pod. The - default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: - description: "ephemeral represents a volume that is handled - by a cluster storage driver. The volume's lifecycle is - tied to the pod that defines it - it will be created before - the pod starts, and deleted when the pod is removed. \n - Use this if: a) the volume is only needed while the pod - runs, b) features of normal volumes like restoring from - snapshot or capacity tracking are needed, c) the storage - driver is specified through a storage class, and d) the - storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for - more information on the connection between this volume - type and PersistentVolumeClaim). \n Use PersistentVolumeClaim - or one of the vendor-specific APIs for volumes that persist - for longer than the lifecycle of an individual pod. \n - Use CSI for light-weight local ephemeral volumes if the - CSI driver is meant to be used that way - see the documentation - of the driver for more information. \n A pod can use both - types of ephemeral volumes and persistent volumes at the - same time." + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. + The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. properties: volumeClaimTemplate: - description: "Will be used to create a stand-alone PVC - to provision the volume. The pod in which this EphemeralVolumeSource - is embedded will be the owner of the PVC, i.e. the - PVC will be deleted together with the pod. The name - of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` - array entry. Pod validation will reject the pod if - the concatenated name is not valid for a PVC (for - example, too long). \n An existing PVC with that name - that is not owned by the pod will *not* be used for - the pod to avoid using an unrelated volume by mistake. - Starting the pod is then blocked until the unrelated - PVC is removed. If such a pre-created PVC is meant - to be used by the pod, the PVC has to updated with - an owner reference to the pod once the pod exists. - Normally this should not be necessary, but it may - be useful when manually reconstructing a broken cluster. - \n This field is read-only and no changes will be - made by Kubernetes to the PVC after it has been created. - \n Required, must not be nil." + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + Required, must not be nil. properties: metadata: - description: May contain labels and annotations - that will be copied into the PVC when creating - it. No other fields are allowed and will be rejected - during validation. + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. type: object spec: - description: The specification for the PersistentVolumeClaim. - The entire content is copied unchanged into the - PVC that gets created from this template. The - same fields as in a PersistentVolumeClaim are - also valid here. + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. properties: accessModes: - description: 'accessModes contains the desired - access modes the volume should have. More - info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 items: type: string type: array dataSource: - description: 'dataSource field can be used to - specify either: * An existing VolumeSnapshot - object (snapshot.storage.k8s.io/VolumeSnapshot) + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller - can support the specified data source, it - will create a new volume based on the contents - of the specified data source. When the AnyVolumeDataSource - feature gate is enabled, dataSource contents - will be copied to dataSourceRef, and dataSourceRef - contents will be copied to dataSource when - dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef - will not be copied to dataSource.' + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. properties: apiGroup: - description: APIGroup is the group for the - resource being referenced. If APIGroup - is not specified, the specified Kind must - be in the core API group. For any other - third-party types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource @@ -2480,47 +2535,36 @@ spec: type: object x-kubernetes-map-type: atomic dataSourceRef: - description: 'dataSourceRef specifies the object - from which to populate the volume with data, - if a non-empty volume is desired. This may - be any object from a non-empty API group (non + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding - will only succeed if the type of the specified - object matches some installed volume populator - or dynamic provisioner. This field will replace - the functionality of the dataSource field - and as such if both fields are non-empty, - they must have the same value. For backwards - compatibility, when namespace isn''t specified - in dataSourceRef, both fields (dataSource - and dataSourceRef) will be set to the same - value automatically if one of them is empty - and the other is non-empty. When namespace - is specified in dataSourceRef, dataSource - isn''t set to the same value and must be empty. - There are three important differences between - dataSource and dataSourceRef: * While dataSource - only allows two specific types of objects, - dataSourceRef allows any non-core object, - as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values - (dropping them), dataSourceRef preserves all - values, and generates an error if a disallowed - value is specified. * While dataSource only - allows local objects, dataSourceRef allows - objects in any namespaces. (Beta) Using this - field requires the AnyVolumeDataSource feature - gate to be enabled. (Alpha) Using the namespace - field of dataSourceRef requires the CrossNamespaceVolumeDataSource - feature gate to be enabled.' + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. properties: apiGroup: - description: APIGroup is the group for the - resource being referenced. If APIGroup - is not specified, the specified Kind must - be in the core API group. For any other - third-party types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource @@ -2531,28 +2575,22 @@ spec: being referenced type: string namespace: - description: Namespace is the namespace - of resource being referenced Note that - when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant - object is required in the referent namespace - to allow that namespace's owner to accept - the reference. See the ReferenceGrant - documentation for details. (Alpha) This - field requires the CrossNamespaceVolumeDataSource - feature gate to be enabled. + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. type: string required: - kind - name type: object resources: - description: 'resources represents the minimum - resources the volume should have. If RecoverVolumeExpansionFailure - feature is enabled users are allowed to specify - resource requirements that are lower than - previous value but must still be higher than - capacity recorded in the status field of the - claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources properties: limits: additionalProperties: @@ -2561,9 +2599,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum - amount of compute resources allowed. More - info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -2572,13 +2610,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum - amount of compute resources required. - If Requests is omitted for a container, - it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object selector: @@ -2590,30 +2626,25 @@ spec: of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2625,48 +2656,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic storageClassName: - description: 'storageClassName is the name of - the StorageClass required by the claim. More - info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 type: string volumeAttributesClassName: - description: 'volumeAttributesClassName may - be used to set the VolumeAttributesClass used - by this claim. If specified, the CSI driver - will create or update the volume with the - attributes defined in the corresponding VolumeAttributesClass. - This has a different purpose than storageClassName, - it can be changed after the claim is created. - An empty string value means that no VolumeAttributesClass - will be applied to the claim but it''s not - allowed to reset this field to empty string - once it is set. If unspecified and the PersistentVolumeClaim - is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller - if it exists. If the resource referred to - by volumeAttributesClass does not exist, this - PersistentVolumeClaim will be set to a Pending - state, as reflected by the modifyVolumeStatus - field, until such as a resource exists. More - info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass - (Alpha) Using this field requires the VolumeAttributesClass - feature gate to be enabled.' + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. type: string volumeMode: - description: volumeMode defines what type of - volume is required by the claim. Value of - Filesystem is implied when not included in - claim spec. + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. type: string volumeName: description: volumeName is the binding reference @@ -2683,20 +2703,20 @@ spec: to the pod. properties: fsType: - description: 'fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. TODO: how do we prevent - errors in the filesystem from compromising the machine' + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + TODO: how do we prevent errors in the filesystem from compromising the machine type: string lun: description: 'lun is Optional: FC target lun number' format: int32 type: integer readOnly: - description: 'readOnly is Optional: Defaults to false - (read/write). ReadOnly here will force the ReadOnly - setting in VolumeMounts.' + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean targetWWNs: description: 'targetWWNs is Optional: FC target worldwide @@ -2705,26 +2725,27 @@ spec: type: string type: array wwids: - description: 'wwids Optional: FC volume world wide identifiers - (wwids) Either wwids or combination of targetWWNs - and lun must be set, but not both simultaneously.' + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. items: type: string type: array type: object flexVolume: - description: flexVolume represents a generic volume resource - that is provisioned/attached using an exec based plugin. + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. properties: driver: description: driver is the name of the driver to use for this volume. type: string fsType: - description: fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". The default filesystem - depends on FlexVolume script. + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. type: string options: additionalProperties: @@ -2733,22 +2754,23 @@ spec: extra command options if any.' type: object readOnly: - description: 'readOnly is Optional: defaults to false - (read/write). ReadOnly here will force the ReadOnly - setting in VolumeMounts.' + description: |- + readOnly is Optional: defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: 'secretRef is Optional: secretRef is reference - to the secret object containing sensitive information - to pass to the plugin scripts. This may be empty if - no secret object is specified. If the secret object - contains more than one secret, all secrets are passed - to the plugin scripts.' + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -2761,9 +2783,9 @@ spec: control service being running properties: datasetName: - description: datasetName is Name of the dataset stored - as metadata -> name on the dataset for Flocker should - be considered as deprecated + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated type: string datasetUUID: description: datasetUUID is the UUID of the dataset. @@ -2771,54 +2793,55 @@ spec: type: string type: object gcePersistentDisk: - description: 'gcePersistentDisk represents a GCE Disk resource - that is attached to a kubelet''s host machine and then - exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk properties: fsType: - description: 'fsType is filesystem type of the volume - that you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - TODO: how do we prevent errors in the filesystem from - compromising the machine' + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem from compromising the machine type: string partition: - description: 'partition is the partition in the volume - that you want to mount. If omitted, the default is - to mount by volume name. Examples: For volume /dev/sda1, - you specify the partition as "1". Similarly, the volume - partition for /dev/sda is "0" (or you can leave the - property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk format: int32 type: integer pdName: - description: 'pdName is unique name of the PD resource - in GCE. Used to identify the disk in GCE. More info: - https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk type: string readOnly: - description: 'readOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. More info: - https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk type: boolean required: - pdName type: object gitRepo: - description: 'gitRepo represents a git repository at a particular - revision. DEPRECATED: GitRepo is deprecated. To provision - a container with a git repo, mount an EmptyDir into an - InitContainer that clones the repo using git, then mount - the EmptyDir into the Pod''s container.' + description: |- + gitRepo represents a git repository at a particular revision. + DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. properties: directory: - description: directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, - the volume directory will be the git repository. Otherwise, - if specified, the volume will contain the git repository - in the subdirectory with the given name. + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. type: string repository: description: repository is the URL @@ -2831,53 +2854,61 @@ spec: - repository type: object glusterfs: - description: 'glusterfs represents a Glusterfs mount on - the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md' + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md properties: endpoints: - description: 'endpoints is the endpoint name that details - Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + description: |- + endpoints is the endpoint name that details Glusterfs topology. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod type: string path: - description: 'path is the Glusterfs volume path. More - info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod type: string readOnly: - description: 'readOnly here will force the Glusterfs - volume to be mounted with read-only permissions. Defaults - to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod type: boolean required: - endpoints - path type: object hostPath: - description: 'hostPath represents a pre-existing file or - directory on the host machine that is directly exposed - to the container. This is generally used for system agents - or other privileged things that are allowed to see the - host machine. Most containers will NOT need this. More - info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- TODO(jonesdl) We need to restrict who can use host - directory mounts and who can/can not mount host directories - as read/write.' + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- + TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + mount host directories as read/write. properties: path: - description: 'path of the directory on the host. If - the path is a symlink, it will follow the link to - the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + description: |- + path of the directory on the host. + If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath type: string type: - description: 'type for HostPath Volume Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath type: string required: - path type: object iscsi: - description: 'iscsi represents an ISCSI Disk resource that - is attached to a kubelet''s host machine and then exposed - to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://examples.k8s.io/volumes/iscsi/README.md properties: chapAuthDiscovery: description: chapAuthDiscovery defines whether support @@ -2888,59 +2919,59 @@ spec: iSCSI Session CHAP authentication type: boolean fsType: - description: 'fsType is the filesystem type of the volume - that you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - TODO: how do we prevent errors in the filesystem from - compromising the machine' + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem from compromising the machine type: string initiatorName: - description: initiatorName is the custom iSCSI Initiator - Name. If initiatorName is specified with iscsiInterface - simultaneously, new iSCSI interface : will be created for the connection. + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. type: string iqn: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: - description: iscsiInterface is the interface Name that - uses an iSCSI transport. Defaults to 'default' (tcp). + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). type: string lun: description: lun represents iSCSI Target Lun number. format: int32 type: integer portals: - description: portals is the iSCSI Target Portal List. - The portal is either an IP or ip_addr:port if the - port is other than default (typically TCP ports 860 - and 3260). + description: |- + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). items: type: string type: array readOnly: - description: readOnly here will force the ReadOnly setting - in VolumeMounts. Defaults to false. + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. type: boolean secretRef: description: secretRef is the CHAP Secret for iSCSI target and initiator authentication properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic targetPortal: - description: targetPortal is iSCSI Target Portal. The - Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and - 3260). + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). type: string required: - iqn @@ -2948,43 +2979,51 @@ spec: - targetPortal type: object name: - description: 'name of the volume. Must be a DNS_LABEL and - unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string nfs: - description: 'nfs represents an NFS mount on the host that - shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs properties: path: - description: 'path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs type: string readOnly: - description: 'readOnly here will force the NFS export - to be mounted with read-only permissions. Defaults - to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs type: boolean server: - description: 'server is the hostname or IP address of - the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: |- + server is the hostname or IP address of the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs type: string required: - path - server type: object persistentVolumeClaim: - description: 'persistentVolumeClaimVolumeSource represents - a reference to a PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims properties: claimName: - description: 'claimName is the name of a PersistentVolumeClaim - in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims type: string readOnly: - description: readOnly Will force the ReadOnly setting - in VolumeMounts. Default false. + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. type: boolean required: - claimName @@ -2995,10 +3034,10 @@ spec: machine properties: fsType: - description: fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string pdID: description: pdID is the ID that identifies Photon Controller @@ -3012,14 +3051,15 @@ spec: attached and mounted on kubelets host machine properties: fsType: - description: fSType represents the filesystem type to - mount Must be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. type: string readOnly: - description: readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean volumeID: description: volumeID uniquely identifies a Portworx @@ -3033,15 +3073,13 @@ spec: configmaps, and downward API properties: defaultMode: - description: defaultMode are the mode bits used to set - permissions on created files by default. Must be an - octal value between 0000 and 0777 or a decimal value - between 0 and 511. YAML accepts both octal and decimal - values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this - setting. This might be in conflict with other options - that affect the file mode, like fsGroup, and the result - can be other mode bits set. + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer sources: @@ -3051,57 +3089,48 @@ spec: with other supported volume types properties: clusterTrustBundle: - description: "ClusterTrustBundle allows a pod - to access the `.spec.trustBundle` field of ClusterTrustBundle - objects in an auto-updating file. \n Alpha, - gated by the ClusterTrustBundleProjection feature - gate. \n ClusterTrustBundle objects can either - be selected by name, or by the combination of - signer name and a label selector. \n Kubelet - performs aggressive normalization of the PEM - contents written into the pod filesystem. Esoteric - PEM features such as inter-block comments and - block headers are stripped. Certificates are - deduplicated. The ordering of certificates within - the file is arbitrary, and Kubelet may change - the order over time." + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + Alpha, gated by the ClusterTrustBundleProjection feature gate. + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. properties: labelSelector: - description: Select all ClusterTrustBundles - that match this label selector. Only has - effect if signerName is set. Mutually-exclusive - with name. If unset, interpreted as "match - nothing". If set but empty, interpreted - as "match everything". + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -3114,39 +3143,35 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic name: - description: Select a single ClusterTrustBundle - by object name. Mutually-exclusive with - signerName and labelSelector. + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. type: string optional: - description: If true, don't block pod startup - if the referenced ClusterTrustBundle(s) - aren't available. If using name, then the - named ClusterTrustBundle is allowed not - to exist. If using signerName, then the - combination of signerName and labelSelector - is allowed to match zero ClusterTrustBundles. + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. type: boolean path: description: Relative path from the volume root to write the bundle. type: string signerName: - description: Select all ClusterTrustBundles - that match this signer name. Mutually-exclusive - with name. The contents of all selected - ClusterTrustBundles will be unified and - deduplicated. + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. type: string required: - path @@ -3156,18 +3181,14 @@ spec: data to project properties: items: - description: items if unspecified, each key-value - pair in the Data field of the referenced - ConfigMap will be projected into the volume - as a file whose name is the key and content - is the value. If specified, the listed keys - will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the ConfigMap, the volume setup will - error unless it is marked optional. Paths - must be relative and may not contain the - '..' path or start with '..'. + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -3176,26 +3197,21 @@ spec: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode - bits used to set permissions on this - file. Must be an octal value between - 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal - and decimal values, JSON requires - decimal values for mode bits. If not - specified, the volume defaultMode - will be used. This might be in conflict - with other options that affect the - file mode, like fsGroup, and the result - can be other mode bits set.' + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: - description: path is the relative path - of the file to map the key to. May - not be an absolute path. May not contain - the path element '..'. May not start - with the string '..'. + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. type: string required: - key @@ -3203,10 +3219,10 @@ spec: type: object type: array name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: optional specify whether the @@ -3245,18 +3261,13 @@ spec: type: object x-kubernetes-map-type: atomic mode: - description: 'Optional: mode bits used - to set permissions on this file, must - be an octal value between 0000 and - 0777 or a decimal value between 0 - and 511. YAML accepts both octal and - decimal values, JSON requires decimal - values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: @@ -3268,11 +3279,9 @@ spec: path must not start with ''..''' type: string resourceFieldRef: - description: 'Selects a resource of - the container: only resources limits - and requests (limits.cpu, limits.memory, - requests.cpu and requests.memory) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. properties: containerName: description: 'Container name: required @@ -3306,18 +3315,14 @@ spec: data to project properties: items: - description: items if unspecified, each key-value - pair in the Data field of the referenced - Secret will be projected into the volume - as a file whose name is the key and content - is the value. If specified, the listed keys - will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the Secret, the volume setup will error - unless it is marked optional. Paths must - be relative and may not contain the '..' - path or start with '..'. + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -3326,26 +3331,21 @@ spec: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode - bits used to set permissions on this - file. Must be an octal value between - 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal - and decimal values, JSON requires - decimal values for mode bits. If not - specified, the volume defaultMode - will be used. This might be in conflict - with other options that affect the - file mode, like fsGroup, and the result - can be other mode bits set.' + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: - description: path is the relative path - of the file to map the key to. May - not be an absolute path. May not contain - the path element '..'. May not start - with the string '..'. + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. type: string required: - key @@ -3353,10 +3353,10 @@ spec: type: object type: array name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: optional field specify whether @@ -3369,29 +3369,25 @@ spec: about the serviceAccountToken data to project properties: audience: - description: audience is the intended audience - of the token. A recipient of a token must - identify itself with an identifier specified - in the audience of the token, and otherwise - should reject the token. The audience defaults - to the identifier of the apiserver. + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. type: string expirationSeconds: - description: expirationSeconds is the requested - duration of validity of the service account - token. As the token approaches expiration, - the kubelet volume plugin will proactively - rotate the service account token. The kubelet - will start trying to rotate the token if - the token is older than 80 percent of its - time to live or if the token is older than - 24 hours.Defaults to 1 hour and must be - at least 10 minutes. + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. format: int64 type: integer path: - description: path is the path relative to - the mount point of the file to project the + description: |- + path is the path relative to the mount point of the file to project the token into. type: string required: @@ -3405,28 +3401,30 @@ spec: that shares a pod's lifetime properties: group: - description: group to map volume access to Default is - no group + description: |- + group to map volume access to + Default is no group type: string readOnly: - description: readOnly here will force the Quobyte volume - to be mounted with read-only permissions. Defaults - to false. + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. type: boolean registry: - description: registry represents a single or multiple - Quobyte Registry services specified as a string as - host:port pair (multiple entries are separated with - commas) which acts as the central registry for volumes + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes type: string tenant: - description: tenant owning the given Quobyte volume - in the Backend Used with dynamically provisioned Quobyte - volumes, value is set by the plugin + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin type: string user: - description: user to map volume access to Defaults to - serivceaccount user + description: |- + user to map volume access to + Defaults to serivceaccount user type: string volume: description: volume is a string that references an already @@ -3437,57 +3435,68 @@ spec: - volume type: object rbd: - description: 'rbd represents a Rados Block Device mount - on the host that shares a pod''s lifetime. More info: - https://examples.k8s.io/volumes/rbd/README.md' + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md properties: fsType: - description: 'fsType is the filesystem type of the volume - that you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - TODO: how do we prevent errors in the filesystem from - compromising the machine' + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem from compromising the machine type: string image: - description: 'image is the rados image name. More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: - description: 'keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string monitors: - description: 'monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it items: type: string type: array pool: - description: 'pool is the rados pool name. Default is - rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string readOnly: - description: 'readOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: boolean secretRef: - description: 'secretRef is name of the authentication - secret for RBDUser. If provided overrides keyring. - Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic user: - description: 'user is the rados user name. Default is - admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string required: - image @@ -3498,9 +3507,11 @@ spec: attached and mounted on Kubernetes nodes. properties: fsType: - description: fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Default is "xfs". + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". type: string gateway: description: gateway is the host address of the ScaleIO @@ -3511,18 +3522,20 @@ spec: Protection Domain for the configured storage. type: string readOnly: - description: readOnly Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: secretRef references to the secret for - ScaleIO user and other sensitive information. If this - is not provided, Login operation will fail. + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -3531,8 +3544,8 @@ spec: with Gateway, default false type: boolean storageMode: - description: storageMode indicates whether the storage - for a volume should be ThickProvisioned or ThinProvisioned. + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. type: string storagePool: @@ -3544,9 +3557,9 @@ spec: as configured in ScaleIO. type: string volumeName: - description: volumeName is the name of a volume already - created in the ScaleIO system that is associated with - this volume source. + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. type: string required: - gateway @@ -3554,33 +3567,30 @@ spec: - system type: object secret: - description: 'secret represents a secret that should populate - this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret properties: defaultMode: - description: 'defaultMode is Optional: mode bits used - to set permissions on created files by default. Must - be an octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal values for mode - bits. Defaults to 0644. Directories within the path - are not affected by this setting. This might be in - conflict with other options that affect the file mode, - like fsGroup, and the result can be other mode bits - set.' + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer items: - description: items If unspecified, each key-value pair - in the Data field of the referenced Secret will be - projected into the volume as a file whose name is - the key and content is the value. If specified, the - listed keys will be projected into the specified paths, - and unlisted keys will not be present. If a key is - specified which is not present in the Secret, the - volume setup will error unless it is marked optional. - Paths must be relative and may not contain the '..' - path or start with '..'. + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -3589,22 +3599,20 @@ spec: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode bits used - to set permissions on this file. Must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal - and decimal values, JSON requires decimal values - for mode bits. If not specified, the volume - defaultMode will be used. This might be in conflict - with other options that affect the file mode, - like fsGroup, and the result can be other mode - bits set.' + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: - description: path is the relative path of the - file to map the key to. May not be an absolute - path. May not contain the path element '..'. + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. May not start with the string '..'. type: string required: @@ -3617,8 +3625,9 @@ spec: or its keys must be defined type: boolean secretName: - description: 'secretName is the name of the secret in - the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: |- + secretName is the name of the secret in the pod's namespace to use. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret type: string type: object storageos: @@ -3626,42 +3635,42 @@ spec: and mounted on Kubernetes nodes. properties: fsType: - description: fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string readOnly: - description: readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: secretRef specifies the secret to use for - obtaining the StorageOS API credentials. If not specified, - default values will be attempted. + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic volumeName: - description: volumeName is the human-readable name of - the StorageOS volume. Volume names are only unique - within a namespace. + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. type: string volumeNamespace: - description: volumeNamespace specifies the scope of - the volume within StorageOS. If no namespace is specified - then the Pod's namespace will be used. This allows - the Kubernetes name scoping to be mirrored within - StorageOS for tighter integration. Set VolumeName - to any name to override the default behaviour. Set - to "default" if you are not using namespaces within - StorageOS. Namespaces that do not pre-exist within - StorageOS will be created. + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. type: string type: object vsphereVolume: @@ -3669,10 +3678,10 @@ spec: and mounted on kubelets host machine properties: fsType: - description: fsType is filesystem type to mount. Must - be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string storagePolicyID: description: storagePolicyID is the storage Policy Based @@ -3694,56 +3703,60 @@ spec: type: object type: array logLevel: - description: LogLevel sets the log level for Envoy. Allowed values - are "trace", "debug", "info", "warn", "error", "critical", "off". + description: |- + LogLevel sets the log level for Envoy. + Allowed values are "trace", "debug", "info", "warn", "error", "critical", "off". type: string networkPublishing: description: NetworkPublishing defines how to expose Envoy to a network. properties: externalTrafficPolicy: - description: "ExternalTrafficPolicy describes how nodes distribute - service traffic they receive on one of the Service's \"externally-facing\" - addresses (NodePorts, ExternalIPs, and LoadBalancer IPs). - \n If unset, defaults to \"Local\"." + description: |- + ExternalTrafficPolicy describes how nodes distribute service traffic they + receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs, + and LoadBalancer IPs). + If unset, defaults to "Local". type: string ipFamilyPolicy: - description: IPFamilyPolicy represents the dual-stack-ness - requested or required by this Service. If there is no value - provided, then this field will be set to SingleStack. Services - can be "SingleStack" (a single IP family), "PreferDualStack" - (two IP families on dual-stack configured clusters or a - single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise - fail). + description: |- + IPFamilyPolicy represents the dual-stack-ness requested or required by + this Service. If there is no value provided, then this field will be set + to SingleStack. Services can be "SingleStack" (a single IP family), + "PreferDualStack" (two IP families on dual-stack configured clusters or + a single IP family on single-stack clusters), or "RequireDualStack" + (two IP families on dual-stack configured clusters, otherwise fail). type: string serviceAnnotations: additionalProperties: type: string - description: ServiceAnnotations is the annotations to add - to the provisioned Envoy service. + description: |- + ServiceAnnotations is the annotations to add to + the provisioned Envoy service. type: object type: - description: "NetworkPublishingType is the type of publishing - strategy to use. Valid values are: \n * LoadBalancerService - \n In this configuration, network endpoints for Envoy use - container networking. A Kubernetes LoadBalancer Service - is created to publish Envoy network endpoints. \n See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer - \n * NodePortService \n Publishes Envoy network endpoints - using a Kubernetes NodePort Service. \n In this configuration, - Envoy network endpoints use container networking. A Kubernetes + description: |- + NetworkPublishingType is the type of publishing strategy to use. Valid values are: + * LoadBalancerService + In this configuration, network endpoints for Envoy use container networking. + A Kubernetes LoadBalancer Service is created to publish Envoy network + endpoints. + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + * NodePortService + Publishes Envoy network endpoints using a Kubernetes NodePort Service. + In this configuration, Envoy network endpoints use container networking. A Kubernetes NodePort Service is created to publish the network endpoints. - \n See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport - \n NOTE: When provisioning an Envoy `NodePortService`, use - Gateway Listeners' port numbers to populate the Service's - node port values, there's no way to auto-allocate them. - \n See: https://github.com/projectcontour/contour/issues/4499 - \n * ClusterIPService \n Publishes Envoy network endpoints - using a Kubernetes ClusterIP Service. \n In this configuration, - Envoy network endpoints use container networking. A Kubernetes + See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport + NOTE: + When provisioning an Envoy `NodePortService`, use Gateway Listeners' port numbers to populate + the Service's node port values, there's no way to auto-allocate them. + See: https://github.com/projectcontour/contour/issues/4499 + * ClusterIPService + Publishes Envoy network endpoints using a Kubernetes ClusterIP Service. + In this configuration, Envoy network endpoints use container networking. A Kubernetes ClusterIP Service is created to publish the network endpoints. - \n See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - \n If unset, defaults to LoadBalancerService." + See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + If unset, defaults to LoadBalancerService. type: string type: object nodePlacement: @@ -3753,104 +3766,107 @@ spec: nodeSelector: additionalProperties: type: string - description: "NodeSelector is the simplest recommended form - of node selection constraint and specifies a map of key-value - pairs. For the pod to be eligible to run on a node, the - node must have each of the indicated key-value pairs as - labels (it can have additional labels as well). \n If unset, - the pod(s) will be scheduled to any available node." + description: |- + NodeSelector is the simplest recommended form of node selection constraint + and specifies a map of key-value pairs. For the pod to be eligible + to run on a node, the node must have each of the indicated key-value pairs + as labels (it can have additional labels as well). + If unset, the pod(s) will be scheduled to any available node. type: object tolerations: - description: "Tolerations work with taints to ensure that - pods are not scheduled onto inappropriate nodes. One or - more taints are applied to a node; this marks that the node - should not accept any pods that do not tolerate the taints. - \n The default is an empty list. \n See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - for additional details." + description: |- + Tolerations work with taints to ensure that pods are not scheduled + onto inappropriate nodes. One or more taints are applied to a node; this + marks that the node should not accept any pods that do not tolerate the + taints. + The default is an empty list. + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for additional details. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule and - NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If the - key is empty, operator must be Exists; this combination - means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints of - a particular category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the - taint forever (do not evict). Zero and negative values - will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value should - be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object overloadMaxHeapSize: - description: 'OverloadMaxHeapSize defines the maximum heap memory - of the envoy controlled by the overload manager. When the value - is greater than 0, the overload manager is enabled, and when - envoy reaches 95% of the maximum heap size, it performs a shrink - heap operation, When it reaches 98% of the maximum heap size, - Envoy Will stop accepting requests. More info: https://projectcontour.io/docs/main/config/overload-manager/' + description: |- + OverloadMaxHeapSize defines the maximum heap memory of the envoy controlled by the overload manager. + When the value is greater than 0, the overload manager is enabled, + and when envoy reaches 95% of the maximum heap size, it performs a shrink heap operation, + When it reaches 98% of the maximum heap size, Envoy Will stop accepting requests. + More info: https://projectcontour.io/docs/main/config/overload-manager/ format: int64 type: integer podAnnotations: additionalProperties: type: string - description: PodAnnotations defines annotations to add to the - Envoy pods. the annotations for Prometheus will be appended - or overwritten with predefined value. + description: |- + PodAnnotations defines annotations to add to the Envoy pods. + the annotations for Prometheus will be appended or overwritten with predefined value. type: object replicas: - description: "Deprecated: Use `DeploymentSettings.Replicas` instead. - \n Replicas is the desired number of Envoy replicas. If WorkloadType - is not \"Deployment\", this field is ignored. Otherwise, if - unset, defaults to 2. \n if both `DeploymentSettings.Replicas` - and this one is set, use `DeploymentSettings.Replicas`." + description: |- + Deprecated: Use `DeploymentSettings.Replicas` instead. + Replicas is the desired number of Envoy replicas. If WorkloadType + is not "Deployment", this field is ignored. Otherwise, if unset, + defaults to 2. + if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`. format: int32 minimum: 0 type: integer resources: - description: 'Compute Resources required by envoy container. Cannot - be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Compute Resources required by envoy container. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name @@ -3866,8 +3882,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -3876,15 +3893,16 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object workloadType: - description: WorkloadType is the type of workload to install Envoy + description: |- + WorkloadType is the type of workload to install Envoy as. Choices are DaemonSet and Deployment. If unset, defaults to DaemonSet. type: string @@ -3892,41 +3910,49 @@ spec: resourceLabels: additionalProperties: type: string - description: "ResourceLabels is a set of labels to add to the provisioned - Contour resources. \n Deprecated: use Gateway.Spec.Infrastructure.Labels - instead. This field will be removed in a future release." + description: |- + ResourceLabels is a set of labels to add to the provisioned Contour resources. + Deprecated: use Gateway.Spec.Infrastructure.Labels instead. This field will be + removed in a future release. type: object runtimeSettings: - description: RuntimeSettings is a ContourConfiguration spec to be - used when provisioning a Contour instance that will influence aspects - of the Contour instance's runtime behavior. + description: |- + RuntimeSettings is a ContourConfiguration spec to be used when + provisioning a Contour instance that will influence aspects of + the Contour instance's runtime behavior. properties: debug: - description: Debug contains parameters to enable debug logging + description: |- + Debug contains parameters to enable debug logging and debug interfaces inside Contour. properties: address: - description: "Defines the Contour debug address interface. - \n Contour's default is \"127.0.0.1\"." + description: |- + Defines the Contour debug address interface. + Contour's default is "127.0.0.1". type: string port: - description: "Defines the Contour debug address port. \n Contour's - default is 6060." + description: |- + Defines the Contour debug address port. + Contour's default is 6060. type: integer type: object enableExternalNameService: - description: "EnableExternalNameService allows processing of ExternalNameServices - \n Contour's default is false for security reasons." + description: |- + EnableExternalNameService allows processing of ExternalNameServices + Contour's default is false for security reasons. type: boolean envoy: - description: Envoy contains parameters for Envoy as well as how - to optionally configure a managed Envoy fleet. + description: |- + Envoy contains parameters for Envoy as well + as how to optionally configure a managed Envoy fleet. properties: clientCertificate: - description: ClientCertificate defines the namespace/name - of the Kubernetes secret containing the client certificate - and private key to be used when establishing TLS connection - to upstream cluster. + description: |- + ClientCertificate defines the namespace/name of the Kubernetes + secret containing the client certificate and private key + to be used when establishing TLS connection to upstream + cluster. properties: name: type: string @@ -3937,13 +3963,14 @@ spec: - namespace type: object cluster: - description: Cluster holds various configurable Envoy cluster - values that can be set in the config file. + description: |- + Cluster holds various configurable Envoy cluster values that can + be set in the config file. properties: circuitBreakers: - description: GlobalCircuitBreakerDefaults specifies default - circuit breaker budget across all services. If defined, - this will be used as the default for all services. + description: |- + GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services. + If defined, this will be used as the default for all services. properties: maxConnections: description: The maximum number of connections that @@ -3971,35 +3998,35 @@ spec: type: integer type: object dnsLookupFamily: - description: "DNSLookupFamily defines how external names - are looked up When configured as V4, the DNS resolver - will only perform a lookup for addresses in the IPv4 - family. If V6 is configured, the DNS resolver will only - perform a lookup for addresses in the IPv6 family. If - AUTO is configured, the DNS resolver will first perform - a lookup for addresses in the IPv6 family and fallback - to a lookup for addresses in the IPv4 family. If ALL - is specified, the DNS resolver will perform a lookup - for both IPv4 and IPv6 families, and return all resolved - addresses. When this is used, Happy Eyeballs will be - enabled for upstream connections. Refer to Happy Eyeballs - Support for more information. Note: This only applies - to externalName clusters. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily - for more information. \n Values: `auto` (default), `v4`, - `v6`, `all`. \n Other values will produce an error." + description: |- + DNSLookupFamily defines how external names are looked up + When configured as V4, the DNS resolver will only perform a lookup + for addresses in the IPv4 family. If V6 is configured, the DNS resolver + will only perform a lookup for addresses in the IPv6 family. + If AUTO is configured, the DNS resolver will first perform a lookup + for addresses in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for + both IPv4 and IPv6 families, and return all resolved addresses. + When this is used, Happy Eyeballs will be enabled for upstream connections. + Refer to Happy Eyeballs Support for more information. + Note: This only applies to externalName clusters. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. + Values: `auto` (default), `v4`, `v6`, `all`. + Other values will produce an error. type: string maxRequestsPerConnection: - description: Defines the maximum requests for upstream - connections. If not specified, there is no limit. see - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + description: |- + Defines the maximum requests for upstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions for more information. format: int32 minimum: 1 type: integer per-connection-buffer-limit-bytes: - description: Defines the soft limit on size of the cluster’s - new connection read and write buffers in bytes. If unspecified, - an implementation defined default is applied (1MiB). + description: |- + Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes for more information. format: int32 @@ -4010,64 +4037,73 @@ spec: for upstream connections properties: cipherSuites: - description: "CipherSuites defines the TLS ciphers - to be supported by Envoy TLS listeners when negotiating - TLS 1.2. Ciphers are validated against the set that - Envoy supports by default. This parameter should - only be used by advanced users. Note that these - will be ignored when TLS 1.3 is in use. \n This - field is optional; when it is undefined, a Contour-managed - ciphersuite list will be used, which may be updated - to keep it secure. \n Contour's default list is: - - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" - \n Ciphers provided are validated against the following - list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" - - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" - - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" - - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - - \"AES256-SHA\" \n Contour recommends leaving this - undefined unless you are sure you must. \n See: - https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters - Note: This list is a superset of what is valid for - stock Envoy builds and those using BoringSSL FIPS." + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. items: type: string type: array maximumProtocolVersion: - description: "MaximumProtocolVersion is the maximum - TLS version this vhost should negotiate. \n Values: - `1.2`, `1.3`(default). \n Other values will produce - an error." + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. type: string minimumProtocolVersion: - description: "MinimumProtocolVersion is the minimum - TLS version this vhost should negotiate. \n Values: - `1.2` (default), `1.3`. \n Other values will produce - an error." + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. type: string type: object type: object defaultHTTPVersions: - description: "DefaultHTTPVersions defines the default set - of HTTPS versions the proxy should accept. HTTP versions - are strings of the form \"HTTP/xx\". Supported versions - are \"HTTP/1.1\" and \"HTTP/2\". \n Values: `HTTP/1.1`, - `HTTP/2` (default: both). \n Other values will produce an - error." + description: |- + DefaultHTTPVersions defines the default set of HTTPS + versions the proxy should accept. HTTP versions are + strings of the form "HTTP/xx". Supported versions are + "HTTP/1.1" and "HTTP/2". + Values: `HTTP/1.1`, `HTTP/2` (default: both). + Other values will produce an error. items: description: HTTPVersionType is the name of a supported HTTP version. type: string type: array health: - description: "Health defines the endpoint Envoy uses to serve - health checks. \n Contour's default is { address: \"0.0.0.0\", - port: 8002 }." + description: |- + Health defines the endpoint Envoy uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8002 }. properties: address: description: Defines the health address interface. @@ -4078,9 +4114,9 @@ spec: type: integer type: object http: - description: "Defines the HTTP Listener for Envoy. \n Contour's - default is { address: \"0.0.0.0\", port: 8080, accessLog: - \"/dev/stdout\" }." + description: |- + Defines the HTTP Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }. properties: accessLog: description: AccessLog defines where Envoy logs are outputted @@ -4095,9 +4131,9 @@ spec: type: integer type: object https: - description: "Defines the HTTPS Listener for Envoy. \n Contour's - default is { address: \"0.0.0.0\", port: 8443, accessLog: - \"/dev/stdout\" }." + description: |- + Defines the HTTPS Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }. properties: accessLog: description: AccessLog defines where Envoy logs are outputted @@ -4116,111 +4152,103 @@ spec: values. properties: connectionBalancer: - description: "ConnectionBalancer. If the value is exact, - the listener will use the exact connection balancer + description: |- + ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig - for more information. \n Values: (empty string): use - the default ConnectionBalancer, `exact`: use the Exact - ConnectionBalancer. \n Other values will produce an - error." + for more information. + Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. + Other values will produce an error. type: string disableAllowChunkedLength: - description: "DisableAllowChunkedLength disables the RFC-compliant - Envoy behavior to strip the \"Content-Length\" header - if \"Transfer-Encoding: chunked\" is also set. This - is an emergency off-switch to revert back to Envoy's - default behavior in case of failures. Please file an - issue if failures are encountered. See: https://github.com/projectcontour/contour/issues/3221 - \n Contour's default is false." + description: |- + DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to + strip the "Content-Length" header if "Transfer-Encoding: chunked" is + also set. This is an emergency off-switch to revert back to Envoy's + default behavior in case of failures. Please file an issue if failures + are encountered. + See: https://github.com/projectcontour/contour/issues/3221 + Contour's default is false. type: boolean disableMergeSlashes: - description: "DisableMergeSlashes disables Envoy's non-standard - merge_slashes path transformation option which strips - duplicate slashes from request URL paths. \n Contour's - default is false." + description: |- + DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option + which strips duplicate slashes from request URL paths. + Contour's default is false. type: boolean httpMaxConcurrentStreams: - description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS - Envoy will advertise in the SETTINGS frame in HTTP/2 - connections and the limit for concurrent streams allowed - for a peer on a single HTTP/2 connection. It is recommended - to not set this lower than 100 but this field can be - used to bound resource usage by HTTP/2 connections and - mitigate attacks like CVE-2023-44487. The default value - when this is not set is unlimited. + description: |- + Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the + SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed + for a peer on a single HTTP/2 connection. It is recommended to not set this lower + than 100 but this field can be used to bound resource usage by HTTP/2 connections + and mitigate attacks like CVE-2023-44487. The default value when this is not set is + unlimited. format: int32 minimum: 1 type: integer maxConnectionsPerListener: - description: Defines the limit on number of active connections - to a listener. The limit is applied per listener. The - default value when this is not set is unlimited. + description: |- + Defines the limit on number of active connections to a listener. The limit is applied + per listener. The default value when this is not set is unlimited. format: int32 minimum: 1 type: integer maxRequestsPerConnection: - description: Defines the maximum requests for downstream - connections. If not specified, there is no limit. see - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + description: |- + Defines the maximum requests for downstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions for more information. format: int32 minimum: 1 type: integer maxRequestsPerIOCycle: - description: Defines the limit on number of HTTP requests - that Envoy will process from a single connection in - a single I/O cycle. Requests over this limit are processed - in subsequent I/O cycles. Can be used as a mitigation - for CVE-2023-44487 when abusive traffic is detected. - Configures the http.max_requests_per_io_cycle Envoy - runtime setting. The default value when this is not - set is no limit. + description: |- + Defines the limit on number of HTTP requests that Envoy will process from a single + connection in a single I/O cycle. Requests over this limit are processed in subsequent + I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is + detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default + value when this is not set is no limit. format: int32 minimum: 1 type: integer per-connection-buffer-limit-bytes: - description: Defines the soft limit on size of the listener’s - new connection read and write buffers in bytes. If unspecified, - an implementation defined default is applied (1MiB). + description: |- + Defines the soft limit on size of the listener’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes for more information. format: int32 minimum: 1 type: integer serverHeaderTransformation: - description: "Defines the action to be applied to the - Server header on the response path. When configured - as overwrite, overwrites any Server header with \"envoy\". - When configured as append_if_absent, if a Server header - is present, pass it through, otherwise set it to \"envoy\". - When configured as pass_through, pass through the value - of the Server header, and do not append a header if - none is present. \n Values: `overwrite` (default), `append_if_absent`, - `pass_through` \n Other values will produce an error. - Contour's default is overwrite." + description: |- + Defines the action to be applied to the Server header on the response path. + When configured as overwrite, overwrites any Server header with "envoy". + When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy". + When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. + Values: `overwrite` (default), `append_if_absent`, `pass_through` + Other values will produce an error. + Contour's default is overwrite. type: string socketOptions: - description: SocketOptions defines configurable socket - options for the listeners. Single set of options are - applied to all listeners. + description: |- + SocketOptions defines configurable socket options for the listeners. + Single set of options are applied to all listeners. properties: tos: - description: Defines the value for IPv4 TOS field - (including 6 bit DSCP field) for IP packets originating - from Envoy listeners. Single value is applied to - all listeners. If listeners are bound to IPv6-only - addresses, setting this option will cause an error. + description: |- + Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv6-only addresses, setting this option will cause an error. format: int32 maximum: 255 minimum: 0 type: integer trafficClass: - description: Defines the value for IPv6 Traffic Class - field (including 6 bit DSCP field) for IP packets - originating from the Envoy listeners. Single value - is applied to all listeners. If listeners are bound - to IPv4-only addresses, setting this option will - cause an error. + description: |- + Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv4-only addresses, setting this option will cause an error. format: int32 maximum: 255 minimum: 0 @@ -4231,84 +4259,93 @@ spec: listener values. properties: cipherSuites: - description: "CipherSuites defines the TLS ciphers - to be supported by Envoy TLS listeners when negotiating - TLS 1.2. Ciphers are validated against the set that - Envoy supports by default. This parameter should - only be used by advanced users. Note that these - will be ignored when TLS 1.3 is in use. \n This - field is optional; when it is undefined, a Contour-managed - ciphersuite list will be used, which may be updated - to keep it secure. \n Contour's default list is: - - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" - \n Ciphers provided are validated against the following - list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" - - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" - - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" - - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - - \"AES256-SHA\" \n Contour recommends leaving this - undefined unless you are sure you must. \n See: - https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters - Note: This list is a superset of what is valid for - stock Envoy builds and those using BoringSSL FIPS." + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. items: type: string type: array maximumProtocolVersion: - description: "MaximumProtocolVersion is the maximum - TLS version this vhost should negotiate. \n Values: - `1.2`, `1.3`(default). \n Other values will produce - an error." + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. type: string minimumProtocolVersion: - description: "MinimumProtocolVersion is the minimum - TLS version this vhost should negotiate. \n Values: - `1.2` (default), `1.3`. \n Other values will produce - an error." + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. type: string type: object useProxyProtocol: - description: "Use PROXY protocol for all listeners. \n - Contour's default is false." + description: |- + Use PROXY protocol for all listeners. + Contour's default is false. type: boolean type: object logging: description: Logging defines how Envoy's logs can be configured. properties: accessLogFormat: - description: "AccessLogFormat sets the global access log - format. \n Values: `envoy` (default), `json`. \n Other - values will produce an error." + description: |- + AccessLogFormat sets the global access log format. + Values: `envoy` (default), `json`. + Other values will produce an error. type: string accessLogFormatString: - description: AccessLogFormatString sets the access log - format when format is set to `envoy`. When empty, Envoy's - default format is used. + description: |- + AccessLogFormatString sets the access log format when format is set to `envoy`. + When empty, Envoy's default format is used. type: string accessLogJSONFields: - description: AccessLogJSONFields sets the fields that - JSON logging will output when AccessLogFormat is json. + description: |- + AccessLogJSONFields sets the fields that JSON logging will + output when AccessLogFormat is json. items: type: string type: array accessLogLevel: - description: "AccessLogLevel sets the verbosity level - of the access log. \n Values: `info` (default, all requests - are logged), `error` (all non-success requests, i.e. - 300+ response code, are logged), `critical` (all 5xx - requests are logged) and `disabled`. \n Other values - will produce an error." + description: |- + AccessLogLevel sets the verbosity level of the access log. + Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`. + Other values will produce an error. type: string type: object metrics: - description: "Metrics defines the endpoint Envoy uses to serve - metrics. \n Contour's default is { address: \"0.0.0.0\", - port: 8002 }." + description: |- + Metrics defines the endpoint Envoy uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8002 }. properties: address: description: Defines the metrics address interface. @@ -4319,9 +4356,9 @@ spec: description: Defines the metrics port. type: integer tls: - description: TLS holds TLS file config details. Metrics - and health endpoints cannot have same port number when - metrics is served over HTTPS. + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. properties: caFile: description: CA filename. @@ -4339,24 +4376,26 @@ spec: values. properties: adminPort: - description: "Configure the port used to access the Envoy - Admin interface. If configured to port \"0\" then the - admin interface is disabled. \n Contour's default is - 9001." + description: |- + Configure the port used to access the Envoy Admin interface. + If configured to port "0" then the admin interface is disabled. + Contour's default is 9001. type: integer numTrustedHops: - description: "XffNumTrustedHops defines the number of - additional ingress proxy hops from the right side of - the x-forwarded-for HTTP header to trust when determining - the origin client’s IP address. \n See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops - for more information. \n Contour's default is 0." + description: |- + XffNumTrustedHops defines the number of additional ingress proxy hops from the + right side of the x-forwarded-for HTTP header to trust when determining the origin + client’s IP address. + See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops + for more information. + Contour's default is 0. format: int32 type: integer type: object service: - description: "Service holds Envoy service parameters for setting - Ingress status. \n Contour's default is { namespace: \"projectcontour\", - name: \"envoy\" }." + description: |- + Service holds Envoy service parameters for setting Ingress status. + Contour's default is { namespace: "projectcontour", name: "envoy" }. properties: name: type: string @@ -4367,95 +4406,100 @@ spec: - namespace type: object timeouts: - description: Timeouts holds various configurable timeouts - that can be set in the config file. + description: |- + Timeouts holds various configurable timeouts that can + be set in the config file. properties: connectTimeout: - description: "ConnectTimeout defines how long the proxy - should wait when establishing connection to upstream - service. If not set, a default value of 2 seconds will - be used. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout - for more information." + description: |- + ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. + If not set, a default value of 2 seconds will be used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout + for more information. type: string connectionIdleTimeout: - description: "ConnectionIdleTimeout defines how long the - proxy should wait while there are no active requests - (for HTTP/1.1) or streams (for HTTP/2) before terminating - an HTTP connection. Set to \"infinity\" to disable the - timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout - for more information." + description: |- + ConnectionIdleTimeout defines how long the proxy should wait while there are + no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating + an HTTP connection. Set to "infinity" to disable the timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout + for more information. type: string connectionShutdownGracePeriod: - description: "ConnectionShutdownGracePeriod defines how - long the proxy will wait between sending an initial - GOAWAY frame and a second, final GOAWAY frame when terminating - an HTTP/2 connection. During this grace period, the - proxy will continue to respond to new streams. After - the final GOAWAY frame has been sent, the proxy will - refuse new streams. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout - for more information." + description: |- + ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an + initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection. + During this grace period, the proxy will continue to respond to new streams. After the final + GOAWAY frame has been sent, the proxy will refuse new streams. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout + for more information. type: string delayedCloseTimeout: - description: "DelayedCloseTimeout defines how long envoy - will wait, once connection close processing has been - initiated, for the downstream peer to close the connection - before Envoy closes the socket associated with the connection. - \n Setting this timeout to 'infinity' will disable it, - equivalent to setting it to '0' in Envoy. Leaving it - unset will result in the Envoy default value being used. - \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout - for more information." + description: |- + DelayedCloseTimeout defines how long envoy will wait, once connection + close processing has been initiated, for the downstream peer to close + the connection before Envoy closes the socket associated with the connection. + Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0' + in Envoy. Leaving it unset will result in the Envoy default value being used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout + for more information. type: string maxConnectionDuration: - description: "MaxConnectionDuration defines the maximum - period of time after an HTTP connection has been established - from the client to the proxy before it is closed by - the proxy, regardless of whether there has been activity - or not. Omit or set to \"infinity\" for no max duration. - \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration - for more information." + description: |- + MaxConnectionDuration defines the maximum period of time after an HTTP connection + has been established from the client to the proxy before it is closed by the proxy, + regardless of whether there has been activity or not. Omit or set to "infinity" for + no max duration. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration + for more information. type: string requestTimeout: - description: "RequestTimeout sets the client request timeout - globally for Contour. Note that this is a timeout for - the entire request, not an idle timeout. Omit or set - to \"infinity\" to disable the timeout entirely. \n + description: |- + RequestTimeout sets the client request timeout globally for Contour. Note that + this is a timeout for the entire request, not an idle timeout. Omit or set to + "infinity" to disable the timeout entirely. See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout - for more information." + for more information. type: string streamIdleTimeout: - description: "StreamIdleTimeout defines how long the proxy - should wait while there is no request activity (for - HTTP/1.1) or stream activity (for HTTP/2) before terminating - the HTTP request or stream. Set to \"infinity\" to disable - the timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout - for more information." + description: |- + StreamIdleTimeout defines how long the proxy should wait while there is no + request activity (for HTTP/1.1) or stream activity (for HTTP/2) before + terminating the HTTP request or stream. Set to "infinity" to disable the + timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout + for more information. type: string type: object type: object featureFlags: - description: 'FeatureFlags defines toggle to enable new contour - features. Available toggles are: useEndpointSlices - configures - contour to fetch endpoint data from k8s endpoint slices. defaults - to false and reading endpoint data from the k8s endpoints.' + description: |- + FeatureFlags defines toggle to enable new contour features. + Available toggles are: + useEndpointSlices - configures contour to fetch endpoint data + from k8s endpoint slices. defaults to false and reading endpoint + data from the k8s endpoints. items: type: string type: array gateway: - description: Gateway contains parameters for the gateway-api Gateway - that Contour is configured to serve traffic. + description: |- + Gateway contains parameters for the gateway-api Gateway that Contour + is configured to serve traffic. properties: controllerName: - description: ControllerName is used to determine whether Contour - should reconcile a GatewayClass. The string takes the form - of "projectcontour.io//contour". If unset, the - gatewayclass controller will not be started. Exactly one - of ControllerName or GatewayRef must be set. + description: |- + ControllerName is used to determine whether Contour should reconcile a + GatewayClass. The string takes the form of "projectcontour.io//contour". + If unset, the gatewayclass controller will not be started. + Exactly one of ControllerName or GatewayRef must be set. type: string gatewayRef: - description: GatewayRef defines a specific Gateway that this - Contour instance corresponds to. If set, Contour will reconcile - only this gateway, and will not reconcile any gateway classes. + description: |- + GatewayRef defines a specific Gateway that this Contour + instance corresponds to. If set, Contour will reconcile + only this gateway, and will not reconcile any gateway + classes. Exactly one of ControllerName or GatewayRef must be set. properties: name: @@ -4468,26 +4512,29 @@ spec: type: object type: object globalExtAuth: - description: GlobalExternalAuthorization allows envoys external - authorization filter to be enabled for all virtual hosts. + description: |- + GlobalExternalAuthorization allows envoys external authorization filter + to be enabled for all virtual hosts. properties: authPolicy: - description: AuthPolicy sets a default authorization policy - for client requests. This policy will be used unless overridden - by individual routes. + description: |- + AuthPolicy sets a default authorization policy for client requests. + This policy will be used unless overridden by individual routes. properties: context: additionalProperties: type: string - description: Context is a set of key/value pairs that - are sent to the authentication server in the check request. - If a context is provided at an enclosing scope, the - entries are merged such that the inner scope overrides - matching keys from the outer scope. + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. type: object disabled: - description: When true, this field disables client request - authentication for the scope of the policy. + description: |- + When true, this field disables client request authentication + for the scope of the policy. type: boolean type: object extensionRef: @@ -4495,36 +4542,38 @@ spec: that will authorize client requests. properties: apiVersion: - description: API version of the referent. If this field - is not specified, the default "projectcontour.io/v1alpha1" - will be used + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used minLength: 1 type: string name: - description: "Name of the referent. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names minLength: 1 type: string namespace: - description: "Namespace of the referent. If this field - is not specifies, the namespace of the resource that - targets the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ minLength: 1 type: string type: object failOpen: - description: If FailOpen is true, the client request is forwarded - to the upstream service even if the authorization server - fails to respond. This field should not be set in most cases. - It is intended for use only while migrating applications + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the authorization server fails to respond. This field should not be + set in most cases. It is intended for use only while migrating applications from internal authorization to Contour external authorization. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time to wait - for a check response from the authorization server. Timeout - durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", - "h". The string "infinity" is also a valid input and specifies - no timeout. + description: |- + ResponseTimeout configures maximum time to wait for a check response from the authorization server. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string withRequestBody: @@ -4549,9 +4598,9 @@ spec: type: object type: object health: - description: "Health defines the endpoints Contour uses to serve - health checks. \n Contour's default is { address: \"0.0.0.0\", - port: 8000 }." + description: |- + Health defines the endpoints Contour uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8000 }. properties: address: description: Defines the health address interface. @@ -4565,14 +4614,15 @@ spec: description: HTTPProxy defines parameters on HTTPProxy. properties: disablePermitInsecure: - description: "DisablePermitInsecure disables the use of the - permitInsecure field in HTTPProxy. \n Contour's default - is false." + description: |- + DisablePermitInsecure disables the use of the + permitInsecure field in HTTPProxy. + Contour's default is false. type: boolean fallbackCertificate: - description: FallbackCertificate defines the namespace/name - of the Kubernetes secret to use as fallback when a non-SNI - request is received. + description: |- + FallbackCertificate defines the namespace/name of the Kubernetes secret to + use as fallback when a non-SNI request is received. properties: name: type: string @@ -4602,9 +4652,9 @@ spec: type: string type: object metrics: - description: "Metrics defines the endpoint Contour uses to serve - metrics. \n Contour's default is { address: \"0.0.0.0\", port: - 8000 }." + description: |- + Metrics defines the endpoint Contour uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8000 }. properties: address: description: Defines the metrics address interface. @@ -4615,9 +4665,9 @@ spec: description: Defines the metrics port. type: integer tls: - description: TLS holds TLS file config details. Metrics and - health endpoints cannot have same port number when metrics - is served over HTTPS. + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. properties: caFile: description: CA filename. @@ -4635,8 +4685,9 @@ spec: by the user properties: applyToIngress: - description: "ApplyToIngress determines if the Policies will - apply to ingress objects \n Contour's default is false." + description: |- + ApplyToIngress determines if the Policies will apply to ingress objects + Contour's default is false. type: boolean requestHeaders: description: RequestHeadersPolicy defines the request headers @@ -4666,18 +4717,20 @@ spec: type: object type: object rateLimitService: - description: RateLimitService optionally holds properties of the - Rate Limit Service to be used for global rate limiting. + description: |- + RateLimitService optionally holds properties of the Rate Limit Service + to be used for global rate limiting. properties: defaultGlobalRateLimitPolicy: - description: DefaultGlobalRateLimitPolicy allows setting a - default global rate limit policy for every HTTPProxy. HTTPProxy - can overwrite this configuration. + description: |- + DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. + HTTPProxy can overwrite this configuration. properties: descriptors: - description: Descriptors defines the list of descriptors - that will be generated and sent to the rate limit service. - Each descriptor contains 1+ key-value pair entries. + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries. items: description: RateLimitDescriptor defines a list of key-value pair generators. @@ -4686,18 +4739,18 @@ spec: description: Entries is the list of key-value pair generators. items: - description: RateLimitDescriptorEntry is a key-value - pair generator. Exactly one field on this struct - must be non-nil. + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. properties: genericKey: description: GenericKey defines a descriptor entry with a static key and value. properties: key: - description: Key defines the key of the - descriptor entry. If not set, the key - is set to "generic_key". + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". type: string value: description: Value defines the value of @@ -4706,17 +4759,15 @@ spec: type: string type: object remoteAddress: - description: RemoteAddress defines a descriptor - entry with a key of "remote_address" and - a value equal to the client's IP address - (from x-forwarded-for). + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). type: object requestHeader: - description: RequestHeader defines a descriptor - entry that's populated only if a given header - is present on the request. The descriptor - key is static, and the descriptor value - is equal to the value of the header. + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. properties: descriptorKey: description: DescriptorKey defines the @@ -4730,42 +4781,36 @@ spec: type: string type: object requestHeaderValueMatch: - description: RequestHeaderValueMatch defines - a descriptor entry that's populated if the - request's headers match a set of 1+ match - criteria. The descriptor key is "header_match", - and the descriptor value is static. + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. properties: expectMatch: default: true - description: ExpectMatch defines whether - the request must positively match the - match criteria in order to generate - a descriptor entry (i.e. true), or not - match the match criteria in order to - generate a descriptor entry (i.e. false). + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). The default is true. type: boolean headers: - description: Headers is a list of 1+ match - criteria to apply against the request - to determine whether to populate the - descriptor entry or not. + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. items: - description: HeaderMatchCondition specifies - how to conditionally match against - HTTP headers. The Name field is required, - only one of Present, NotPresent, Contains, - NotContains, Exact, NotExact and Regex - can be set. For negative matching - rules only (e.g. NotContains or NotExact) - you can set TreatMissingAsEmpty. IgnoreCase - has no effect for Regex. + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex. properties: contains: - description: Contains specifies - a substring that must be present - in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string @@ -4773,61 +4818,49 @@ spec: equal to. type: string ignoreCase: - description: IgnoreCase specifies - that string matching should be - case insensitive. Note that this - has no effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of - the header to match against. Name - is required. Header names are - case insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies - a substring that must not be present + description: |- + NotContains specifies a substring that must not be present in the header value. type: string notexact: - description: NoExact specifies a - string that the header value must - not be equal to. The condition - is true if the header has any - other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies - that condition is true when the - named header is not present. Note - that setting NotPresent to false - does not make the condition true - if the named header is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that - condition is true when the named - header is present, regardless - of its value. Note that setting - Present to false does not make - the condition true if the named - header is absent. + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. type: boolean regex: - description: Regex specifies a regular - expression pattern that must match - the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty - specifies if the header match - rule specified header does not - exist, this header value will - be treated as empty. Defaults - to false. Unlike the underlying - Envoy implementation this is **only** - supported for negative matches - (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -4847,25 +4880,26 @@ spec: minItems: 1 type: array disabled: - description: Disabled configures the HTTPProxy to not - use the default global rate limit policy defined by - the Contour configuration. + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. type: boolean type: object domain: description: Domain is passed to the Rate Limit Service. type: string enableResourceExhaustedCode: - description: EnableResourceExhaustedCode enables translating - error code 429 to grpc code RESOURCE_EXHAUSTED. When disabled - it's translated to UNAVAILABLE + description: |- + EnableResourceExhaustedCode enables translating error code 429 to + grpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE type: boolean enableXRateLimitHeaders: - description: "EnableXRateLimitHeaders defines whether to include - the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining, - and X-RateLimit-Reset (as defined by the IETF Internet-Draft - linked below), on responses to clients when the Rate Limit - Service is consulted for a request. \n ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html" + description: |- + EnableXRateLimitHeaders defines whether to include the X-RateLimit + headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset + (as defined by the IETF Internet-Draft linked below), on responses + to clients when the Rate Limit Service is consulted for a request. + ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html type: boolean extensionService: description: ExtensionService identifies the extension service @@ -4880,10 +4914,10 @@ spec: - namespace type: object failOpen: - description: FailOpen defines whether to allow requests to - proceed when the Rate Limit Service fails to respond with - a valid rate limit decision within the timeout defined on - the extension service. + description: |- + FailOpen defines whether to allow requests to proceed when the + Rate Limit Service fails to respond with a valid rate limit + decision within the timeout defined on the extension service. type: boolean required: - extensionService @@ -4896,17 +4930,20 @@ spec: description: CustomTags defines a list of custom tags with unique tag name. items: - description: CustomTag defines custom tags with unique tag - name to create tags for the active span. + description: |- + CustomTag defines custom tags with unique tag name + to create tags for the active span. properties: literal: - description: Literal is a static custom tag value. Precisely - one of Literal, RequestHeaderName must be set. + description: |- + Literal is a static custom tag value. + Precisely one of Literal, RequestHeaderName must be set. type: string requestHeaderName: - description: RequestHeaderName indicates which request - header the label value is obtained from. Precisely - one of Literal, RequestHeaderName must be set. + description: |- + RequestHeaderName indicates which request header + the label value is obtained from. + Precisely one of Literal, RequestHeaderName must be set. type: string tagName: description: TagName is the unique name of the custom @@ -4929,24 +4966,27 @@ spec: - namespace type: object includePodDetail: - description: 'IncludePodDetail defines a flag. If it is true, - contour will add the pod name and namespace to the span - of the trace. the default is true. Note: The Envoy pods - MUST have the HOSTNAME and CONTOUR_NAMESPACE environment - variables set for this to work properly.' + description: |- + IncludePodDetail defines a flag. + If it is true, contour will add the pod name and namespace to the span of the trace. + the default is true. + Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly. type: boolean maxPathTagLength: - description: MaxPathTagLength defines maximum length of the - request path to extract and include in the HttpUrl tag. + description: |- + MaxPathTagLength defines maximum length of the request path + to extract and include in the HttpUrl tag. contour's default is 256. format: int32 type: integer overallSampling: - description: OverallSampling defines the sampling rate of - trace data. contour's default is 100. + description: |- + OverallSampling defines the sampling rate of trace data. + contour's default is 100. type: string serviceName: - description: ServiceName defines the name for the service. + description: |- + ServiceName defines the name for the service. contour's default is contour. type: string required: @@ -4956,18 +4996,20 @@ spec: description: XDSServer contains parameters for the xDS server. properties: address: - description: "Defines the xDS gRPC API address which Contour - will serve. \n Contour's default is \"0.0.0.0\"." + description: |- + Defines the xDS gRPC API address which Contour will serve. + Contour's default is "0.0.0.0". minLength: 1 type: string port: - description: "Defines the xDS gRPC API port which Contour - will serve. \n Contour's default is 8001." + description: |- + Defines the xDS gRPC API port which Contour will serve. + Contour's default is 8001. type: integer tls: - description: "TLS holds TLS file config details. \n Contour's - default is { caFile: \"/certs/ca.crt\", certFile: \"/certs/tls.cert\", - keyFile: \"/certs/tls.key\", insecure: false }." + description: |- + TLS holds TLS file config details. + Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }. properties: caFile: description: CA filename. @@ -4983,9 +5025,10 @@ spec: type: string type: object type: - description: "Defines the XDSServer to use for `contour serve`. - \n Values: `contour` (default), `envoy`. \n Other values - will produce an error." + description: |- + Defines the XDSServer to use for `contour serve`. + Values: `contour` (default), `envoy`. + Other values will produce an error. type: string type: object type: object @@ -4999,42 +5042,42 @@ spec: resource. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -5048,11 +5091,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -5078,7 +5122,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: extensionservices.projectcontour.io spec: preserveUnknownFields: false @@ -5096,19 +5140,26 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ExtensionService is the schema for the Contour extension services - API. An ExtensionService resource binds a network service to the Contour - API so that Contour API features can be implemented by collaborating components. + description: |- + ExtensionService is the schema for the Contour extension services API. + An ExtensionService resource binds a network service to the Contour + API so that Contour API features can be implemented by collaborating + components. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -5117,101 +5168,111 @@ spec: resource. properties: loadBalancerPolicy: - description: The policy for load balancing GRPC service requests. - Note that the `Cookie` and `RequestHash` load balancing strategies - cannot be used here. + description: |- + The policy for load balancing GRPC service requests. Note that the + `Cookie` and `RequestHash` load balancing strategies cannot be used + here. properties: requestHashPolicies: - description: RequestHashPolicies contains a list of hash policies - to apply when the `RequestHash` load balancing strategy is chosen. - If an element of the supplied list of hash policies is invalid, - it will be ignored. If the list of hash policies is empty after - validation, the load balancing strategy will fall back to the - default `RoundRobin`. + description: |- + RequestHashPolicies contains a list of hash policies to apply when the + `RequestHash` load balancing strategy is chosen. If an element of the + supplied list of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load balancing + strategy will fall back to the default `RoundRobin`. items: - description: RequestHashPolicy contains configuration for an - individual hash policy on a request attribute. + description: |- + RequestHashPolicy contains configuration for an individual hash policy + on a request attribute. properties: hashSourceIP: - description: HashSourceIP should be set to true when request - source IP hash based load balancing is desired. It must - be the only hash option field set, otherwise this request - hash policy object will be ignored. + description: |- + HashSourceIP should be set to true when request source IP hash based + load balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. type: boolean headerHashOptions: - description: HeaderHashOptions should be set when request - header hash based load balancing is desired. It must be - the only hash option field set, otherwise this request - hash policy object will be ignored. + description: |- + HeaderHashOptions should be set when request header hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: headerName: - description: HeaderName is the name of the HTTP request - header that will be used to calculate the hash key. - If the header specified is not present on a request, - no hash will be produced. + description: |- + HeaderName is the name of the HTTP request header that will be used to + calculate the hash key. If the header specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object queryParameterHashOptions: - description: QueryParameterHashOptions should be set when - request query parameter hash based load balancing is desired. - It must be the only hash option field set, otherwise this - request hash policy object will be ignored. + description: |- + QueryParameterHashOptions should be set when request query parameter hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: parameterName: - description: ParameterName is the name of the HTTP request - query parameter that will be used to calculate the - hash key. If the query parameter specified is not - present on a request, no hash will be produced. + description: |- + ParameterName is the name of the HTTP request query parameter that will be used to + calculate the hash key. If the query parameter specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object terminal: - description: Terminal is a flag that allows for short-circuiting - computing of a hash for a given request. If set to true, - and the request attribute specified in the attribute hash - options is present, no further hash policies will be used - to calculate a hash for the request. + description: |- + Terminal is a flag that allows for short-circuiting computing of a hash + for a given request. If set to true, and the request attribute specified + in the attribute hash options is present, no further hash policies will + be used to calculate a hash for the request. type: boolean type: object type: array strategy: - description: Strategy specifies the policy used to balance requests - across the pool of backend pods. Valid policy names are `Random`, - `RoundRobin`, `WeightedLeastRequest`, `Cookie`, and `RequestHash`. - If an unknown strategy name is specified or no policy is supplied, - the default `RoundRobin` policy is used. + description: |- + Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are + `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + and `RequestHash`. If an unknown strategy name is specified + or no policy is supplied, the default `RoundRobin` policy + is used. type: string type: object protocol: - description: Protocol may be used to specify (or override) the protocol - used to reach this Service. Values may be h2 or h2c. If omitted, - protocol-selection falls back on Service annotations. + description: |- + Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be h2 or h2c. If omitted, protocol-selection falls back on Service annotations. enum: - h2 - h2c type: string protocolVersion: - description: This field sets the version of the GRPC protocol that - Envoy uses to send requests to the extension service. Since Contour - always uses the v3 Envoy API, this is currently fixed at "v3". However, - other protocol options will be available in future. + description: |- + This field sets the version of the GRPC protocol that Envoy uses to + send requests to the extension service. Since Contour always uses the + v3 Envoy API, this is currently fixed at "v3". However, other + protocol options will be available in future. enum: - v3 type: string services: - description: Services specifies the set of Kubernetes Service resources - that receive GRPC extension API requests. If no weights are specified - for any of the entries in this array, traffic will be spread evenly - across all the services. Otherwise, traffic is balanced proportionally - to the Weight field in each entry. + description: |- + Services specifies the set of Kubernetes Service resources that + receive GRPC extension API requests. + If no weights are specified for any of the entries in + this array, traffic will be spread evenly across all the + services. + Otherwise, traffic is balanced proportionally to the + Weight field in each entry. items: - description: ExtensionServiceTarget defines an Kubernetes Service - to target with extension service traffic. + description: |- + ExtensionServiceTarget defines an Kubernetes Service to target with + extension service traffic. properties: name: - description: Name is the name of Kubernetes service that will - accept service traffic. + description: |- + Name is the name of Kubernetes service that will accept service + traffic. type: string port: description: Port (defined as Integer) to proxy traffic to since @@ -5235,24 +5296,23 @@ spec: description: The timeout policy for requests to the services. properties: idle: - description: Timeout for how long the proxy should wait while - there is no activity during single request/response (for HTTP/1.1) - or stream (for HTTP/2). Timeout will not trigger while HTTP/1.1 - connection is idle between two consecutive requests. If not - specified, there is no per-route idle timeout, though a connection - manager-wide stream_idle_timeout default of 5m still applies. + description: |- + Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2). + Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests. + If not specified, there is no per-route idle timeout, though a connection manager-wide + stream_idle_timeout default of 5m still applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string idleConnection: - description: Timeout for how long connection from the proxy to - the upstream service is kept when there are no active requests. + description: |- + Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests. If not supplied, Envoy's default value of 1h applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string response: - description: Timeout for receiving a response from the server - after processing a request from client. If not supplied, Envoy's - default value of 15s applies. + description: |- + Timeout for receiving a response from the server after processing a request from client. + If not supplied, Envoy's default value of 15s applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string type: object @@ -5261,27 +5321,26 @@ spec: service's certificate properties: caSecret: - description: Name or namespaced name of the Kubernetes secret - used to validate the certificate presented by the backend. The - secret must contain key named ca.crt. The name can be optionally - prefixed with namespace "namespace/name". When cross-namespace - reference is used, TLSCertificateDelegation resource must exist - in the namespace to grant access to the secret. Max length should - be the actual max possible length of a namespaced name (63 + - 253 + 1 = 317) + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) maxLength: 317 minLength: 1 type: string subjectName: - description: 'Key which is expected to be present in the ''subjectAltName'' - of the presented certificate. Deprecated: migrate to using the - plural field subjectNames.' + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. maxLength: 250 minLength: 1 type: string subjectNames: - description: List of keys, of which at least one is expected to - be present in the 'subjectAltName of the presented certificate. + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the + presented certificate. items: type: string maxItems: 8 @@ -5299,75 +5358,67 @@ spec: - services type: object status: - description: ExtensionServiceStatus defines the observed state of an ExtensionService - resource. + description: |- + ExtensionServiceStatus defines the observed state of an + ExtensionService resource. properties: conditions: - description: "Conditions contains the current status of the ExtensionService - resource. \n Contour will update a single condition, `Valid`, that - is in normal-true polarity. \n Contour will not modify any other - Conditions set in this block, in case some other controller wants - to add a Condition." + description: |- + Conditions contains the current status of the ExtensionService resource. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + Contour will not modify any other Conditions set in this block, + in case some other controller wants to add a Condition. items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. - \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. \n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. properties: errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -5381,10 +5432,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -5396,32 +5447,31 @@ spec: type: object type: array lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -5435,43 +5485,42 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -5485,10 +5534,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -5521,7 +5570,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: httpproxies.projectcontour.io spec: preserveUnknownFields: false @@ -5559,14 +5608,19 @@ spec: description: HTTPProxy is an Ingress CRD specification. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -5574,28 +5628,31 @@ spec: description: HTTPProxySpec defines the spec of the CRD. properties: includes: - description: Includes allow for specific routing configuration to - be included from another HTTPProxy, possibly in another namespace. + description: |- + Includes allow for specific routing configuration to be included from another HTTPProxy, + possibly in another namespace. items: description: Include describes a set of policies that can be applied to an HTTPProxy in a namespace. properties: conditions: - description: 'Conditions are a set of rules that are applied - to included HTTPProxies. In effect, they are added onto the - Conditions of included HTTPProxy Route structs. When applied, - they are merged using AND, with one exception: There can be - only one Prefix MatchCondition per Conditions slice. More - than one Prefix, or contradictory Conditions, will make the - include invalid. Exact and Regex match conditions are not - allowed on includes.' + description: |- + Conditions are a set of rules that are applied to included HTTPProxies. + In effect, they are added onto the Conditions of included HTTPProxy Route + structs. + When applied, they are merged using AND, with one exception: + There can be only one Prefix MatchCondition per Conditions slice. + More than one Prefix, or contradictory Conditions, will make the + include invalid. Exact and Regex match conditions are not allowed + on includes. items: - description: MatchCondition are a general holder for matching - rules for HTTPProxies. One of Prefix, Exact, Regex, Header - or QueryParameter must be provided. + description: |- + MatchCondition are a general holder for matching rules for HTTPProxies. + One of Prefix, Exact, Regex, Header or QueryParameter must be provided. properties: exact: - description: Exact defines a exact match for a request. + description: |- + Exact defines a exact match for a request. This field is not allowed in include match conditions. type: string header: @@ -5603,56 +5660,58 @@ spec: match. properties: contains: - description: Contains specifies a substring that must - be present in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string that the header value must be equal to. type: string ignoreCase: - description: IgnoreCase specifies that string matching - should be case insensitive. Note that this has no - effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the header to match - against. Name is required. Header names are case - insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies a substring that - must not be present in the header value. + description: |- + NotContains specifies a substring that must not be present + in the header value. type: string notexact: - description: NoExact specifies a string that the header - value must not be equal to. The condition is true - if the header has any other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies that condition is - true when the named header is not present. Note - that setting NotPresent to false does not make the - condition true if the named header is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that condition is true - when the named header is present, regardless of - its value. Note that setting Present to false does - not make the condition true if the named header + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header is absent. type: boolean regex: - description: Regex specifies a regular expression - pattern that must match the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty specifies if the - header match rule specified header does not exist, - this header value will be treated as empty. Defaults - to false. Unlike the underlying Envoy implementation - this is **only** supported for negative matches - (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -5665,37 +5724,39 @@ spec: condition to match. properties: contains: - description: Contains specifies a substring that must - be present in the query parameter value. + description: |- + Contains specifies a substring that must be present in + the query parameter value. type: string exact: description: Exact specifies a string that the query parameter value must be equal to. type: string ignoreCase: - description: IgnoreCase specifies that string matching - should be case insensitive. Note that this has no - effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the query parameter - to match against. Name is required. Query parameter - names are case insensitive. + description: |- + Name is the name of the query parameter to match against. Name is required. + Query parameter names are case insensitive. type: string prefix: description: Prefix defines a prefix match for the query parameter value. type: string present: - description: Present specifies that condition is true - when the named query parameter is present, regardless - of its value. Note that setting Present to false - does not make the condition true if the named query - parameter is absent. + description: |- + Present specifies that condition is true when the named query parameter + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named query parameter + is absent. type: boolean regex: - description: Regex specifies a regular expression - pattern that must match the query parameter value. + description: |- + Regex specifies a regular expression pattern that must match the query + parameter value. type: string suffix: description: Suffix defines a suffix match for a query @@ -5705,7 +5766,8 @@ spec: - name type: object regex: - description: Regex defines a regex match for a request. + description: |- + Regex defines a regex match for a request. This field is not allowed in include match conditions. type: string type: object @@ -5722,10 +5784,11 @@ spec: type: object type: array ingressClassName: - description: IngressClassName optionally specifies the ingress class - to use for this HTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class` - annotation. For backwards compatibility, when that annotation is - set, it is given precedence over this field. + description: |- + IngressClassName optionally specifies the ingress class to use for this + HTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class` + annotation. For backwards compatibility, when that annotation is set, it + is given precedence over this field. type: string routes: description: Routes are the ingress routes. If TCPProxy is present, @@ -5734,38 +5797,42 @@ spec: description: Route contains the set of routes for a virtual host. properties: authPolicy: - description: AuthPolicy updates the authorization policy that - was set on the root HTTPProxy object for client requests that + description: |- + AuthPolicy updates the authorization policy that was set + on the root HTTPProxy object for client requests that match this route. properties: context: additionalProperties: type: string - description: Context is a set of key/value pairs that are - sent to the authentication server in the check request. - If a context is provided at an enclosing scope, the entries - are merged such that the inner scope overrides matching - keys from the outer scope. + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. type: object disabled: - description: When true, this field disables client request - authentication for the scope of the policy. + description: |- + When true, this field disables client request authentication + for the scope of the policy. type: boolean type: object conditions: - description: 'Conditions are a set of rules that are applied - to a Route. When applied, they are merged using AND, with - one exception: There can be only one Prefix, Exact or Regex - MatchCondition per Conditions slice. More than one of these - condition types, or contradictory Conditions, will make the - route invalid.' + description: |- + Conditions are a set of rules that are applied to a Route. + When applied, they are merged using AND, with one exception: + There can be only one Prefix, Exact or Regex MatchCondition + per Conditions slice. More than one of these condition types, + or contradictory Conditions, will make the route invalid. items: - description: MatchCondition are a general holder for matching - rules for HTTPProxies. One of Prefix, Exact, Regex, Header - or QueryParameter must be provided. + description: |- + MatchCondition are a general holder for matching rules for HTTPProxies. + One of Prefix, Exact, Regex, Header or QueryParameter must be provided. properties: exact: - description: Exact defines a exact match for a request. + description: |- + Exact defines a exact match for a request. This field is not allowed in include match conditions. type: string header: @@ -5773,56 +5840,58 @@ spec: match. properties: contains: - description: Contains specifies a substring that must - be present in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string that the header value must be equal to. type: string ignoreCase: - description: IgnoreCase specifies that string matching - should be case insensitive. Note that this has no - effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the header to match - against. Name is required. Header names are case - insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies a substring that - must not be present in the header value. + description: |- + NotContains specifies a substring that must not be present + in the header value. type: string notexact: - description: NoExact specifies a string that the header - value must not be equal to. The condition is true - if the header has any other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies that condition is - true when the named header is not present. Note - that setting NotPresent to false does not make the - condition true if the named header is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that condition is true - when the named header is present, regardless of - its value. Note that setting Present to false does - not make the condition true if the named header + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header is absent. type: boolean regex: - description: Regex specifies a regular expression - pattern that must match the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty specifies if the - header match rule specified header does not exist, - this header value will be treated as empty. Defaults - to false. Unlike the underlying Envoy implementation - this is **only** supported for negative matches - (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -5835,37 +5904,39 @@ spec: condition to match. properties: contains: - description: Contains specifies a substring that must - be present in the query parameter value. + description: |- + Contains specifies a substring that must be present in + the query parameter value. type: string exact: description: Exact specifies a string that the query parameter value must be equal to. type: string ignoreCase: - description: IgnoreCase specifies that string matching - should be case insensitive. Note that this has no - effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the query parameter - to match against. Name is required. Query parameter - names are case insensitive. + description: |- + Name is the name of the query parameter to match against. Name is required. + Query parameter names are case insensitive. type: string prefix: description: Prefix defines a prefix match for the query parameter value. type: string present: - description: Present specifies that condition is true - when the named query parameter is present, regardless - of its value. Note that setting Present to false - does not make the condition true if the named query - parameter is absent. + description: |- + Present specifies that condition is true when the named query parameter + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named query parameter + is absent. type: boolean regex: - description: Regex specifies a regular expression - pattern that must match the query parameter value. + description: |- + Regex specifies a regular expression pattern that must match the query + parameter value. type: string suffix: description: Suffix defines a suffix match for a query @@ -5875,24 +5946,28 @@ spec: - name type: object regex: - description: Regex defines a regex match for a request. + description: |- + Regex defines a regex match for a request. This field is not allowed in include match conditions. type: string type: object type: array cookieRewritePolicies: - description: The policies for rewriting Set-Cookie header attributes. - Note that rewritten cookie names must be unique in this list. - Order rewrite policies are specified in does not matter. + description: |- + The policies for rewriting Set-Cookie header attributes. Note that + rewritten cookie names must be unique in this list. Order rewrite + policies are specified in does not matter. items: properties: domainRewrite: - description: DomainRewrite enables rewriting the Set-Cookie - Domain element. If not set, Domain will not be rewritten. + description: |- + DomainRewrite enables rewriting the Set-Cookie Domain element. + If not set, Domain will not be rewritten. properties: value: - description: Value is the value to rewrite the Domain - attribute to. For now this is required. + description: |- + Value is the value to rewrite the Domain attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -5908,12 +5983,14 @@ spec: pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ type: string pathRewrite: - description: PathRewrite enables rewriting the Set-Cookie - Path element. If not set, Path will not be rewritten. + description: |- + PathRewrite enables rewriting the Set-Cookie Path element. + If not set, Path will not be rewritten. properties: value: - description: Value is the value to rewrite the Path - attribute to. For now this is required. + description: |- + Value is the value to rewrite the Path attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ @@ -5922,17 +5999,18 @@ spec: - value type: object sameSite: - description: SameSite enables rewriting the Set-Cookie - SameSite element. If not set, SameSite attribute will - not be rewritten. + description: |- + SameSite enables rewriting the Set-Cookie SameSite element. + If not set, SameSite attribute will not be rewritten. enum: - Strict - Lax - None type: string secure: - description: Secure enables rewriting the Set-Cookie Secure - element. If not set, Secure attribute will not be rewritten. + description: |- + Secure enables rewriting the Set-Cookie Secure element. + If not set, Secure attribute will not be rewritten. type: boolean required: - name @@ -5943,11 +6021,11 @@ spec: response directly. properties: body: - description: "Body is the content of the response body. - If this setting is omitted, no body is included in the - generated response. \n Note: Body is not recommended to - set too long otherwise it can have significant resource - usage impacts." + description: |- + Body is the content of the response body. + If this setting is omitted, no body is included in the generated response. + Note: Body is not recommended to set too long + otherwise it can have significant resource usage impacts. type: string statusCode: description: StatusCode is the HTTP response status to be @@ -5965,11 +6043,11 @@ spec: description: The health check policy for this route. properties: expectedStatuses: - description: The ranges of HTTP response statuses considered - healthy. Follow half-open semantics, i.e. for each range - the start is inclusive and the end is exclusive. Must - be within the range [100,600). If not specified, only - a 200 response status is considered healthy. + description: |- + The ranges of HTTP response statuses considered healthy. Follow half-open + semantics, i.e. for each range the start is inclusive and the end is exclusive. + Must be within the range [100,600). If not specified, only a 200 response status + is considered healthy. items: properties: end: @@ -5998,9 +6076,10 @@ spec: minimum: 0 type: integer host: - description: The value of the host header in the HTTP health - check request. If left empty (default value), the name - "contour-envoy-healthcheck" will be used. + description: |- + The value of the host header in the HTTP health check request. + If left empty (default value), the name "contour-envoy-healthcheck" + will be used. type: string intervalSeconds: description: The interval (seconds) between health checks @@ -6030,35 +6109,32 @@ spec: properties: allowCrossSchemeRedirect: default: Never - description: AllowCrossSchemeRedirect Allow internal redirect - to follow a target URI with a different scheme than the - value of x-forwarded-proto. SafeOnly allows same scheme - redirect and safe cross scheme redirect, which means if - the downstream scheme is HTTPS, both HTTPS and HTTP redirect - targets are allowed, but if the downstream scheme is HTTP, - only HTTP redirect targets are allowed. + description: |- + AllowCrossSchemeRedirect Allow internal redirect to follow a target URI with a different scheme + than the value of x-forwarded-proto. + SafeOnly allows same scheme redirect and safe cross scheme redirect, which means if the downstream + scheme is HTTPS, both HTTPS and HTTP redirect targets are allowed, but if the downstream scheme + is HTTP, only HTTP redirect targets are allowed. enum: - Always - Never - SafeOnly type: string denyRepeatedRouteRedirect: - description: If DenyRepeatedRouteRedirect is true, rejects - redirect targets that are pointing to a route that has - been followed by a previous redirect from the current - route. + description: |- + If DenyRepeatedRouteRedirect is true, rejects redirect targets that are pointing to a route that has + been followed by a previous redirect from the current route. type: boolean maxInternalRedirects: - description: MaxInternalRedirects An internal redirect is - not handled, unless the number of previous internal redirects - that a downstream request has encountered is lower than - this value. + description: |- + MaxInternalRedirects An internal redirect is not handled, unless the number of previous internal + redirects that a downstream request has encountered is lower than this value. format: int32 type: integer redirectResponseCodes: - description: RedirectResponseCodes If unspecified, only - 302 will be treated as internal redirect. Only 301, 302, - 303, 307 and 308 are valid values. + description: |- + RedirectResponseCodes If unspecified, only 302 will be treated as internal redirect. + Only 301, 302, 303, 307 and 308 are valid values. items: description: RedirectResponseCode is a uint32 type alias with validation to ensure that the value is valid. @@ -6073,25 +6149,26 @@ spec: type: array type: object ipAllowPolicy: - description: IPAllowFilterPolicy is a list of ipv4/6 filter - rules for which matching requests should be allowed. All other - requests will be denied. Only one of IPAllowFilterPolicy and - IPDenyFilterPolicy can be defined. The rules defined here - override any rules set on the root HTTPProxy. + description: |- + IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be allowed. All other requests will be denied. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here override any rules set on the root HTTPProxy. items: properties: cidr: - description: CIDR is a CIDR block of ipv4 or ipv6 addresses - to filter on. This can also be a bare IP address (without - a mask) to filter on exactly one address. + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. type: string source: - description: 'Source indicates how to determine the ip - address to filter on, and can be one of two values: - - `Remote` filters on the ip address of the client, - accounting for PROXY and X-Forwarded-For as needed. - - `Peer` filters on the ip of the network request, ignoring - PROXY and X-Forwarded-For.' + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. enum: - Peer - Remote @@ -6102,25 +6179,26 @@ spec: type: object type: array ipDenyPolicy: - description: IPDenyFilterPolicy is a list of ipv4/6 filter rules - for which matching requests should be denied. All other requests - will be allowed. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy - can be defined. The rules defined here override any rules - set on the root HTTPProxy. + description: |- + IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be denied. All other requests will be allowed. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here override any rules set on the root HTTPProxy. items: properties: cidr: - description: CIDR is a CIDR block of ipv4 or ipv6 addresses - to filter on. This can also be a bare IP address (without - a mask) to filter on exactly one address. + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. type: string source: - description: 'Source indicates how to determine the ip - address to filter on, and can be one of two values: - - `Remote` filters on the ip address of the client, - accounting for PROXY and X-Forwarded-For as needed. - - `Peer` filters on the ip of the network request, ignoring - PROXY and X-Forwarded-For.' + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. enum: - Peer - Remote @@ -6135,93 +6213,93 @@ spec: route. properties: disabled: - description: Disabled defines whether to disable all JWT - verification for this route. This can be used to opt specific - routes out of the default JWT provider for the HTTPProxy. - At most one of this field or the "require" field can be - specified. + description: |- + Disabled defines whether to disable all JWT verification for this + route. This can be used to opt specific routes out of the default + JWT provider for the HTTPProxy. At most one of this field or the + "require" field can be specified. type: boolean require: - description: Require names a specific JWT provider (defined - in the virtual host) to require for the route. If specified, - this field overrides the default provider if one exists. - If this field is not specified, the default provider will - be required if one exists. At most one of this field or - the "disabled" field can be specified. + description: |- + Require names a specific JWT provider (defined in the virtual host) + to require for the route. If specified, this field overrides the + default provider if one exists. If this field is not specified, + the default provider will be required if one exists. At most one of + this field or the "disabled" field can be specified. type: string type: object loadBalancerPolicy: description: The load balancing policy for this route. properties: requestHashPolicies: - description: RequestHashPolicies contains a list of hash - policies to apply when the `RequestHash` load balancing - strategy is chosen. If an element of the supplied list - of hash policies is invalid, it will be ignored. If the - list of hash policies is empty after validation, the load - balancing strategy will fall back to the default `RoundRobin`. + description: |- + RequestHashPolicies contains a list of hash policies to apply when the + `RequestHash` load balancing strategy is chosen. If an element of the + supplied list of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load balancing + strategy will fall back to the default `RoundRobin`. items: - description: RequestHashPolicy contains configuration - for an individual hash policy on a request attribute. + description: |- + RequestHashPolicy contains configuration for an individual hash policy + on a request attribute. properties: hashSourceIP: - description: HashSourceIP should be set to true when - request source IP hash based load balancing is desired. - It must be the only hash option field set, otherwise - this request hash policy object will be ignored. + description: |- + HashSourceIP should be set to true when request source IP hash based + load balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. type: boolean headerHashOptions: - description: HeaderHashOptions should be set when - request header hash based load balancing is desired. - It must be the only hash option field set, otherwise - this request hash policy object will be ignored. + description: |- + HeaderHashOptions should be set when request header hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: headerName: - description: HeaderName is the name of the HTTP - request header that will be used to calculate - the hash key. If the header specified is not - present on a request, no hash will be produced. + description: |- + HeaderName is the name of the HTTP request header that will be used to + calculate the hash key. If the header specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object queryParameterHashOptions: - description: QueryParameterHashOptions should be set - when request query parameter hash based load balancing - is desired. It must be the only hash option field - set, otherwise this request hash policy object will - be ignored. + description: |- + QueryParameterHashOptions should be set when request query parameter hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: parameterName: - description: ParameterName is the name of the - HTTP request query parameter that will be used - to calculate the hash key. If the query parameter - specified is not present on a request, no hash - will be produced. + description: |- + ParameterName is the name of the HTTP request query parameter that will be used to + calculate the hash key. If the query parameter specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object terminal: - description: Terminal is a flag that allows for short-circuiting - computing of a hash for a given request. If set - to true, and the request attribute specified in - the attribute hash options is present, no further - hash policies will be used to calculate a hash for - the request. + description: |- + Terminal is a flag that allows for short-circuiting computing of a hash + for a given request. If set to true, and the request attribute specified + in the attribute hash options is present, no further hash policies will + be used to calculate a hash for the request. type: boolean type: object type: array strategy: - description: Strategy specifies the policy used to balance - requests across the pool of backend pods. Valid policy - names are `Random`, `RoundRobin`, `WeightedLeastRequest`, - `Cookie`, and `RequestHash`. If an unknown strategy name - is specified or no policy is supplied, the default `RoundRobin` - policy is used. + description: |- + Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are + `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + and `RequestHash`. If an unknown strategy name is specified + or no policy is supplied, the default `RoundRobin` policy + is used. type: string type: object pathRewritePolicy: - description: The policy for rewriting the path of the request - URL after the request has been routed to a Service. + description: |- + The policy for rewriting the path of the request URL + after the request has been routed to a Service. properties: replacePrefix: description: ReplacePrefix describes how the path prefix @@ -6230,22 +6308,22 @@ spec: description: ReplacePrefix describes a path prefix replacement. properties: prefix: - description: "Prefix specifies the URL path prefix - to be replaced. \n If Prefix is specified, it must - exactly match the MatchCondition prefix that is - rendered by the chain of including HTTPProxies and - only that path prefix will be replaced by Replacement. - This allows HTTPProxies that are included through - multiple roots to only replace specific path prefixes, - leaving others unmodified. \n If Prefix is not specified, - all routing prefixes rendered by the include chain - will be replaced." + description: |- + Prefix specifies the URL path prefix to be replaced. + If Prefix is specified, it must exactly match the MatchCondition + prefix that is rendered by the chain of including HTTPProxies + and only that path prefix will be replaced by Replacement. + This allows HTTPProxies that are included through multiple + roots to only replace specific path prefixes, leaving others + unmodified. + If Prefix is not specified, all routing prefixes rendered + by the include chain will be replaced. minLength: 1 type: string replacement: - description: Replacement is the string that the routing - path prefix will be replaced with. This must not - be empty. + description: |- + Replacement is the string that the routing path prefix + will be replaced with. This must not be empty. minLength: 1 type: string required: @@ -6254,24 +6332,24 @@ spec: type: array type: object permitInsecure: - description: Allow this path to respond to insecure requests - over HTTP which are normally not permitted when a `virtualhost.tls` - block is present. + description: |- + Allow this path to respond to insecure requests over HTTP which are normally + not permitted when a `virtualhost.tls` block is present. type: boolean rateLimitPolicy: description: The policy for rate limiting on the route. properties: global: - description: Global defines global rate limiting parameters, - i.e. parameters defining descriptors that are sent to - an external rate limit service (RLS) for a rate limit - decision on each request. + description: |- + Global defines global rate limiting parameters, i.e. parameters + defining descriptors that are sent to an external rate limit + service (RLS) for a rate limit decision on each request. properties: descriptors: - description: Descriptors defines the list of descriptors - that will be generated and sent to the rate limit - service. Each descriptor contains 1+ key-value pair - entries. + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries. items: description: RateLimitDescriptor defines a list of key-value pair generators. @@ -6280,18 +6358,18 @@ spec: description: Entries is the list of key-value pair generators. items: - description: RateLimitDescriptorEntry is a key-value - pair generator. Exactly one field on this - struct must be non-nil. + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. properties: genericKey: description: GenericKey defines a descriptor entry with a static key and value. properties: key: - description: Key defines the key of - the descriptor entry. If not set, - the key is set to "generic_key". + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". type: string value: description: Value defines the value @@ -6300,17 +6378,15 @@ spec: type: string type: object remoteAddress: - description: RemoteAddress defines a descriptor - entry with a key of "remote_address" and - a value equal to the client's IP address - (from x-forwarded-for). + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). type: object requestHeader: - description: RequestHeader defines a descriptor - entry that's populated only if a given - header is present on the request. The - descriptor key is static, and the descriptor - value is equal to the value of the header. + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. properties: descriptorKey: description: DescriptorKey defines the @@ -6325,44 +6401,36 @@ spec: type: string type: object requestHeaderValueMatch: - description: RequestHeaderValueMatch defines - a descriptor entry that's populated if - the request's headers match a set of 1+ - match criteria. The descriptor key is - "header_match", and the descriptor value - is static. + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. properties: expectMatch: default: true - description: ExpectMatch defines whether - the request must positively match - the match criteria in order to generate - a descriptor entry (i.e. true), or - not match the match criteria in order - to generate a descriptor entry (i.e. - false). The default is true. + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). + The default is true. type: boolean headers: - description: Headers is a list of 1+ - match criteria to apply against the - request to determine whether to populate - the descriptor entry or not. + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. items: - description: HeaderMatchCondition - specifies how to conditionally match - against HTTP headers. The Name field - is required, only one of Present, - NotPresent, Contains, NotContains, - Exact, NotExact and Regex can be - set. For negative matching rules - only (e.g. NotContains or NotExact) - you can set TreatMissingAsEmpty. + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. IgnoreCase has no effect for Regex. properties: contains: - description: Contains specifies - a substring that must be present - in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a @@ -6370,64 +6438,49 @@ spec: must be equal to. type: string ignoreCase: - description: IgnoreCase specifies - that string matching should - be case insensitive. Note that - this has no effect on the Regex - parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name - of the header to match against. - Name is required. Header names - are case insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies - a substring that must not be - present in the header value. + description: |- + NotContains specifies a substring that must not be present + in the header value. type: string notexact: - description: NoExact specifies - a string that the header value - must not be equal to. The condition - is true if the header has any - other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies - that condition is true when - the named header is not present. - Note that setting NotPresent - to false does not make the condition - true if the named header is - present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies - that condition is true when - the named header is present, - regardless of its value. Note - that setting Present to false - does not make the condition - true if the named header is - absent. + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. type: boolean regex: - description: Regex specifies a - regular expression pattern that - must match the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty - specifies if the header match - rule specified header does not - exist, this header value will - be treated as empty. Defaults - to false. Unlike the underlying - Envoy implementation this is - **only** supported for negative - matches (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -6447,32 +6500,34 @@ spec: minItems: 1 type: array disabled: - description: Disabled configures the HTTPProxy to not - use the default global rate limit policy defined by - the Contour configuration. + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. type: boolean type: object local: - description: Local defines local rate limiting parameters, - i.e. parameters for rate limiting that occurs within each - Envoy pod as requests are handled. + description: |- + Local defines local rate limiting parameters, i.e. parameters + for rate limiting that occurs within each Envoy pod as requests + are handled. properties: burst: - description: Burst defines the number of requests above - the requests per unit that should be allowed within - a short period of time. + description: |- + Burst defines the number of requests above the requests per + unit that should be allowed within a short period of time. format: int32 type: integer requests: - description: Requests defines how many requests per - unit of time should be allowed before rate limiting - occurs. + description: |- + Requests defines how many requests per unit of time should + be allowed before rate limiting occurs. format: int32 minimum: 1 type: integer responseHeadersToAdd: - description: ResponseHeadersToAdd is an optional list - of response headers to set when a request is rate-limited. + description: |- + ResponseHeadersToAdd is an optional list of response headers to + set when a request is rate-limited. items: description: HeaderValue represents a header name/value pair @@ -6492,18 +6547,20 @@ spec: type: object type: array responseStatusCode: - description: ResponseStatusCode is the HTTP status code - to use for responses to rate-limited requests. Codes - must be in the 400-599 range (inclusive). If not specified, - the Envoy default of 429 (Too Many Requests) is used. + description: |- + ResponseStatusCode is the HTTP status code to use for responses + to rate-limited requests. Codes must be in the 400-599 range + (inclusive). If not specified, the Envoy default of 429 (Too + Many Requests) is used. format: int32 maximum: 599 minimum: 400 type: integer unit: - description: Unit defines the period of time within - which requests over the limit will be rate limited. - Valid values are "second", "minute" and "hour". + description: |- + Unit defines the period of time within which requests + over the limit will be rate limited. Valid values are + "second", "minute" and "hour". enum: - second - minute @@ -6515,15 +6572,16 @@ spec: type: object type: object requestHeadersPolicy: - description: "The policy for managing request headers during - proxying. \n You may dynamically rewrite the Host header to - be forwarded upstream to the content of a request header using - the below format \"%REQ(X-Header-Name)%\". If the value of - the header is empty, it is ignored. \n *NOTE: Pay attention - to the potential security implications of using this option. - Provided header must come from trusted source. \n **NOTE: - The header rewrite is only done while forwarding and has no - bearing on the routing decision." + description: |- + The policy for managing request headers during proxying. + You may dynamically rewrite the Host header to be forwarded + upstream to the content of a request header using + the below format "%REQ(X-Header-Name)%". If the value of the header + is empty, it is ignored. + *NOTE: Pay attention to the potential security implications of using this option. + Provided header must come from trusted source. + **NOTE: The header rewrite is only done while forwarding and has no bearing + on the routing decision. properties: remove: description: Remove specifies a list of HTTP header names @@ -6532,10 +6590,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header does - not exist it will be added, otherwise it will be overwritten - with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -6559,39 +6616,44 @@ spec: description: RequestRedirectPolicy defines an HTTP redirection. properties: hostname: - description: Hostname is the precise hostname to be used - in the value of the `Location` header in the response. - When empty, the hostname of the request is used. No wildcards - are allowed. + description: |- + Hostname is the precise hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname of the request is used. + No wildcards are allowed. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string path: - description: "Path allows for redirection to a different - path from the original on the request. The path must start - with a leading slash. \n Note: Only one of Path or Prefix - can be defined." + description: |- + Path allows for redirection to a different path from the + original on the request. The path must start with a + leading slash. + Note: Only one of Path or Prefix can be defined. pattern: ^\/.*$ type: string port: - description: Port is the port to be used in the value of - the `Location` header in the response. When empty, port - (if specified) of the request is used. + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + When empty, port (if specified) of the request is used. format: int32 maximum: 65535 minimum: 1 type: integer prefix: - description: "Prefix defines the value to swap the matched - prefix or path with. The prefix must start with a leading - slash. \n Note: Only one of Path or Prefix can be defined." + description: |- + Prefix defines the value to swap the matched prefix or path with. + The prefix must start with a leading slash. + Note: Only one of Path or Prefix can be defined. pattern: ^\/.*$ type: string scheme: - description: Scheme is the scheme to be used in the value - of the `Location` header in the response. When empty, - the scheme of the request is used. + description: |- + Scheme is the scheme to be used in the value of the `Location` + header in the response. + When empty, the scheme of the request is used. enum: - http - https @@ -6606,8 +6668,9 @@ spec: type: integer type: object responseHeadersPolicy: - description: The policy for managing response headers during - proxying. Rewriting the 'Host' header is not supported. + description: |- + The policy for managing response headers during proxying. + Rewriting the 'Host' header is not supported. properties: remove: description: Remove specifies a list of HTTP header names @@ -6616,10 +6679,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header does - not exist it will be added, otherwise it will be overwritten - with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -6644,35 +6706,46 @@ spec: properties: count: default: 1 - description: NumRetries is maximum allowed number of retries. - If set to -1, then retries are disabled. If set to 0 or - not supplied, the value is set to the Envoy default of - 1. + description: |- + NumRetries is maximum allowed number of retries. + If set to -1, then retries are disabled. + If set to 0 or not supplied, the value is set + to the Envoy default of 1. format: int64 minimum: -1 type: integer perTryTimeout: - description: PerTryTimeout specifies the timeout per retry - attempt. Ignored if NumRetries is not supplied. + description: |- + PerTryTimeout specifies the timeout per retry attempt. + Ignored if NumRetries is not supplied. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string retriableStatusCodes: - description: "RetriableStatusCodes specifies the HTTP status - codes that should be retried. \n This field is only respected - when you include `retriable-status-codes` in the `RetryOn` - field." + description: |- + RetriableStatusCodes specifies the HTTP status codes that should be retried. + This field is only respected when you include `retriable-status-codes` in the `RetryOn` field. items: format: int32 type: integer type: array retryOn: - description: "RetryOn specifies the conditions on which - to retry a request. \n Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on): - \n - `5xx` - `gateway-error` - `reset` - `connect-failure` - - `retriable-4xx` - `refused-stream` - `retriable-status-codes` - - `retriable-headers` \n Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on): - \n - `cancelled` - `deadline-exceeded` - `internal` - - `resource-exhausted` - `unavailable`" + description: |- + RetryOn specifies the conditions on which to retry a request. + Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on): + - `5xx` + - `gateway-error` + - `reset` + - `connect-failure` + - `retriable-4xx` + - `refused-stream` + - `retriable-status-codes` + - `retriable-headers` + Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on): + - `cancelled` + - `deadline-exceeded` + - `internal` + - `resource-exhausted` + - `unavailable` items: description: RetryOn is a string type alias with validation to ensure that the value is valid. @@ -6705,13 +6778,14 @@ spec: items: properties: domainRewrite: - description: DomainRewrite enables rewriting the - Set-Cookie Domain element. If not set, Domain - will not be rewritten. + description: |- + DomainRewrite enables rewriting the Set-Cookie Domain element. + If not set, Domain will not be rewritten. properties: value: - description: Value is the value to rewrite the - Domain attribute to. For now this is required. + description: |- + Value is the value to rewrite the Domain attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -6727,12 +6801,14 @@ spec: pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ type: string pathRewrite: - description: PathRewrite enables rewriting the Set-Cookie - Path element. If not set, Path will not be rewritten. + description: |- + PathRewrite enables rewriting the Set-Cookie Path element. + If not set, Path will not be rewritten. properties: value: - description: Value is the value to rewrite the - Path attribute to. For now this is required. + description: |- + Value is the value to rewrite the Path attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ @@ -6741,45 +6817,43 @@ spec: - value type: object sameSite: - description: SameSite enables rewriting the Set-Cookie - SameSite element. If not set, SameSite attribute - will not be rewritten. + description: |- + SameSite enables rewriting the Set-Cookie SameSite element. + If not set, SameSite attribute will not be rewritten. enum: - Strict - Lax - None type: string secure: - description: Secure enables rewriting the Set-Cookie - Secure element. If not set, Secure attribute will - not be rewritten. + description: |- + Secure enables rewriting the Set-Cookie Secure element. + If not set, Secure attribute will not be rewritten. type: boolean required: - name type: object type: array healthPort: - description: HealthPort is the port for this service healthcheck. + description: |- + HealthPort is the port for this service healthcheck. If not specified, Port is used for service healthchecks. maximum: 65535 minimum: 1 type: integer mirror: - description: 'If Mirror is true the Service will receive - a read only mirror of the traffic for this route. If - Mirror is true, then fractional mirroring can be enabled - by optionally setting the Weight field. Legal values - for Weight are 1-100. Omitting the Weight field will - result in 100% mirroring. NOTE: Setting Weight explicitly - to 0 will unexpectedly result in 100% traffic mirroring. - This occurs since we cannot distinguish omitted fields - from those explicitly set to their default values' + description: |- + If Mirror is true the Service will receive a read only mirror of the traffic for this route. + If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight + field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring. + NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This + occurs since we cannot distinguish omitted fields from those explicitly set to their default + values type: boolean name: - description: Name is the name of Kubernetes service to - proxy traffic. Names defined here will be used to look - up corresponding endpoints which contain the ips to - route. + description: |- + Name is the name of Kubernetes service to proxy traffic. + Names defined here will be used to look up corresponding endpoints which contain the ips to route. type: string port: description: Port (defined as Integer) to proxy traffic @@ -6789,10 +6863,9 @@ spec: minimum: 1 type: integer protocol: - description: Protocol may be used to specify (or override) - the protocol used to reach this Service. Values may - be tls, h2, h2c. If omitted, protocol-selection falls - back on Service annotations. + description: |- + Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations. enum: - h2 - h2c @@ -6809,10 +6882,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -6833,9 +6905,9 @@ spec: type: array type: object responseHeadersPolicy: - description: The policy for managing response headers - during proxying. Rewriting the 'Host' header is not - supported. + description: |- + The policy for managing response headers during proxying. + Rewriting the 'Host' header is not supported. properties: remove: description: Remove specifies a list of HTTP header @@ -6844,10 +6916,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -6873,32 +6944,29 @@ spec: properties: aggression: default: "1.0" - description: "The speed of traffic increase over the - slow start window. Defaults to 1.0, so that endpoint - would get linearly increasing amount of traffic. - When increasing the value for this parameter, the - speed of traffic ramp-up increases non-linearly. - The value of aggression parameter should be greater - than 0.0. \n More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start" + description: |- + The speed of traffic increase over the slow start window. + Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic. + When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly. + The value of aggression parameter should be greater than 0.0. + More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start pattern: ^([0-9]+([.][0-9]+)?|[.][0-9]+)$ type: string minWeightPercent: default: 10 - description: The minimum or starting percentage of - traffic to send to new endpoints. A non-zero value - helps avoid a too small initial weight, which may - cause endpoints in slow start mode to receive no - traffic in the beginning of the slow start window. + description: |- + The minimum or starting percentage of traffic to send to new endpoints. + A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window. If not specified, the default is 10%. format: int32 maximum: 100 minimum: 0 type: integer window: - description: The duration of slow start window. Duration - is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", - "s", "m", "h". + description: |- + The duration of slow start window. + Duration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ type: string required: @@ -6909,29 +6977,26 @@ spec: the backend service's certificate properties: caSecret: - description: Name or namespaced name of the Kubernetes - secret used to validate the certificate presented - by the backend. The secret must contain key named - ca.crt. The name can be optionally prefixed with - namespace "namespace/name". When cross-namespace - reference is used, TLSCertificateDelegation resource - must exist in the namespace to grant access to the - secret. Max length should be the actual max possible - length of a namespaced name (63 + 253 + 1 = 317) + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) maxLength: 317 minLength: 1 type: string subjectName: - description: 'Key which is expected to be present - in the ''subjectAltName'' of the presented certificate. - Deprecated: migrate to using the plural field subjectNames.' + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. maxLength: 250 minLength: 1 type: string subjectNames: - description: List of keys, of which at least one is - expected to be present in the 'subjectAltName of - the presented certificate. + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the + presented certificate. items: type: string maxItems: 8 @@ -6960,26 +7025,23 @@ spec: description: The timeout policy for this route. properties: idle: - description: Timeout for how long the proxy should wait - while there is no activity during single request/response - (for HTTP/1.1) or stream (for HTTP/2). Timeout will not - trigger while HTTP/1.1 connection is idle between two - consecutive requests. If not specified, there is no per-route - idle timeout, though a connection manager-wide stream_idle_timeout - default of 5m still applies. + description: |- + Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2). + Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests. + If not specified, there is no per-route idle timeout, though a connection manager-wide + stream_idle_timeout default of 5m still applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string idleConnection: - description: Timeout for how long connection from the proxy - to the upstream service is kept when there are no active - requests. If not supplied, Envoy's default value of 1h - applies. + description: |- + Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests. + If not supplied, Envoy's default value of 1h applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string response: - description: Timeout for receiving a response from the server - after processing a request from client. If not supplied, - Envoy's default value of 15s applies. + description: |- + Timeout for receiving a response from the server after processing a request from client. + If not supplied, Envoy's default value of 15s applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string type: object @@ -7026,11 +7088,10 @@ spec: - name type: object includes: - description: "IncludesDeprecated allow for specific routing configuration - to be appended to another HTTPProxy in another namespace. \n - Exists due to a mistake when developing HTTPProxy and the field - was marked plural when it should have been singular. This field - should stay to not break backwards compatibility to v1 users." + description: |- + IncludesDeprecated allow for specific routing configuration to be appended to another HTTPProxy in another namespace. + Exists due to a mistake when developing HTTPProxy and the field was marked plural + when it should have been singular. This field should stay to not break backwards compatibility to v1 users. properties: name: description: Name of the child HTTPProxy @@ -7043,69 +7104,71 @@ spec: - name type: object loadBalancerPolicy: - description: The load balancing policy for the backend services. - Note that the `Cookie` and `RequestHash` load balancing strategies - cannot be used here. + description: |- + The load balancing policy for the backend services. Note that the + `Cookie` and `RequestHash` load balancing strategies cannot be used + here. properties: requestHashPolicies: - description: RequestHashPolicies contains a list of hash policies - to apply when the `RequestHash` load balancing strategy - is chosen. If an element of the supplied list of hash policies - is invalid, it will be ignored. If the list of hash policies - is empty after validation, the load balancing strategy will - fall back to the default `RoundRobin`. + description: |- + RequestHashPolicies contains a list of hash policies to apply when the + `RequestHash` load balancing strategy is chosen. If an element of the + supplied list of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load balancing + strategy will fall back to the default `RoundRobin`. items: - description: RequestHashPolicy contains configuration for - an individual hash policy on a request attribute. + description: |- + RequestHashPolicy contains configuration for an individual hash policy + on a request attribute. properties: hashSourceIP: - description: HashSourceIP should be set to true when - request source IP hash based load balancing is desired. - It must be the only hash option field set, otherwise - this request hash policy object will be ignored. + description: |- + HashSourceIP should be set to true when request source IP hash based + load balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. type: boolean headerHashOptions: - description: HeaderHashOptions should be set when request - header hash based load balancing is desired. It must - be the only hash option field set, otherwise this - request hash policy object will be ignored. + description: |- + HeaderHashOptions should be set when request header hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: headerName: - description: HeaderName is the name of the HTTP - request header that will be used to calculate - the hash key. If the header specified is not present - on a request, no hash will be produced. + description: |- + HeaderName is the name of the HTTP request header that will be used to + calculate the hash key. If the header specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object queryParameterHashOptions: - description: QueryParameterHashOptions should be set - when request query parameter hash based load balancing - is desired. It must be the only hash option field - set, otherwise this request hash policy object will - be ignored. + description: |- + QueryParameterHashOptions should be set when request query parameter hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: parameterName: - description: ParameterName is the name of the HTTP - request query parameter that will be used to calculate - the hash key. If the query parameter specified - is not present on a request, no hash will be produced. + description: |- + ParameterName is the name of the HTTP request query parameter that will be used to + calculate the hash key. If the query parameter specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object terminal: - description: Terminal is a flag that allows for short-circuiting - computing of a hash for a given request. If set to - true, and the request attribute specified in the attribute - hash options is present, no further hash policies - will be used to calculate a hash for the request. + description: |- + Terminal is a flag that allows for short-circuiting computing of a hash + for a given request. If set to true, and the request attribute specified + in the attribute hash options is present, no further hash policies will + be used to calculate a hash for the request. type: boolean type: object type: array strategy: - description: Strategy specifies the policy used to balance - requests across the pool of backend pods. Valid policy names - are `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + description: |- + Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are + `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, and `RequestHash`. If an unknown strategy name is specified or no policy is supplied, the default `RoundRobin` policy is used. @@ -7123,12 +7186,14 @@ spec: items: properties: domainRewrite: - description: DomainRewrite enables rewriting the Set-Cookie - Domain element. If not set, Domain will not be rewritten. + description: |- + DomainRewrite enables rewriting the Set-Cookie Domain element. + If not set, Domain will not be rewritten. properties: value: - description: Value is the value to rewrite the - Domain attribute to. For now this is required. + description: |- + Value is the value to rewrite the Domain attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -7144,12 +7209,14 @@ spec: pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ type: string pathRewrite: - description: PathRewrite enables rewriting the Set-Cookie - Path element. If not set, Path will not be rewritten. + description: |- + PathRewrite enables rewriting the Set-Cookie Path element. + If not set, Path will not be rewritten. properties: value: - description: Value is the value to rewrite the - Path attribute to. For now this is required. + description: |- + Value is the value to rewrite the Path attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ @@ -7158,44 +7225,43 @@ spec: - value type: object sameSite: - description: SameSite enables rewriting the Set-Cookie - SameSite element. If not set, SameSite attribute - will not be rewritten. + description: |- + SameSite enables rewriting the Set-Cookie SameSite element. + If not set, SameSite attribute will not be rewritten. enum: - Strict - Lax - None type: string secure: - description: Secure enables rewriting the Set-Cookie - Secure element. If not set, Secure attribute will - not be rewritten. + description: |- + Secure enables rewriting the Set-Cookie Secure element. + If not set, Secure attribute will not be rewritten. type: boolean required: - name type: object type: array healthPort: - description: HealthPort is the port for this service healthcheck. + description: |- + HealthPort is the port for this service healthcheck. If not specified, Port is used for service healthchecks. maximum: 65535 minimum: 1 type: integer mirror: - description: 'If Mirror is true the Service will receive - a read only mirror of the traffic for this route. If Mirror - is true, then fractional mirroring can be enabled by optionally - setting the Weight field. Legal values for Weight are - 1-100. Omitting the Weight field will result in 100% mirroring. - NOTE: Setting Weight explicitly to 0 will unexpectedly - result in 100% traffic mirroring. This occurs since we - cannot distinguish omitted fields from those explicitly - set to their default values' + description: |- + If Mirror is true the Service will receive a read only mirror of the traffic for this route. + If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight + field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring. + NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This + occurs since we cannot distinguish omitted fields from those explicitly set to their default + values type: boolean name: - description: Name is the name of Kubernetes service to proxy - traffic. Names defined here will be used to look up corresponding - endpoints which contain the ips to route. + description: |- + Name is the name of Kubernetes service to proxy traffic. + Names defined here will be used to look up corresponding endpoints which contain the ips to route. type: string port: description: Port (defined as Integer) to proxy traffic @@ -7205,10 +7271,9 @@ spec: minimum: 1 type: integer protocol: - description: Protocol may be used to specify (or override) - the protocol used to reach this Service. Values may be - tls, h2, h2c. If omitted, protocol-selection falls back - on Service annotations. + description: |- + Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations. enum: - h2 - h2c @@ -7225,10 +7290,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -7249,8 +7313,9 @@ spec: type: array type: object responseHeadersPolicy: - description: The policy for managing response headers during - proxying. Rewriting the 'Host' header is not supported. + description: |- + The policy for managing response headers during proxying. + Rewriting the 'Host' header is not supported. properties: remove: description: Remove specifies a list of HTTP header @@ -7259,10 +7324,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -7288,32 +7352,29 @@ spec: properties: aggression: default: "1.0" - description: "The speed of traffic increase over the - slow start window. Defaults to 1.0, so that endpoint - would get linearly increasing amount of traffic. When - increasing the value for this parameter, the speed - of traffic ramp-up increases non-linearly. The value - of aggression parameter should be greater than 0.0. - \n More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start" + description: |- + The speed of traffic increase over the slow start window. + Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic. + When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly. + The value of aggression parameter should be greater than 0.0. + More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start pattern: ^([0-9]+([.][0-9]+)?|[.][0-9]+)$ type: string minWeightPercent: default: 10 - description: The minimum or starting percentage of traffic - to send to new endpoints. A non-zero value helps avoid - a too small initial weight, which may cause endpoints - in slow start mode to receive no traffic in the beginning - of the slow start window. If not specified, the default - is 10%. + description: |- + The minimum or starting percentage of traffic to send to new endpoints. + A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window. + If not specified, the default is 10%. format: int32 maximum: 100 minimum: 0 type: integer window: - description: The duration of slow start window. Duration - is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", - "m", "h". + description: |- + The duration of slow start window. + Duration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ type: string required: @@ -7324,28 +7385,25 @@ spec: backend service's certificate properties: caSecret: - description: Name or namespaced name of the Kubernetes - secret used to validate the certificate presented - by the backend. The secret must contain key named - ca.crt. The name can be optionally prefixed with namespace - "namespace/name". When cross-namespace reference is - used, TLSCertificateDelegation resource must exist - in the namespace to grant access to the secret. Max - length should be the actual max possible length of - a namespaced name (63 + 253 + 1 = 317) + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) maxLength: 317 minLength: 1 type: string subjectName: - description: 'Key which is expected to be present in - the ''subjectAltName'' of the presented certificate. - Deprecated: migrate to using the plural field subjectNames.' + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. maxLength: 250 minLength: 1 type: string subjectNames: - description: List of keys, of which at least one is - expected to be present in the 'subjectAltName of the + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the presented certificate. items: type: string @@ -7373,34 +7431,38 @@ spec: type: array type: object virtualhost: - description: Virtualhost appears at most once. If it is present, the - object is considered to be a "root" HTTPProxy. + description: |- + Virtualhost appears at most once. If it is present, the object is considered + to be a "root" HTTPProxy. properties: authorization: - description: This field configures an extension service to perform - authorization for this virtual host. Authorization can only - be configured on virtual hosts that have TLS enabled. If the - TLS configuration requires client certificate validation, the - client certificate is always included in the authentication - check request. + description: |- + This field configures an extension service to perform + authorization for this virtual host. Authorization can + only be configured on virtual hosts that have TLS enabled. + If the TLS configuration requires client certificate + validation, the client certificate is always included in the + authentication check request. properties: authPolicy: - description: AuthPolicy sets a default authorization policy - for client requests. This policy will be used unless overridden - by individual routes. + description: |- + AuthPolicy sets a default authorization policy for client requests. + This policy will be used unless overridden by individual routes. properties: context: additionalProperties: type: string - description: Context is a set of key/value pairs that - are sent to the authentication server in the check request. - If a context is provided at an enclosing scope, the - entries are merged such that the inner scope overrides - matching keys from the outer scope. + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. type: object disabled: - description: When true, this field disables client request - authentication for the scope of the policy. + description: |- + When true, this field disables client request authentication + for the scope of the policy. type: boolean type: object extensionRef: @@ -7408,36 +7470,38 @@ spec: that will authorize client requests. properties: apiVersion: - description: API version of the referent. If this field - is not specified, the default "projectcontour.io/v1alpha1" - will be used + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used minLength: 1 type: string name: - description: "Name of the referent. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names minLength: 1 type: string namespace: - description: "Namespace of the referent. If this field - is not specifies, the namespace of the resource that - targets the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ minLength: 1 type: string type: object failOpen: - description: If FailOpen is true, the client request is forwarded - to the upstream service even if the authorization server - fails to respond. This field should not be set in most cases. - It is intended for use only while migrating applications + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the authorization server fails to respond. This field should not be + set in most cases. It is intended for use only while migrating applications from internal authorization to Contour external authorization. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time to wait - for a check response from the authorization server. Timeout - durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", - "h". The string "infinity" is also a valid input and specifies - no timeout. + description: |- + ResponseTimeout configures maximum time to wait for a check response from the authorization server. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string withRequestBody: @@ -7489,20 +7553,21 @@ spec: minItems: 1 type: array allowOrigin: - description: AllowOrigin specifies the origins that will be - allowed to do CORS requests. Allowed values include "*" - which signifies any origin is allowed, an exact origin of - the form "scheme://host[:port]" (where port is optional), - or a valid regex pattern. Note that regex patterns are validated - and a simple "glob" pattern (e.g. *.foo.com) will be rejected - or produce unexpected matches when applied as a regex. + description: |- + AllowOrigin specifies the origins that will be allowed to do CORS requests. + Allowed values include "*" which signifies any origin is allowed, an exact + origin of the form "scheme://host[:port]" (where port is optional), or a valid + regex pattern. + Note that regex patterns are validated and a simple "glob" pattern (e.g. *.foo.com) + will be rejected or produce unexpected matches when applied as a regex. items: type: string minItems: 1 type: array allowPrivateNetwork: - description: AllowPrivateNetwork specifies whether to allow - private network requests. See https://developer.chrome.com/blog/private-network-access-preflight. + description: |- + AllowPrivateNetwork specifies whether to allow private network requests. + See https://developer.chrome.com/blog/private-network-access-preflight. type: boolean exposeHeaders: description: ExposeHeaders Specifies the content for the *access-control-expose-headers* @@ -7515,13 +7580,12 @@ spec: minItems: 1 type: array maxAge: - description: MaxAge indicates for how long the results of - a preflight request can be cached. MaxAge durations are - expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", - "h". Only positive values are allowed while 0 disables the - cache requiring a preflight OPTIONS check for all cross-origin - requests. + description: |- + MaxAge indicates for how long the results of a preflight request can be cached. + MaxAge durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + Only positive values are allowed while 0 disables the cache requiring a preflight OPTIONS + check for all cross-origin requests. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|0)$ type: string required: @@ -7529,30 +7593,32 @@ spec: - allowOrigin type: object fqdn: - description: The fully qualified domain name of the root of the - ingress tree all leaves of the DAG rooted at this object relate - to the fqdn. + description: |- + The fully qualified domain name of the root of the ingress tree + all leaves of the DAG rooted at this object relate to the fqdn. pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string ipAllowPolicy: - description: IPAllowFilterPolicy is a list of ipv4/6 filter rules - for which matching requests should be allowed. All other requests - will be denied. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy - can be defined. The rules defined here may be overridden in - a Route. + description: |- + IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be allowed. All other requests will be denied. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here may be overridden in a Route. items: properties: cidr: - description: CIDR is a CIDR block of ipv4 or ipv6 addresses - to filter on. This can also be a bare IP address (without - a mask) to filter on exactly one address. + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. type: string source: - description: 'Source indicates how to determine the ip address - to filter on, and can be one of two values: - `Remote` - filters on the ip address of the client, accounting for - PROXY and X-Forwarded-For as needed. - `Peer` filters - on the ip of the network request, ignoring PROXY and X-Forwarded-For.' + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. enum: - Peer - Remote @@ -7563,24 +7629,26 @@ spec: type: object type: array ipDenyPolicy: - description: IPDenyFilterPolicy is a list of ipv4/6 filter rules - for which matching requests should be denied. All other requests - will be allowed. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy - can be defined. The rules defined here may be overridden in - a Route. + description: |- + IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be denied. All other requests will be allowed. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here may be overridden in a Route. items: properties: cidr: - description: CIDR is a CIDR block of ipv4 or ipv6 addresses - to filter on. This can also be a bare IP address (without - a mask) to filter on exactly one address. + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. type: string source: - description: 'Source indicates how to determine the ip address - to filter on, and can be one of two values: - `Remote` - filters on the ip address of the client, accounting for - PROXY and X-Forwarded-For as needed. - `Peer` filters - on the ip of the network request, ignoring PROXY and X-Forwarded-For.' + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. enum: - Peer - Remote @@ -7597,27 +7665,31 @@ spec: description: JWTProvider defines how to verify JWTs on requests. properties: audiences: - description: Audiences that JWTs are allowed to have in - the "aud" field. If not provided, JWT audiences are not - checked. + description: |- + Audiences that JWTs are allowed to have in the "aud" field. + If not provided, JWT audiences are not checked. items: type: string type: array default: - description: Whether the provider should apply to all routes - in the HTTPProxy/its includes by default. At most one - provider can be marked as the default. If no provider - is marked as the default, individual routes must explicitly + description: |- + Whether the provider should apply to all + routes in the HTTPProxy/its includes by + default. At most one provider can be marked + as the default. If no provider is marked + as the default, individual routes must explicitly identify the provider they require. type: boolean forwardJWT: - description: Whether the JWT should be forwarded to the - backend service after successful verification. By default, + description: |- + Whether the JWT should be forwarded to the backend + service after successful verification. By default, the JWT is not forwarded. type: boolean issuer: - description: Issuer that JWTs are required to have in the - "iss" field. If not provided, JWT issuers are not checked. + description: |- + Issuer that JWTs are required to have in the "iss" field. + If not provided, JWT issuers are not checked. type: string name: description: Unique name for the provider. @@ -7627,33 +7699,34 @@ spec: description: Remote JWKS to use for verifying JWT signatures. properties: cacheDuration: - description: How long to cache the JWKS locally. If - not specified, Envoy's default of 5m applies. + description: |- + How long to cache the JWKS locally. If not specified, + Envoy's default of 5m applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ type: string dnsLookupFamily: - description: "The DNS IP address resolution policy for - the JWKS URI. When configured as \"v4\", the DNS resolver - will only perform a lookup for addresses in the IPv4 - family. If \"v6\" is configured, the DNS resolver - will only perform a lookup for addresses in the IPv6 - family. If \"all\" is configured, the DNS resolver - will perform a lookup for addresses in both the IPv4 - and IPv6 family. If \"auto\" is configured, the DNS - resolver will first perform a lookup for addresses - in the IPv6 family and fallback to a lookup for addresses - in the IPv4 family. If not specified, the Contour-wide - setting defined in the config file or ContourConfiguration - applies (defaults to \"auto\"). \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily - for more information." + description: |- + The DNS IP address resolution policy for the JWKS URI. + When configured as "v4", the DNS resolver will only perform a lookup + for addresses in the IPv4 family. If "v6" is configured, the DNS resolver + will only perform a lookup for addresses in the IPv6 family. + If "all" is configured, the DNS resolver + will perform a lookup for addresses in both the IPv4 and IPv6 family. + If "auto" is configured, the DNS resolver will first perform a lookup + for addresses in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. If not specified, the Contour-wide setting defined + in the config file or ContourConfiguration applies (defaults to "auto"). + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. enum: - auto - v4 - v6 type: string timeout: - description: How long to wait for a response from the - URI. If not specified, a default of 1s applies. + description: |- + How long to wait for a response from the URI. + If not specified, a default of 1s applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ type: string uri: @@ -7665,31 +7738,26 @@ spec: the JWKS's TLS certificate. properties: caSecret: - description: Name or namespaced name of the Kubernetes - secret used to validate the certificate presented - by the backend. The secret must contain key named - ca.crt. The name can be optionally prefixed with - namespace "namespace/name". When cross-namespace - reference is used, TLSCertificateDelegation resource - must exist in the namespace to grant access to - the secret. Max length should be the actual max - possible length of a namespaced name (63 + 253 - + 1 = 317) + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) maxLength: 317 minLength: 1 type: string subjectName: - description: 'Key which is expected to be present - in the ''subjectAltName'' of the presented certificate. - Deprecated: migrate to using the plural field - subjectNames.' + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. maxLength: 250 minLength: 1 type: string subjectNames: - description: List of keys, of which at least one - is expected to be present in the 'subjectAltName - of the presented certificate. + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the + presented certificate. items: type: string maxItems: 8 @@ -7716,15 +7784,16 @@ spec: description: The policy for rate limiting on the virtual host. properties: global: - description: Global defines global rate limiting parameters, - i.e. parameters defining descriptors that are sent to an - external rate limit service (RLS) for a rate limit decision - on each request. + description: |- + Global defines global rate limiting parameters, i.e. parameters + defining descriptors that are sent to an external rate limit + service (RLS) for a rate limit decision on each request. properties: descriptors: - description: Descriptors defines the list of descriptors - that will be generated and sent to the rate limit service. - Each descriptor contains 1+ key-value pair entries. + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries. items: description: RateLimitDescriptor defines a list of key-value pair generators. @@ -7733,18 +7802,18 @@ spec: description: Entries is the list of key-value pair generators. items: - description: RateLimitDescriptorEntry is a key-value - pair generator. Exactly one field on this struct - must be non-nil. + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. properties: genericKey: description: GenericKey defines a descriptor entry with a static key and value. properties: key: - description: Key defines the key of the - descriptor entry. If not set, the key - is set to "generic_key". + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". type: string value: description: Value defines the value of @@ -7753,17 +7822,15 @@ spec: type: string type: object remoteAddress: - description: RemoteAddress defines a descriptor - entry with a key of "remote_address" and - a value equal to the client's IP address - (from x-forwarded-for). + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). type: object requestHeader: - description: RequestHeader defines a descriptor - entry that's populated only if a given header - is present on the request. The descriptor - key is static, and the descriptor value - is equal to the value of the header. + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. properties: descriptorKey: description: DescriptorKey defines the @@ -7777,42 +7844,36 @@ spec: type: string type: object requestHeaderValueMatch: - description: RequestHeaderValueMatch defines - a descriptor entry that's populated if the - request's headers match a set of 1+ match - criteria. The descriptor key is "header_match", - and the descriptor value is static. + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. properties: expectMatch: default: true - description: ExpectMatch defines whether - the request must positively match the - match criteria in order to generate - a descriptor entry (i.e. true), or not - match the match criteria in order to - generate a descriptor entry (i.e. false). + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). The default is true. type: boolean headers: - description: Headers is a list of 1+ match - criteria to apply against the request - to determine whether to populate the - descriptor entry or not. + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. items: - description: HeaderMatchCondition specifies - how to conditionally match against - HTTP headers. The Name field is required, - only one of Present, NotPresent, Contains, - NotContains, Exact, NotExact and Regex - can be set. For negative matching - rules only (e.g. NotContains or NotExact) - you can set TreatMissingAsEmpty. IgnoreCase - has no effect for Regex. + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex. properties: contains: - description: Contains specifies - a substring that must be present - in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string @@ -7820,61 +7881,49 @@ spec: equal to. type: string ignoreCase: - description: IgnoreCase specifies - that string matching should be - case insensitive. Note that this - has no effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of - the header to match against. Name - is required. Header names are - case insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies - a substring that must not be present + description: |- + NotContains specifies a substring that must not be present in the header value. type: string notexact: - description: NoExact specifies a - string that the header value must - not be equal to. The condition - is true if the header has any - other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies - that condition is true when the - named header is not present. Note - that setting NotPresent to false - does not make the condition true - if the named header is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that - condition is true when the named - header is present, regardless - of its value. Note that setting - Present to false does not make - the condition true if the named - header is absent. + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. type: boolean regex: - description: Regex specifies a regular - expression pattern that must match - the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty - specifies if the header match - rule specified header does not - exist, this header value will - be treated as empty. Defaults - to false. Unlike the underlying - Envoy implementation this is **only** - supported for negative matches - (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -7894,31 +7943,34 @@ spec: minItems: 1 type: array disabled: - description: Disabled configures the HTTPProxy to not - use the default global rate limit policy defined by - the Contour configuration. + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. type: boolean type: object local: - description: Local defines local rate limiting parameters, - i.e. parameters for rate limiting that occurs within each - Envoy pod as requests are handled. + description: |- + Local defines local rate limiting parameters, i.e. parameters + for rate limiting that occurs within each Envoy pod as requests + are handled. properties: burst: - description: Burst defines the number of requests above - the requests per unit that should be allowed within - a short period of time. + description: |- + Burst defines the number of requests above the requests per + unit that should be allowed within a short period of time. format: int32 type: integer requests: - description: Requests defines how many requests per unit - of time should be allowed before rate limiting occurs. + description: |- + Requests defines how many requests per unit of time should + be allowed before rate limiting occurs. format: int32 minimum: 1 type: integer responseHeadersToAdd: - description: ResponseHeadersToAdd is an optional list - of response headers to set when a request is rate-limited. + description: |- + ResponseHeadersToAdd is an optional list of response headers to + set when a request is rate-limited. items: description: HeaderValue represents a header name/value pair @@ -7938,18 +7990,20 @@ spec: type: object type: array responseStatusCode: - description: ResponseStatusCode is the HTTP status code - to use for responses to rate-limited requests. Codes - must be in the 400-599 range (inclusive). If not specified, - the Envoy default of 429 (Too Many Requests) is used. + description: |- + ResponseStatusCode is the HTTP status code to use for responses + to rate-limited requests. Codes must be in the 400-599 range + (inclusive). If not specified, the Envoy default of 429 (Too + Many Requests) is used. format: int32 maximum: 599 minimum: 400 type: integer unit: - description: Unit defines the period of time within which - requests over the limit will be rate limited. Valid - values are "second", "minute" and "hour". + description: |- + Unit defines the period of time within which requests + over the limit will be rate limited. Valid values are + "second", "minute" and "hour". enum: - second - minute @@ -7961,57 +8015,56 @@ spec: type: object type: object tls: - description: If present the fields describes TLS properties of - the virtual host. The SNI names that will be matched on are - described in fqdn, the tls.secretName secret must contain a - certificate that itself contains a name that matches the FQDN. + description: |- + If present the fields describes TLS properties of the virtual + host. The SNI names that will be matched on are described in fqdn, + the tls.secretName secret must contain a certificate that itself + contains a name that matches the FQDN. properties: clientValidation: - description: "ClientValidation defines how to verify the client - certificate when an external client establishes a TLS connection - to Envoy. \n This setting: \n 1. Enables TLS client certificate - validation. 2. Specifies how the client certificate will - be validated (i.e. validation required or skipped). \n Note: - Setting client certificate validation to be skipped should - be only used in conjunction with an external authorization - server that performs client validation as Contour will ensure - client certificates are passed along." + description: |- + ClientValidation defines how to verify the client certificate + when an external client establishes a TLS connection to Envoy. + This setting: + 1. Enables TLS client certificate validation. + 2. Specifies how the client certificate will be validated (i.e. + validation required or skipped). + Note: Setting client certificate validation to be skipped should + be only used in conjunction with an external authorization server that + performs client validation as Contour will ensure client certificates + are passed along. properties: caSecret: - description: Name of a Kubernetes secret that contains - a CA certificate bundle. The secret must contain key - named ca.crt. The client certificate must validate against - the certificates in the bundle. If specified and SkipClientCertValidation - is true, client certificates will be required on requests. + description: |- + Name of a Kubernetes secret that contains a CA certificate bundle. + The secret must contain key named ca.crt. + The client certificate must validate against the certificates in the bundle. + If specified and SkipClientCertValidation is true, client certificates will + be required on requests. The name can be optionally prefixed with namespace "namespace/name". - When cross-namespace reference is used, TLSCertificateDelegation - resource must exist in the namespace to grant access - to the secret. + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. minLength: 1 type: string crlOnlyVerifyLeafCert: - description: If this option is set to true, only the certificate - at the end of the certificate chain will be subject - to validation by CRL. + description: |- + If this option is set to true, only the certificate at the end of the + certificate chain will be subject to validation by CRL. type: boolean crlSecret: - description: Name of a Kubernetes opaque secret that contains - a concatenated list of PEM encoded CRLs. The secret - must contain key named crl.pem. This field will be used - to verify that a client certificate has not been revoked. - CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert - is true. Large CRL lists are not supported since individual - secrets are limited to 1MiB in size. The name can be - optionally prefixed with namespace "namespace/name". - When cross-namespace reference is used, TLSCertificateDelegation - resource must exist in the namespace to grant access - to the secret. + description: |- + Name of a Kubernetes opaque secret that contains a concatenated list of PEM encoded CRLs. + The secret must contain key named crl.pem. + This field will be used to verify that a client certificate has not been revoked. + CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert is true. + Large CRL lists are not supported since individual secrets are limited to 1MiB in size. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. minLength: 1 type: string forwardClientCertificate: - description: ForwardClientCertificate adds the selected - data from the passed client TLS certificate to the x-forwarded-client-cert - header. + description: |- + ForwardClientCertificate adds the selected data from the passed client TLS certificate + to the x-forwarded-client-cert header. properties: cert: description: Client cert in URL encoded PEM format. @@ -8033,55 +8086,56 @@ spec: type: boolean type: object optionalClientCertificate: - description: OptionalClientCertificate when set to true - will request a client certificate but allow the connection - to continue if the client does not provide one. If a - client certificate is sent, it will be verified according - to the other properties, which includes disabling validation - if SkipClientCertValidation is set. Defaults to false. + description: |- + OptionalClientCertificate when set to true will request a client certificate + but allow the connection to continue if the client does not provide one. + If a client certificate is sent, it will be verified according to the + other properties, which includes disabling validation if + SkipClientCertValidation is set. Defaults to false. type: boolean skipClientCertValidation: - description: SkipClientCertValidation disables downstream - client certificate validation. Defaults to false. This - field is intended to be used in conjunction with external - authorization in order to enable the external authorization - server to validate client certificates. When this field - is set to true, client certificates are requested but - not verified by Envoy. If CACertificate is specified, - client certificates are required on requests, but not - verified. If external authorization is in use, they - are presented to the external authorization server. + description: |- + SkipClientCertValidation disables downstream client certificate + validation. Defaults to false. This field is intended to be used in + conjunction with external authorization in order to enable the external + authorization server to validate client certificates. When this field + is set to true, client certificates are requested but not verified by + Envoy. If CACertificate is specified, client certificates are required on + requests, but not verified. If external authorization is in use, they are + presented to the external authorization server. type: boolean type: object enableFallbackCertificate: - description: EnableFallbackCertificate defines if the vhost - should allow a default certificate to be applied which handles - all requests which don't match the SNI defined in this vhost. + description: |- + EnableFallbackCertificate defines if the vhost should allow a default certificate to + be applied which handles all requests which don't match the SNI defined in this vhost. type: boolean maximumProtocolVersion: - description: MaximumProtocolVersion is the maximum TLS version - this vhost should negotiate. Valid options are `1.2` and - `1.3` (default). Any other value defaults to TLS 1.3. + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. Valid options are `1.2` and `1.3` (default). Any other value + defaults to TLS 1.3. type: string minimumProtocolVersion: - description: MinimumProtocolVersion is the minimum TLS version - this vhost should negotiate. Valid options are `1.2` (default) - and `1.3`. Any other value defaults to TLS 1.2. + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. Valid options are `1.2` (default) and `1.3`. Any other value + defaults to TLS 1.2. type: string passthrough: - description: Passthrough defines whether the encrypted TLS - handshake will be passed through to the backing cluster. - Either Passthrough or SecretName must be specified, but - not both. + description: |- + Passthrough defines whether the encrypted TLS handshake will be + passed through to the backing cluster. Either Passthrough or + SecretName must be specified, but not both. type: boolean secretName: - description: SecretName is the name of a TLS secret. Either - SecretName or Passthrough must be specified, but not both. + description: |- + SecretName is the name of a TLS secret. + Either SecretName or Passthrough must be specified, but not both. If specified, the named secret must contain a matching certificate - for the virtual host's FQDN. The name can be optionally - prefixed with namespace "namespace/name". When cross-namespace - reference is used, TLSCertificateDelegation resource must - exist in the namespace to grant access to the secret. + for the virtual host's FQDN. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. type: string type: object required: @@ -8096,75 +8150,67 @@ spec: HTTPProxy. properties: conditions: - description: "Conditions contains information about the current status - of the HTTPProxy, in an upstream-friendly container. \n Contour - will update a single condition, `Valid`, that is in normal-true - polarity. That is, when `currentStatus` is `valid`, the `Valid` - condition will be `status: true`, and vice versa. \n Contour will - leave untouched any other Conditions set in this block, in case - some other controller wants to add a Condition. \n If you are another - controller owner and wish to add a condition, you *should* namespace - your condition with a label, like `controller.domain.com/ConditionName`." + description: |- + Conditions contains information about the current status of the HTTPProxy, + in an upstream-friendly container. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + That is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`, + and vice versa. + Contour will leave untouched any other Conditions set in this block, + in case some other controller wants to add a Condition. + If you are another controller owner and wish to add a condition, you *should* + namespace your condition with a label, like `controller.domain.com/ConditionName`. items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. - \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. \n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. properties: errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -8178,10 +8224,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -8193,32 +8239,31 @@ spec: type: object type: array lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -8232,43 +8277,42 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -8282,10 +8326,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -8316,48 +8360,49 @@ spec: balancer. properties: ingress: - description: Ingress is a list containing ingress points for the - load-balancer. Traffic intended for the service should be sent - to these ingress points. + description: |- + Ingress is a list containing ingress points for the load-balancer. + Traffic intended for the service should be sent to these ingress points. items: - description: 'LoadBalancerIngress represents the status of a - load-balancer ingress point: traffic intended for the service - should be sent to an ingress point.' + description: |- + LoadBalancerIngress represents the status of a load-balancer ingress point: + traffic intended for the service should be sent to an ingress point. properties: hostname: - description: Hostname is set for load-balancer ingress points - that are DNS based (typically AWS load-balancers) + description: |- + Hostname is set for load-balancer ingress points that are DNS based + (typically AWS load-balancers) type: string ip: - description: IP is set for load-balancer ingress points - that are IP based (typically GCE or OpenStack load-balancers) + description: |- + IP is set for load-balancer ingress points that are IP based + (typically GCE or OpenStack load-balancers) type: string ipMode: - description: IPMode specifies how the load-balancer IP behaves, - and may only be specified when the ip field is specified. - Setting this to "VIP" indicates that traffic is delivered - to the node with the destination set to the load-balancer's - IP and port. Setting this to "Proxy" indicates that traffic - is delivered to the node or pod with the destination set - to the node's IP and node port or the pod's IP and port. - Service implementations may use this information to adjust - traffic routing. + description: |- + IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified. + Setting this to "VIP" indicates that traffic is delivered to the node with + the destination set to the load-balancer's IP and port. + Setting this to "Proxy" indicates that traffic is delivered to the node or pod with + the destination set to the node's IP and node port or the pod's IP and port. + Service implementations may use this information to adjust traffic routing. type: string ports: - description: Ports is a list of records of service ports - If used, every port defined in the service should have - an entry in it + description: |- + Ports is a list of records of service ports + If used, every port defined in the service should have an entry in it items: properties: error: - description: 'Error is to record the problem with - the service port The format of the error shall comply - with the following rules: - built-in error values - shall be specified in this file and those shall - use CamelCase names - cloud provider specific error - values must have names that comply with the format - foo.example.com/CamelCase. --- The regex it matches - is (dns1123SubdomainFmt/)?(qualifiedNameFmt)' + description: |- + Error is to record the problem with the service port + The format of the error shall comply with the following rules: + - built-in error values shall be specified in this file and those shall use + CamelCase names + - cloud provider specific error values must have names that comply with the + format foo.example.com/CamelCase. + --- + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -8368,9 +8413,9 @@ spec: type: integer protocol: default: TCP - description: 'Protocol is the protocol of the service - port of which status is recorded here The supported - values are: "TCP", "UDP", "SCTP"' + description: |- + Protocol is the protocol of the service port of which status is recorded here + The supported values are: "TCP", "UDP", "SCTP" type: string required: - port @@ -8395,7 +8440,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: tlscertificatedelegations.projectcontour.io spec: preserveUnknownFields: false @@ -8412,18 +8457,24 @@ spec: - name: v1 schema: openAPIV3Schema: - description: TLSCertificateDelegation is an TLS Certificate Delegation CRD - specification. See design/tls-certificate-delegation.md for details. + description: |- + TLSCertificateDelegation is an TLS Certificate Delegation CRD specification. + See design/tls-certificate-delegation.md for details. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -8432,18 +8483,20 @@ spec: properties: delegations: items: - description: CertificateDelegation maps the authority to reference - a secret in the current namespace to a set of namespaces. + description: |- + CertificateDelegation maps the authority to reference a secret + in the current namespace to a set of namespaces. properties: secretName: description: required, the name of a secret in the current namespace. type: string targetNamespaces: - description: required, the namespaces the authority to reference - the secret will be delegated to. If TargetNamespaces is nil - or empty, the CertificateDelegation' is ignored. If the TargetNamespace - list contains the character, "*" the secret will be delegated - to all namespaces. + description: |- + required, the namespaces the authority to reference the + secret will be delegated to. + If TargetNamespaces is nil or empty, the CertificateDelegation' + is ignored. If the TargetNamespace list contains the character, "*" + the secret will be delegated to all namespaces. items: type: string type: array @@ -8456,79 +8509,72 @@ spec: - delegations type: object status: - description: TLSCertificateDelegationStatus allows for the status of the - delegation to be presented to the user. + description: |- + TLSCertificateDelegationStatus allows for the status of the delegation + to be presented to the user. properties: conditions: - description: "Conditions contains information about the current status - of the HTTPProxy, in an upstream-friendly container. \n Contour - will update a single condition, `Valid`, that is in normal-true - polarity. That is, when `currentStatus` is `valid`, the `Valid` - condition will be `status: true`, and vice versa. \n Contour will - leave untouched any other Conditions set in this block, in case - some other controller wants to add a Condition. \n If you are another - controller owner and wish to add a condition, you *should* namespace - your condition with a label, like `controller.domain.com\\ConditionName`." + description: |- + Conditions contains information about the current status of the HTTPProxy, + in an upstream-friendly container. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + That is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`, + and vice versa. + Contour will leave untouched any other Conditions set in this block, + in case some other controller wants to add a Condition. + If you are another controller owner and wish to add a condition, you *should* + namespace your condition with a label, like `controller.domain.com\ConditionName`. items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. - \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. \n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. properties: errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -8542,10 +8588,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -8557,32 +8603,31 @@ spec: type: object type: array lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -8596,43 +8641,42 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -8646,10 +8690,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/examples/render/contour-gateway-provisioner.yaml b/examples/render/contour-gateway-provisioner.yaml index c49b7176c1e..518e9803a5e 100644 --- a/examples/render/contour-gateway-provisioner.yaml +++ b/examples/render/contour-gateway-provisioner.yaml @@ -14,7 +14,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: contourconfigurations.projectcontour.io spec: preserveUnknownFields: false @@ -34,47 +34,59 @@ spec: description: ContourConfiguration is the schema for a Contour instance. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: ContourConfigurationSpec represents a configuration of a - Contour controller. It contains most of all the options that can be - customized, the other remaining options being command line flags. + description: |- + ContourConfigurationSpec represents a configuration of a Contour controller. + It contains most of all the options that can be customized, the + other remaining options being command line flags. properties: debug: - description: Debug contains parameters to enable debug logging and - debug interfaces inside Contour. + description: |- + Debug contains parameters to enable debug logging + and debug interfaces inside Contour. properties: address: - description: "Defines the Contour debug address interface. \n - Contour's default is \"127.0.0.1\"." + description: |- + Defines the Contour debug address interface. + Contour's default is "127.0.0.1". type: string port: - description: "Defines the Contour debug address port. \n Contour's - default is 6060." + description: |- + Defines the Contour debug address port. + Contour's default is 6060. type: integer type: object enableExternalNameService: - description: "EnableExternalNameService allows processing of ExternalNameServices - \n Contour's default is false for security reasons." + description: |- + EnableExternalNameService allows processing of ExternalNameServices + Contour's default is false for security reasons. type: boolean envoy: - description: Envoy contains parameters for Envoy as well as how to - optionally configure a managed Envoy fleet. + description: |- + Envoy contains parameters for Envoy as well + as how to optionally configure a managed Envoy fleet. properties: clientCertificate: - description: ClientCertificate defines the namespace/name of the - Kubernetes secret containing the client certificate and private - key to be used when establishing TLS connection to upstream + description: |- + ClientCertificate defines the namespace/name of the Kubernetes + secret containing the client certificate and private key + to be used when establishing TLS connection to upstream cluster. properties: name: @@ -86,13 +98,14 @@ spec: - namespace type: object cluster: - description: Cluster holds various configurable Envoy cluster - values that can be set in the config file. + description: |- + Cluster holds various configurable Envoy cluster values that can + be set in the config file. properties: circuitBreakers: - description: GlobalCircuitBreakerDefaults specifies default - circuit breaker budget across all services. If defined, - this will be used as the default for all services. + description: |- + GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services. + If defined, this will be used as the default for all services. properties: maxConnections: description: The maximum number of connections that a @@ -120,34 +133,36 @@ spec: type: integer type: object dnsLookupFamily: - description: "DNSLookupFamily defines how external names are - looked up When configured as V4, the DNS resolver will only - perform a lookup for addresses in the IPv4 family. If V6 - is configured, the DNS resolver will only perform a lookup - for addresses in the IPv6 family. If AUTO is configured, - the DNS resolver will first perform a lookup for addresses - in the IPv6 family and fallback to a lookup for addresses - in the IPv4 family. If ALL is specified, the DNS resolver - will perform a lookup for both IPv4 and IPv6 families, and - return all resolved addresses. When this is used, Happy - Eyeballs will be enabled for upstream connections. Refer - to Happy Eyeballs Support for more information. Note: This - only applies to externalName clusters. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily - for more information. \n Values: `auto` (default), `v4`, - `v6`, `all`. \n Other values will produce an error." + description: |- + DNSLookupFamily defines how external names are looked up + When configured as V4, the DNS resolver will only perform a lookup + for addresses in the IPv4 family. If V6 is configured, the DNS resolver + will only perform a lookup for addresses in the IPv6 family. + If AUTO is configured, the DNS resolver will first perform a lookup + for addresses in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for + both IPv4 and IPv6 families, and return all resolved addresses. + When this is used, Happy Eyeballs will be enabled for upstream connections. + Refer to Happy Eyeballs Support for more information. + Note: This only applies to externalName clusters. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. + Values: `auto` (default), `v4`, `v6`, `all`. + Other values will produce an error. type: string maxRequestsPerConnection: - description: Defines the maximum requests for upstream connections. - If not specified, there is no limit. see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + description: |- + Defines the maximum requests for upstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions for more information. format: int32 minimum: 1 type: integer per-connection-buffer-limit-bytes: - description: Defines the soft limit on size of the cluster’s - new connection read and write buffers in bytes. If unspecified, - an implementation defined default is applied (1MiB). see - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes + description: |- + Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes for more information. format: int32 minimum: 1 @@ -157,59 +172,73 @@ spec: for upstream connections properties: cipherSuites: - description: "CipherSuites defines the TLS ciphers to - be supported by Envoy TLS listeners when negotiating - TLS 1.2. Ciphers are validated against the set that - Envoy supports by default. This parameter should only - be used by advanced users. Note that these will be ignored - when TLS 1.3 is in use. \n This field is optional; when - it is undefined, a Contour-managed ciphersuite list + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list will be used, which may be updated to keep it secure. - \n Contour's default list is: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" - \n Ciphers provided are validated against the following - list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" - - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" - - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" - - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - - \"AES256-SHA\" \n Contour recommends leaving this undefined - unless you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters - Note: This list is a superset of what is valid for stock - Envoy builds and those using BoringSSL FIPS." + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. items: type: string type: array maximumProtocolVersion: - description: "MaximumProtocolVersion is the maximum TLS - version this vhost should negotiate. \n Values: `1.2`, - `1.3`(default). \n Other values will produce an error." + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. type: string minimumProtocolVersion: - description: "MinimumProtocolVersion is the minimum TLS - version this vhost should negotiate. \n Values: `1.2` - (default), `1.3`. \n Other values will produce an error." + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. type: string type: object type: object defaultHTTPVersions: - description: "DefaultHTTPVersions defines the default set of HTTPS - versions the proxy should accept. HTTP versions are strings - of the form \"HTTP/xx\". Supported versions are \"HTTP/1.1\" - and \"HTTP/2\". \n Values: `HTTP/1.1`, `HTTP/2` (default: both). - \n Other values will produce an error." + description: |- + DefaultHTTPVersions defines the default set of HTTPS + versions the proxy should accept. HTTP versions are + strings of the form "HTTP/xx". Supported versions are + "HTTP/1.1" and "HTTP/2". + Values: `HTTP/1.1`, `HTTP/2` (default: both). + Other values will produce an error. items: description: HTTPVersionType is the name of a supported HTTP version. type: string type: array health: - description: "Health defines the endpoint Envoy uses to serve - health checks. \n Contour's default is { address: \"0.0.0.0\", - port: 8002 }." + description: |- + Health defines the endpoint Envoy uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8002 }. properties: address: description: Defines the health address interface. @@ -220,9 +249,9 @@ spec: type: integer type: object http: - description: "Defines the HTTP Listener for Envoy. \n Contour's - default is { address: \"0.0.0.0\", port: 8080, accessLog: \"/dev/stdout\" - }." + description: |- + Defines the HTTP Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }. properties: accessLog: description: AccessLog defines where Envoy logs are outputted @@ -237,9 +266,9 @@ spec: type: integer type: object https: - description: "Defines the HTTPS Listener for Envoy. \n Contour's - default is { address: \"0.0.0.0\", port: 8443, accessLog: \"/dev/stdout\" - }." + description: |- + Defines the HTTPS Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }. properties: accessLog: description: AccessLog defines where Envoy logs are outputted @@ -258,106 +287,103 @@ spec: values. properties: connectionBalancer: - description: "ConnectionBalancer. If the value is exact, the - listener will use the exact connection balancer See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig - for more information. \n Values: (empty string): use the - default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. - \n Other values will produce an error." + description: |- + ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer + See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig + for more information. + Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. + Other values will produce an error. type: string disableAllowChunkedLength: - description: "DisableAllowChunkedLength disables the RFC-compliant - Envoy behavior to strip the \"Content-Length\" header if - \"Transfer-Encoding: chunked\" is also set. This is an emergency - off-switch to revert back to Envoy's default behavior in - case of failures. Please file an issue if failures are encountered. + description: |- + DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to + strip the "Content-Length" header if "Transfer-Encoding: chunked" is + also set. This is an emergency off-switch to revert back to Envoy's + default behavior in case of failures. Please file an issue if failures + are encountered. See: https://github.com/projectcontour/contour/issues/3221 - \n Contour's default is false." + Contour's default is false. type: boolean disableMergeSlashes: - description: "DisableMergeSlashes disables Envoy's non-standard - merge_slashes path transformation option which strips duplicate - slashes from request URL paths. \n Contour's default is - false." + description: |- + DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option + which strips duplicate slashes from request URL paths. + Contour's default is false. type: boolean httpMaxConcurrentStreams: - description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS - Envoy will advertise in the SETTINGS frame in HTTP/2 connections - and the limit for concurrent streams allowed for a peer - on a single HTTP/2 connection. It is recommended to not - set this lower than 100 but this field can be used to bound - resource usage by HTTP/2 connections and mitigate attacks - like CVE-2023-44487. The default value when this is not - set is unlimited. + description: |- + Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the + SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed + for a peer on a single HTTP/2 connection. It is recommended to not set this lower + than 100 but this field can be used to bound resource usage by HTTP/2 connections + and mitigate attacks like CVE-2023-44487. The default value when this is not set is + unlimited. format: int32 minimum: 1 type: integer maxConnectionsPerListener: - description: Defines the limit on number of active connections - to a listener. The limit is applied per listener. The default - value when this is not set is unlimited. + description: |- + Defines the limit on number of active connections to a listener. The limit is applied + per listener. The default value when this is not set is unlimited. format: int32 minimum: 1 type: integer maxRequestsPerConnection: - description: Defines the maximum requests for downstream connections. - If not specified, there is no limit. see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + description: |- + Defines the maximum requests for downstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions for more information. format: int32 minimum: 1 type: integer maxRequestsPerIOCycle: - description: Defines the limit on number of HTTP requests - that Envoy will process from a single connection in a single - I/O cycle. Requests over this limit are processed in subsequent - I/O cycles. Can be used as a mitigation for CVE-2023-44487 - when abusive traffic is detected. Configures the http.max_requests_per_io_cycle - Envoy runtime setting. The default value when this is not - set is no limit. + description: |- + Defines the limit on number of HTTP requests that Envoy will process from a single + connection in a single I/O cycle. Requests over this limit are processed in subsequent + I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is + detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default + value when this is not set is no limit. format: int32 minimum: 1 type: integer per-connection-buffer-limit-bytes: - description: Defines the soft limit on size of the listener’s - new connection read and write buffers in bytes. If unspecified, - an implementation defined default is applied (1MiB). see - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes + description: |- + Defines the soft limit on size of the listener’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes for more information. format: int32 minimum: 1 type: integer serverHeaderTransformation: - description: "Defines the action to be applied to the Server - header on the response path. When configured as overwrite, - overwrites any Server header with \"envoy\". When configured - as append_if_absent, if a Server header is present, pass - it through, otherwise set it to \"envoy\". When configured - as pass_through, pass through the value of the Server header, - and do not append a header if none is present. \n Values: - `overwrite` (default), `append_if_absent`, `pass_through` - \n Other values will produce an error. Contour's default - is overwrite." + description: |- + Defines the action to be applied to the Server header on the response path. + When configured as overwrite, overwrites any Server header with "envoy". + When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy". + When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. + Values: `overwrite` (default), `append_if_absent`, `pass_through` + Other values will produce an error. + Contour's default is overwrite. type: string socketOptions: - description: SocketOptions defines configurable socket options - for the listeners. Single set of options are applied to - all listeners. + description: |- + SocketOptions defines configurable socket options for the listeners. + Single set of options are applied to all listeners. properties: tos: - description: Defines the value for IPv4 TOS field (including - 6 bit DSCP field) for IP packets originating from Envoy - listeners. Single value is applied to all listeners. - If listeners are bound to IPv6-only addresses, setting - this option will cause an error. + description: |- + Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv6-only addresses, setting this option will cause an error. format: int32 maximum: 255 minimum: 0 type: integer trafficClass: - description: Defines the value for IPv6 Traffic Class - field (including 6 bit DSCP field) for IP packets originating - from the Envoy listeners. Single value is applied to - all listeners. If listeners are bound to IPv4-only addresses, - setting this option will cause an error. + description: |- + Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv4-only addresses, setting this option will cause an error. format: int32 maximum: 255 minimum: 0 @@ -368,79 +394,93 @@ spec: values. properties: cipherSuites: - description: "CipherSuites defines the TLS ciphers to - be supported by Envoy TLS listeners when negotiating - TLS 1.2. Ciphers are validated against the set that - Envoy supports by default. This parameter should only - be used by advanced users. Note that these will be ignored - when TLS 1.3 is in use. \n This field is optional; when - it is undefined, a Contour-managed ciphersuite list + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list will be used, which may be updated to keep it secure. - \n Contour's default list is: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" - \n Ciphers provided are validated against the following - list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" - - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" - - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" - - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - - \"AES256-SHA\" \n Contour recommends leaving this undefined - unless you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters - Note: This list is a superset of what is valid for stock - Envoy builds and those using BoringSSL FIPS." + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. items: type: string type: array maximumProtocolVersion: - description: "MaximumProtocolVersion is the maximum TLS - version this vhost should negotiate. \n Values: `1.2`, - `1.3`(default). \n Other values will produce an error." + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. type: string minimumProtocolVersion: - description: "MinimumProtocolVersion is the minimum TLS - version this vhost should negotiate. \n Values: `1.2` - (default), `1.3`. \n Other values will produce an error." + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. type: string type: object useProxyProtocol: - description: "Use PROXY protocol for all listeners. \n Contour's - default is false." + description: |- + Use PROXY protocol for all listeners. + Contour's default is false. type: boolean type: object logging: description: Logging defines how Envoy's logs can be configured. properties: accessLogFormat: - description: "AccessLogFormat sets the global access log format. - \n Values: `envoy` (default), `json`. \n Other values will - produce an error." + description: |- + AccessLogFormat sets the global access log format. + Values: `envoy` (default), `json`. + Other values will produce an error. type: string accessLogFormatString: - description: AccessLogFormatString sets the access log format - when format is set to `envoy`. When empty, Envoy's default - format is used. + description: |- + AccessLogFormatString sets the access log format when format is set to `envoy`. + When empty, Envoy's default format is used. type: string accessLogJSONFields: - description: AccessLogJSONFields sets the fields that JSON - logging will output when AccessLogFormat is json. + description: |- + AccessLogJSONFields sets the fields that JSON logging will + output when AccessLogFormat is json. items: type: string type: array accessLogLevel: - description: "AccessLogLevel sets the verbosity level of the - access log. \n Values: `info` (default, all requests are - logged), `error` (all non-success requests, i.e. 300+ response - code, are logged), `critical` (all 5xx requests are logged) - and `disabled`. \n Other values will produce an error." + description: |- + AccessLogLevel sets the verbosity level of the access log. + Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`. + Other values will produce an error. type: string type: object metrics: - description: "Metrics defines the endpoint Envoy uses to serve - metrics. \n Contour's default is { address: \"0.0.0.0\", port: - 8002 }." + description: |- + Metrics defines the endpoint Envoy uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8002 }. properties: address: description: Defines the metrics address interface. @@ -451,9 +491,9 @@ spec: description: Defines the metrics port. type: integer tls: - description: TLS holds TLS file config details. Metrics and - health endpoints cannot have same port number when metrics - is served over HTTPS. + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. properties: caFile: description: CA filename. @@ -471,23 +511,26 @@ spec: values. properties: adminPort: - description: "Configure the port used to access the Envoy - Admin interface. If configured to port \"0\" then the admin - interface is disabled. \n Contour's default is 9001." + description: |- + Configure the port used to access the Envoy Admin interface. + If configured to port "0" then the admin interface is disabled. + Contour's default is 9001. type: integer numTrustedHops: - description: "XffNumTrustedHops defines the number of additional - ingress proxy hops from the right side of the x-forwarded-for - HTTP header to trust when determining the origin client’s - IP address. \n See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops - for more information. \n Contour's default is 0." + description: |- + XffNumTrustedHops defines the number of additional ingress proxy hops from the + right side of the x-forwarded-for HTTP header to trust when determining the origin + client’s IP address. + See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops + for more information. + Contour's default is 0. format: int32 type: integer type: object service: - description: "Service holds Envoy service parameters for setting - Ingress status. \n Contour's default is { namespace: \"projectcontour\", - name: \"envoy\" }." + description: |- + Service holds Envoy service parameters for setting Ingress status. + Contour's default is { namespace: "projectcontour", name: "envoy" }. properties: name: type: string @@ -498,93 +541,101 @@ spec: - namespace type: object timeouts: - description: Timeouts holds various configurable timeouts that - can be set in the config file. + description: |- + Timeouts holds various configurable timeouts that can + be set in the config file. properties: connectTimeout: - description: "ConnectTimeout defines how long the proxy should - wait when establishing connection to upstream service. If - not set, a default value of 2 seconds will be used. \n See - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout - for more information." + description: |- + ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. + If not set, a default value of 2 seconds will be used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout + for more information. type: string connectionIdleTimeout: - description: "ConnectionIdleTimeout defines how long the proxy - should wait while there are no active requests (for HTTP/1.1) - or streams (for HTTP/2) before terminating an HTTP connection. - Set to \"infinity\" to disable the timeout entirely. \n + description: |- + ConnectionIdleTimeout defines how long the proxy should wait while there are + no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating + an HTTP connection. Set to "infinity" to disable the timeout entirely. See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout - for more information." + for more information. type: string connectionShutdownGracePeriod: - description: "ConnectionShutdownGracePeriod defines how long - the proxy will wait between sending an initial GOAWAY frame - and a second, final GOAWAY frame when terminating an HTTP/2 - connection. During this grace period, the proxy will continue - to respond to new streams. After the final GOAWAY frame - has been sent, the proxy will refuse new streams. \n See - https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout - for more information." + description: |- + ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an + initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection. + During this grace period, the proxy will continue to respond to new streams. After the final + GOAWAY frame has been sent, the proxy will refuse new streams. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout + for more information. type: string delayedCloseTimeout: - description: "DelayedCloseTimeout defines how long envoy will - wait, once connection close processing has been initiated, - for the downstream peer to close the connection before Envoy - closes the socket associated with the connection. \n Setting - this timeout to 'infinity' will disable it, equivalent to - setting it to '0' in Envoy. Leaving it unset will result - in the Envoy default value being used. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout - for more information." + description: |- + DelayedCloseTimeout defines how long envoy will wait, once connection + close processing has been initiated, for the downstream peer to close + the connection before Envoy closes the socket associated with the connection. + Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0' + in Envoy. Leaving it unset will result in the Envoy default value being used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout + for more information. type: string maxConnectionDuration: - description: "MaxConnectionDuration defines the maximum period - of time after an HTTP connection has been established from - the client to the proxy before it is closed by the proxy, - regardless of whether there has been activity or not. Omit - or set to \"infinity\" for no max duration. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration - for more information." + description: |- + MaxConnectionDuration defines the maximum period of time after an HTTP connection + has been established from the client to the proxy before it is closed by the proxy, + regardless of whether there has been activity or not. Omit or set to "infinity" for + no max duration. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration + for more information. type: string requestTimeout: - description: "RequestTimeout sets the client request timeout - globally for Contour. Note that this is a timeout for the - entire request, not an idle timeout. Omit or set to \"infinity\" - to disable the timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout - for more information." + description: |- + RequestTimeout sets the client request timeout globally for Contour. Note that + this is a timeout for the entire request, not an idle timeout. Omit or set to + "infinity" to disable the timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout + for more information. type: string streamIdleTimeout: - description: "StreamIdleTimeout defines how long the proxy - should wait while there is no request activity (for HTTP/1.1) - or stream activity (for HTTP/2) before terminating the HTTP - request or stream. Set to \"infinity\" to disable the timeout - entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout - for more information." + description: |- + StreamIdleTimeout defines how long the proxy should wait while there is no + request activity (for HTTP/1.1) or stream activity (for HTTP/2) before + terminating the HTTP request or stream. Set to "infinity" to disable the + timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout + for more information. type: string type: object type: object featureFlags: - description: 'FeatureFlags defines toggle to enable new contour features. - Available toggles are: useEndpointSlices - configures contour to - fetch endpoint data from k8s endpoint slices. defaults to false - and reading endpoint data from the k8s endpoints.' + description: |- + FeatureFlags defines toggle to enable new contour features. + Available toggles are: + useEndpointSlices - configures contour to fetch endpoint data + from k8s endpoint slices. defaults to false and reading endpoint + data from the k8s endpoints. items: type: string type: array gateway: - description: Gateway contains parameters for the gateway-api Gateway - that Contour is configured to serve traffic. + description: |- + Gateway contains parameters for the gateway-api Gateway that Contour + is configured to serve traffic. properties: controllerName: - description: ControllerName is used to determine whether Contour - should reconcile a GatewayClass. The string takes the form of - "projectcontour.io//contour". If unset, the gatewayclass - controller will not be started. Exactly one of ControllerName - or GatewayRef must be set. + description: |- + ControllerName is used to determine whether Contour should reconcile a + GatewayClass. The string takes the form of "projectcontour.io//contour". + If unset, the gatewayclass controller will not be started. + Exactly one of ControllerName or GatewayRef must be set. type: string gatewayRef: - description: GatewayRef defines a specific Gateway that this Contour - instance corresponds to. If set, Contour will reconcile only - this gateway, and will not reconcile any gateway classes. Exactly - one of ControllerName or GatewayRef must be set. + description: |- + GatewayRef defines a specific Gateway that this Contour + instance corresponds to. If set, Contour will reconcile + only this gateway, and will not reconcile any gateway + classes. + Exactly one of ControllerName or GatewayRef must be set. properties: name: type: string @@ -596,26 +647,29 @@ spec: type: object type: object globalExtAuth: - description: GlobalExternalAuthorization allows envoys external authorization - filter to be enabled for all virtual hosts. + description: |- + GlobalExternalAuthorization allows envoys external authorization filter + to be enabled for all virtual hosts. properties: authPolicy: - description: AuthPolicy sets a default authorization policy for - client requests. This policy will be used unless overridden - by individual routes. + description: |- + AuthPolicy sets a default authorization policy for client requests. + This policy will be used unless overridden by individual routes. properties: context: additionalProperties: type: string - description: Context is a set of key/value pairs that are - sent to the authentication server in the check request. - If a context is provided at an enclosing scope, the entries - are merged such that the inner scope overrides matching - keys from the outer scope. + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. type: object disabled: - description: When true, this field disables client request - authentication for the scope of the policy. + description: |- + When true, this field disables client request authentication + for the scope of the policy. type: boolean type: object extensionRef: @@ -623,36 +677,38 @@ spec: that will authorize client requests. properties: apiVersion: - description: API version of the referent. If this field is - not specified, the default "projectcontour.io/v1alpha1" - will be used + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used minLength: 1 type: string name: - description: "Name of the referent. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names minLength: 1 type: string namespace: - description: "Namespace of the referent. If this field is - not specifies, the namespace of the resource that targets - the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ minLength: 1 type: string type: object failOpen: - description: If FailOpen is true, the client request is forwarded - to the upstream service even if the authorization server fails - to respond. This field should not be set in most cases. It is - intended for use only while migrating applications from internal - authorization to Contour external authorization. + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the authorization server fails to respond. This field should not be + set in most cases. It is intended for use only while migrating applications + from internal authorization to Contour external authorization. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time to wait for - a check response from the authorization server. Timeout durations - are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + description: |- + ResponseTimeout configures maximum time to wait for a check response from the authorization server. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no - timeout. + The string "infinity" is also a valid input and specifies no timeout. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string withRequestBody: @@ -677,9 +733,9 @@ spec: type: object type: object health: - description: "Health defines the endpoints Contour uses to serve health - checks. \n Contour's default is { address: \"0.0.0.0\", port: 8000 - }." + description: |- + Health defines the endpoints Contour uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8000 }. properties: address: description: Defines the health address interface. @@ -693,13 +749,15 @@ spec: description: HTTPProxy defines parameters on HTTPProxy. properties: disablePermitInsecure: - description: "DisablePermitInsecure disables the use of the permitInsecure - field in HTTPProxy. \n Contour's default is false." + description: |- + DisablePermitInsecure disables the use of the + permitInsecure field in HTTPProxy. + Contour's default is false. type: boolean fallbackCertificate: - description: FallbackCertificate defines the namespace/name of - the Kubernetes secret to use as fallback when a non-SNI request - is received. + description: |- + FallbackCertificate defines the namespace/name of the Kubernetes secret to + use as fallback when a non-SNI request is received. properties: name: type: string @@ -729,8 +787,9 @@ spec: type: string type: object metrics: - description: "Metrics defines the endpoint Contour uses to serve metrics. - \n Contour's default is { address: \"0.0.0.0\", port: 8000 }." + description: |- + Metrics defines the endpoint Contour uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8000 }. properties: address: description: Defines the metrics address interface. @@ -741,9 +800,9 @@ spec: description: Defines the metrics port. type: integer tls: - description: TLS holds TLS file config details. Metrics and health - endpoints cannot have same port number when metrics is served - over HTTPS. + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. properties: caFile: description: CA filename. @@ -761,8 +820,9 @@ spec: by the user properties: applyToIngress: - description: "ApplyToIngress determines if the Policies will apply - to ingress objects \n Contour's default is false." + description: |- + ApplyToIngress determines if the Policies will apply to ingress objects + Contour's default is false. type: boolean requestHeaders: description: RequestHeadersPolicy defines the request headers @@ -792,17 +852,19 @@ spec: type: object type: object rateLimitService: - description: RateLimitService optionally holds properties of the Rate - Limit Service to be used for global rate limiting. + description: |- + RateLimitService optionally holds properties of the Rate Limit Service + to be used for global rate limiting. properties: defaultGlobalRateLimitPolicy: - description: DefaultGlobalRateLimitPolicy allows setting a default - global rate limit policy for every HTTPProxy. HTTPProxy can - overwrite this configuration. + description: |- + DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. + HTTPProxy can overwrite this configuration. properties: descriptors: - description: Descriptors defines the list of descriptors that - will be generated and sent to the rate limit service. Each + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each descriptor contains 1+ key-value pair entries. items: description: RateLimitDescriptor defines a list of key-value @@ -811,17 +873,18 @@ spec: entries: description: Entries is the list of key-value pair generators. items: - description: RateLimitDescriptorEntry is a key-value - pair generator. Exactly one field on this struct - must be non-nil. + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. properties: genericKey: description: GenericKey defines a descriptor entry with a static key and value. properties: key: - description: Key defines the key of the descriptor - entry. If not set, the key is set to "generic_key". + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". type: string value: description: Value defines the value of the @@ -830,16 +893,15 @@ spec: type: string type: object remoteAddress: - description: RemoteAddress defines a descriptor - entry with a key of "remote_address" and a value - equal to the client's IP address (from x-forwarded-for). + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). type: object requestHeader: - description: RequestHeader defines a descriptor - entry that's populated only if a given header - is present on the request. The descriptor key - is static, and the descriptor value is equal - to the value of the header. + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. properties: descriptorKey: description: DescriptorKey defines the key @@ -853,41 +915,36 @@ spec: type: string type: object requestHeaderValueMatch: - description: RequestHeaderValueMatch defines a - descriptor entry that's populated if the request's - headers match a set of 1+ match criteria. The - descriptor key is "header_match", and the descriptor - value is static. + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. properties: expectMatch: default: true - description: ExpectMatch defines whether the - request must positively match the match - criteria in order to generate a descriptor - entry (i.e. true), or not match the match - criteria in order to generate a descriptor - entry (i.e. false). The default is true. + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). + The default is true. type: boolean headers: - description: Headers is a list of 1+ match - criteria to apply against the request to - determine whether to populate the descriptor - entry or not. + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. items: - description: HeaderMatchCondition specifies - how to conditionally match against HTTP - headers. The Name field is required, only - one of Present, NotPresent, Contains, - NotContains, Exact, NotExact and Regex - can be set. For negative matching rules - only (e.g. NotContains or NotExact) you - can set TreatMissingAsEmpty. IgnoreCase - has no effect for Regex. + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex. properties: contains: - description: Contains specifies a substring - that must be present in the header - value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string @@ -895,57 +952,49 @@ spec: to. type: string ignoreCase: - description: IgnoreCase specifies that - string matching should be case insensitive. - Note that this has no effect on the - Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the - header to match against. Name is required. + description: |- + Name is the name of the header to match against. Name is required. Header names are case insensitive. type: string notcontains: - description: NotContains specifies a - substring that must not be present + description: |- + NotContains specifies a substring that must not be present in the header value. type: string notexact: - description: NoExact specifies a string - that the header value must not be - equal to. The condition is true if - the header has any other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies that - condition is true when the named header - is not present. Note that setting - NotPresent to false does not make - the condition true if the named header - is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that - condition is true when the named header - is present, regardless of its value. - Note that setting Present to false - does not make the condition true if - the named header is absent. + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. type: boolean regex: - description: Regex specifies a regular - expression pattern that must match - the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty specifies - if the header match rule specified - header does not exist, this header - value will be treated as empty. Defaults - to false. Unlike the underlying Envoy - implementation this is **only** supported - for negative matches (e.g. NotContains, - NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -965,25 +1014,26 @@ spec: minItems: 1 type: array disabled: - description: Disabled configures the HTTPProxy to not use - the default global rate limit policy defined by the Contour - configuration. + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. type: boolean type: object domain: description: Domain is passed to the Rate Limit Service. type: string enableResourceExhaustedCode: - description: EnableResourceExhaustedCode enables translating error - code 429 to grpc code RESOURCE_EXHAUSTED. When disabled it's - translated to UNAVAILABLE + description: |- + EnableResourceExhaustedCode enables translating error code 429 to + grpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE type: boolean enableXRateLimitHeaders: - description: "EnableXRateLimitHeaders defines whether to include - the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining, - and X-RateLimit-Reset (as defined by the IETF Internet-Draft - linked below), on responses to clients when the Rate Limit Service - is consulted for a request. \n ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html" + description: |- + EnableXRateLimitHeaders defines whether to include the X-RateLimit + headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset + (as defined by the IETF Internet-Draft linked below), on responses + to clients when the Rate Limit Service is consulted for a request. + ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html type: boolean extensionService: description: ExtensionService identifies the extension service @@ -998,9 +1048,10 @@ spec: - namespace type: object failOpen: - description: FailOpen defines whether to allow requests to proceed - when the Rate Limit Service fails to respond with a valid rate - limit decision within the timeout defined on the extension service. + description: |- + FailOpen defines whether to allow requests to proceed when the + Rate Limit Service fails to respond with a valid rate limit + decision within the timeout defined on the extension service. type: boolean required: - extensionService @@ -1013,17 +1064,20 @@ spec: description: CustomTags defines a list of custom tags with unique tag name. items: - description: CustomTag defines custom tags with unique tag name + description: |- + CustomTag defines custom tags with unique tag name to create tags for the active span. properties: literal: - description: Literal is a static custom tag value. Precisely - one of Literal, RequestHeaderName must be set. + description: |- + Literal is a static custom tag value. + Precisely one of Literal, RequestHeaderName must be set. type: string requestHeaderName: - description: RequestHeaderName indicates which request header - the label value is obtained from. Precisely one of Literal, - RequestHeaderName must be set. + description: |- + RequestHeaderName indicates which request header + the label value is obtained from. + Precisely one of Literal, RequestHeaderName must be set. type: string tagName: description: TagName is the unique name of the custom tag. @@ -1045,25 +1099,28 @@ spec: - namespace type: object includePodDetail: - description: 'IncludePodDetail defines a flag. If it is true, - contour will add the pod name and namespace to the span of the - trace. the default is true. Note: The Envoy pods MUST have the - HOSTNAME and CONTOUR_NAMESPACE environment variables set for - this to work properly.' + description: |- + IncludePodDetail defines a flag. + If it is true, contour will add the pod name and namespace to the span of the trace. + the default is true. + Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly. type: boolean maxPathTagLength: - description: MaxPathTagLength defines maximum length of the request - path to extract and include in the HttpUrl tag. contour's default - is 256. + description: |- + MaxPathTagLength defines maximum length of the request path + to extract and include in the HttpUrl tag. + contour's default is 256. format: int32 type: integer overallSampling: - description: OverallSampling defines the sampling rate of trace - data. contour's default is 100. + description: |- + OverallSampling defines the sampling rate of trace data. + contour's default is 100. type: string serviceName: - description: ServiceName defines the name for the service. contour's - default is contour. + description: |- + ServiceName defines the name for the service. + contour's default is contour. type: string required: - extensionService @@ -1072,18 +1129,20 @@ spec: description: XDSServer contains parameters for the xDS server. properties: address: - description: "Defines the xDS gRPC API address which Contour will - serve. \n Contour's default is \"0.0.0.0\"." + description: |- + Defines the xDS gRPC API address which Contour will serve. + Contour's default is "0.0.0.0". minLength: 1 type: string port: - description: "Defines the xDS gRPC API port which Contour will - serve. \n Contour's default is 8001." + description: |- + Defines the xDS gRPC API port which Contour will serve. + Contour's default is 8001. type: integer tls: - description: "TLS holds TLS file config details. \n Contour's - default is { caFile: \"/certs/ca.crt\", certFile: \"/certs/tls.cert\", - keyFile: \"/certs/tls.key\", insecure: false }." + description: |- + TLS holds TLS file config details. + Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }. properties: caFile: description: CA filename. @@ -1099,9 +1158,10 @@ spec: type: string type: object type: - description: "Defines the XDSServer to use for `contour serve`. - \n Values: `contour` (default), `envoy`. \n Other values will - produce an error." + description: |- + Defines the XDSServer to use for `contour serve`. + Values: `contour` (default), `envoy`. + Other values will produce an error. type: string type: object type: object @@ -1110,71 +1170,62 @@ spec: a ContourConfiguration resource. properties: conditions: - description: "Conditions contains the current status of the Contour - resource. \n Contour will update a single condition, `Valid`, that - is in normal-true polarity. \n Contour will not modify any other - Conditions set in this block, in case some other controller wants - to add a Condition." + description: |- + Conditions contains the current status of the Contour resource. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + Contour will not modify any other Conditions set in this block, + in case some other controller wants to add a Condition. items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. - \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. \n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. properties: errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -1188,10 +1239,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -1203,32 +1254,31 @@ spec: type: object type: array lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -1242,43 +1292,42 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -1292,10 +1341,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -1330,7 +1379,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: contourdeployments.projectcontour.io spec: preserveUnknownFields: false @@ -1350,26 +1399,33 @@ spec: description: ContourDeployment is the schema for a Contour Deployment. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: ContourDeploymentSpec specifies options for how a Contour + description: |- + ContourDeploymentSpec specifies options for how a Contour instance should be provisioned. properties: contour: - description: Contour specifies deployment-time settings for the Contour - part of the installation, i.e. the xDS server/control plane and - associated resources, including things like replica count for the - Deployment, and node placement constraints for the pods. + description: |- + Contour specifies deployment-time settings for the Contour + part of the installation, i.e. the xDS server/control plane + and associated resources, including things like replica count + for the Deployment, and node placement constraints for the pods. properties: deployment: description: Deployment describes the settings for running contour @@ -1385,47 +1441,45 @@ spec: use to replace existing pods with new pods. properties: rollingUpdate: - description: 'Rolling update config params. Present only - if DeploymentStrategyType = RollingUpdate. --- TODO: - Update this to follow our convention for oneOf, whatever - we decide it to be.' + description: |- + Rolling update config params. Present only if DeploymentStrategyType = + RollingUpdate. + --- + TODO: Update this to follow our convention for oneOf, whatever we decide it + to be. properties: maxSurge: anyOf: - type: integer - type: string - description: 'The maximum number of pods that can - be scheduled above the desired number of pods. Value - can be an absolute number (ex: 5) or a percentage - of desired pods (ex: 10%). This can not be 0 if - MaxUnavailable is 0. Absolute number is calculated - from percentage by rounding up. Defaults to 25%. - Example: when this is set to 30%, the new ReplicaSet - can be scaled up immediately when the rolling update - starts, such that the total number of old and new - pods do not exceed 130% of desired pods. Once old - pods have been killed, new ReplicaSet can be scaled - up further, ensuring that total number of pods running - at any time during the update is at most 130% of - desired pods.' + description: |- + The maximum number of pods that can be scheduled above the desired number of + pods. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + This can not be 0 if MaxUnavailable is 0. + Absolute number is calculated from percentage by rounding up. + Defaults to 25%. + Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when + the rolling update starts, such that the total number of old and new pods do not exceed + 130% of desired pods. Once old pods have been killed, + new ReplicaSet can be scaled up further, ensuring that total number of pods running + at any time during the update is at most 130% of desired pods. x-kubernetes-int-or-string: true maxUnavailable: anyOf: - type: integer - type: string - description: 'The maximum number of pods that can - be unavailable during the update. Value can be an - absolute number (ex: 5) or a percentage of desired - pods (ex: 10%). Absolute number is calculated from - percentage by rounding down. This can not be 0 if - MaxSurge is 0. Defaults to 25%. Example: when this - is set to 30%, the old ReplicaSet can be scaled - down to 70% of desired pods immediately when the - rolling update starts. Once new pods are ready, - old ReplicaSet can be scaled down further, followed - by scaling up the new ReplicaSet, ensuring that - the total number of pods available at all times - during the update is at least 70% of desired pods.' + description: |- + The maximum number of pods that can be unavailable during the update. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + Absolute number is calculated from percentage by rounding down. + This can not be 0 if MaxSurge is 0. + Defaults to 25%. + Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods + immediately when the rolling update starts. Once new pods are ready, old ReplicaSet + can be scaled down further, followed by scaling up the new ReplicaSet, ensuring + that the total number of pods available at all times during the update is at + least 70% of desired pods. x-kubernetes-int-or-string: true type: object type: @@ -1435,14 +1489,16 @@ spec: type: object type: object kubernetesLogLevel: - description: KubernetesLogLevel Enable Kubernetes client debug - logging with log level. If unset, defaults to 0. + description: |- + KubernetesLogLevel Enable Kubernetes client debug logging with log level. If unset, + defaults to 0. maximum: 9 minimum: 0 type: integer logLevel: - description: LogLevel sets the log level for Contour Allowed values - are "info", "debug". + description: |- + LogLevel sets the log level for Contour + Allowed values are "info", "debug". type: string nodePlacement: description: NodePlacement describes node scheduling configuration @@ -1451,57 +1507,56 @@ spec: nodeSelector: additionalProperties: type: string - description: "NodeSelector is the simplest recommended form - of node selection constraint and specifies a map of key-value - pairs. For the pod to be eligible to run on a node, the - node must have each of the indicated key-value pairs as - labels (it can have additional labels as well). \n If unset, - the pod(s) will be scheduled to any available node." + description: |- + NodeSelector is the simplest recommended form of node selection constraint + and specifies a map of key-value pairs. For the pod to be eligible + to run on a node, the node must have each of the indicated key-value pairs + as labels (it can have additional labels as well). + If unset, the pod(s) will be scheduled to any available node. type: object tolerations: - description: "Tolerations work with taints to ensure that - pods are not scheduled onto inappropriate nodes. One or - more taints are applied to a node; this marks that the node - should not accept any pods that do not tolerate the taints. - \n The default is an empty list. \n See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - for additional details." + description: |- + Tolerations work with taints to ensure that pods are not scheduled + onto inappropriate nodes. One or more taints are applied to a node; this + marks that the node should not accept any pods that do not tolerate the + taints. + The default is an empty list. + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for additional details. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule and - NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If the - key is empty, operator must be Exists; this combination - means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints of - a particular category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the - taint forever (do not evict). Zero and negative values - will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value should - be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array @@ -1509,36 +1564,40 @@ spec: podAnnotations: additionalProperties: type: string - description: PodAnnotations defines annotations to add to the - Contour pods. the annotations for Prometheus will be appended - or overwritten with predefined value. + description: |- + PodAnnotations defines annotations to add to the Contour pods. + the annotations for Prometheus will be appended or overwritten with predefined value. type: object replicas: - description: "Deprecated: Use `DeploymentSettings.Replicas` instead. - \n Replicas is the desired number of Contour replicas. If if - unset, defaults to 2. \n if both `DeploymentSettings.Replicas` - and this one is set, use `DeploymentSettings.Replicas`." + description: |- + Deprecated: Use `DeploymentSettings.Replicas` instead. + Replicas is the desired number of Contour replicas. If if unset, + defaults to 2. + if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`. format: int32 minimum: 0 type: integer resources: - description: 'Compute Resources required by contour container. - Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Compute Resources required by contour container. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name @@ -1554,8 +1613,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -1564,95 +1624,91 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object type: object envoy: - description: Envoy specifies deployment-time settings for the Envoy - part of the installation, i.e. the xDS client/data plane and associated - resources, including things like the workload type to use (DaemonSet - or Deployment), node placement constraints for the pods, and various - options for the Envoy service. + description: |- + Envoy specifies deployment-time settings for the Envoy + part of the installation, i.e. the xDS client/data plane + and associated resources, including things like the workload + type to use (DaemonSet or Deployment), node placement constraints + for the pods, and various options for the Envoy service. properties: baseID: - description: The base ID to use when allocating shared memory - regions. if Envoy needs to be run multiple times on the same - machine, each running Envoy will need a unique base ID so that - the shared memory regions do not conflict. defaults to 0. + description: |- + The base ID to use when allocating shared memory regions. + if Envoy needs to be run multiple times on the same machine, each running Envoy will need a unique base ID + so that the shared memory regions do not conflict. + defaults to 0. format: int32 minimum: 0 type: integer daemonSet: - description: DaemonSet describes the settings for running envoy - as a `DaemonSet`. if `WorkloadType` is `Deployment`,it's must - be nil + description: |- + DaemonSet describes the settings for running envoy as a `DaemonSet`. + if `WorkloadType` is `Deployment`,it's must be nil properties: updateStrategy: description: Strategy describes the deployment strategy to use to replace existing DaemonSet pods with new pods. properties: rollingUpdate: - description: 'Rolling update config params. Present only - if type = "RollingUpdate". --- TODO: Update this to - follow our convention for oneOf, whatever we decide - it to be. Same as Deployment `strategy.rollingUpdate`. - See https://github.com/kubernetes/kubernetes/issues/35345' + description: |- + Rolling update config params. Present only if type = "RollingUpdate". + --- + TODO: Update this to follow our convention for oneOf, whatever we decide it + to be. Same as Deployment `strategy.rollingUpdate`. + See https://github.com/kubernetes/kubernetes/issues/35345 properties: maxSurge: anyOf: - type: integer - type: string - description: 'The maximum number of nodes with an - existing available DaemonSet pod that can have an - updated DaemonSet pod during during an update. Value - can be an absolute number (ex: 5) or a percentage - of desired pods (ex: 10%). This can not be 0 if - MaxUnavailable is 0. Absolute number is calculated - from percentage by rounding up to a minimum of 1. - Default value is 0. Example: when this is set to - 30%, at most 30% of the total number of nodes that - should be running the daemon pod (i.e. status.desiredNumberScheduled) - can have their a new pod created before the old - pod is marked as deleted. The update starts by launching - new pods on 30% of nodes. Once an updated pod is - available (Ready for at least minReadySeconds) the - old DaemonSet pod on that node is marked deleted. - If the old pod becomes unavailable for any reason - (Ready transitions to false, is evicted, or is drained) - an updated pod is immediatedly created on that node - without considering surge limits. Allowing surge - implies the possibility that the resources consumed - by the daemonset on any given node can double if - the readiness check fails, and so resource intensive - daemonsets should take into account that they may - cause evictions during disruption.' + description: |- + The maximum number of nodes with an existing available DaemonSet pod that + can have an updated DaemonSet pod during during an update. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + This can not be 0 if MaxUnavailable is 0. + Absolute number is calculated from percentage by rounding up to a minimum of 1. + Default value is 0. + Example: when this is set to 30%, at most 30% of the total number of nodes + that should be running the daemon pod (i.e. status.desiredNumberScheduled) + can have their a new pod created before the old pod is marked as deleted. + The update starts by launching new pods on 30% of nodes. Once an updated + pod is available (Ready for at least minReadySeconds) the old DaemonSet pod + on that node is marked deleted. If the old pod becomes unavailable for any + reason (Ready transitions to false, is evicted, or is drained) an updated + pod is immediatedly created on that node without considering surge limits. + Allowing surge implies the possibility that the resources consumed by the + daemonset on any given node can double if the readiness check fails, and + so resource intensive daemonsets should take into account that they may + cause evictions during disruption. x-kubernetes-int-or-string: true maxUnavailable: anyOf: - type: integer - type: string - description: 'The maximum number of DaemonSet pods - that can be unavailable during the update. Value - can be an absolute number (ex: 5) or a percentage - of total number of DaemonSet pods at the start of - the update (ex: 10%). Absolute number is calculated - from percentage by rounding up. This cannot be 0 - if MaxSurge is 0 Default value is 1. Example: when - this is set to 30%, at most 30% of the total number - of nodes that should be running the daemon pod (i.e. - status.desiredNumberScheduled) can have their pods - stopped for an update at any given time. The update - starts by stopping at most 30% of those DaemonSet - pods and then brings up new DaemonSet pods in their - place. Once the new pods are available, it then - proceeds onto other DaemonSet pods, thus ensuring - that at least 70% of original number of DaemonSet - pods are available at all times during the update.' + description: |- + The maximum number of DaemonSet pods that can be unavailable during the + update. Value can be an absolute number (ex: 5) or a percentage of total + number of DaemonSet pods at the start of the update (ex: 10%). Absolute + number is calculated from percentage by rounding up. + This cannot be 0 if MaxSurge is 0 + Default value is 1. + Example: when this is set to 30%, at most 30% of the total number of nodes + that should be running the daemon pod (i.e. status.desiredNumberScheduled) + can have their pods stopped for an update at any given time. The update + starts by stopping at most 30% of those DaemonSet pods and then brings + up new DaemonSet pods in their place. Once the new pods are available, + it then proceeds onto other DaemonSet pods, thus ensuring that at least + 70% of original number of DaemonSet pods are available at all times during + the update. x-kubernetes-int-or-string: true type: object type: @@ -1662,9 +1718,9 @@ spec: type: object type: object deployment: - description: Deployment describes the settings for running envoy - as a `Deployment`. if `WorkloadType` is `DaemonSet`,it's must - be nil + description: |- + Deployment describes the settings for running envoy as a `Deployment`. + if `WorkloadType` is `DaemonSet`,it's must be nil properties: replicas: description: Replicas is the desired number of replicas. @@ -1676,47 +1732,45 @@ spec: use to replace existing pods with new pods. properties: rollingUpdate: - description: 'Rolling update config params. Present only - if DeploymentStrategyType = RollingUpdate. --- TODO: - Update this to follow our convention for oneOf, whatever - we decide it to be.' + description: |- + Rolling update config params. Present only if DeploymentStrategyType = + RollingUpdate. + --- + TODO: Update this to follow our convention for oneOf, whatever we decide it + to be. properties: maxSurge: anyOf: - type: integer - type: string - description: 'The maximum number of pods that can - be scheduled above the desired number of pods. Value - can be an absolute number (ex: 5) or a percentage - of desired pods (ex: 10%). This can not be 0 if - MaxUnavailable is 0. Absolute number is calculated - from percentage by rounding up. Defaults to 25%. - Example: when this is set to 30%, the new ReplicaSet - can be scaled up immediately when the rolling update - starts, such that the total number of old and new - pods do not exceed 130% of desired pods. Once old - pods have been killed, new ReplicaSet can be scaled - up further, ensuring that total number of pods running - at any time during the update is at most 130% of - desired pods.' + description: |- + The maximum number of pods that can be scheduled above the desired number of + pods. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + This can not be 0 if MaxUnavailable is 0. + Absolute number is calculated from percentage by rounding up. + Defaults to 25%. + Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when + the rolling update starts, such that the total number of old and new pods do not exceed + 130% of desired pods. Once old pods have been killed, + new ReplicaSet can be scaled up further, ensuring that total number of pods running + at any time during the update is at most 130% of desired pods. x-kubernetes-int-or-string: true maxUnavailable: anyOf: - type: integer - type: string - description: 'The maximum number of pods that can - be unavailable during the update. Value can be an - absolute number (ex: 5) or a percentage of desired - pods (ex: 10%). Absolute number is calculated from - percentage by rounding down. This can not be 0 if - MaxSurge is 0. Defaults to 25%. Example: when this - is set to 30%, the old ReplicaSet can be scaled - down to 70% of desired pods immediately when the - rolling update starts. Once new pods are ready, - old ReplicaSet can be scaled down further, followed - by scaling up the new ReplicaSet, ensuring that - the total number of pods available at all times - during the update is at least 70% of desired pods.' + description: |- + The maximum number of pods that can be unavailable during the update. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + Absolute number is calculated from percentage by rounding down. + This can not be 0 if MaxSurge is 0. + Defaults to 25%. + Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods + immediately when the rolling update starts. Once new pods are ready, old ReplicaSet + can be scaled down further, followed by scaling up the new ReplicaSet, ensuring + that the total number of pods available at all times during the update is at + least 70% of desired pods. x-kubernetes-int-or-string: true type: object type: @@ -1733,33 +1787,36 @@ spec: a container. properties: mountPath: - description: Path within the container at which the volume - should be mounted. Must not contain ':'. + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. type: string mountPropagation: - description: mountPropagation determines how mounts are - propagated from the host to container and the other way - around. When not set, MountPropagationNone is used. This - field is beta in 1.10. + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. type: string name: description: This must match the Name of a Volume. type: string readOnly: - description: Mounted read-only if true, read-write otherwise - (false or unspecified). Defaults to false. + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. type: boolean subPath: - description: Path within the volume from which the container's - volume should be mounted. Defaults to "" (volume's root). + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). type: string subPathExpr: - description: Expanded path within the volume from which - the container's volume should be mounted. Behaves similarly - to SubPath but environment variable references $(VAR_NAME) - are expanded using the container's environment. Defaults - to "" (volume's root). SubPathExpr and SubPath are mutually - exclusive. + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. type: string required: - mountPath @@ -1773,36 +1830,36 @@ spec: may be accessed by any container in the pod. properties: awsElasticBlockStore: - description: 'awsElasticBlockStore represents an AWS Disk - resource that is attached to a kubelet''s host machine - and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore properties: fsType: - description: 'fsType is the filesystem type of the volume - that you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - TODO: how do we prevent errors in the filesystem from - compromising the machine' + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem from compromising the machine type: string partition: - description: 'partition is the partition in the volume - that you want to mount. If omitted, the default is - to mount by volume name. Examples: For volume /dev/sda1, - you specify the partition as "1". Similarly, the volume - partition for /dev/sda is "0" (or you can leave the - property empty).' + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). format: int32 type: integer readOnly: - description: 'readOnly value true will force the readOnly - setting in VolumeMounts. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore type: boolean volumeID: - description: 'volumeID is unique ID of the persistent - disk resource in AWS (Amazon EBS volume). More info: - https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore type: string required: - volumeID @@ -1824,10 +1881,10 @@ spec: blob storage type: string fsType: - description: fsType is Filesystem type to mount. Must - be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string kind: description: 'kind expected values are Shared: multiple @@ -1837,8 +1894,9 @@ spec: to shared' type: string readOnly: - description: readOnly Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean required: - diskName @@ -1849,8 +1907,9 @@ spec: mount on the host and bind mount to the pod. properties: readOnly: - description: readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean secretName: description: secretName is the name of secret that @@ -1868,8 +1927,9 @@ spec: that shares a pod's lifetime properties: monitors: - description: 'monitors is Required: Monitors is a collection - of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it items: type: string type: array @@ -1878,63 +1938,72 @@ spec: root, rather than the full Ceph tree, default is /' type: string readOnly: - description: 'readOnly is Optional: Defaults to false - (read/write). ReadOnly here will force the ReadOnly - setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it type: boolean secretFile: - description: 'secretFile is Optional: SecretFile is - the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it type: string secretRef: - description: 'secretRef is Optional: SecretRef is reference - to the authentication secret for User, default is - empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic user: - description: 'user is optional: User is the rados user - name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it type: string required: - monitors type: object cinder: - description: 'cinder represents a cinder volume attached - and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md properties: fsType: - description: 'fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Examples: "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md type: string readOnly: - description: 'readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md type: boolean secretRef: - description: 'secretRef is optional: points to a secret - object containing parameters used to connect to OpenStack.' + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic volumeID: - description: 'volumeID used to identify the volume in - cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md type: string required: - volumeID @@ -1944,29 +2013,25 @@ spec: populate this volume properties: defaultMode: - description: 'defaultMode is optional: mode bits used - to set permissions on created files by default. Must - be an octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal values for mode - bits. Defaults to 0644. Directories within the path - are not affected by this setting. This might be in - conflict with other options that affect the file mode, - like fsGroup, and the result can be other mode bits - set.' + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer items: - description: items if unspecified, each key-value pair - in the Data field of the referenced ConfigMap will - be projected into the volume as a file whose name - is the key and content is the value. If specified, - the listed keys will be projected into the specified - paths, and unlisted keys will not be present. If a - key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. - Paths must be relative and may not contain the '..' - path or start with '..'. + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -1975,22 +2040,20 @@ spec: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode bits used - to set permissions on this file. Must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal - and decimal values, JSON requires decimal values - for mode bits. If not specified, the volume - defaultMode will be used. This might be in conflict - with other options that affect the file mode, - like fsGroup, and the result can be other mode - bits set.' + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: - description: path is the relative path of the - file to map the key to. May not be an absolute - path. May not contain the path element '..'. + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. May not start with the string '..'. type: string required: @@ -1999,8 +2062,10 @@ spec: type: object type: array name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: optional specify whether the ConfigMap @@ -2014,42 +2079,43 @@ spec: CSI drivers (Beta feature). properties: driver: - description: driver is the name of the CSI driver that - handles this volume. Consult with your admin for the - correct name as registered in the cluster. + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. type: string fsType: - description: fsType to mount. Ex. "ext4", "xfs", "ntfs". - If not provided, the empty value is passed to the - associated CSI driver which will determine the default - filesystem to apply. + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. type: string nodePublishSecretRef: - description: nodePublishSecretRef is a reference to - the secret object containing sensitive information - to pass to the CSI driver to complete the CSI NodePublishVolume - and NodeUnpublishVolume calls. This field is optional, - and may be empty if no secret is required. If the - secret object contains more than one secret, all secret - references are passed. + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic readOnly: - description: readOnly specifies a read-only configuration - for the volume. Defaults to false (read/write). + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). type: boolean volumeAttributes: additionalProperties: type: string - description: volumeAttributes stores driver-specific - properties that are passed to the CSI driver. Consult - your driver's documentation for supported values. + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. type: object required: - driver @@ -2059,17 +2125,15 @@ spec: pod that should populate this volume properties: defaultMode: - description: 'Optional: mode bits to use on created - files by default. Must be a Optional: mode bits used - to set permissions on created files by default. Must - be an octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal values for mode - bits. Defaults to 0644. Directories within the path - are not affected by this setting. This might be in - conflict with other options that affect the file mode, - like fsGroup, and the result can be other mode bits - set.' + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer items: @@ -2097,16 +2161,13 @@ spec: type: object x-kubernetes-map-type: atomic mode: - description: 'Optional: mode bits used to set - permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal and decimal - values, JSON requires decimal values for mode - bits. If not specified, the volume defaultMode - will be used. This might be in conflict with - other options that affect the file mode, like - fsGroup, and the result can be other mode bits - set.' + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: @@ -2117,10 +2178,9 @@ spec: path must not start with ''..''' type: string resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, requests.cpu and requests.memory) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. properties: containerName: description: 'Container name: required for @@ -2147,116 +2207,111 @@ spec: type: array type: object emptyDir: - description: 'emptyDir represents a temporary directory - that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir properties: medium: - description: 'medium represents what type of storage - medium should back this directory. The default is - "" which means to use the node''s default medium. - Must be an empty string (default) or Memory. More - info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir type: string sizeLimit: anyOf: - type: integer - type: string - description: 'sizeLimit is the total amount of local - storage required for this EmptyDir volume. The size - limit is also applicable for memory medium. The maximum - usage on memory medium EmptyDir would be the minimum - value between the SizeLimit specified here and the - sum of memory limits of all containers in a pod. The - default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: - description: "ephemeral represents a volume that is handled - by a cluster storage driver. The volume's lifecycle is - tied to the pod that defines it - it will be created before - the pod starts, and deleted when the pod is removed. \n - Use this if: a) the volume is only needed while the pod - runs, b) features of normal volumes like restoring from - snapshot or capacity tracking are needed, c) the storage - driver is specified through a storage class, and d) the - storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for - more information on the connection between this volume - type and PersistentVolumeClaim). \n Use PersistentVolumeClaim - or one of the vendor-specific APIs for volumes that persist - for longer than the lifecycle of an individual pod. \n - Use CSI for light-weight local ephemeral volumes if the - CSI driver is meant to be used that way - see the documentation - of the driver for more information. \n A pod can use both - types of ephemeral volumes and persistent volumes at the - same time." + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. + The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. properties: volumeClaimTemplate: - description: "Will be used to create a stand-alone PVC - to provision the volume. The pod in which this EphemeralVolumeSource - is embedded will be the owner of the PVC, i.e. the - PVC will be deleted together with the pod. The name - of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` - array entry. Pod validation will reject the pod if - the concatenated name is not valid for a PVC (for - example, too long). \n An existing PVC with that name - that is not owned by the pod will *not* be used for - the pod to avoid using an unrelated volume by mistake. - Starting the pod is then blocked until the unrelated - PVC is removed. If such a pre-created PVC is meant - to be used by the pod, the PVC has to updated with - an owner reference to the pod once the pod exists. - Normally this should not be necessary, but it may - be useful when manually reconstructing a broken cluster. - \n This field is read-only and no changes will be - made by Kubernetes to the PVC after it has been created. - \n Required, must not be nil." + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + Required, must not be nil. properties: metadata: - description: May contain labels and annotations - that will be copied into the PVC when creating - it. No other fields are allowed and will be rejected - during validation. + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. type: object spec: - description: The specification for the PersistentVolumeClaim. - The entire content is copied unchanged into the - PVC that gets created from this template. The - same fields as in a PersistentVolumeClaim are - also valid here. + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. properties: accessModes: - description: 'accessModes contains the desired - access modes the volume should have. More - info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 items: type: string type: array dataSource: - description: 'dataSource field can be used to - specify either: * An existing VolumeSnapshot - object (snapshot.storage.k8s.io/VolumeSnapshot) + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller - can support the specified data source, it - will create a new volume based on the contents - of the specified data source. When the AnyVolumeDataSource - feature gate is enabled, dataSource contents - will be copied to dataSourceRef, and dataSourceRef - contents will be copied to dataSource when - dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef - will not be copied to dataSource.' + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. properties: apiGroup: - description: APIGroup is the group for the - resource being referenced. If APIGroup - is not specified, the specified Kind must - be in the core API group. For any other - third-party types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource @@ -2272,47 +2327,36 @@ spec: type: object x-kubernetes-map-type: atomic dataSourceRef: - description: 'dataSourceRef specifies the object - from which to populate the volume with data, - if a non-empty volume is desired. This may - be any object from a non-empty API group (non + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding - will only succeed if the type of the specified - object matches some installed volume populator - or dynamic provisioner. This field will replace - the functionality of the dataSource field - and as such if both fields are non-empty, - they must have the same value. For backwards - compatibility, when namespace isn''t specified - in dataSourceRef, both fields (dataSource - and dataSourceRef) will be set to the same - value automatically if one of them is empty - and the other is non-empty. When namespace - is specified in dataSourceRef, dataSource - isn''t set to the same value and must be empty. - There are three important differences between - dataSource and dataSourceRef: * While dataSource - only allows two specific types of objects, - dataSourceRef allows any non-core object, - as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values - (dropping them), dataSourceRef preserves all - values, and generates an error if a disallowed - value is specified. * While dataSource only - allows local objects, dataSourceRef allows - objects in any namespaces. (Beta) Using this - field requires the AnyVolumeDataSource feature - gate to be enabled. (Alpha) Using the namespace - field of dataSourceRef requires the CrossNamespaceVolumeDataSource - feature gate to be enabled.' + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. properties: apiGroup: - description: APIGroup is the group for the - resource being referenced. If APIGroup - is not specified, the specified Kind must - be in the core API group. For any other - third-party types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource @@ -2323,28 +2367,22 @@ spec: being referenced type: string namespace: - description: Namespace is the namespace - of resource being referenced Note that - when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant - object is required in the referent namespace - to allow that namespace's owner to accept - the reference. See the ReferenceGrant - documentation for details. (Alpha) This - field requires the CrossNamespaceVolumeDataSource - feature gate to be enabled. + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. type: string required: - kind - name type: object resources: - description: 'resources represents the minimum - resources the volume should have. If RecoverVolumeExpansionFailure - feature is enabled users are allowed to specify - resource requirements that are lower than - previous value but must still be higher than - capacity recorded in the status field of the - claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources properties: limits: additionalProperties: @@ -2353,9 +2391,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum - amount of compute resources allowed. More - info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -2364,13 +2402,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum - amount of compute resources required. - If Requests is omitted for a container, - it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object selector: @@ -2382,30 +2418,25 @@ spec: of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2417,48 +2448,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic storageClassName: - description: 'storageClassName is the name of - the StorageClass required by the claim. More - info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 type: string volumeAttributesClassName: - description: 'volumeAttributesClassName may - be used to set the VolumeAttributesClass used - by this claim. If specified, the CSI driver - will create or update the volume with the - attributes defined in the corresponding VolumeAttributesClass. - This has a different purpose than storageClassName, - it can be changed after the claim is created. - An empty string value means that no VolumeAttributesClass - will be applied to the claim but it''s not - allowed to reset this field to empty string - once it is set. If unspecified and the PersistentVolumeClaim - is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller - if it exists. If the resource referred to - by volumeAttributesClass does not exist, this - PersistentVolumeClaim will be set to a Pending - state, as reflected by the modifyVolumeStatus - field, until such as a resource exists. More - info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass - (Alpha) Using this field requires the VolumeAttributesClass - feature gate to be enabled.' + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. type: string volumeMode: - description: volumeMode defines what type of - volume is required by the claim. Value of - Filesystem is implied when not included in - claim spec. + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. type: string volumeName: description: volumeName is the binding reference @@ -2475,20 +2495,20 @@ spec: to the pod. properties: fsType: - description: 'fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. TODO: how do we prevent - errors in the filesystem from compromising the machine' + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + TODO: how do we prevent errors in the filesystem from compromising the machine type: string lun: description: 'lun is Optional: FC target lun number' format: int32 type: integer readOnly: - description: 'readOnly is Optional: Defaults to false - (read/write). ReadOnly here will force the ReadOnly - setting in VolumeMounts.' + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean targetWWNs: description: 'targetWWNs is Optional: FC target worldwide @@ -2497,26 +2517,27 @@ spec: type: string type: array wwids: - description: 'wwids Optional: FC volume world wide identifiers - (wwids) Either wwids or combination of targetWWNs - and lun must be set, but not both simultaneously.' + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. items: type: string type: array type: object flexVolume: - description: flexVolume represents a generic volume resource - that is provisioned/attached using an exec based plugin. + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. properties: driver: description: driver is the name of the driver to use for this volume. type: string fsType: - description: fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". The default filesystem - depends on FlexVolume script. + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. type: string options: additionalProperties: @@ -2525,22 +2546,23 @@ spec: extra command options if any.' type: object readOnly: - description: 'readOnly is Optional: defaults to false - (read/write). ReadOnly here will force the ReadOnly - setting in VolumeMounts.' + description: |- + readOnly is Optional: defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: 'secretRef is Optional: secretRef is reference - to the secret object containing sensitive information - to pass to the plugin scripts. This may be empty if - no secret object is specified. If the secret object - contains more than one secret, all secrets are passed - to the plugin scripts.' + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -2553,9 +2575,9 @@ spec: control service being running properties: datasetName: - description: datasetName is Name of the dataset stored - as metadata -> name on the dataset for Flocker should - be considered as deprecated + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated type: string datasetUUID: description: datasetUUID is the UUID of the dataset. @@ -2563,54 +2585,55 @@ spec: type: string type: object gcePersistentDisk: - description: 'gcePersistentDisk represents a GCE Disk resource - that is attached to a kubelet''s host machine and then - exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk properties: fsType: - description: 'fsType is filesystem type of the volume - that you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - TODO: how do we prevent errors in the filesystem from - compromising the machine' + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem from compromising the machine type: string partition: - description: 'partition is the partition in the volume - that you want to mount. If omitted, the default is - to mount by volume name. Examples: For volume /dev/sda1, - you specify the partition as "1". Similarly, the volume - partition for /dev/sda is "0" (or you can leave the - property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk format: int32 type: integer pdName: - description: 'pdName is unique name of the PD resource - in GCE. Used to identify the disk in GCE. More info: - https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk type: string readOnly: - description: 'readOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. More info: - https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk type: boolean required: - pdName type: object gitRepo: - description: 'gitRepo represents a git repository at a particular - revision. DEPRECATED: GitRepo is deprecated. To provision - a container with a git repo, mount an EmptyDir into an - InitContainer that clones the repo using git, then mount - the EmptyDir into the Pod''s container.' + description: |- + gitRepo represents a git repository at a particular revision. + DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. properties: directory: - description: directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, - the volume directory will be the git repository. Otherwise, - if specified, the volume will contain the git repository - in the subdirectory with the given name. + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. type: string repository: description: repository is the URL @@ -2623,53 +2646,61 @@ spec: - repository type: object glusterfs: - description: 'glusterfs represents a Glusterfs mount on - the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md' + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md properties: endpoints: - description: 'endpoints is the endpoint name that details - Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + description: |- + endpoints is the endpoint name that details Glusterfs topology. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod type: string path: - description: 'path is the Glusterfs volume path. More - info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod type: string readOnly: - description: 'readOnly here will force the Glusterfs - volume to be mounted with read-only permissions. Defaults - to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod type: boolean required: - endpoints - path type: object hostPath: - description: 'hostPath represents a pre-existing file or - directory on the host machine that is directly exposed - to the container. This is generally used for system agents - or other privileged things that are allowed to see the - host machine. Most containers will NOT need this. More - info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- TODO(jonesdl) We need to restrict who can use host - directory mounts and who can/can not mount host directories - as read/write.' + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- + TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + mount host directories as read/write. properties: path: - description: 'path of the directory on the host. If - the path is a symlink, it will follow the link to - the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + description: |- + path of the directory on the host. + If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath type: string type: - description: 'type for HostPath Volume Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath type: string required: - path type: object iscsi: - description: 'iscsi represents an ISCSI Disk resource that - is attached to a kubelet''s host machine and then exposed - to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://examples.k8s.io/volumes/iscsi/README.md properties: chapAuthDiscovery: description: chapAuthDiscovery defines whether support @@ -2680,59 +2711,59 @@ spec: iSCSI Session CHAP authentication type: boolean fsType: - description: 'fsType is the filesystem type of the volume - that you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - TODO: how do we prevent errors in the filesystem from - compromising the machine' + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem from compromising the machine type: string initiatorName: - description: initiatorName is the custom iSCSI Initiator - Name. If initiatorName is specified with iscsiInterface - simultaneously, new iSCSI interface : will be created for the connection. + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. type: string iqn: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: - description: iscsiInterface is the interface Name that - uses an iSCSI transport. Defaults to 'default' (tcp). + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). type: string lun: description: lun represents iSCSI Target Lun number. format: int32 type: integer portals: - description: portals is the iSCSI Target Portal List. - The portal is either an IP or ip_addr:port if the - port is other than default (typically TCP ports 860 - and 3260). + description: |- + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). items: type: string type: array readOnly: - description: readOnly here will force the ReadOnly setting - in VolumeMounts. Defaults to false. + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. type: boolean secretRef: description: secretRef is the CHAP Secret for iSCSI target and initiator authentication properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic targetPortal: - description: targetPortal is iSCSI Target Portal. The - Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and - 3260). + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). type: string required: - iqn @@ -2740,43 +2771,51 @@ spec: - targetPortal type: object name: - description: 'name of the volume. Must be a DNS_LABEL and - unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string nfs: - description: 'nfs represents an NFS mount on the host that - shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs properties: path: - description: 'path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs type: string readOnly: - description: 'readOnly here will force the NFS export - to be mounted with read-only permissions. Defaults - to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs type: boolean server: - description: 'server is the hostname or IP address of - the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: |- + server is the hostname or IP address of the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs type: string required: - path - server type: object persistentVolumeClaim: - description: 'persistentVolumeClaimVolumeSource represents - a reference to a PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims properties: claimName: - description: 'claimName is the name of a PersistentVolumeClaim - in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims type: string readOnly: - description: readOnly Will force the ReadOnly setting - in VolumeMounts. Default false. + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. type: boolean required: - claimName @@ -2787,10 +2826,10 @@ spec: machine properties: fsType: - description: fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string pdID: description: pdID is the ID that identifies Photon Controller @@ -2804,14 +2843,15 @@ spec: attached and mounted on kubelets host machine properties: fsType: - description: fSType represents the filesystem type to - mount Must be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. type: string readOnly: - description: readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean volumeID: description: volumeID uniquely identifies a Portworx @@ -2825,15 +2865,13 @@ spec: configmaps, and downward API properties: defaultMode: - description: defaultMode are the mode bits used to set - permissions on created files by default. Must be an - octal value between 0000 and 0777 or a decimal value - between 0 and 511. YAML accepts both octal and decimal - values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this - setting. This might be in conflict with other options - that affect the file mode, like fsGroup, and the result - can be other mode bits set. + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer sources: @@ -2843,57 +2881,48 @@ spec: with other supported volume types properties: clusterTrustBundle: - description: "ClusterTrustBundle allows a pod - to access the `.spec.trustBundle` field of ClusterTrustBundle - objects in an auto-updating file. \n Alpha, - gated by the ClusterTrustBundleProjection feature - gate. \n ClusterTrustBundle objects can either - be selected by name, or by the combination of - signer name and a label selector. \n Kubelet - performs aggressive normalization of the PEM - contents written into the pod filesystem. Esoteric - PEM features such as inter-block comments and - block headers are stripped. Certificates are - deduplicated. The ordering of certificates within - the file is arbitrary, and Kubelet may change - the order over time." + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + Alpha, gated by the ClusterTrustBundleProjection feature gate. + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. properties: labelSelector: - description: Select all ClusterTrustBundles - that match this label selector. Only has - effect if signerName is set. Mutually-exclusive - with name. If unset, interpreted as "match - nothing". If set but empty, interpreted - as "match everything". + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -2906,39 +2935,35 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic name: - description: Select a single ClusterTrustBundle - by object name. Mutually-exclusive with - signerName and labelSelector. + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. type: string optional: - description: If true, don't block pod startup - if the referenced ClusterTrustBundle(s) - aren't available. If using name, then the - named ClusterTrustBundle is allowed not - to exist. If using signerName, then the - combination of signerName and labelSelector - is allowed to match zero ClusterTrustBundles. + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. type: boolean path: description: Relative path from the volume root to write the bundle. type: string signerName: - description: Select all ClusterTrustBundles - that match this signer name. Mutually-exclusive - with name. The contents of all selected - ClusterTrustBundles will be unified and - deduplicated. + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. type: string required: - path @@ -2948,18 +2973,14 @@ spec: data to project properties: items: - description: items if unspecified, each key-value - pair in the Data field of the referenced - ConfigMap will be projected into the volume - as a file whose name is the key and content - is the value. If specified, the listed keys - will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the ConfigMap, the volume setup will - error unless it is marked optional. Paths - must be relative and may not contain the - '..' path or start with '..'. + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -2968,26 +2989,21 @@ spec: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode - bits used to set permissions on this - file. Must be an octal value between - 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal - and decimal values, JSON requires - decimal values for mode bits. If not - specified, the volume defaultMode - will be used. This might be in conflict - with other options that affect the - file mode, like fsGroup, and the result - can be other mode bits set.' + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: - description: path is the relative path - of the file to map the key to. May - not be an absolute path. May not contain - the path element '..'. May not start - with the string '..'. + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. type: string required: - key @@ -2995,10 +3011,10 @@ spec: type: object type: array name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: optional specify whether the @@ -3037,18 +3053,13 @@ spec: type: object x-kubernetes-map-type: atomic mode: - description: 'Optional: mode bits used - to set permissions on this file, must - be an octal value between 0000 and - 0777 or a decimal value between 0 - and 511. YAML accepts both octal and - decimal values, JSON requires decimal - values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: @@ -3060,11 +3071,9 @@ spec: path must not start with ''..''' type: string resourceFieldRef: - description: 'Selects a resource of - the container: only resources limits - and requests (limits.cpu, limits.memory, - requests.cpu and requests.memory) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. properties: containerName: description: 'Container name: required @@ -3098,18 +3107,14 @@ spec: data to project properties: items: - description: items if unspecified, each key-value - pair in the Data field of the referenced - Secret will be projected into the volume - as a file whose name is the key and content - is the value. If specified, the listed keys - will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the Secret, the volume setup will error - unless it is marked optional. Paths must - be relative and may not contain the '..' - path or start with '..'. + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -3118,26 +3123,21 @@ spec: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode - bits used to set permissions on this - file. Must be an octal value between - 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal - and decimal values, JSON requires - decimal values for mode bits. If not - specified, the volume defaultMode - will be used. This might be in conflict - with other options that affect the - file mode, like fsGroup, and the result - can be other mode bits set.' + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: - description: path is the relative path - of the file to map the key to. May - not be an absolute path. May not contain - the path element '..'. May not start - with the string '..'. + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. type: string required: - key @@ -3145,10 +3145,10 @@ spec: type: object type: array name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: optional field specify whether @@ -3161,29 +3161,25 @@ spec: about the serviceAccountToken data to project properties: audience: - description: audience is the intended audience - of the token. A recipient of a token must - identify itself with an identifier specified - in the audience of the token, and otherwise - should reject the token. The audience defaults - to the identifier of the apiserver. + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. type: string expirationSeconds: - description: expirationSeconds is the requested - duration of validity of the service account - token. As the token approaches expiration, - the kubelet volume plugin will proactively - rotate the service account token. The kubelet - will start trying to rotate the token if - the token is older than 80 percent of its - time to live or if the token is older than - 24 hours.Defaults to 1 hour and must be - at least 10 minutes. + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. format: int64 type: integer path: - description: path is the path relative to - the mount point of the file to project the + description: |- + path is the path relative to the mount point of the file to project the token into. type: string required: @@ -3197,28 +3193,30 @@ spec: that shares a pod's lifetime properties: group: - description: group to map volume access to Default is - no group + description: |- + group to map volume access to + Default is no group type: string readOnly: - description: readOnly here will force the Quobyte volume - to be mounted with read-only permissions. Defaults - to false. + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. type: boolean registry: - description: registry represents a single or multiple - Quobyte Registry services specified as a string as - host:port pair (multiple entries are separated with - commas) which acts as the central registry for volumes + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes type: string tenant: - description: tenant owning the given Quobyte volume - in the Backend Used with dynamically provisioned Quobyte - volumes, value is set by the plugin + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin type: string user: - description: user to map volume access to Defaults to - serivceaccount user + description: |- + user to map volume access to + Defaults to serivceaccount user type: string volume: description: volume is a string that references an already @@ -3229,57 +3227,68 @@ spec: - volume type: object rbd: - description: 'rbd represents a Rados Block Device mount - on the host that shares a pod''s lifetime. More info: - https://examples.k8s.io/volumes/rbd/README.md' + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md properties: fsType: - description: 'fsType is the filesystem type of the volume - that you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - TODO: how do we prevent errors in the filesystem from - compromising the machine' + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem from compromising the machine type: string image: - description: 'image is the rados image name. More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: - description: 'keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string monitors: - description: 'monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it items: type: string type: array pool: - description: 'pool is the rados pool name. Default is - rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string readOnly: - description: 'readOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: boolean secretRef: - description: 'secretRef is name of the authentication - secret for RBDUser. If provided overrides keyring. - Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic user: - description: 'user is the rados user name. Default is - admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string required: - image @@ -3290,9 +3299,11 @@ spec: attached and mounted on Kubernetes nodes. properties: fsType: - description: fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Default is "xfs". + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". type: string gateway: description: gateway is the host address of the ScaleIO @@ -3303,18 +3314,20 @@ spec: Protection Domain for the configured storage. type: string readOnly: - description: readOnly Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: secretRef references to the secret for - ScaleIO user and other sensitive information. If this - is not provided, Login operation will fail. + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -3323,8 +3336,8 @@ spec: with Gateway, default false type: boolean storageMode: - description: storageMode indicates whether the storage - for a volume should be ThickProvisioned or ThinProvisioned. + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. type: string storagePool: @@ -3336,9 +3349,9 @@ spec: as configured in ScaleIO. type: string volumeName: - description: volumeName is the name of a volume already - created in the ScaleIO system that is associated with - this volume source. + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. type: string required: - gateway @@ -3346,33 +3359,30 @@ spec: - system type: object secret: - description: 'secret represents a secret that should populate - this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret properties: defaultMode: - description: 'defaultMode is Optional: mode bits used - to set permissions on created files by default. Must - be an octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal values for mode - bits. Defaults to 0644. Directories within the path - are not affected by this setting. This might be in - conflict with other options that affect the file mode, - like fsGroup, and the result can be other mode bits - set.' + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer items: - description: items If unspecified, each key-value pair - in the Data field of the referenced Secret will be - projected into the volume as a file whose name is - the key and content is the value. If specified, the - listed keys will be projected into the specified paths, - and unlisted keys will not be present. If a key is - specified which is not present in the Secret, the - volume setup will error unless it is marked optional. - Paths must be relative and may not contain the '..' - path or start with '..'. + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -3381,22 +3391,20 @@ spec: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode bits used - to set permissions on this file. Must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal - and decimal values, JSON requires decimal values - for mode bits. If not specified, the volume - defaultMode will be used. This might be in conflict - with other options that affect the file mode, - like fsGroup, and the result can be other mode - bits set.' + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: - description: path is the relative path of the - file to map the key to. May not be an absolute - path. May not contain the path element '..'. + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. May not start with the string '..'. type: string required: @@ -3409,8 +3417,9 @@ spec: or its keys must be defined type: boolean secretName: - description: 'secretName is the name of the secret in - the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: |- + secretName is the name of the secret in the pod's namespace to use. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret type: string type: object storageos: @@ -3418,42 +3427,42 @@ spec: and mounted on Kubernetes nodes. properties: fsType: - description: fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string readOnly: - description: readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: secretRef specifies the secret to use for - obtaining the StorageOS API credentials. If not specified, - default values will be attempted. + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic volumeName: - description: volumeName is the human-readable name of - the StorageOS volume. Volume names are only unique - within a namespace. + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. type: string volumeNamespace: - description: volumeNamespace specifies the scope of - the volume within StorageOS. If no namespace is specified - then the Pod's namespace will be used. This allows - the Kubernetes name scoping to be mirrored within - StorageOS for tighter integration. Set VolumeName - to any name to override the default behaviour. Set - to "default" if you are not using namespaces within - StorageOS. Namespaces that do not pre-exist within - StorageOS will be created. + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. type: string type: object vsphereVolume: @@ -3461,10 +3470,10 @@ spec: and mounted on kubelets host machine properties: fsType: - description: fsType is filesystem type to mount. Must - be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string storagePolicyID: description: storagePolicyID is the storage Policy Based @@ -3486,56 +3495,60 @@ spec: type: object type: array logLevel: - description: LogLevel sets the log level for Envoy. Allowed values - are "trace", "debug", "info", "warn", "error", "critical", "off". + description: |- + LogLevel sets the log level for Envoy. + Allowed values are "trace", "debug", "info", "warn", "error", "critical", "off". type: string networkPublishing: description: NetworkPublishing defines how to expose Envoy to a network. properties: externalTrafficPolicy: - description: "ExternalTrafficPolicy describes how nodes distribute - service traffic they receive on one of the Service's \"externally-facing\" - addresses (NodePorts, ExternalIPs, and LoadBalancer IPs). - \n If unset, defaults to \"Local\"." + description: |- + ExternalTrafficPolicy describes how nodes distribute service traffic they + receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs, + and LoadBalancer IPs). + If unset, defaults to "Local". type: string ipFamilyPolicy: - description: IPFamilyPolicy represents the dual-stack-ness - requested or required by this Service. If there is no value - provided, then this field will be set to SingleStack. Services - can be "SingleStack" (a single IP family), "PreferDualStack" - (two IP families on dual-stack configured clusters or a - single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise - fail). + description: |- + IPFamilyPolicy represents the dual-stack-ness requested or required by + this Service. If there is no value provided, then this field will be set + to SingleStack. Services can be "SingleStack" (a single IP family), + "PreferDualStack" (two IP families on dual-stack configured clusters or + a single IP family on single-stack clusters), or "RequireDualStack" + (two IP families on dual-stack configured clusters, otherwise fail). type: string serviceAnnotations: additionalProperties: type: string - description: ServiceAnnotations is the annotations to add - to the provisioned Envoy service. + description: |- + ServiceAnnotations is the annotations to add to + the provisioned Envoy service. type: object type: - description: "NetworkPublishingType is the type of publishing - strategy to use. Valid values are: \n * LoadBalancerService - \n In this configuration, network endpoints for Envoy use - container networking. A Kubernetes LoadBalancer Service - is created to publish Envoy network endpoints. \n See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer - \n * NodePortService \n Publishes Envoy network endpoints - using a Kubernetes NodePort Service. \n In this configuration, - Envoy network endpoints use container networking. A Kubernetes + description: |- + NetworkPublishingType is the type of publishing strategy to use. Valid values are: + * LoadBalancerService + In this configuration, network endpoints for Envoy use container networking. + A Kubernetes LoadBalancer Service is created to publish Envoy network + endpoints. + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + * NodePortService + Publishes Envoy network endpoints using a Kubernetes NodePort Service. + In this configuration, Envoy network endpoints use container networking. A Kubernetes NodePort Service is created to publish the network endpoints. - \n See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport - \n NOTE: When provisioning an Envoy `NodePortService`, use - Gateway Listeners' port numbers to populate the Service's - node port values, there's no way to auto-allocate them. - \n See: https://github.com/projectcontour/contour/issues/4499 - \n * ClusterIPService \n Publishes Envoy network endpoints - using a Kubernetes ClusterIP Service. \n In this configuration, - Envoy network endpoints use container networking. A Kubernetes + See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport + NOTE: + When provisioning an Envoy `NodePortService`, use Gateway Listeners' port numbers to populate + the Service's node port values, there's no way to auto-allocate them. + See: https://github.com/projectcontour/contour/issues/4499 + * ClusterIPService + Publishes Envoy network endpoints using a Kubernetes ClusterIP Service. + In this configuration, Envoy network endpoints use container networking. A Kubernetes ClusterIP Service is created to publish the network endpoints. - \n See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - \n If unset, defaults to LoadBalancerService." + See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + If unset, defaults to LoadBalancerService. type: string type: object nodePlacement: @@ -3545,104 +3558,107 @@ spec: nodeSelector: additionalProperties: type: string - description: "NodeSelector is the simplest recommended form - of node selection constraint and specifies a map of key-value - pairs. For the pod to be eligible to run on a node, the - node must have each of the indicated key-value pairs as - labels (it can have additional labels as well). \n If unset, - the pod(s) will be scheduled to any available node." + description: |- + NodeSelector is the simplest recommended form of node selection constraint + and specifies a map of key-value pairs. For the pod to be eligible + to run on a node, the node must have each of the indicated key-value pairs + as labels (it can have additional labels as well). + If unset, the pod(s) will be scheduled to any available node. type: object tolerations: - description: "Tolerations work with taints to ensure that - pods are not scheduled onto inappropriate nodes. One or - more taints are applied to a node; this marks that the node - should not accept any pods that do not tolerate the taints. - \n The default is an empty list. \n See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - for additional details." + description: |- + Tolerations work with taints to ensure that pods are not scheduled + onto inappropriate nodes. One or more taints are applied to a node; this + marks that the node should not accept any pods that do not tolerate the + taints. + The default is an empty list. + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for additional details. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule and - NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If the - key is empty, operator must be Exists; this combination - means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints of - a particular category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the - taint forever (do not evict). Zero and negative values - will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value should - be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object overloadMaxHeapSize: - description: 'OverloadMaxHeapSize defines the maximum heap memory - of the envoy controlled by the overload manager. When the value - is greater than 0, the overload manager is enabled, and when - envoy reaches 95% of the maximum heap size, it performs a shrink - heap operation, When it reaches 98% of the maximum heap size, - Envoy Will stop accepting requests. More info: https://projectcontour.io/docs/main/config/overload-manager/' + description: |- + OverloadMaxHeapSize defines the maximum heap memory of the envoy controlled by the overload manager. + When the value is greater than 0, the overload manager is enabled, + and when envoy reaches 95% of the maximum heap size, it performs a shrink heap operation, + When it reaches 98% of the maximum heap size, Envoy Will stop accepting requests. + More info: https://projectcontour.io/docs/main/config/overload-manager/ format: int64 type: integer podAnnotations: additionalProperties: type: string - description: PodAnnotations defines annotations to add to the - Envoy pods. the annotations for Prometheus will be appended - or overwritten with predefined value. + description: |- + PodAnnotations defines annotations to add to the Envoy pods. + the annotations for Prometheus will be appended or overwritten with predefined value. type: object replicas: - description: "Deprecated: Use `DeploymentSettings.Replicas` instead. - \n Replicas is the desired number of Envoy replicas. If WorkloadType - is not \"Deployment\", this field is ignored. Otherwise, if - unset, defaults to 2. \n if both `DeploymentSettings.Replicas` - and this one is set, use `DeploymentSettings.Replicas`." + description: |- + Deprecated: Use `DeploymentSettings.Replicas` instead. + Replicas is the desired number of Envoy replicas. If WorkloadType + is not "Deployment", this field is ignored. Otherwise, if unset, + defaults to 2. + if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`. format: int32 minimum: 0 type: integer resources: - description: 'Compute Resources required by envoy container. Cannot - be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Compute Resources required by envoy container. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name @@ -3658,8 +3674,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -3668,15 +3685,16 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object workloadType: - description: WorkloadType is the type of workload to install Envoy + description: |- + WorkloadType is the type of workload to install Envoy as. Choices are DaemonSet and Deployment. If unset, defaults to DaemonSet. type: string @@ -3684,41 +3702,49 @@ spec: resourceLabels: additionalProperties: type: string - description: "ResourceLabels is a set of labels to add to the provisioned - Contour resources. \n Deprecated: use Gateway.Spec.Infrastructure.Labels - instead. This field will be removed in a future release." + description: |- + ResourceLabels is a set of labels to add to the provisioned Contour resources. + Deprecated: use Gateway.Spec.Infrastructure.Labels instead. This field will be + removed in a future release. type: object runtimeSettings: - description: RuntimeSettings is a ContourConfiguration spec to be - used when provisioning a Contour instance that will influence aspects - of the Contour instance's runtime behavior. + description: |- + RuntimeSettings is a ContourConfiguration spec to be used when + provisioning a Contour instance that will influence aspects of + the Contour instance's runtime behavior. properties: debug: - description: Debug contains parameters to enable debug logging + description: |- + Debug contains parameters to enable debug logging and debug interfaces inside Contour. properties: address: - description: "Defines the Contour debug address interface. - \n Contour's default is \"127.0.0.1\"." + description: |- + Defines the Contour debug address interface. + Contour's default is "127.0.0.1". type: string port: - description: "Defines the Contour debug address port. \n Contour's - default is 6060." + description: |- + Defines the Contour debug address port. + Contour's default is 6060. type: integer type: object enableExternalNameService: - description: "EnableExternalNameService allows processing of ExternalNameServices - \n Contour's default is false for security reasons." + description: |- + EnableExternalNameService allows processing of ExternalNameServices + Contour's default is false for security reasons. type: boolean envoy: - description: Envoy contains parameters for Envoy as well as how - to optionally configure a managed Envoy fleet. + description: |- + Envoy contains parameters for Envoy as well + as how to optionally configure a managed Envoy fleet. properties: clientCertificate: - description: ClientCertificate defines the namespace/name - of the Kubernetes secret containing the client certificate - and private key to be used when establishing TLS connection - to upstream cluster. + description: |- + ClientCertificate defines the namespace/name of the Kubernetes + secret containing the client certificate and private key + to be used when establishing TLS connection to upstream + cluster. properties: name: type: string @@ -3729,13 +3755,14 @@ spec: - namespace type: object cluster: - description: Cluster holds various configurable Envoy cluster - values that can be set in the config file. + description: |- + Cluster holds various configurable Envoy cluster values that can + be set in the config file. properties: circuitBreakers: - description: GlobalCircuitBreakerDefaults specifies default - circuit breaker budget across all services. If defined, - this will be used as the default for all services. + description: |- + GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services. + If defined, this will be used as the default for all services. properties: maxConnections: description: The maximum number of connections that @@ -3763,35 +3790,35 @@ spec: type: integer type: object dnsLookupFamily: - description: "DNSLookupFamily defines how external names - are looked up When configured as V4, the DNS resolver - will only perform a lookup for addresses in the IPv4 - family. If V6 is configured, the DNS resolver will only - perform a lookup for addresses in the IPv6 family. If - AUTO is configured, the DNS resolver will first perform - a lookup for addresses in the IPv6 family and fallback - to a lookup for addresses in the IPv4 family. If ALL - is specified, the DNS resolver will perform a lookup - for both IPv4 and IPv6 families, and return all resolved - addresses. When this is used, Happy Eyeballs will be - enabled for upstream connections. Refer to Happy Eyeballs - Support for more information. Note: This only applies - to externalName clusters. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily - for more information. \n Values: `auto` (default), `v4`, - `v6`, `all`. \n Other values will produce an error." + description: |- + DNSLookupFamily defines how external names are looked up + When configured as V4, the DNS resolver will only perform a lookup + for addresses in the IPv4 family. If V6 is configured, the DNS resolver + will only perform a lookup for addresses in the IPv6 family. + If AUTO is configured, the DNS resolver will first perform a lookup + for addresses in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for + both IPv4 and IPv6 families, and return all resolved addresses. + When this is used, Happy Eyeballs will be enabled for upstream connections. + Refer to Happy Eyeballs Support for more information. + Note: This only applies to externalName clusters. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. + Values: `auto` (default), `v4`, `v6`, `all`. + Other values will produce an error. type: string maxRequestsPerConnection: - description: Defines the maximum requests for upstream - connections. If not specified, there is no limit. see - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + description: |- + Defines the maximum requests for upstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions for more information. format: int32 minimum: 1 type: integer per-connection-buffer-limit-bytes: - description: Defines the soft limit on size of the cluster’s - new connection read and write buffers in bytes. If unspecified, - an implementation defined default is applied (1MiB). + description: |- + Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes for more information. format: int32 @@ -3802,64 +3829,73 @@ spec: for upstream connections properties: cipherSuites: - description: "CipherSuites defines the TLS ciphers - to be supported by Envoy TLS listeners when negotiating - TLS 1.2. Ciphers are validated against the set that - Envoy supports by default. This parameter should - only be used by advanced users. Note that these - will be ignored when TLS 1.3 is in use. \n This - field is optional; when it is undefined, a Contour-managed - ciphersuite list will be used, which may be updated - to keep it secure. \n Contour's default list is: - - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" - \n Ciphers provided are validated against the following - list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" - - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" - - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" - - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - - \"AES256-SHA\" \n Contour recommends leaving this - undefined unless you are sure you must. \n See: - https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters - Note: This list is a superset of what is valid for - stock Envoy builds and those using BoringSSL FIPS." + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. items: type: string type: array maximumProtocolVersion: - description: "MaximumProtocolVersion is the maximum - TLS version this vhost should negotiate. \n Values: - `1.2`, `1.3`(default). \n Other values will produce - an error." + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. type: string minimumProtocolVersion: - description: "MinimumProtocolVersion is the minimum - TLS version this vhost should negotiate. \n Values: - `1.2` (default), `1.3`. \n Other values will produce - an error." + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. type: string type: object type: object defaultHTTPVersions: - description: "DefaultHTTPVersions defines the default set - of HTTPS versions the proxy should accept. HTTP versions - are strings of the form \"HTTP/xx\". Supported versions - are \"HTTP/1.1\" and \"HTTP/2\". \n Values: `HTTP/1.1`, - `HTTP/2` (default: both). \n Other values will produce an - error." + description: |- + DefaultHTTPVersions defines the default set of HTTPS + versions the proxy should accept. HTTP versions are + strings of the form "HTTP/xx". Supported versions are + "HTTP/1.1" and "HTTP/2". + Values: `HTTP/1.1`, `HTTP/2` (default: both). + Other values will produce an error. items: description: HTTPVersionType is the name of a supported HTTP version. type: string type: array health: - description: "Health defines the endpoint Envoy uses to serve - health checks. \n Contour's default is { address: \"0.0.0.0\", - port: 8002 }." + description: |- + Health defines the endpoint Envoy uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8002 }. properties: address: description: Defines the health address interface. @@ -3870,9 +3906,9 @@ spec: type: integer type: object http: - description: "Defines the HTTP Listener for Envoy. \n Contour's - default is { address: \"0.0.0.0\", port: 8080, accessLog: - \"/dev/stdout\" }." + description: |- + Defines the HTTP Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }. properties: accessLog: description: AccessLog defines where Envoy logs are outputted @@ -3887,9 +3923,9 @@ spec: type: integer type: object https: - description: "Defines the HTTPS Listener for Envoy. \n Contour's - default is { address: \"0.0.0.0\", port: 8443, accessLog: - \"/dev/stdout\" }." + description: |- + Defines the HTTPS Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }. properties: accessLog: description: AccessLog defines where Envoy logs are outputted @@ -3908,111 +3944,103 @@ spec: values. properties: connectionBalancer: - description: "ConnectionBalancer. If the value is exact, - the listener will use the exact connection balancer + description: |- + ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig - for more information. \n Values: (empty string): use - the default ConnectionBalancer, `exact`: use the Exact - ConnectionBalancer. \n Other values will produce an - error." + for more information. + Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. + Other values will produce an error. type: string disableAllowChunkedLength: - description: "DisableAllowChunkedLength disables the RFC-compliant - Envoy behavior to strip the \"Content-Length\" header - if \"Transfer-Encoding: chunked\" is also set. This - is an emergency off-switch to revert back to Envoy's - default behavior in case of failures. Please file an - issue if failures are encountered. See: https://github.com/projectcontour/contour/issues/3221 - \n Contour's default is false." + description: |- + DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to + strip the "Content-Length" header if "Transfer-Encoding: chunked" is + also set. This is an emergency off-switch to revert back to Envoy's + default behavior in case of failures. Please file an issue if failures + are encountered. + See: https://github.com/projectcontour/contour/issues/3221 + Contour's default is false. type: boolean disableMergeSlashes: - description: "DisableMergeSlashes disables Envoy's non-standard - merge_slashes path transformation option which strips - duplicate slashes from request URL paths. \n Contour's - default is false." + description: |- + DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option + which strips duplicate slashes from request URL paths. + Contour's default is false. type: boolean httpMaxConcurrentStreams: - description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS - Envoy will advertise in the SETTINGS frame in HTTP/2 - connections and the limit for concurrent streams allowed - for a peer on a single HTTP/2 connection. It is recommended - to not set this lower than 100 but this field can be - used to bound resource usage by HTTP/2 connections and - mitigate attacks like CVE-2023-44487. The default value - when this is not set is unlimited. + description: |- + Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the + SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed + for a peer on a single HTTP/2 connection. It is recommended to not set this lower + than 100 but this field can be used to bound resource usage by HTTP/2 connections + and mitigate attacks like CVE-2023-44487. The default value when this is not set is + unlimited. format: int32 minimum: 1 type: integer maxConnectionsPerListener: - description: Defines the limit on number of active connections - to a listener. The limit is applied per listener. The - default value when this is not set is unlimited. + description: |- + Defines the limit on number of active connections to a listener. The limit is applied + per listener. The default value when this is not set is unlimited. format: int32 minimum: 1 type: integer maxRequestsPerConnection: - description: Defines the maximum requests for downstream - connections. If not specified, there is no limit. see - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + description: |- + Defines the maximum requests for downstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions for more information. format: int32 minimum: 1 type: integer maxRequestsPerIOCycle: - description: Defines the limit on number of HTTP requests - that Envoy will process from a single connection in - a single I/O cycle. Requests over this limit are processed - in subsequent I/O cycles. Can be used as a mitigation - for CVE-2023-44487 when abusive traffic is detected. - Configures the http.max_requests_per_io_cycle Envoy - runtime setting. The default value when this is not - set is no limit. + description: |- + Defines the limit on number of HTTP requests that Envoy will process from a single + connection in a single I/O cycle. Requests over this limit are processed in subsequent + I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is + detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default + value when this is not set is no limit. format: int32 minimum: 1 type: integer per-connection-buffer-limit-bytes: - description: Defines the soft limit on size of the listener’s - new connection read and write buffers in bytes. If unspecified, - an implementation defined default is applied (1MiB). + description: |- + Defines the soft limit on size of the listener’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes for more information. format: int32 minimum: 1 type: integer serverHeaderTransformation: - description: "Defines the action to be applied to the - Server header on the response path. When configured - as overwrite, overwrites any Server header with \"envoy\". - When configured as append_if_absent, if a Server header - is present, pass it through, otherwise set it to \"envoy\". - When configured as pass_through, pass through the value - of the Server header, and do not append a header if - none is present. \n Values: `overwrite` (default), `append_if_absent`, - `pass_through` \n Other values will produce an error. - Contour's default is overwrite." + description: |- + Defines the action to be applied to the Server header on the response path. + When configured as overwrite, overwrites any Server header with "envoy". + When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy". + When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. + Values: `overwrite` (default), `append_if_absent`, `pass_through` + Other values will produce an error. + Contour's default is overwrite. type: string socketOptions: - description: SocketOptions defines configurable socket - options for the listeners. Single set of options are - applied to all listeners. + description: |- + SocketOptions defines configurable socket options for the listeners. + Single set of options are applied to all listeners. properties: tos: - description: Defines the value for IPv4 TOS field - (including 6 bit DSCP field) for IP packets originating - from Envoy listeners. Single value is applied to - all listeners. If listeners are bound to IPv6-only - addresses, setting this option will cause an error. + description: |- + Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv6-only addresses, setting this option will cause an error. format: int32 maximum: 255 minimum: 0 type: integer trafficClass: - description: Defines the value for IPv6 Traffic Class - field (including 6 bit DSCP field) for IP packets - originating from the Envoy listeners. Single value - is applied to all listeners. If listeners are bound - to IPv4-only addresses, setting this option will - cause an error. + description: |- + Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv4-only addresses, setting this option will cause an error. format: int32 maximum: 255 minimum: 0 @@ -4023,84 +4051,93 @@ spec: listener values. properties: cipherSuites: - description: "CipherSuites defines the TLS ciphers - to be supported by Envoy TLS listeners when negotiating - TLS 1.2. Ciphers are validated against the set that - Envoy supports by default. This parameter should - only be used by advanced users. Note that these - will be ignored when TLS 1.3 is in use. \n This - field is optional; when it is undefined, a Contour-managed - ciphersuite list will be used, which may be updated - to keep it secure. \n Contour's default list is: - - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" - \n Ciphers provided are validated against the following - list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" - - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" - - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" - - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - - \"AES256-SHA\" \n Contour recommends leaving this - undefined unless you are sure you must. \n See: - https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters - Note: This list is a superset of what is valid for - stock Envoy builds and those using BoringSSL FIPS." + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. items: type: string type: array maximumProtocolVersion: - description: "MaximumProtocolVersion is the maximum - TLS version this vhost should negotiate. \n Values: - `1.2`, `1.3`(default). \n Other values will produce - an error." + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. type: string minimumProtocolVersion: - description: "MinimumProtocolVersion is the minimum - TLS version this vhost should negotiate. \n Values: - `1.2` (default), `1.3`. \n Other values will produce - an error." + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. type: string type: object useProxyProtocol: - description: "Use PROXY protocol for all listeners. \n - Contour's default is false." + description: |- + Use PROXY protocol for all listeners. + Contour's default is false. type: boolean type: object logging: description: Logging defines how Envoy's logs can be configured. properties: accessLogFormat: - description: "AccessLogFormat sets the global access log - format. \n Values: `envoy` (default), `json`. \n Other - values will produce an error." + description: |- + AccessLogFormat sets the global access log format. + Values: `envoy` (default), `json`. + Other values will produce an error. type: string accessLogFormatString: - description: AccessLogFormatString sets the access log - format when format is set to `envoy`. When empty, Envoy's - default format is used. + description: |- + AccessLogFormatString sets the access log format when format is set to `envoy`. + When empty, Envoy's default format is used. type: string accessLogJSONFields: - description: AccessLogJSONFields sets the fields that - JSON logging will output when AccessLogFormat is json. + description: |- + AccessLogJSONFields sets the fields that JSON logging will + output when AccessLogFormat is json. items: type: string type: array accessLogLevel: - description: "AccessLogLevel sets the verbosity level - of the access log. \n Values: `info` (default, all requests - are logged), `error` (all non-success requests, i.e. - 300+ response code, are logged), `critical` (all 5xx - requests are logged) and `disabled`. \n Other values - will produce an error." + description: |- + AccessLogLevel sets the verbosity level of the access log. + Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`. + Other values will produce an error. type: string type: object metrics: - description: "Metrics defines the endpoint Envoy uses to serve - metrics. \n Contour's default is { address: \"0.0.0.0\", - port: 8002 }." + description: |- + Metrics defines the endpoint Envoy uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8002 }. properties: address: description: Defines the metrics address interface. @@ -4111,9 +4148,9 @@ spec: description: Defines the metrics port. type: integer tls: - description: TLS holds TLS file config details. Metrics - and health endpoints cannot have same port number when - metrics is served over HTTPS. + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. properties: caFile: description: CA filename. @@ -4131,24 +4168,26 @@ spec: values. properties: adminPort: - description: "Configure the port used to access the Envoy - Admin interface. If configured to port \"0\" then the - admin interface is disabled. \n Contour's default is - 9001." + description: |- + Configure the port used to access the Envoy Admin interface. + If configured to port "0" then the admin interface is disabled. + Contour's default is 9001. type: integer numTrustedHops: - description: "XffNumTrustedHops defines the number of - additional ingress proxy hops from the right side of - the x-forwarded-for HTTP header to trust when determining - the origin client’s IP address. \n See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops - for more information. \n Contour's default is 0." + description: |- + XffNumTrustedHops defines the number of additional ingress proxy hops from the + right side of the x-forwarded-for HTTP header to trust when determining the origin + client’s IP address. + See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops + for more information. + Contour's default is 0. format: int32 type: integer type: object service: - description: "Service holds Envoy service parameters for setting - Ingress status. \n Contour's default is { namespace: \"projectcontour\", - name: \"envoy\" }." + description: |- + Service holds Envoy service parameters for setting Ingress status. + Contour's default is { namespace: "projectcontour", name: "envoy" }. properties: name: type: string @@ -4159,95 +4198,100 @@ spec: - namespace type: object timeouts: - description: Timeouts holds various configurable timeouts - that can be set in the config file. + description: |- + Timeouts holds various configurable timeouts that can + be set in the config file. properties: connectTimeout: - description: "ConnectTimeout defines how long the proxy - should wait when establishing connection to upstream - service. If not set, a default value of 2 seconds will - be used. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout - for more information." + description: |- + ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. + If not set, a default value of 2 seconds will be used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout + for more information. type: string connectionIdleTimeout: - description: "ConnectionIdleTimeout defines how long the - proxy should wait while there are no active requests - (for HTTP/1.1) or streams (for HTTP/2) before terminating - an HTTP connection. Set to \"infinity\" to disable the - timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout - for more information." + description: |- + ConnectionIdleTimeout defines how long the proxy should wait while there are + no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating + an HTTP connection. Set to "infinity" to disable the timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout + for more information. type: string connectionShutdownGracePeriod: - description: "ConnectionShutdownGracePeriod defines how - long the proxy will wait between sending an initial - GOAWAY frame and a second, final GOAWAY frame when terminating - an HTTP/2 connection. During this grace period, the - proxy will continue to respond to new streams. After - the final GOAWAY frame has been sent, the proxy will - refuse new streams. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout - for more information." + description: |- + ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an + initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection. + During this grace period, the proxy will continue to respond to new streams. After the final + GOAWAY frame has been sent, the proxy will refuse new streams. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout + for more information. type: string delayedCloseTimeout: - description: "DelayedCloseTimeout defines how long envoy - will wait, once connection close processing has been - initiated, for the downstream peer to close the connection - before Envoy closes the socket associated with the connection. - \n Setting this timeout to 'infinity' will disable it, - equivalent to setting it to '0' in Envoy. Leaving it - unset will result in the Envoy default value being used. - \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout - for more information." + description: |- + DelayedCloseTimeout defines how long envoy will wait, once connection + close processing has been initiated, for the downstream peer to close + the connection before Envoy closes the socket associated with the connection. + Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0' + in Envoy. Leaving it unset will result in the Envoy default value being used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout + for more information. type: string maxConnectionDuration: - description: "MaxConnectionDuration defines the maximum - period of time after an HTTP connection has been established - from the client to the proxy before it is closed by - the proxy, regardless of whether there has been activity - or not. Omit or set to \"infinity\" for no max duration. - \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration - for more information." + description: |- + MaxConnectionDuration defines the maximum period of time after an HTTP connection + has been established from the client to the proxy before it is closed by the proxy, + regardless of whether there has been activity or not. Omit or set to "infinity" for + no max duration. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration + for more information. type: string requestTimeout: - description: "RequestTimeout sets the client request timeout - globally for Contour. Note that this is a timeout for - the entire request, not an idle timeout. Omit or set - to \"infinity\" to disable the timeout entirely. \n + description: |- + RequestTimeout sets the client request timeout globally for Contour. Note that + this is a timeout for the entire request, not an idle timeout. Omit or set to + "infinity" to disable the timeout entirely. See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout - for more information." + for more information. type: string streamIdleTimeout: - description: "StreamIdleTimeout defines how long the proxy - should wait while there is no request activity (for - HTTP/1.1) or stream activity (for HTTP/2) before terminating - the HTTP request or stream. Set to \"infinity\" to disable - the timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout - for more information." + description: |- + StreamIdleTimeout defines how long the proxy should wait while there is no + request activity (for HTTP/1.1) or stream activity (for HTTP/2) before + terminating the HTTP request or stream. Set to "infinity" to disable the + timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout + for more information. type: string type: object type: object featureFlags: - description: 'FeatureFlags defines toggle to enable new contour - features. Available toggles are: useEndpointSlices - configures - contour to fetch endpoint data from k8s endpoint slices. defaults - to false and reading endpoint data from the k8s endpoints.' + description: |- + FeatureFlags defines toggle to enable new contour features. + Available toggles are: + useEndpointSlices - configures contour to fetch endpoint data + from k8s endpoint slices. defaults to false and reading endpoint + data from the k8s endpoints. items: type: string type: array gateway: - description: Gateway contains parameters for the gateway-api Gateway - that Contour is configured to serve traffic. + description: |- + Gateway contains parameters for the gateway-api Gateway that Contour + is configured to serve traffic. properties: controllerName: - description: ControllerName is used to determine whether Contour - should reconcile a GatewayClass. The string takes the form - of "projectcontour.io//contour". If unset, the - gatewayclass controller will not be started. Exactly one - of ControllerName or GatewayRef must be set. + description: |- + ControllerName is used to determine whether Contour should reconcile a + GatewayClass. The string takes the form of "projectcontour.io//contour". + If unset, the gatewayclass controller will not be started. + Exactly one of ControllerName or GatewayRef must be set. type: string gatewayRef: - description: GatewayRef defines a specific Gateway that this - Contour instance corresponds to. If set, Contour will reconcile - only this gateway, and will not reconcile any gateway classes. + description: |- + GatewayRef defines a specific Gateway that this Contour + instance corresponds to. If set, Contour will reconcile + only this gateway, and will not reconcile any gateway + classes. Exactly one of ControllerName or GatewayRef must be set. properties: name: @@ -4260,26 +4304,29 @@ spec: type: object type: object globalExtAuth: - description: GlobalExternalAuthorization allows envoys external - authorization filter to be enabled for all virtual hosts. + description: |- + GlobalExternalAuthorization allows envoys external authorization filter + to be enabled for all virtual hosts. properties: authPolicy: - description: AuthPolicy sets a default authorization policy - for client requests. This policy will be used unless overridden - by individual routes. + description: |- + AuthPolicy sets a default authorization policy for client requests. + This policy will be used unless overridden by individual routes. properties: context: additionalProperties: type: string - description: Context is a set of key/value pairs that - are sent to the authentication server in the check request. - If a context is provided at an enclosing scope, the - entries are merged such that the inner scope overrides - matching keys from the outer scope. + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. type: object disabled: - description: When true, this field disables client request - authentication for the scope of the policy. + description: |- + When true, this field disables client request authentication + for the scope of the policy. type: boolean type: object extensionRef: @@ -4287,36 +4334,38 @@ spec: that will authorize client requests. properties: apiVersion: - description: API version of the referent. If this field - is not specified, the default "projectcontour.io/v1alpha1" - will be used + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used minLength: 1 type: string name: - description: "Name of the referent. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names minLength: 1 type: string namespace: - description: "Namespace of the referent. If this field - is not specifies, the namespace of the resource that - targets the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ minLength: 1 type: string type: object failOpen: - description: If FailOpen is true, the client request is forwarded - to the upstream service even if the authorization server - fails to respond. This field should not be set in most cases. - It is intended for use only while migrating applications + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the authorization server fails to respond. This field should not be + set in most cases. It is intended for use only while migrating applications from internal authorization to Contour external authorization. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time to wait - for a check response from the authorization server. Timeout - durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", - "h". The string "infinity" is also a valid input and specifies - no timeout. + description: |- + ResponseTimeout configures maximum time to wait for a check response from the authorization server. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string withRequestBody: @@ -4341,9 +4390,9 @@ spec: type: object type: object health: - description: "Health defines the endpoints Contour uses to serve - health checks. \n Contour's default is { address: \"0.0.0.0\", - port: 8000 }." + description: |- + Health defines the endpoints Contour uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8000 }. properties: address: description: Defines the health address interface. @@ -4357,14 +4406,15 @@ spec: description: HTTPProxy defines parameters on HTTPProxy. properties: disablePermitInsecure: - description: "DisablePermitInsecure disables the use of the - permitInsecure field in HTTPProxy. \n Contour's default - is false." + description: |- + DisablePermitInsecure disables the use of the + permitInsecure field in HTTPProxy. + Contour's default is false. type: boolean fallbackCertificate: - description: FallbackCertificate defines the namespace/name - of the Kubernetes secret to use as fallback when a non-SNI - request is received. + description: |- + FallbackCertificate defines the namespace/name of the Kubernetes secret to + use as fallback when a non-SNI request is received. properties: name: type: string @@ -4394,9 +4444,9 @@ spec: type: string type: object metrics: - description: "Metrics defines the endpoint Contour uses to serve - metrics. \n Contour's default is { address: \"0.0.0.0\", port: - 8000 }." + description: |- + Metrics defines the endpoint Contour uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8000 }. properties: address: description: Defines the metrics address interface. @@ -4407,9 +4457,9 @@ spec: description: Defines the metrics port. type: integer tls: - description: TLS holds TLS file config details. Metrics and - health endpoints cannot have same port number when metrics - is served over HTTPS. + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. properties: caFile: description: CA filename. @@ -4427,8 +4477,9 @@ spec: by the user properties: applyToIngress: - description: "ApplyToIngress determines if the Policies will - apply to ingress objects \n Contour's default is false." + description: |- + ApplyToIngress determines if the Policies will apply to ingress objects + Contour's default is false. type: boolean requestHeaders: description: RequestHeadersPolicy defines the request headers @@ -4458,18 +4509,20 @@ spec: type: object type: object rateLimitService: - description: RateLimitService optionally holds properties of the - Rate Limit Service to be used for global rate limiting. + description: |- + RateLimitService optionally holds properties of the Rate Limit Service + to be used for global rate limiting. properties: defaultGlobalRateLimitPolicy: - description: DefaultGlobalRateLimitPolicy allows setting a - default global rate limit policy for every HTTPProxy. HTTPProxy - can overwrite this configuration. + description: |- + DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. + HTTPProxy can overwrite this configuration. properties: descriptors: - description: Descriptors defines the list of descriptors - that will be generated and sent to the rate limit service. - Each descriptor contains 1+ key-value pair entries. + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries. items: description: RateLimitDescriptor defines a list of key-value pair generators. @@ -4478,18 +4531,18 @@ spec: description: Entries is the list of key-value pair generators. items: - description: RateLimitDescriptorEntry is a key-value - pair generator. Exactly one field on this struct - must be non-nil. + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. properties: genericKey: description: GenericKey defines a descriptor entry with a static key and value. properties: key: - description: Key defines the key of the - descriptor entry. If not set, the key - is set to "generic_key". + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". type: string value: description: Value defines the value of @@ -4498,17 +4551,15 @@ spec: type: string type: object remoteAddress: - description: RemoteAddress defines a descriptor - entry with a key of "remote_address" and - a value equal to the client's IP address - (from x-forwarded-for). + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). type: object requestHeader: - description: RequestHeader defines a descriptor - entry that's populated only if a given header - is present on the request. The descriptor - key is static, and the descriptor value - is equal to the value of the header. + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. properties: descriptorKey: description: DescriptorKey defines the @@ -4522,42 +4573,36 @@ spec: type: string type: object requestHeaderValueMatch: - description: RequestHeaderValueMatch defines - a descriptor entry that's populated if the - request's headers match a set of 1+ match - criteria. The descriptor key is "header_match", - and the descriptor value is static. + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. properties: expectMatch: default: true - description: ExpectMatch defines whether - the request must positively match the - match criteria in order to generate - a descriptor entry (i.e. true), or not - match the match criteria in order to - generate a descriptor entry (i.e. false). + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). The default is true. type: boolean headers: - description: Headers is a list of 1+ match - criteria to apply against the request - to determine whether to populate the - descriptor entry or not. + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. items: - description: HeaderMatchCondition specifies - how to conditionally match against - HTTP headers. The Name field is required, - only one of Present, NotPresent, Contains, - NotContains, Exact, NotExact and Regex - can be set. For negative matching - rules only (e.g. NotContains or NotExact) - you can set TreatMissingAsEmpty. IgnoreCase - has no effect for Regex. + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex. properties: contains: - description: Contains specifies - a substring that must be present - in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string @@ -4565,61 +4610,49 @@ spec: equal to. type: string ignoreCase: - description: IgnoreCase specifies - that string matching should be - case insensitive. Note that this - has no effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of - the header to match against. Name - is required. Header names are - case insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies - a substring that must not be present + description: |- + NotContains specifies a substring that must not be present in the header value. type: string notexact: - description: NoExact specifies a - string that the header value must - not be equal to. The condition - is true if the header has any - other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies - that condition is true when the - named header is not present. Note - that setting NotPresent to false - does not make the condition true - if the named header is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that - condition is true when the named - header is present, regardless - of its value. Note that setting - Present to false does not make - the condition true if the named - header is absent. + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. type: boolean regex: - description: Regex specifies a regular - expression pattern that must match - the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty - specifies if the header match - rule specified header does not - exist, this header value will - be treated as empty. Defaults - to false. Unlike the underlying - Envoy implementation this is **only** - supported for negative matches - (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -4639,25 +4672,26 @@ spec: minItems: 1 type: array disabled: - description: Disabled configures the HTTPProxy to not - use the default global rate limit policy defined by - the Contour configuration. + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. type: boolean type: object domain: description: Domain is passed to the Rate Limit Service. type: string enableResourceExhaustedCode: - description: EnableResourceExhaustedCode enables translating - error code 429 to grpc code RESOURCE_EXHAUSTED. When disabled - it's translated to UNAVAILABLE + description: |- + EnableResourceExhaustedCode enables translating error code 429 to + grpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE type: boolean enableXRateLimitHeaders: - description: "EnableXRateLimitHeaders defines whether to include - the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining, - and X-RateLimit-Reset (as defined by the IETF Internet-Draft - linked below), on responses to clients when the Rate Limit - Service is consulted for a request. \n ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html" + description: |- + EnableXRateLimitHeaders defines whether to include the X-RateLimit + headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset + (as defined by the IETF Internet-Draft linked below), on responses + to clients when the Rate Limit Service is consulted for a request. + ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html type: boolean extensionService: description: ExtensionService identifies the extension service @@ -4672,10 +4706,10 @@ spec: - namespace type: object failOpen: - description: FailOpen defines whether to allow requests to - proceed when the Rate Limit Service fails to respond with - a valid rate limit decision within the timeout defined on - the extension service. + description: |- + FailOpen defines whether to allow requests to proceed when the + Rate Limit Service fails to respond with a valid rate limit + decision within the timeout defined on the extension service. type: boolean required: - extensionService @@ -4688,17 +4722,20 @@ spec: description: CustomTags defines a list of custom tags with unique tag name. items: - description: CustomTag defines custom tags with unique tag - name to create tags for the active span. + description: |- + CustomTag defines custom tags with unique tag name + to create tags for the active span. properties: literal: - description: Literal is a static custom tag value. Precisely - one of Literal, RequestHeaderName must be set. + description: |- + Literal is a static custom tag value. + Precisely one of Literal, RequestHeaderName must be set. type: string requestHeaderName: - description: RequestHeaderName indicates which request - header the label value is obtained from. Precisely - one of Literal, RequestHeaderName must be set. + description: |- + RequestHeaderName indicates which request header + the label value is obtained from. + Precisely one of Literal, RequestHeaderName must be set. type: string tagName: description: TagName is the unique name of the custom @@ -4721,24 +4758,27 @@ spec: - namespace type: object includePodDetail: - description: 'IncludePodDetail defines a flag. If it is true, - contour will add the pod name and namespace to the span - of the trace. the default is true. Note: The Envoy pods - MUST have the HOSTNAME and CONTOUR_NAMESPACE environment - variables set for this to work properly.' + description: |- + IncludePodDetail defines a flag. + If it is true, contour will add the pod name and namespace to the span of the trace. + the default is true. + Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly. type: boolean maxPathTagLength: - description: MaxPathTagLength defines maximum length of the - request path to extract and include in the HttpUrl tag. + description: |- + MaxPathTagLength defines maximum length of the request path + to extract and include in the HttpUrl tag. contour's default is 256. format: int32 type: integer overallSampling: - description: OverallSampling defines the sampling rate of - trace data. contour's default is 100. + description: |- + OverallSampling defines the sampling rate of trace data. + contour's default is 100. type: string serviceName: - description: ServiceName defines the name for the service. + description: |- + ServiceName defines the name for the service. contour's default is contour. type: string required: @@ -4748,18 +4788,20 @@ spec: description: XDSServer contains parameters for the xDS server. properties: address: - description: "Defines the xDS gRPC API address which Contour - will serve. \n Contour's default is \"0.0.0.0\"." + description: |- + Defines the xDS gRPC API address which Contour will serve. + Contour's default is "0.0.0.0". minLength: 1 type: string port: - description: "Defines the xDS gRPC API port which Contour - will serve. \n Contour's default is 8001." + description: |- + Defines the xDS gRPC API port which Contour will serve. + Contour's default is 8001. type: integer tls: - description: "TLS holds TLS file config details. \n Contour's - default is { caFile: \"/certs/ca.crt\", certFile: \"/certs/tls.cert\", - keyFile: \"/certs/tls.key\", insecure: false }." + description: |- + TLS holds TLS file config details. + Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }. properties: caFile: description: CA filename. @@ -4775,9 +4817,10 @@ spec: type: string type: object type: - description: "Defines the XDSServer to use for `contour serve`. - \n Values: `contour` (default), `envoy`. \n Other values - will produce an error." + description: |- + Defines the XDSServer to use for `contour serve`. + Values: `contour` (default), `envoy`. + Other values will produce an error. type: string type: object type: object @@ -4791,42 +4834,42 @@ spec: resource. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -4840,11 +4883,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -4870,7 +4914,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: extensionservices.projectcontour.io spec: preserveUnknownFields: false @@ -4888,19 +4932,26 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ExtensionService is the schema for the Contour extension services - API. An ExtensionService resource binds a network service to the Contour - API so that Contour API features can be implemented by collaborating components. + description: |- + ExtensionService is the schema for the Contour extension services API. + An ExtensionService resource binds a network service to the Contour + API so that Contour API features can be implemented by collaborating + components. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4909,101 +4960,111 @@ spec: resource. properties: loadBalancerPolicy: - description: The policy for load balancing GRPC service requests. - Note that the `Cookie` and `RequestHash` load balancing strategies - cannot be used here. + description: |- + The policy for load balancing GRPC service requests. Note that the + `Cookie` and `RequestHash` load balancing strategies cannot be used + here. properties: requestHashPolicies: - description: RequestHashPolicies contains a list of hash policies - to apply when the `RequestHash` load balancing strategy is chosen. - If an element of the supplied list of hash policies is invalid, - it will be ignored. If the list of hash policies is empty after - validation, the load balancing strategy will fall back to the - default `RoundRobin`. + description: |- + RequestHashPolicies contains a list of hash policies to apply when the + `RequestHash` load balancing strategy is chosen. If an element of the + supplied list of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load balancing + strategy will fall back to the default `RoundRobin`. items: - description: RequestHashPolicy contains configuration for an - individual hash policy on a request attribute. + description: |- + RequestHashPolicy contains configuration for an individual hash policy + on a request attribute. properties: hashSourceIP: - description: HashSourceIP should be set to true when request - source IP hash based load balancing is desired. It must - be the only hash option field set, otherwise this request - hash policy object will be ignored. + description: |- + HashSourceIP should be set to true when request source IP hash based + load balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. type: boolean headerHashOptions: - description: HeaderHashOptions should be set when request - header hash based load balancing is desired. It must be - the only hash option field set, otherwise this request - hash policy object will be ignored. + description: |- + HeaderHashOptions should be set when request header hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: headerName: - description: HeaderName is the name of the HTTP request - header that will be used to calculate the hash key. - If the header specified is not present on a request, - no hash will be produced. + description: |- + HeaderName is the name of the HTTP request header that will be used to + calculate the hash key. If the header specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object queryParameterHashOptions: - description: QueryParameterHashOptions should be set when - request query parameter hash based load balancing is desired. - It must be the only hash option field set, otherwise this - request hash policy object will be ignored. + description: |- + QueryParameterHashOptions should be set when request query parameter hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: parameterName: - description: ParameterName is the name of the HTTP request - query parameter that will be used to calculate the - hash key. If the query parameter specified is not - present on a request, no hash will be produced. + description: |- + ParameterName is the name of the HTTP request query parameter that will be used to + calculate the hash key. If the query parameter specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object terminal: - description: Terminal is a flag that allows for short-circuiting - computing of a hash for a given request. If set to true, - and the request attribute specified in the attribute hash - options is present, no further hash policies will be used - to calculate a hash for the request. + description: |- + Terminal is a flag that allows for short-circuiting computing of a hash + for a given request. If set to true, and the request attribute specified + in the attribute hash options is present, no further hash policies will + be used to calculate a hash for the request. type: boolean type: object type: array strategy: - description: Strategy specifies the policy used to balance requests - across the pool of backend pods. Valid policy names are `Random`, - `RoundRobin`, `WeightedLeastRequest`, `Cookie`, and `RequestHash`. - If an unknown strategy name is specified or no policy is supplied, - the default `RoundRobin` policy is used. + description: |- + Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are + `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + and `RequestHash`. If an unknown strategy name is specified + or no policy is supplied, the default `RoundRobin` policy + is used. type: string type: object protocol: - description: Protocol may be used to specify (or override) the protocol - used to reach this Service. Values may be h2 or h2c. If omitted, - protocol-selection falls back on Service annotations. + description: |- + Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be h2 or h2c. If omitted, protocol-selection falls back on Service annotations. enum: - h2 - h2c type: string protocolVersion: - description: This field sets the version of the GRPC protocol that - Envoy uses to send requests to the extension service. Since Contour - always uses the v3 Envoy API, this is currently fixed at "v3". However, - other protocol options will be available in future. + description: |- + This field sets the version of the GRPC protocol that Envoy uses to + send requests to the extension service. Since Contour always uses the + v3 Envoy API, this is currently fixed at "v3". However, other + protocol options will be available in future. enum: - v3 type: string services: - description: Services specifies the set of Kubernetes Service resources - that receive GRPC extension API requests. If no weights are specified - for any of the entries in this array, traffic will be spread evenly - across all the services. Otherwise, traffic is balanced proportionally - to the Weight field in each entry. + description: |- + Services specifies the set of Kubernetes Service resources that + receive GRPC extension API requests. + If no weights are specified for any of the entries in + this array, traffic will be spread evenly across all the + services. + Otherwise, traffic is balanced proportionally to the + Weight field in each entry. items: - description: ExtensionServiceTarget defines an Kubernetes Service - to target with extension service traffic. + description: |- + ExtensionServiceTarget defines an Kubernetes Service to target with + extension service traffic. properties: name: - description: Name is the name of Kubernetes service that will - accept service traffic. + description: |- + Name is the name of Kubernetes service that will accept service + traffic. type: string port: description: Port (defined as Integer) to proxy traffic to since @@ -5027,24 +5088,23 @@ spec: description: The timeout policy for requests to the services. properties: idle: - description: Timeout for how long the proxy should wait while - there is no activity during single request/response (for HTTP/1.1) - or stream (for HTTP/2). Timeout will not trigger while HTTP/1.1 - connection is idle between two consecutive requests. If not - specified, there is no per-route idle timeout, though a connection - manager-wide stream_idle_timeout default of 5m still applies. + description: |- + Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2). + Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests. + If not specified, there is no per-route idle timeout, though a connection manager-wide + stream_idle_timeout default of 5m still applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string idleConnection: - description: Timeout for how long connection from the proxy to - the upstream service is kept when there are no active requests. + description: |- + Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests. If not supplied, Envoy's default value of 1h applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string response: - description: Timeout for receiving a response from the server - after processing a request from client. If not supplied, Envoy's - default value of 15s applies. + description: |- + Timeout for receiving a response from the server after processing a request from client. + If not supplied, Envoy's default value of 15s applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string type: object @@ -5053,27 +5113,26 @@ spec: service's certificate properties: caSecret: - description: Name or namespaced name of the Kubernetes secret - used to validate the certificate presented by the backend. The - secret must contain key named ca.crt. The name can be optionally - prefixed with namespace "namespace/name". When cross-namespace - reference is used, TLSCertificateDelegation resource must exist - in the namespace to grant access to the secret. Max length should - be the actual max possible length of a namespaced name (63 + - 253 + 1 = 317) + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) maxLength: 317 minLength: 1 type: string subjectName: - description: 'Key which is expected to be present in the ''subjectAltName'' - of the presented certificate. Deprecated: migrate to using the - plural field subjectNames.' + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. maxLength: 250 minLength: 1 type: string subjectNames: - description: List of keys, of which at least one is expected to - be present in the 'subjectAltName of the presented certificate. + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the + presented certificate. items: type: string maxItems: 8 @@ -5091,75 +5150,67 @@ spec: - services type: object status: - description: ExtensionServiceStatus defines the observed state of an ExtensionService - resource. + description: |- + ExtensionServiceStatus defines the observed state of an + ExtensionService resource. properties: conditions: - description: "Conditions contains the current status of the ExtensionService - resource. \n Contour will update a single condition, `Valid`, that - is in normal-true polarity. \n Contour will not modify any other - Conditions set in this block, in case some other controller wants - to add a Condition." + description: |- + Conditions contains the current status of the ExtensionService resource. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + Contour will not modify any other Conditions set in this block, + in case some other controller wants to add a Condition. items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. - \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. \n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. properties: errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -5173,10 +5224,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -5188,32 +5239,31 @@ spec: type: object type: array lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -5227,43 +5277,42 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -5277,10 +5326,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -5313,7 +5362,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: httpproxies.projectcontour.io spec: preserveUnknownFields: false @@ -5351,14 +5400,19 @@ spec: description: HTTPProxy is an Ingress CRD specification. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -5366,28 +5420,31 @@ spec: description: HTTPProxySpec defines the spec of the CRD. properties: includes: - description: Includes allow for specific routing configuration to - be included from another HTTPProxy, possibly in another namespace. + description: |- + Includes allow for specific routing configuration to be included from another HTTPProxy, + possibly in another namespace. items: description: Include describes a set of policies that can be applied to an HTTPProxy in a namespace. properties: conditions: - description: 'Conditions are a set of rules that are applied - to included HTTPProxies. In effect, they are added onto the - Conditions of included HTTPProxy Route structs. When applied, - they are merged using AND, with one exception: There can be - only one Prefix MatchCondition per Conditions slice. More - than one Prefix, or contradictory Conditions, will make the - include invalid. Exact and Regex match conditions are not - allowed on includes.' + description: |- + Conditions are a set of rules that are applied to included HTTPProxies. + In effect, they are added onto the Conditions of included HTTPProxy Route + structs. + When applied, they are merged using AND, with one exception: + There can be only one Prefix MatchCondition per Conditions slice. + More than one Prefix, or contradictory Conditions, will make the + include invalid. Exact and Regex match conditions are not allowed + on includes. items: - description: MatchCondition are a general holder for matching - rules for HTTPProxies. One of Prefix, Exact, Regex, Header - or QueryParameter must be provided. + description: |- + MatchCondition are a general holder for matching rules for HTTPProxies. + One of Prefix, Exact, Regex, Header or QueryParameter must be provided. properties: exact: - description: Exact defines a exact match for a request. + description: |- + Exact defines a exact match for a request. This field is not allowed in include match conditions. type: string header: @@ -5395,56 +5452,58 @@ spec: match. properties: contains: - description: Contains specifies a substring that must - be present in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string that the header value must be equal to. type: string ignoreCase: - description: IgnoreCase specifies that string matching - should be case insensitive. Note that this has no - effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the header to match - against. Name is required. Header names are case - insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies a substring that - must not be present in the header value. + description: |- + NotContains specifies a substring that must not be present + in the header value. type: string notexact: - description: NoExact specifies a string that the header - value must not be equal to. The condition is true - if the header has any other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies that condition is - true when the named header is not present. Note - that setting NotPresent to false does not make the - condition true if the named header is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that condition is true - when the named header is present, regardless of - its value. Note that setting Present to false does - not make the condition true if the named header + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header is absent. type: boolean regex: - description: Regex specifies a regular expression - pattern that must match the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty specifies if the - header match rule specified header does not exist, - this header value will be treated as empty. Defaults - to false. Unlike the underlying Envoy implementation - this is **only** supported for negative matches - (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -5457,37 +5516,39 @@ spec: condition to match. properties: contains: - description: Contains specifies a substring that must - be present in the query parameter value. + description: |- + Contains specifies a substring that must be present in + the query parameter value. type: string exact: description: Exact specifies a string that the query parameter value must be equal to. type: string ignoreCase: - description: IgnoreCase specifies that string matching - should be case insensitive. Note that this has no - effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the query parameter - to match against. Name is required. Query parameter - names are case insensitive. + description: |- + Name is the name of the query parameter to match against. Name is required. + Query parameter names are case insensitive. type: string prefix: description: Prefix defines a prefix match for the query parameter value. type: string present: - description: Present specifies that condition is true - when the named query parameter is present, regardless - of its value. Note that setting Present to false - does not make the condition true if the named query - parameter is absent. + description: |- + Present specifies that condition is true when the named query parameter + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named query parameter + is absent. type: boolean regex: - description: Regex specifies a regular expression - pattern that must match the query parameter value. + description: |- + Regex specifies a regular expression pattern that must match the query + parameter value. type: string suffix: description: Suffix defines a suffix match for a query @@ -5497,7 +5558,8 @@ spec: - name type: object regex: - description: Regex defines a regex match for a request. + description: |- + Regex defines a regex match for a request. This field is not allowed in include match conditions. type: string type: object @@ -5514,10 +5576,11 @@ spec: type: object type: array ingressClassName: - description: IngressClassName optionally specifies the ingress class - to use for this HTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class` - annotation. For backwards compatibility, when that annotation is - set, it is given precedence over this field. + description: |- + IngressClassName optionally specifies the ingress class to use for this + HTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class` + annotation. For backwards compatibility, when that annotation is set, it + is given precedence over this field. type: string routes: description: Routes are the ingress routes. If TCPProxy is present, @@ -5526,38 +5589,42 @@ spec: description: Route contains the set of routes for a virtual host. properties: authPolicy: - description: AuthPolicy updates the authorization policy that - was set on the root HTTPProxy object for client requests that + description: |- + AuthPolicy updates the authorization policy that was set + on the root HTTPProxy object for client requests that match this route. properties: context: additionalProperties: type: string - description: Context is a set of key/value pairs that are - sent to the authentication server in the check request. - If a context is provided at an enclosing scope, the entries - are merged such that the inner scope overrides matching - keys from the outer scope. + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. type: object disabled: - description: When true, this field disables client request - authentication for the scope of the policy. + description: |- + When true, this field disables client request authentication + for the scope of the policy. type: boolean type: object conditions: - description: 'Conditions are a set of rules that are applied - to a Route. When applied, they are merged using AND, with - one exception: There can be only one Prefix, Exact or Regex - MatchCondition per Conditions slice. More than one of these - condition types, or contradictory Conditions, will make the - route invalid.' + description: |- + Conditions are a set of rules that are applied to a Route. + When applied, they are merged using AND, with one exception: + There can be only one Prefix, Exact or Regex MatchCondition + per Conditions slice. More than one of these condition types, + or contradictory Conditions, will make the route invalid. items: - description: MatchCondition are a general holder for matching - rules for HTTPProxies. One of Prefix, Exact, Regex, Header - or QueryParameter must be provided. + description: |- + MatchCondition are a general holder for matching rules for HTTPProxies. + One of Prefix, Exact, Regex, Header or QueryParameter must be provided. properties: exact: - description: Exact defines a exact match for a request. + description: |- + Exact defines a exact match for a request. This field is not allowed in include match conditions. type: string header: @@ -5565,56 +5632,58 @@ spec: match. properties: contains: - description: Contains specifies a substring that must - be present in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string that the header value must be equal to. type: string ignoreCase: - description: IgnoreCase specifies that string matching - should be case insensitive. Note that this has no - effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the header to match - against. Name is required. Header names are case - insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies a substring that - must not be present in the header value. + description: |- + NotContains specifies a substring that must not be present + in the header value. type: string notexact: - description: NoExact specifies a string that the header - value must not be equal to. The condition is true - if the header has any other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies that condition is - true when the named header is not present. Note - that setting NotPresent to false does not make the - condition true if the named header is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that condition is true - when the named header is present, regardless of - its value. Note that setting Present to false does - not make the condition true if the named header + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header is absent. type: boolean regex: - description: Regex specifies a regular expression - pattern that must match the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty specifies if the - header match rule specified header does not exist, - this header value will be treated as empty. Defaults - to false. Unlike the underlying Envoy implementation - this is **only** supported for negative matches - (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -5627,37 +5696,39 @@ spec: condition to match. properties: contains: - description: Contains specifies a substring that must - be present in the query parameter value. + description: |- + Contains specifies a substring that must be present in + the query parameter value. type: string exact: description: Exact specifies a string that the query parameter value must be equal to. type: string ignoreCase: - description: IgnoreCase specifies that string matching - should be case insensitive. Note that this has no - effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the query parameter - to match against. Name is required. Query parameter - names are case insensitive. + description: |- + Name is the name of the query parameter to match against. Name is required. + Query parameter names are case insensitive. type: string prefix: description: Prefix defines a prefix match for the query parameter value. type: string present: - description: Present specifies that condition is true - when the named query parameter is present, regardless - of its value. Note that setting Present to false - does not make the condition true if the named query - parameter is absent. + description: |- + Present specifies that condition is true when the named query parameter + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named query parameter + is absent. type: boolean regex: - description: Regex specifies a regular expression - pattern that must match the query parameter value. + description: |- + Regex specifies a regular expression pattern that must match the query + parameter value. type: string suffix: description: Suffix defines a suffix match for a query @@ -5667,24 +5738,28 @@ spec: - name type: object regex: - description: Regex defines a regex match for a request. + description: |- + Regex defines a regex match for a request. This field is not allowed in include match conditions. type: string type: object type: array cookieRewritePolicies: - description: The policies for rewriting Set-Cookie header attributes. - Note that rewritten cookie names must be unique in this list. - Order rewrite policies are specified in does not matter. + description: |- + The policies for rewriting Set-Cookie header attributes. Note that + rewritten cookie names must be unique in this list. Order rewrite + policies are specified in does not matter. items: properties: domainRewrite: - description: DomainRewrite enables rewriting the Set-Cookie - Domain element. If not set, Domain will not be rewritten. + description: |- + DomainRewrite enables rewriting the Set-Cookie Domain element. + If not set, Domain will not be rewritten. properties: value: - description: Value is the value to rewrite the Domain - attribute to. For now this is required. + description: |- + Value is the value to rewrite the Domain attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -5700,12 +5775,14 @@ spec: pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ type: string pathRewrite: - description: PathRewrite enables rewriting the Set-Cookie - Path element. If not set, Path will not be rewritten. + description: |- + PathRewrite enables rewriting the Set-Cookie Path element. + If not set, Path will not be rewritten. properties: value: - description: Value is the value to rewrite the Path - attribute to. For now this is required. + description: |- + Value is the value to rewrite the Path attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ @@ -5714,17 +5791,18 @@ spec: - value type: object sameSite: - description: SameSite enables rewriting the Set-Cookie - SameSite element. If not set, SameSite attribute will - not be rewritten. + description: |- + SameSite enables rewriting the Set-Cookie SameSite element. + If not set, SameSite attribute will not be rewritten. enum: - Strict - Lax - None type: string secure: - description: Secure enables rewriting the Set-Cookie Secure - element. If not set, Secure attribute will not be rewritten. + description: |- + Secure enables rewriting the Set-Cookie Secure element. + If not set, Secure attribute will not be rewritten. type: boolean required: - name @@ -5735,11 +5813,11 @@ spec: response directly. properties: body: - description: "Body is the content of the response body. - If this setting is omitted, no body is included in the - generated response. \n Note: Body is not recommended to - set too long otherwise it can have significant resource - usage impacts." + description: |- + Body is the content of the response body. + If this setting is omitted, no body is included in the generated response. + Note: Body is not recommended to set too long + otherwise it can have significant resource usage impacts. type: string statusCode: description: StatusCode is the HTTP response status to be @@ -5757,11 +5835,11 @@ spec: description: The health check policy for this route. properties: expectedStatuses: - description: The ranges of HTTP response statuses considered - healthy. Follow half-open semantics, i.e. for each range - the start is inclusive and the end is exclusive. Must - be within the range [100,600). If not specified, only - a 200 response status is considered healthy. + description: |- + The ranges of HTTP response statuses considered healthy. Follow half-open + semantics, i.e. for each range the start is inclusive and the end is exclusive. + Must be within the range [100,600). If not specified, only a 200 response status + is considered healthy. items: properties: end: @@ -5790,9 +5868,10 @@ spec: minimum: 0 type: integer host: - description: The value of the host header in the HTTP health - check request. If left empty (default value), the name - "contour-envoy-healthcheck" will be used. + description: |- + The value of the host header in the HTTP health check request. + If left empty (default value), the name "contour-envoy-healthcheck" + will be used. type: string intervalSeconds: description: The interval (seconds) between health checks @@ -5822,35 +5901,32 @@ spec: properties: allowCrossSchemeRedirect: default: Never - description: AllowCrossSchemeRedirect Allow internal redirect - to follow a target URI with a different scheme than the - value of x-forwarded-proto. SafeOnly allows same scheme - redirect and safe cross scheme redirect, which means if - the downstream scheme is HTTPS, both HTTPS and HTTP redirect - targets are allowed, but if the downstream scheme is HTTP, - only HTTP redirect targets are allowed. + description: |- + AllowCrossSchemeRedirect Allow internal redirect to follow a target URI with a different scheme + than the value of x-forwarded-proto. + SafeOnly allows same scheme redirect and safe cross scheme redirect, which means if the downstream + scheme is HTTPS, both HTTPS and HTTP redirect targets are allowed, but if the downstream scheme + is HTTP, only HTTP redirect targets are allowed. enum: - Always - Never - SafeOnly type: string denyRepeatedRouteRedirect: - description: If DenyRepeatedRouteRedirect is true, rejects - redirect targets that are pointing to a route that has - been followed by a previous redirect from the current - route. + description: |- + If DenyRepeatedRouteRedirect is true, rejects redirect targets that are pointing to a route that has + been followed by a previous redirect from the current route. type: boolean maxInternalRedirects: - description: MaxInternalRedirects An internal redirect is - not handled, unless the number of previous internal redirects - that a downstream request has encountered is lower than - this value. + description: |- + MaxInternalRedirects An internal redirect is not handled, unless the number of previous internal + redirects that a downstream request has encountered is lower than this value. format: int32 type: integer redirectResponseCodes: - description: RedirectResponseCodes If unspecified, only - 302 will be treated as internal redirect. Only 301, 302, - 303, 307 and 308 are valid values. + description: |- + RedirectResponseCodes If unspecified, only 302 will be treated as internal redirect. + Only 301, 302, 303, 307 and 308 are valid values. items: description: RedirectResponseCode is a uint32 type alias with validation to ensure that the value is valid. @@ -5865,25 +5941,26 @@ spec: type: array type: object ipAllowPolicy: - description: IPAllowFilterPolicy is a list of ipv4/6 filter - rules for which matching requests should be allowed. All other - requests will be denied. Only one of IPAllowFilterPolicy and - IPDenyFilterPolicy can be defined. The rules defined here - override any rules set on the root HTTPProxy. + description: |- + IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be allowed. All other requests will be denied. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here override any rules set on the root HTTPProxy. items: properties: cidr: - description: CIDR is a CIDR block of ipv4 or ipv6 addresses - to filter on. This can also be a bare IP address (without - a mask) to filter on exactly one address. + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. type: string source: - description: 'Source indicates how to determine the ip - address to filter on, and can be one of two values: - - `Remote` filters on the ip address of the client, - accounting for PROXY and X-Forwarded-For as needed. - - `Peer` filters on the ip of the network request, ignoring - PROXY and X-Forwarded-For.' + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. enum: - Peer - Remote @@ -5894,25 +5971,26 @@ spec: type: object type: array ipDenyPolicy: - description: IPDenyFilterPolicy is a list of ipv4/6 filter rules - for which matching requests should be denied. All other requests - will be allowed. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy - can be defined. The rules defined here override any rules - set on the root HTTPProxy. + description: |- + IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be denied. All other requests will be allowed. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here override any rules set on the root HTTPProxy. items: properties: cidr: - description: CIDR is a CIDR block of ipv4 or ipv6 addresses - to filter on. This can also be a bare IP address (without - a mask) to filter on exactly one address. + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. type: string source: - description: 'Source indicates how to determine the ip - address to filter on, and can be one of two values: - - `Remote` filters on the ip address of the client, - accounting for PROXY and X-Forwarded-For as needed. - - `Peer` filters on the ip of the network request, ignoring - PROXY and X-Forwarded-For.' + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. enum: - Peer - Remote @@ -5927,93 +6005,93 @@ spec: route. properties: disabled: - description: Disabled defines whether to disable all JWT - verification for this route. This can be used to opt specific - routes out of the default JWT provider for the HTTPProxy. - At most one of this field or the "require" field can be - specified. + description: |- + Disabled defines whether to disable all JWT verification for this + route. This can be used to opt specific routes out of the default + JWT provider for the HTTPProxy. At most one of this field or the + "require" field can be specified. type: boolean require: - description: Require names a specific JWT provider (defined - in the virtual host) to require for the route. If specified, - this field overrides the default provider if one exists. - If this field is not specified, the default provider will - be required if one exists. At most one of this field or - the "disabled" field can be specified. + description: |- + Require names a specific JWT provider (defined in the virtual host) + to require for the route. If specified, this field overrides the + default provider if one exists. If this field is not specified, + the default provider will be required if one exists. At most one of + this field or the "disabled" field can be specified. type: string type: object loadBalancerPolicy: description: The load balancing policy for this route. properties: requestHashPolicies: - description: RequestHashPolicies contains a list of hash - policies to apply when the `RequestHash` load balancing - strategy is chosen. If an element of the supplied list - of hash policies is invalid, it will be ignored. If the - list of hash policies is empty after validation, the load - balancing strategy will fall back to the default `RoundRobin`. + description: |- + RequestHashPolicies contains a list of hash policies to apply when the + `RequestHash` load balancing strategy is chosen. If an element of the + supplied list of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load balancing + strategy will fall back to the default `RoundRobin`. items: - description: RequestHashPolicy contains configuration - for an individual hash policy on a request attribute. + description: |- + RequestHashPolicy contains configuration for an individual hash policy + on a request attribute. properties: hashSourceIP: - description: HashSourceIP should be set to true when - request source IP hash based load balancing is desired. - It must be the only hash option field set, otherwise - this request hash policy object will be ignored. + description: |- + HashSourceIP should be set to true when request source IP hash based + load balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. type: boolean headerHashOptions: - description: HeaderHashOptions should be set when - request header hash based load balancing is desired. - It must be the only hash option field set, otherwise - this request hash policy object will be ignored. + description: |- + HeaderHashOptions should be set when request header hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: headerName: - description: HeaderName is the name of the HTTP - request header that will be used to calculate - the hash key. If the header specified is not - present on a request, no hash will be produced. + description: |- + HeaderName is the name of the HTTP request header that will be used to + calculate the hash key. If the header specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object queryParameterHashOptions: - description: QueryParameterHashOptions should be set - when request query parameter hash based load balancing - is desired. It must be the only hash option field - set, otherwise this request hash policy object will - be ignored. + description: |- + QueryParameterHashOptions should be set when request query parameter hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: parameterName: - description: ParameterName is the name of the - HTTP request query parameter that will be used - to calculate the hash key. If the query parameter - specified is not present on a request, no hash - will be produced. + description: |- + ParameterName is the name of the HTTP request query parameter that will be used to + calculate the hash key. If the query parameter specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object terminal: - description: Terminal is a flag that allows for short-circuiting - computing of a hash for a given request. If set - to true, and the request attribute specified in - the attribute hash options is present, no further - hash policies will be used to calculate a hash for - the request. + description: |- + Terminal is a flag that allows for short-circuiting computing of a hash + for a given request. If set to true, and the request attribute specified + in the attribute hash options is present, no further hash policies will + be used to calculate a hash for the request. type: boolean type: object type: array strategy: - description: Strategy specifies the policy used to balance - requests across the pool of backend pods. Valid policy - names are `Random`, `RoundRobin`, `WeightedLeastRequest`, - `Cookie`, and `RequestHash`. If an unknown strategy name - is specified or no policy is supplied, the default `RoundRobin` - policy is used. + description: |- + Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are + `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + and `RequestHash`. If an unknown strategy name is specified + or no policy is supplied, the default `RoundRobin` policy + is used. type: string type: object pathRewritePolicy: - description: The policy for rewriting the path of the request - URL after the request has been routed to a Service. + description: |- + The policy for rewriting the path of the request URL + after the request has been routed to a Service. properties: replacePrefix: description: ReplacePrefix describes how the path prefix @@ -6022,22 +6100,22 @@ spec: description: ReplacePrefix describes a path prefix replacement. properties: prefix: - description: "Prefix specifies the URL path prefix - to be replaced. \n If Prefix is specified, it must - exactly match the MatchCondition prefix that is - rendered by the chain of including HTTPProxies and - only that path prefix will be replaced by Replacement. - This allows HTTPProxies that are included through - multiple roots to only replace specific path prefixes, - leaving others unmodified. \n If Prefix is not specified, - all routing prefixes rendered by the include chain - will be replaced." + description: |- + Prefix specifies the URL path prefix to be replaced. + If Prefix is specified, it must exactly match the MatchCondition + prefix that is rendered by the chain of including HTTPProxies + and only that path prefix will be replaced by Replacement. + This allows HTTPProxies that are included through multiple + roots to only replace specific path prefixes, leaving others + unmodified. + If Prefix is not specified, all routing prefixes rendered + by the include chain will be replaced. minLength: 1 type: string replacement: - description: Replacement is the string that the routing - path prefix will be replaced with. This must not - be empty. + description: |- + Replacement is the string that the routing path prefix + will be replaced with. This must not be empty. minLength: 1 type: string required: @@ -6046,24 +6124,24 @@ spec: type: array type: object permitInsecure: - description: Allow this path to respond to insecure requests - over HTTP which are normally not permitted when a `virtualhost.tls` - block is present. + description: |- + Allow this path to respond to insecure requests over HTTP which are normally + not permitted when a `virtualhost.tls` block is present. type: boolean rateLimitPolicy: description: The policy for rate limiting on the route. properties: global: - description: Global defines global rate limiting parameters, - i.e. parameters defining descriptors that are sent to - an external rate limit service (RLS) for a rate limit - decision on each request. + description: |- + Global defines global rate limiting parameters, i.e. parameters + defining descriptors that are sent to an external rate limit + service (RLS) for a rate limit decision on each request. properties: descriptors: - description: Descriptors defines the list of descriptors - that will be generated and sent to the rate limit - service. Each descriptor contains 1+ key-value pair - entries. + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries. items: description: RateLimitDescriptor defines a list of key-value pair generators. @@ -6072,18 +6150,18 @@ spec: description: Entries is the list of key-value pair generators. items: - description: RateLimitDescriptorEntry is a key-value - pair generator. Exactly one field on this - struct must be non-nil. + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. properties: genericKey: description: GenericKey defines a descriptor entry with a static key and value. properties: key: - description: Key defines the key of - the descriptor entry. If not set, - the key is set to "generic_key". + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". type: string value: description: Value defines the value @@ -6092,17 +6170,15 @@ spec: type: string type: object remoteAddress: - description: RemoteAddress defines a descriptor - entry with a key of "remote_address" and - a value equal to the client's IP address - (from x-forwarded-for). + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). type: object requestHeader: - description: RequestHeader defines a descriptor - entry that's populated only if a given - header is present on the request. The - descriptor key is static, and the descriptor - value is equal to the value of the header. + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. properties: descriptorKey: description: DescriptorKey defines the @@ -6117,44 +6193,36 @@ spec: type: string type: object requestHeaderValueMatch: - description: RequestHeaderValueMatch defines - a descriptor entry that's populated if - the request's headers match a set of 1+ - match criteria. The descriptor key is - "header_match", and the descriptor value - is static. + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. properties: expectMatch: default: true - description: ExpectMatch defines whether - the request must positively match - the match criteria in order to generate - a descriptor entry (i.e. true), or - not match the match criteria in order - to generate a descriptor entry (i.e. - false). The default is true. + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). + The default is true. type: boolean headers: - description: Headers is a list of 1+ - match criteria to apply against the - request to determine whether to populate - the descriptor entry or not. + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. items: - description: HeaderMatchCondition - specifies how to conditionally match - against HTTP headers. The Name field - is required, only one of Present, - NotPresent, Contains, NotContains, - Exact, NotExact and Regex can be - set. For negative matching rules - only (e.g. NotContains or NotExact) - you can set TreatMissingAsEmpty. + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. IgnoreCase has no effect for Regex. properties: contains: - description: Contains specifies - a substring that must be present - in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a @@ -6162,64 +6230,49 @@ spec: must be equal to. type: string ignoreCase: - description: IgnoreCase specifies - that string matching should - be case insensitive. Note that - this has no effect on the Regex - parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name - of the header to match against. - Name is required. Header names - are case insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies - a substring that must not be - present in the header value. + description: |- + NotContains specifies a substring that must not be present + in the header value. type: string notexact: - description: NoExact specifies - a string that the header value - must not be equal to. The condition - is true if the header has any - other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies - that condition is true when - the named header is not present. - Note that setting NotPresent - to false does not make the condition - true if the named header is - present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies - that condition is true when - the named header is present, - regardless of its value. Note - that setting Present to false - does not make the condition - true if the named header is - absent. + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. type: boolean regex: - description: Regex specifies a - regular expression pattern that - must match the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty - specifies if the header match - rule specified header does not - exist, this header value will - be treated as empty. Defaults - to false. Unlike the underlying - Envoy implementation this is - **only** supported for negative - matches (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -6239,32 +6292,34 @@ spec: minItems: 1 type: array disabled: - description: Disabled configures the HTTPProxy to not - use the default global rate limit policy defined by - the Contour configuration. + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. type: boolean type: object local: - description: Local defines local rate limiting parameters, - i.e. parameters for rate limiting that occurs within each - Envoy pod as requests are handled. + description: |- + Local defines local rate limiting parameters, i.e. parameters + for rate limiting that occurs within each Envoy pod as requests + are handled. properties: burst: - description: Burst defines the number of requests above - the requests per unit that should be allowed within - a short period of time. + description: |- + Burst defines the number of requests above the requests per + unit that should be allowed within a short period of time. format: int32 type: integer requests: - description: Requests defines how many requests per - unit of time should be allowed before rate limiting - occurs. + description: |- + Requests defines how many requests per unit of time should + be allowed before rate limiting occurs. format: int32 minimum: 1 type: integer responseHeadersToAdd: - description: ResponseHeadersToAdd is an optional list - of response headers to set when a request is rate-limited. + description: |- + ResponseHeadersToAdd is an optional list of response headers to + set when a request is rate-limited. items: description: HeaderValue represents a header name/value pair @@ -6284,18 +6339,20 @@ spec: type: object type: array responseStatusCode: - description: ResponseStatusCode is the HTTP status code - to use for responses to rate-limited requests. Codes - must be in the 400-599 range (inclusive). If not specified, - the Envoy default of 429 (Too Many Requests) is used. + description: |- + ResponseStatusCode is the HTTP status code to use for responses + to rate-limited requests. Codes must be in the 400-599 range + (inclusive). If not specified, the Envoy default of 429 (Too + Many Requests) is used. format: int32 maximum: 599 minimum: 400 type: integer unit: - description: Unit defines the period of time within - which requests over the limit will be rate limited. - Valid values are "second", "minute" and "hour". + description: |- + Unit defines the period of time within which requests + over the limit will be rate limited. Valid values are + "second", "minute" and "hour". enum: - second - minute @@ -6307,15 +6364,16 @@ spec: type: object type: object requestHeadersPolicy: - description: "The policy for managing request headers during - proxying. \n You may dynamically rewrite the Host header to - be forwarded upstream to the content of a request header using - the below format \"%REQ(X-Header-Name)%\". If the value of - the header is empty, it is ignored. \n *NOTE: Pay attention - to the potential security implications of using this option. - Provided header must come from trusted source. \n **NOTE: - The header rewrite is only done while forwarding and has no - bearing on the routing decision." + description: |- + The policy for managing request headers during proxying. + You may dynamically rewrite the Host header to be forwarded + upstream to the content of a request header using + the below format "%REQ(X-Header-Name)%". If the value of the header + is empty, it is ignored. + *NOTE: Pay attention to the potential security implications of using this option. + Provided header must come from trusted source. + **NOTE: The header rewrite is only done while forwarding and has no bearing + on the routing decision. properties: remove: description: Remove specifies a list of HTTP header names @@ -6324,10 +6382,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header does - not exist it will be added, otherwise it will be overwritten - with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -6351,39 +6408,44 @@ spec: description: RequestRedirectPolicy defines an HTTP redirection. properties: hostname: - description: Hostname is the precise hostname to be used - in the value of the `Location` header in the response. - When empty, the hostname of the request is used. No wildcards - are allowed. + description: |- + Hostname is the precise hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname of the request is used. + No wildcards are allowed. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string path: - description: "Path allows for redirection to a different - path from the original on the request. The path must start - with a leading slash. \n Note: Only one of Path or Prefix - can be defined." + description: |- + Path allows for redirection to a different path from the + original on the request. The path must start with a + leading slash. + Note: Only one of Path or Prefix can be defined. pattern: ^\/.*$ type: string port: - description: Port is the port to be used in the value of - the `Location` header in the response. When empty, port - (if specified) of the request is used. + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + When empty, port (if specified) of the request is used. format: int32 maximum: 65535 minimum: 1 type: integer prefix: - description: "Prefix defines the value to swap the matched - prefix or path with. The prefix must start with a leading - slash. \n Note: Only one of Path or Prefix can be defined." + description: |- + Prefix defines the value to swap the matched prefix or path with. + The prefix must start with a leading slash. + Note: Only one of Path or Prefix can be defined. pattern: ^\/.*$ type: string scheme: - description: Scheme is the scheme to be used in the value - of the `Location` header in the response. When empty, - the scheme of the request is used. + description: |- + Scheme is the scheme to be used in the value of the `Location` + header in the response. + When empty, the scheme of the request is used. enum: - http - https @@ -6398,8 +6460,9 @@ spec: type: integer type: object responseHeadersPolicy: - description: The policy for managing response headers during - proxying. Rewriting the 'Host' header is not supported. + description: |- + The policy for managing response headers during proxying. + Rewriting the 'Host' header is not supported. properties: remove: description: Remove specifies a list of HTTP header names @@ -6408,10 +6471,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header does - not exist it will be added, otherwise it will be overwritten - with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -6436,35 +6498,46 @@ spec: properties: count: default: 1 - description: NumRetries is maximum allowed number of retries. - If set to -1, then retries are disabled. If set to 0 or - not supplied, the value is set to the Envoy default of - 1. + description: |- + NumRetries is maximum allowed number of retries. + If set to -1, then retries are disabled. + If set to 0 or not supplied, the value is set + to the Envoy default of 1. format: int64 minimum: -1 type: integer perTryTimeout: - description: PerTryTimeout specifies the timeout per retry - attempt. Ignored if NumRetries is not supplied. + description: |- + PerTryTimeout specifies the timeout per retry attempt. + Ignored if NumRetries is not supplied. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string retriableStatusCodes: - description: "RetriableStatusCodes specifies the HTTP status - codes that should be retried. \n This field is only respected - when you include `retriable-status-codes` in the `RetryOn` - field." + description: |- + RetriableStatusCodes specifies the HTTP status codes that should be retried. + This field is only respected when you include `retriable-status-codes` in the `RetryOn` field. items: format: int32 type: integer type: array retryOn: - description: "RetryOn specifies the conditions on which - to retry a request. \n Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on): - \n - `5xx` - `gateway-error` - `reset` - `connect-failure` - - `retriable-4xx` - `refused-stream` - `retriable-status-codes` - - `retriable-headers` \n Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on): - \n - `cancelled` - `deadline-exceeded` - `internal` - - `resource-exhausted` - `unavailable`" + description: |- + RetryOn specifies the conditions on which to retry a request. + Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on): + - `5xx` + - `gateway-error` + - `reset` + - `connect-failure` + - `retriable-4xx` + - `refused-stream` + - `retriable-status-codes` + - `retriable-headers` + Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on): + - `cancelled` + - `deadline-exceeded` + - `internal` + - `resource-exhausted` + - `unavailable` items: description: RetryOn is a string type alias with validation to ensure that the value is valid. @@ -6497,13 +6570,14 @@ spec: items: properties: domainRewrite: - description: DomainRewrite enables rewriting the - Set-Cookie Domain element. If not set, Domain - will not be rewritten. + description: |- + DomainRewrite enables rewriting the Set-Cookie Domain element. + If not set, Domain will not be rewritten. properties: value: - description: Value is the value to rewrite the - Domain attribute to. For now this is required. + description: |- + Value is the value to rewrite the Domain attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -6519,12 +6593,14 @@ spec: pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ type: string pathRewrite: - description: PathRewrite enables rewriting the Set-Cookie - Path element. If not set, Path will not be rewritten. + description: |- + PathRewrite enables rewriting the Set-Cookie Path element. + If not set, Path will not be rewritten. properties: value: - description: Value is the value to rewrite the - Path attribute to. For now this is required. + description: |- + Value is the value to rewrite the Path attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ @@ -6533,45 +6609,43 @@ spec: - value type: object sameSite: - description: SameSite enables rewriting the Set-Cookie - SameSite element. If not set, SameSite attribute - will not be rewritten. + description: |- + SameSite enables rewriting the Set-Cookie SameSite element. + If not set, SameSite attribute will not be rewritten. enum: - Strict - Lax - None type: string secure: - description: Secure enables rewriting the Set-Cookie - Secure element. If not set, Secure attribute will - not be rewritten. + description: |- + Secure enables rewriting the Set-Cookie Secure element. + If not set, Secure attribute will not be rewritten. type: boolean required: - name type: object type: array healthPort: - description: HealthPort is the port for this service healthcheck. + description: |- + HealthPort is the port for this service healthcheck. If not specified, Port is used for service healthchecks. maximum: 65535 minimum: 1 type: integer mirror: - description: 'If Mirror is true the Service will receive - a read only mirror of the traffic for this route. If - Mirror is true, then fractional mirroring can be enabled - by optionally setting the Weight field. Legal values - for Weight are 1-100. Omitting the Weight field will - result in 100% mirroring. NOTE: Setting Weight explicitly - to 0 will unexpectedly result in 100% traffic mirroring. - This occurs since we cannot distinguish omitted fields - from those explicitly set to their default values' + description: |- + If Mirror is true the Service will receive a read only mirror of the traffic for this route. + If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight + field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring. + NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This + occurs since we cannot distinguish omitted fields from those explicitly set to their default + values type: boolean name: - description: Name is the name of Kubernetes service to - proxy traffic. Names defined here will be used to look - up corresponding endpoints which contain the ips to - route. + description: |- + Name is the name of Kubernetes service to proxy traffic. + Names defined here will be used to look up corresponding endpoints which contain the ips to route. type: string port: description: Port (defined as Integer) to proxy traffic @@ -6581,10 +6655,9 @@ spec: minimum: 1 type: integer protocol: - description: Protocol may be used to specify (or override) - the protocol used to reach this Service. Values may - be tls, h2, h2c. If omitted, protocol-selection falls - back on Service annotations. + description: |- + Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations. enum: - h2 - h2c @@ -6601,10 +6674,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -6625,9 +6697,9 @@ spec: type: array type: object responseHeadersPolicy: - description: The policy for managing response headers - during proxying. Rewriting the 'Host' header is not - supported. + description: |- + The policy for managing response headers during proxying. + Rewriting the 'Host' header is not supported. properties: remove: description: Remove specifies a list of HTTP header @@ -6636,10 +6708,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -6665,32 +6736,29 @@ spec: properties: aggression: default: "1.0" - description: "The speed of traffic increase over the - slow start window. Defaults to 1.0, so that endpoint - would get linearly increasing amount of traffic. - When increasing the value for this parameter, the - speed of traffic ramp-up increases non-linearly. - The value of aggression parameter should be greater - than 0.0. \n More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start" + description: |- + The speed of traffic increase over the slow start window. + Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic. + When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly. + The value of aggression parameter should be greater than 0.0. + More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start pattern: ^([0-9]+([.][0-9]+)?|[.][0-9]+)$ type: string minWeightPercent: default: 10 - description: The minimum or starting percentage of - traffic to send to new endpoints. A non-zero value - helps avoid a too small initial weight, which may - cause endpoints in slow start mode to receive no - traffic in the beginning of the slow start window. + description: |- + The minimum or starting percentage of traffic to send to new endpoints. + A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window. If not specified, the default is 10%. format: int32 maximum: 100 minimum: 0 type: integer window: - description: The duration of slow start window. Duration - is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", - "s", "m", "h". + description: |- + The duration of slow start window. + Duration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ type: string required: @@ -6701,29 +6769,26 @@ spec: the backend service's certificate properties: caSecret: - description: Name or namespaced name of the Kubernetes - secret used to validate the certificate presented - by the backend. The secret must contain key named - ca.crt. The name can be optionally prefixed with - namespace "namespace/name". When cross-namespace - reference is used, TLSCertificateDelegation resource - must exist in the namespace to grant access to the - secret. Max length should be the actual max possible - length of a namespaced name (63 + 253 + 1 = 317) + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) maxLength: 317 minLength: 1 type: string subjectName: - description: 'Key which is expected to be present - in the ''subjectAltName'' of the presented certificate. - Deprecated: migrate to using the plural field subjectNames.' + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. maxLength: 250 minLength: 1 type: string subjectNames: - description: List of keys, of which at least one is - expected to be present in the 'subjectAltName of - the presented certificate. + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the + presented certificate. items: type: string maxItems: 8 @@ -6752,26 +6817,23 @@ spec: description: The timeout policy for this route. properties: idle: - description: Timeout for how long the proxy should wait - while there is no activity during single request/response - (for HTTP/1.1) or stream (for HTTP/2). Timeout will not - trigger while HTTP/1.1 connection is idle between two - consecutive requests. If not specified, there is no per-route - idle timeout, though a connection manager-wide stream_idle_timeout - default of 5m still applies. + description: |- + Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2). + Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests. + If not specified, there is no per-route idle timeout, though a connection manager-wide + stream_idle_timeout default of 5m still applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string idleConnection: - description: Timeout for how long connection from the proxy - to the upstream service is kept when there are no active - requests. If not supplied, Envoy's default value of 1h - applies. + description: |- + Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests. + If not supplied, Envoy's default value of 1h applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string response: - description: Timeout for receiving a response from the server - after processing a request from client. If not supplied, - Envoy's default value of 15s applies. + description: |- + Timeout for receiving a response from the server after processing a request from client. + If not supplied, Envoy's default value of 15s applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string type: object @@ -6818,11 +6880,10 @@ spec: - name type: object includes: - description: "IncludesDeprecated allow for specific routing configuration - to be appended to another HTTPProxy in another namespace. \n - Exists due to a mistake when developing HTTPProxy and the field - was marked plural when it should have been singular. This field - should stay to not break backwards compatibility to v1 users." + description: |- + IncludesDeprecated allow for specific routing configuration to be appended to another HTTPProxy in another namespace. + Exists due to a mistake when developing HTTPProxy and the field was marked plural + when it should have been singular. This field should stay to not break backwards compatibility to v1 users. properties: name: description: Name of the child HTTPProxy @@ -6835,69 +6896,71 @@ spec: - name type: object loadBalancerPolicy: - description: The load balancing policy for the backend services. - Note that the `Cookie` and `RequestHash` load balancing strategies - cannot be used here. + description: |- + The load balancing policy for the backend services. Note that the + `Cookie` and `RequestHash` load balancing strategies cannot be used + here. properties: requestHashPolicies: - description: RequestHashPolicies contains a list of hash policies - to apply when the `RequestHash` load balancing strategy - is chosen. If an element of the supplied list of hash policies - is invalid, it will be ignored. If the list of hash policies - is empty after validation, the load balancing strategy will - fall back to the default `RoundRobin`. + description: |- + RequestHashPolicies contains a list of hash policies to apply when the + `RequestHash` load balancing strategy is chosen. If an element of the + supplied list of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load balancing + strategy will fall back to the default `RoundRobin`. items: - description: RequestHashPolicy contains configuration for - an individual hash policy on a request attribute. + description: |- + RequestHashPolicy contains configuration for an individual hash policy + on a request attribute. properties: hashSourceIP: - description: HashSourceIP should be set to true when - request source IP hash based load balancing is desired. - It must be the only hash option field set, otherwise - this request hash policy object will be ignored. + description: |- + HashSourceIP should be set to true when request source IP hash based + load balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. type: boolean headerHashOptions: - description: HeaderHashOptions should be set when request - header hash based load balancing is desired. It must - be the only hash option field set, otherwise this - request hash policy object will be ignored. + description: |- + HeaderHashOptions should be set when request header hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: headerName: - description: HeaderName is the name of the HTTP - request header that will be used to calculate - the hash key. If the header specified is not present - on a request, no hash will be produced. + description: |- + HeaderName is the name of the HTTP request header that will be used to + calculate the hash key. If the header specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object queryParameterHashOptions: - description: QueryParameterHashOptions should be set - when request query parameter hash based load balancing - is desired. It must be the only hash option field - set, otherwise this request hash policy object will - be ignored. + description: |- + QueryParameterHashOptions should be set when request query parameter hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: parameterName: - description: ParameterName is the name of the HTTP - request query parameter that will be used to calculate - the hash key. If the query parameter specified - is not present on a request, no hash will be produced. + description: |- + ParameterName is the name of the HTTP request query parameter that will be used to + calculate the hash key. If the query parameter specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object terminal: - description: Terminal is a flag that allows for short-circuiting - computing of a hash for a given request. If set to - true, and the request attribute specified in the attribute - hash options is present, no further hash policies - will be used to calculate a hash for the request. + description: |- + Terminal is a flag that allows for short-circuiting computing of a hash + for a given request. If set to true, and the request attribute specified + in the attribute hash options is present, no further hash policies will + be used to calculate a hash for the request. type: boolean type: object type: array strategy: - description: Strategy specifies the policy used to balance - requests across the pool of backend pods. Valid policy names - are `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + description: |- + Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are + `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, and `RequestHash`. If an unknown strategy name is specified or no policy is supplied, the default `RoundRobin` policy is used. @@ -6915,12 +6978,14 @@ spec: items: properties: domainRewrite: - description: DomainRewrite enables rewriting the Set-Cookie - Domain element. If not set, Domain will not be rewritten. + description: |- + DomainRewrite enables rewriting the Set-Cookie Domain element. + If not set, Domain will not be rewritten. properties: value: - description: Value is the value to rewrite the - Domain attribute to. For now this is required. + description: |- + Value is the value to rewrite the Domain attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -6936,12 +7001,14 @@ spec: pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ type: string pathRewrite: - description: PathRewrite enables rewriting the Set-Cookie - Path element. If not set, Path will not be rewritten. + description: |- + PathRewrite enables rewriting the Set-Cookie Path element. + If not set, Path will not be rewritten. properties: value: - description: Value is the value to rewrite the - Path attribute to. For now this is required. + description: |- + Value is the value to rewrite the Path attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ @@ -6950,44 +7017,43 @@ spec: - value type: object sameSite: - description: SameSite enables rewriting the Set-Cookie - SameSite element. If not set, SameSite attribute - will not be rewritten. + description: |- + SameSite enables rewriting the Set-Cookie SameSite element. + If not set, SameSite attribute will not be rewritten. enum: - Strict - Lax - None type: string secure: - description: Secure enables rewriting the Set-Cookie - Secure element. If not set, Secure attribute will - not be rewritten. + description: |- + Secure enables rewriting the Set-Cookie Secure element. + If not set, Secure attribute will not be rewritten. type: boolean required: - name type: object type: array healthPort: - description: HealthPort is the port for this service healthcheck. + description: |- + HealthPort is the port for this service healthcheck. If not specified, Port is used for service healthchecks. maximum: 65535 minimum: 1 type: integer mirror: - description: 'If Mirror is true the Service will receive - a read only mirror of the traffic for this route. If Mirror - is true, then fractional mirroring can be enabled by optionally - setting the Weight field. Legal values for Weight are - 1-100. Omitting the Weight field will result in 100% mirroring. - NOTE: Setting Weight explicitly to 0 will unexpectedly - result in 100% traffic mirroring. This occurs since we - cannot distinguish omitted fields from those explicitly - set to their default values' + description: |- + If Mirror is true the Service will receive a read only mirror of the traffic for this route. + If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight + field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring. + NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This + occurs since we cannot distinguish omitted fields from those explicitly set to their default + values type: boolean name: - description: Name is the name of Kubernetes service to proxy - traffic. Names defined here will be used to look up corresponding - endpoints which contain the ips to route. + description: |- + Name is the name of Kubernetes service to proxy traffic. + Names defined here will be used to look up corresponding endpoints which contain the ips to route. type: string port: description: Port (defined as Integer) to proxy traffic @@ -6997,10 +7063,9 @@ spec: minimum: 1 type: integer protocol: - description: Protocol may be used to specify (or override) - the protocol used to reach this Service. Values may be - tls, h2, h2c. If omitted, protocol-selection falls back - on Service annotations. + description: |- + Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations. enum: - h2 - h2c @@ -7017,10 +7082,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -7041,8 +7105,9 @@ spec: type: array type: object responseHeadersPolicy: - description: The policy for managing response headers during - proxying. Rewriting the 'Host' header is not supported. + description: |- + The policy for managing response headers during proxying. + Rewriting the 'Host' header is not supported. properties: remove: description: Remove specifies a list of HTTP header @@ -7051,10 +7116,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -7080,32 +7144,29 @@ spec: properties: aggression: default: "1.0" - description: "The speed of traffic increase over the - slow start window. Defaults to 1.0, so that endpoint - would get linearly increasing amount of traffic. When - increasing the value for this parameter, the speed - of traffic ramp-up increases non-linearly. The value - of aggression parameter should be greater than 0.0. - \n More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start" + description: |- + The speed of traffic increase over the slow start window. + Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic. + When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly. + The value of aggression parameter should be greater than 0.0. + More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start pattern: ^([0-9]+([.][0-9]+)?|[.][0-9]+)$ type: string minWeightPercent: default: 10 - description: The minimum or starting percentage of traffic - to send to new endpoints. A non-zero value helps avoid - a too small initial weight, which may cause endpoints - in slow start mode to receive no traffic in the beginning - of the slow start window. If not specified, the default - is 10%. + description: |- + The minimum or starting percentage of traffic to send to new endpoints. + A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window. + If not specified, the default is 10%. format: int32 maximum: 100 minimum: 0 type: integer window: - description: The duration of slow start window. Duration - is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", - "m", "h". + description: |- + The duration of slow start window. + Duration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ type: string required: @@ -7116,28 +7177,25 @@ spec: backend service's certificate properties: caSecret: - description: Name or namespaced name of the Kubernetes - secret used to validate the certificate presented - by the backend. The secret must contain key named - ca.crt. The name can be optionally prefixed with namespace - "namespace/name". When cross-namespace reference is - used, TLSCertificateDelegation resource must exist - in the namespace to grant access to the secret. Max - length should be the actual max possible length of - a namespaced name (63 + 253 + 1 = 317) + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) maxLength: 317 minLength: 1 type: string subjectName: - description: 'Key which is expected to be present in - the ''subjectAltName'' of the presented certificate. - Deprecated: migrate to using the plural field subjectNames.' + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. maxLength: 250 minLength: 1 type: string subjectNames: - description: List of keys, of which at least one is - expected to be present in the 'subjectAltName of the + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the presented certificate. items: type: string @@ -7165,34 +7223,38 @@ spec: type: array type: object virtualhost: - description: Virtualhost appears at most once. If it is present, the - object is considered to be a "root" HTTPProxy. + description: |- + Virtualhost appears at most once. If it is present, the object is considered + to be a "root" HTTPProxy. properties: authorization: - description: This field configures an extension service to perform - authorization for this virtual host. Authorization can only - be configured on virtual hosts that have TLS enabled. If the - TLS configuration requires client certificate validation, the - client certificate is always included in the authentication - check request. + description: |- + This field configures an extension service to perform + authorization for this virtual host. Authorization can + only be configured on virtual hosts that have TLS enabled. + If the TLS configuration requires client certificate + validation, the client certificate is always included in the + authentication check request. properties: authPolicy: - description: AuthPolicy sets a default authorization policy - for client requests. This policy will be used unless overridden - by individual routes. + description: |- + AuthPolicy sets a default authorization policy for client requests. + This policy will be used unless overridden by individual routes. properties: context: additionalProperties: type: string - description: Context is a set of key/value pairs that - are sent to the authentication server in the check request. - If a context is provided at an enclosing scope, the - entries are merged such that the inner scope overrides - matching keys from the outer scope. + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. type: object disabled: - description: When true, this field disables client request - authentication for the scope of the policy. + description: |- + When true, this field disables client request authentication + for the scope of the policy. type: boolean type: object extensionRef: @@ -7200,36 +7262,38 @@ spec: that will authorize client requests. properties: apiVersion: - description: API version of the referent. If this field - is not specified, the default "projectcontour.io/v1alpha1" - will be used + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used minLength: 1 type: string name: - description: "Name of the referent. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names minLength: 1 type: string namespace: - description: "Namespace of the referent. If this field - is not specifies, the namespace of the resource that - targets the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ minLength: 1 type: string type: object failOpen: - description: If FailOpen is true, the client request is forwarded - to the upstream service even if the authorization server - fails to respond. This field should not be set in most cases. - It is intended for use only while migrating applications + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the authorization server fails to respond. This field should not be + set in most cases. It is intended for use only while migrating applications from internal authorization to Contour external authorization. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time to wait - for a check response from the authorization server. Timeout - durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", - "h". The string "infinity" is also a valid input and specifies - no timeout. + description: |- + ResponseTimeout configures maximum time to wait for a check response from the authorization server. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string withRequestBody: @@ -7281,20 +7345,21 @@ spec: minItems: 1 type: array allowOrigin: - description: AllowOrigin specifies the origins that will be - allowed to do CORS requests. Allowed values include "*" - which signifies any origin is allowed, an exact origin of - the form "scheme://host[:port]" (where port is optional), - or a valid regex pattern. Note that regex patterns are validated - and a simple "glob" pattern (e.g. *.foo.com) will be rejected - or produce unexpected matches when applied as a regex. + description: |- + AllowOrigin specifies the origins that will be allowed to do CORS requests. + Allowed values include "*" which signifies any origin is allowed, an exact + origin of the form "scheme://host[:port]" (where port is optional), or a valid + regex pattern. + Note that regex patterns are validated and a simple "glob" pattern (e.g. *.foo.com) + will be rejected or produce unexpected matches when applied as a regex. items: type: string minItems: 1 type: array allowPrivateNetwork: - description: AllowPrivateNetwork specifies whether to allow - private network requests. See https://developer.chrome.com/blog/private-network-access-preflight. + description: |- + AllowPrivateNetwork specifies whether to allow private network requests. + See https://developer.chrome.com/blog/private-network-access-preflight. type: boolean exposeHeaders: description: ExposeHeaders Specifies the content for the *access-control-expose-headers* @@ -7307,13 +7372,12 @@ spec: minItems: 1 type: array maxAge: - description: MaxAge indicates for how long the results of - a preflight request can be cached. MaxAge durations are - expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", - "h". Only positive values are allowed while 0 disables the - cache requiring a preflight OPTIONS check for all cross-origin - requests. + description: |- + MaxAge indicates for how long the results of a preflight request can be cached. + MaxAge durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + Only positive values are allowed while 0 disables the cache requiring a preflight OPTIONS + check for all cross-origin requests. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|0)$ type: string required: @@ -7321,30 +7385,32 @@ spec: - allowOrigin type: object fqdn: - description: The fully qualified domain name of the root of the - ingress tree all leaves of the DAG rooted at this object relate - to the fqdn. + description: |- + The fully qualified domain name of the root of the ingress tree + all leaves of the DAG rooted at this object relate to the fqdn. pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string ipAllowPolicy: - description: IPAllowFilterPolicy is a list of ipv4/6 filter rules - for which matching requests should be allowed. All other requests - will be denied. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy - can be defined. The rules defined here may be overridden in - a Route. + description: |- + IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be allowed. All other requests will be denied. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here may be overridden in a Route. items: properties: cidr: - description: CIDR is a CIDR block of ipv4 or ipv6 addresses - to filter on. This can also be a bare IP address (without - a mask) to filter on exactly one address. + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. type: string source: - description: 'Source indicates how to determine the ip address - to filter on, and can be one of two values: - `Remote` - filters on the ip address of the client, accounting for - PROXY and X-Forwarded-For as needed. - `Peer` filters - on the ip of the network request, ignoring PROXY and X-Forwarded-For.' + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. enum: - Peer - Remote @@ -7355,24 +7421,26 @@ spec: type: object type: array ipDenyPolicy: - description: IPDenyFilterPolicy is a list of ipv4/6 filter rules - for which matching requests should be denied. All other requests - will be allowed. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy - can be defined. The rules defined here may be overridden in - a Route. + description: |- + IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be denied. All other requests will be allowed. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here may be overridden in a Route. items: properties: cidr: - description: CIDR is a CIDR block of ipv4 or ipv6 addresses - to filter on. This can also be a bare IP address (without - a mask) to filter on exactly one address. + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. type: string source: - description: 'Source indicates how to determine the ip address - to filter on, and can be one of two values: - `Remote` - filters on the ip address of the client, accounting for - PROXY and X-Forwarded-For as needed. - `Peer` filters - on the ip of the network request, ignoring PROXY and X-Forwarded-For.' + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. enum: - Peer - Remote @@ -7389,27 +7457,31 @@ spec: description: JWTProvider defines how to verify JWTs on requests. properties: audiences: - description: Audiences that JWTs are allowed to have in - the "aud" field. If not provided, JWT audiences are not - checked. + description: |- + Audiences that JWTs are allowed to have in the "aud" field. + If not provided, JWT audiences are not checked. items: type: string type: array default: - description: Whether the provider should apply to all routes - in the HTTPProxy/its includes by default. At most one - provider can be marked as the default. If no provider - is marked as the default, individual routes must explicitly + description: |- + Whether the provider should apply to all + routes in the HTTPProxy/its includes by + default. At most one provider can be marked + as the default. If no provider is marked + as the default, individual routes must explicitly identify the provider they require. type: boolean forwardJWT: - description: Whether the JWT should be forwarded to the - backend service after successful verification. By default, + description: |- + Whether the JWT should be forwarded to the backend + service after successful verification. By default, the JWT is not forwarded. type: boolean issuer: - description: Issuer that JWTs are required to have in the - "iss" field. If not provided, JWT issuers are not checked. + description: |- + Issuer that JWTs are required to have in the "iss" field. + If not provided, JWT issuers are not checked. type: string name: description: Unique name for the provider. @@ -7419,33 +7491,34 @@ spec: description: Remote JWKS to use for verifying JWT signatures. properties: cacheDuration: - description: How long to cache the JWKS locally. If - not specified, Envoy's default of 5m applies. + description: |- + How long to cache the JWKS locally. If not specified, + Envoy's default of 5m applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ type: string dnsLookupFamily: - description: "The DNS IP address resolution policy for - the JWKS URI. When configured as \"v4\", the DNS resolver - will only perform a lookup for addresses in the IPv4 - family. If \"v6\" is configured, the DNS resolver - will only perform a lookup for addresses in the IPv6 - family. If \"all\" is configured, the DNS resolver - will perform a lookup for addresses in both the IPv4 - and IPv6 family. If \"auto\" is configured, the DNS - resolver will first perform a lookup for addresses - in the IPv6 family and fallback to a lookup for addresses - in the IPv4 family. If not specified, the Contour-wide - setting defined in the config file or ContourConfiguration - applies (defaults to \"auto\"). \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily - for more information." + description: |- + The DNS IP address resolution policy for the JWKS URI. + When configured as "v4", the DNS resolver will only perform a lookup + for addresses in the IPv4 family. If "v6" is configured, the DNS resolver + will only perform a lookup for addresses in the IPv6 family. + If "all" is configured, the DNS resolver + will perform a lookup for addresses in both the IPv4 and IPv6 family. + If "auto" is configured, the DNS resolver will first perform a lookup + for addresses in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. If not specified, the Contour-wide setting defined + in the config file or ContourConfiguration applies (defaults to "auto"). + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. enum: - auto - v4 - v6 type: string timeout: - description: How long to wait for a response from the - URI. If not specified, a default of 1s applies. + description: |- + How long to wait for a response from the URI. + If not specified, a default of 1s applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ type: string uri: @@ -7457,31 +7530,26 @@ spec: the JWKS's TLS certificate. properties: caSecret: - description: Name or namespaced name of the Kubernetes - secret used to validate the certificate presented - by the backend. The secret must contain key named - ca.crt. The name can be optionally prefixed with - namespace "namespace/name". When cross-namespace - reference is used, TLSCertificateDelegation resource - must exist in the namespace to grant access to - the secret. Max length should be the actual max - possible length of a namespaced name (63 + 253 - + 1 = 317) + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) maxLength: 317 minLength: 1 type: string subjectName: - description: 'Key which is expected to be present - in the ''subjectAltName'' of the presented certificate. - Deprecated: migrate to using the plural field - subjectNames.' + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. maxLength: 250 minLength: 1 type: string subjectNames: - description: List of keys, of which at least one - is expected to be present in the 'subjectAltName - of the presented certificate. + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the + presented certificate. items: type: string maxItems: 8 @@ -7508,15 +7576,16 @@ spec: description: The policy for rate limiting on the virtual host. properties: global: - description: Global defines global rate limiting parameters, - i.e. parameters defining descriptors that are sent to an - external rate limit service (RLS) for a rate limit decision - on each request. + description: |- + Global defines global rate limiting parameters, i.e. parameters + defining descriptors that are sent to an external rate limit + service (RLS) for a rate limit decision on each request. properties: descriptors: - description: Descriptors defines the list of descriptors - that will be generated and sent to the rate limit service. - Each descriptor contains 1+ key-value pair entries. + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries. items: description: RateLimitDescriptor defines a list of key-value pair generators. @@ -7525,18 +7594,18 @@ spec: description: Entries is the list of key-value pair generators. items: - description: RateLimitDescriptorEntry is a key-value - pair generator. Exactly one field on this struct - must be non-nil. + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. properties: genericKey: description: GenericKey defines a descriptor entry with a static key and value. properties: key: - description: Key defines the key of the - descriptor entry. If not set, the key - is set to "generic_key". + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". type: string value: description: Value defines the value of @@ -7545,17 +7614,15 @@ spec: type: string type: object remoteAddress: - description: RemoteAddress defines a descriptor - entry with a key of "remote_address" and - a value equal to the client's IP address - (from x-forwarded-for). + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). type: object requestHeader: - description: RequestHeader defines a descriptor - entry that's populated only if a given header - is present on the request. The descriptor - key is static, and the descriptor value - is equal to the value of the header. + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. properties: descriptorKey: description: DescriptorKey defines the @@ -7569,42 +7636,36 @@ spec: type: string type: object requestHeaderValueMatch: - description: RequestHeaderValueMatch defines - a descriptor entry that's populated if the - request's headers match a set of 1+ match - criteria. The descriptor key is "header_match", - and the descriptor value is static. + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. properties: expectMatch: default: true - description: ExpectMatch defines whether - the request must positively match the - match criteria in order to generate - a descriptor entry (i.e. true), or not - match the match criteria in order to - generate a descriptor entry (i.e. false). + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). The default is true. type: boolean headers: - description: Headers is a list of 1+ match - criteria to apply against the request - to determine whether to populate the - descriptor entry or not. + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. items: - description: HeaderMatchCondition specifies - how to conditionally match against - HTTP headers. The Name field is required, - only one of Present, NotPresent, Contains, - NotContains, Exact, NotExact and Regex - can be set. For negative matching - rules only (e.g. NotContains or NotExact) - you can set TreatMissingAsEmpty. IgnoreCase - has no effect for Regex. + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex. properties: contains: - description: Contains specifies - a substring that must be present - in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string @@ -7612,61 +7673,49 @@ spec: equal to. type: string ignoreCase: - description: IgnoreCase specifies - that string matching should be - case insensitive. Note that this - has no effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of - the header to match against. Name - is required. Header names are - case insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies - a substring that must not be present + description: |- + NotContains specifies a substring that must not be present in the header value. type: string notexact: - description: NoExact specifies a - string that the header value must - not be equal to. The condition - is true if the header has any - other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies - that condition is true when the - named header is not present. Note - that setting NotPresent to false - does not make the condition true - if the named header is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that - condition is true when the named - header is present, regardless - of its value. Note that setting - Present to false does not make - the condition true if the named - header is absent. + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. type: boolean regex: - description: Regex specifies a regular - expression pattern that must match - the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty - specifies if the header match - rule specified header does not - exist, this header value will - be treated as empty. Defaults - to false. Unlike the underlying - Envoy implementation this is **only** - supported for negative matches - (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -7686,31 +7735,34 @@ spec: minItems: 1 type: array disabled: - description: Disabled configures the HTTPProxy to not - use the default global rate limit policy defined by - the Contour configuration. + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. type: boolean type: object local: - description: Local defines local rate limiting parameters, - i.e. parameters for rate limiting that occurs within each - Envoy pod as requests are handled. + description: |- + Local defines local rate limiting parameters, i.e. parameters + for rate limiting that occurs within each Envoy pod as requests + are handled. properties: burst: - description: Burst defines the number of requests above - the requests per unit that should be allowed within - a short period of time. + description: |- + Burst defines the number of requests above the requests per + unit that should be allowed within a short period of time. format: int32 type: integer requests: - description: Requests defines how many requests per unit - of time should be allowed before rate limiting occurs. + description: |- + Requests defines how many requests per unit of time should + be allowed before rate limiting occurs. format: int32 minimum: 1 type: integer responseHeadersToAdd: - description: ResponseHeadersToAdd is an optional list - of response headers to set when a request is rate-limited. + description: |- + ResponseHeadersToAdd is an optional list of response headers to + set when a request is rate-limited. items: description: HeaderValue represents a header name/value pair @@ -7730,18 +7782,20 @@ spec: type: object type: array responseStatusCode: - description: ResponseStatusCode is the HTTP status code - to use for responses to rate-limited requests. Codes - must be in the 400-599 range (inclusive). If not specified, - the Envoy default of 429 (Too Many Requests) is used. + description: |- + ResponseStatusCode is the HTTP status code to use for responses + to rate-limited requests. Codes must be in the 400-599 range + (inclusive). If not specified, the Envoy default of 429 (Too + Many Requests) is used. format: int32 maximum: 599 minimum: 400 type: integer unit: - description: Unit defines the period of time within which - requests over the limit will be rate limited. Valid - values are "second", "minute" and "hour". + description: |- + Unit defines the period of time within which requests + over the limit will be rate limited. Valid values are + "second", "minute" and "hour". enum: - second - minute @@ -7753,57 +7807,56 @@ spec: type: object type: object tls: - description: If present the fields describes TLS properties of - the virtual host. The SNI names that will be matched on are - described in fqdn, the tls.secretName secret must contain a - certificate that itself contains a name that matches the FQDN. + description: |- + If present the fields describes TLS properties of the virtual + host. The SNI names that will be matched on are described in fqdn, + the tls.secretName secret must contain a certificate that itself + contains a name that matches the FQDN. properties: clientValidation: - description: "ClientValidation defines how to verify the client - certificate when an external client establishes a TLS connection - to Envoy. \n This setting: \n 1. Enables TLS client certificate - validation. 2. Specifies how the client certificate will - be validated (i.e. validation required or skipped). \n Note: - Setting client certificate validation to be skipped should - be only used in conjunction with an external authorization - server that performs client validation as Contour will ensure - client certificates are passed along." + description: |- + ClientValidation defines how to verify the client certificate + when an external client establishes a TLS connection to Envoy. + This setting: + 1. Enables TLS client certificate validation. + 2. Specifies how the client certificate will be validated (i.e. + validation required or skipped). + Note: Setting client certificate validation to be skipped should + be only used in conjunction with an external authorization server that + performs client validation as Contour will ensure client certificates + are passed along. properties: caSecret: - description: Name of a Kubernetes secret that contains - a CA certificate bundle. The secret must contain key - named ca.crt. The client certificate must validate against - the certificates in the bundle. If specified and SkipClientCertValidation - is true, client certificates will be required on requests. + description: |- + Name of a Kubernetes secret that contains a CA certificate bundle. + The secret must contain key named ca.crt. + The client certificate must validate against the certificates in the bundle. + If specified and SkipClientCertValidation is true, client certificates will + be required on requests. The name can be optionally prefixed with namespace "namespace/name". - When cross-namespace reference is used, TLSCertificateDelegation - resource must exist in the namespace to grant access - to the secret. + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. minLength: 1 type: string crlOnlyVerifyLeafCert: - description: If this option is set to true, only the certificate - at the end of the certificate chain will be subject - to validation by CRL. + description: |- + If this option is set to true, only the certificate at the end of the + certificate chain will be subject to validation by CRL. type: boolean crlSecret: - description: Name of a Kubernetes opaque secret that contains - a concatenated list of PEM encoded CRLs. The secret - must contain key named crl.pem. This field will be used - to verify that a client certificate has not been revoked. - CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert - is true. Large CRL lists are not supported since individual - secrets are limited to 1MiB in size. The name can be - optionally prefixed with namespace "namespace/name". - When cross-namespace reference is used, TLSCertificateDelegation - resource must exist in the namespace to grant access - to the secret. + description: |- + Name of a Kubernetes opaque secret that contains a concatenated list of PEM encoded CRLs. + The secret must contain key named crl.pem. + This field will be used to verify that a client certificate has not been revoked. + CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert is true. + Large CRL lists are not supported since individual secrets are limited to 1MiB in size. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. minLength: 1 type: string forwardClientCertificate: - description: ForwardClientCertificate adds the selected - data from the passed client TLS certificate to the x-forwarded-client-cert - header. + description: |- + ForwardClientCertificate adds the selected data from the passed client TLS certificate + to the x-forwarded-client-cert header. properties: cert: description: Client cert in URL encoded PEM format. @@ -7825,55 +7878,56 @@ spec: type: boolean type: object optionalClientCertificate: - description: OptionalClientCertificate when set to true - will request a client certificate but allow the connection - to continue if the client does not provide one. If a - client certificate is sent, it will be verified according - to the other properties, which includes disabling validation - if SkipClientCertValidation is set. Defaults to false. + description: |- + OptionalClientCertificate when set to true will request a client certificate + but allow the connection to continue if the client does not provide one. + If a client certificate is sent, it will be verified according to the + other properties, which includes disabling validation if + SkipClientCertValidation is set. Defaults to false. type: boolean skipClientCertValidation: - description: SkipClientCertValidation disables downstream - client certificate validation. Defaults to false. This - field is intended to be used in conjunction with external - authorization in order to enable the external authorization - server to validate client certificates. When this field - is set to true, client certificates are requested but - not verified by Envoy. If CACertificate is specified, - client certificates are required on requests, but not - verified. If external authorization is in use, they - are presented to the external authorization server. + description: |- + SkipClientCertValidation disables downstream client certificate + validation. Defaults to false. This field is intended to be used in + conjunction with external authorization in order to enable the external + authorization server to validate client certificates. When this field + is set to true, client certificates are requested but not verified by + Envoy. If CACertificate is specified, client certificates are required on + requests, but not verified. If external authorization is in use, they are + presented to the external authorization server. type: boolean type: object enableFallbackCertificate: - description: EnableFallbackCertificate defines if the vhost - should allow a default certificate to be applied which handles - all requests which don't match the SNI defined in this vhost. + description: |- + EnableFallbackCertificate defines if the vhost should allow a default certificate to + be applied which handles all requests which don't match the SNI defined in this vhost. type: boolean maximumProtocolVersion: - description: MaximumProtocolVersion is the maximum TLS version - this vhost should negotiate. Valid options are `1.2` and - `1.3` (default). Any other value defaults to TLS 1.3. + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. Valid options are `1.2` and `1.3` (default). Any other value + defaults to TLS 1.3. type: string minimumProtocolVersion: - description: MinimumProtocolVersion is the minimum TLS version - this vhost should negotiate. Valid options are `1.2` (default) - and `1.3`. Any other value defaults to TLS 1.2. + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. Valid options are `1.2` (default) and `1.3`. Any other value + defaults to TLS 1.2. type: string passthrough: - description: Passthrough defines whether the encrypted TLS - handshake will be passed through to the backing cluster. - Either Passthrough or SecretName must be specified, but - not both. + description: |- + Passthrough defines whether the encrypted TLS handshake will be + passed through to the backing cluster. Either Passthrough or + SecretName must be specified, but not both. type: boolean secretName: - description: SecretName is the name of a TLS secret. Either - SecretName or Passthrough must be specified, but not both. + description: |- + SecretName is the name of a TLS secret. + Either SecretName or Passthrough must be specified, but not both. If specified, the named secret must contain a matching certificate - for the virtual host's FQDN. The name can be optionally - prefixed with namespace "namespace/name". When cross-namespace - reference is used, TLSCertificateDelegation resource must - exist in the namespace to grant access to the secret. + for the virtual host's FQDN. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. type: string type: object required: @@ -7888,75 +7942,67 @@ spec: HTTPProxy. properties: conditions: - description: "Conditions contains information about the current status - of the HTTPProxy, in an upstream-friendly container. \n Contour - will update a single condition, `Valid`, that is in normal-true - polarity. That is, when `currentStatus` is `valid`, the `Valid` - condition will be `status: true`, and vice versa. \n Contour will - leave untouched any other Conditions set in this block, in case - some other controller wants to add a Condition. \n If you are another - controller owner and wish to add a condition, you *should* namespace - your condition with a label, like `controller.domain.com/ConditionName`." + description: |- + Conditions contains information about the current status of the HTTPProxy, + in an upstream-friendly container. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + That is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`, + and vice versa. + Contour will leave untouched any other Conditions set in this block, + in case some other controller wants to add a Condition. + If you are another controller owner and wish to add a condition, you *should* + namespace your condition with a label, like `controller.domain.com/ConditionName`. items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. - \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. \n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. properties: errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -7970,10 +8016,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -7985,32 +8031,31 @@ spec: type: object type: array lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -8024,43 +8069,42 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -8074,10 +8118,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -8108,48 +8152,49 @@ spec: balancer. properties: ingress: - description: Ingress is a list containing ingress points for the - load-balancer. Traffic intended for the service should be sent - to these ingress points. + description: |- + Ingress is a list containing ingress points for the load-balancer. + Traffic intended for the service should be sent to these ingress points. items: - description: 'LoadBalancerIngress represents the status of a - load-balancer ingress point: traffic intended for the service - should be sent to an ingress point.' + description: |- + LoadBalancerIngress represents the status of a load-balancer ingress point: + traffic intended for the service should be sent to an ingress point. properties: hostname: - description: Hostname is set for load-balancer ingress points - that are DNS based (typically AWS load-balancers) + description: |- + Hostname is set for load-balancer ingress points that are DNS based + (typically AWS load-balancers) type: string ip: - description: IP is set for load-balancer ingress points - that are IP based (typically GCE or OpenStack load-balancers) + description: |- + IP is set for load-balancer ingress points that are IP based + (typically GCE or OpenStack load-balancers) type: string ipMode: - description: IPMode specifies how the load-balancer IP behaves, - and may only be specified when the ip field is specified. - Setting this to "VIP" indicates that traffic is delivered - to the node with the destination set to the load-balancer's - IP and port. Setting this to "Proxy" indicates that traffic - is delivered to the node or pod with the destination set - to the node's IP and node port or the pod's IP and port. - Service implementations may use this information to adjust - traffic routing. + description: |- + IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified. + Setting this to "VIP" indicates that traffic is delivered to the node with + the destination set to the load-balancer's IP and port. + Setting this to "Proxy" indicates that traffic is delivered to the node or pod with + the destination set to the node's IP and node port or the pod's IP and port. + Service implementations may use this information to adjust traffic routing. type: string ports: - description: Ports is a list of records of service ports - If used, every port defined in the service should have - an entry in it + description: |- + Ports is a list of records of service ports + If used, every port defined in the service should have an entry in it items: properties: error: - description: 'Error is to record the problem with - the service port The format of the error shall comply - with the following rules: - built-in error values - shall be specified in this file and those shall - use CamelCase names - cloud provider specific error - values must have names that comply with the format - foo.example.com/CamelCase. --- The regex it matches - is (dns1123SubdomainFmt/)?(qualifiedNameFmt)' + description: |- + Error is to record the problem with the service port + The format of the error shall comply with the following rules: + - built-in error values shall be specified in this file and those shall use + CamelCase names + - cloud provider specific error values must have names that comply with the + format foo.example.com/CamelCase. + --- + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -8160,9 +8205,9 @@ spec: type: integer protocol: default: TCP - description: 'Protocol is the protocol of the service - port of which status is recorded here The supported - values are: "TCP", "UDP", "SCTP"' + description: |- + Protocol is the protocol of the service port of which status is recorded here + The supported values are: "TCP", "UDP", "SCTP" type: string required: - port @@ -8187,7 +8232,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: tlscertificatedelegations.projectcontour.io spec: preserveUnknownFields: false @@ -8204,18 +8249,24 @@ spec: - name: v1 schema: openAPIV3Schema: - description: TLSCertificateDelegation is an TLS Certificate Delegation CRD - specification. See design/tls-certificate-delegation.md for details. + description: |- + TLSCertificateDelegation is an TLS Certificate Delegation CRD specification. + See design/tls-certificate-delegation.md for details. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -8224,18 +8275,20 @@ spec: properties: delegations: items: - description: CertificateDelegation maps the authority to reference - a secret in the current namespace to a set of namespaces. + description: |- + CertificateDelegation maps the authority to reference a secret + in the current namespace to a set of namespaces. properties: secretName: description: required, the name of a secret in the current namespace. type: string targetNamespaces: - description: required, the namespaces the authority to reference - the secret will be delegated to. If TargetNamespaces is nil - or empty, the CertificateDelegation' is ignored. If the TargetNamespace - list contains the character, "*" the secret will be delegated - to all namespaces. + description: |- + required, the namespaces the authority to reference the + secret will be delegated to. + If TargetNamespaces is nil or empty, the CertificateDelegation' + is ignored. If the TargetNamespace list contains the character, "*" + the secret will be delegated to all namespaces. items: type: string type: array @@ -8248,79 +8301,72 @@ spec: - delegations type: object status: - description: TLSCertificateDelegationStatus allows for the status of the - delegation to be presented to the user. + description: |- + TLSCertificateDelegationStatus allows for the status of the delegation + to be presented to the user. properties: conditions: - description: "Conditions contains information about the current status - of the HTTPProxy, in an upstream-friendly container. \n Contour - will update a single condition, `Valid`, that is in normal-true - polarity. That is, when `currentStatus` is `valid`, the `Valid` - condition will be `status: true`, and vice versa. \n Contour will - leave untouched any other Conditions set in this block, in case - some other controller wants to add a Condition. \n If you are another - controller owner and wish to add a condition, you *should* namespace - your condition with a label, like `controller.domain.com\\ConditionName`." + description: |- + Conditions contains information about the current status of the HTTPProxy, + in an upstream-friendly container. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + That is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`, + and vice versa. + Contour will leave untouched any other Conditions set in this block, + in case some other controller wants to add a Condition. + If you are another controller owner and wish to add a condition, you *should* + namespace your condition with a label, like `controller.domain.com\ConditionName`. items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. - \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. \n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. properties: errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -8334,10 +8380,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -8349,32 +8395,31 @@ spec: type: object type: array lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -8388,43 +8433,42 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -8438,10 +8482,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml index fe9a5922c4d..1e2bdedfd16 100644 --- a/examples/render/contour-gateway.yaml +++ b/examples/render/contour-gateway.yaml @@ -225,7 +225,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: contourconfigurations.projectcontour.io spec: preserveUnknownFields: false @@ -245,47 +245,59 @@ spec: description: ContourConfiguration is the schema for a Contour instance. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: ContourConfigurationSpec represents a configuration of a - Contour controller. It contains most of all the options that can be - customized, the other remaining options being command line flags. + description: |- + ContourConfigurationSpec represents a configuration of a Contour controller. + It contains most of all the options that can be customized, the + other remaining options being command line flags. properties: debug: - description: Debug contains parameters to enable debug logging and - debug interfaces inside Contour. + description: |- + Debug contains parameters to enable debug logging + and debug interfaces inside Contour. properties: address: - description: "Defines the Contour debug address interface. \n - Contour's default is \"127.0.0.1\"." + description: |- + Defines the Contour debug address interface. + Contour's default is "127.0.0.1". type: string port: - description: "Defines the Contour debug address port. \n Contour's - default is 6060." + description: |- + Defines the Contour debug address port. + Contour's default is 6060. type: integer type: object enableExternalNameService: - description: "EnableExternalNameService allows processing of ExternalNameServices - \n Contour's default is false for security reasons." + description: |- + EnableExternalNameService allows processing of ExternalNameServices + Contour's default is false for security reasons. type: boolean envoy: - description: Envoy contains parameters for Envoy as well as how to - optionally configure a managed Envoy fleet. + description: |- + Envoy contains parameters for Envoy as well + as how to optionally configure a managed Envoy fleet. properties: clientCertificate: - description: ClientCertificate defines the namespace/name of the - Kubernetes secret containing the client certificate and private - key to be used when establishing TLS connection to upstream + description: |- + ClientCertificate defines the namespace/name of the Kubernetes + secret containing the client certificate and private key + to be used when establishing TLS connection to upstream cluster. properties: name: @@ -297,13 +309,14 @@ spec: - namespace type: object cluster: - description: Cluster holds various configurable Envoy cluster - values that can be set in the config file. + description: |- + Cluster holds various configurable Envoy cluster values that can + be set in the config file. properties: circuitBreakers: - description: GlobalCircuitBreakerDefaults specifies default - circuit breaker budget across all services. If defined, - this will be used as the default for all services. + description: |- + GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services. + If defined, this will be used as the default for all services. properties: maxConnections: description: The maximum number of connections that a @@ -331,34 +344,36 @@ spec: type: integer type: object dnsLookupFamily: - description: "DNSLookupFamily defines how external names are - looked up When configured as V4, the DNS resolver will only - perform a lookup for addresses in the IPv4 family. If V6 - is configured, the DNS resolver will only perform a lookup - for addresses in the IPv6 family. If AUTO is configured, - the DNS resolver will first perform a lookup for addresses - in the IPv6 family and fallback to a lookup for addresses - in the IPv4 family. If ALL is specified, the DNS resolver - will perform a lookup for both IPv4 and IPv6 families, and - return all resolved addresses. When this is used, Happy - Eyeballs will be enabled for upstream connections. Refer - to Happy Eyeballs Support for more information. Note: This - only applies to externalName clusters. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily - for more information. \n Values: `auto` (default), `v4`, - `v6`, `all`. \n Other values will produce an error." + description: |- + DNSLookupFamily defines how external names are looked up + When configured as V4, the DNS resolver will only perform a lookup + for addresses in the IPv4 family. If V6 is configured, the DNS resolver + will only perform a lookup for addresses in the IPv6 family. + If AUTO is configured, the DNS resolver will first perform a lookup + for addresses in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for + both IPv4 and IPv6 families, and return all resolved addresses. + When this is used, Happy Eyeballs will be enabled for upstream connections. + Refer to Happy Eyeballs Support for more information. + Note: This only applies to externalName clusters. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. + Values: `auto` (default), `v4`, `v6`, `all`. + Other values will produce an error. type: string maxRequestsPerConnection: - description: Defines the maximum requests for upstream connections. - If not specified, there is no limit. see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + description: |- + Defines the maximum requests for upstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions for more information. format: int32 minimum: 1 type: integer per-connection-buffer-limit-bytes: - description: Defines the soft limit on size of the cluster’s - new connection read and write buffers in bytes. If unspecified, - an implementation defined default is applied (1MiB). see - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes + description: |- + Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes for more information. format: int32 minimum: 1 @@ -368,59 +383,73 @@ spec: for upstream connections properties: cipherSuites: - description: "CipherSuites defines the TLS ciphers to - be supported by Envoy TLS listeners when negotiating - TLS 1.2. Ciphers are validated against the set that - Envoy supports by default. This parameter should only - be used by advanced users. Note that these will be ignored - when TLS 1.3 is in use. \n This field is optional; when - it is undefined, a Contour-managed ciphersuite list + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list will be used, which may be updated to keep it secure. - \n Contour's default list is: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" - \n Ciphers provided are validated against the following - list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" - - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" - - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" - - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - - \"AES256-SHA\" \n Contour recommends leaving this undefined - unless you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters - Note: This list is a superset of what is valid for stock - Envoy builds and those using BoringSSL FIPS." + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. items: type: string type: array maximumProtocolVersion: - description: "MaximumProtocolVersion is the maximum TLS - version this vhost should negotiate. \n Values: `1.2`, - `1.3`(default). \n Other values will produce an error." + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. type: string minimumProtocolVersion: - description: "MinimumProtocolVersion is the minimum TLS - version this vhost should negotiate. \n Values: `1.2` - (default), `1.3`. \n Other values will produce an error." + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. type: string type: object type: object defaultHTTPVersions: - description: "DefaultHTTPVersions defines the default set of HTTPS - versions the proxy should accept. HTTP versions are strings - of the form \"HTTP/xx\". Supported versions are \"HTTP/1.1\" - and \"HTTP/2\". \n Values: `HTTP/1.1`, `HTTP/2` (default: both). - \n Other values will produce an error." + description: |- + DefaultHTTPVersions defines the default set of HTTPS + versions the proxy should accept. HTTP versions are + strings of the form "HTTP/xx". Supported versions are + "HTTP/1.1" and "HTTP/2". + Values: `HTTP/1.1`, `HTTP/2` (default: both). + Other values will produce an error. items: description: HTTPVersionType is the name of a supported HTTP version. type: string type: array health: - description: "Health defines the endpoint Envoy uses to serve - health checks. \n Contour's default is { address: \"0.0.0.0\", - port: 8002 }." + description: |- + Health defines the endpoint Envoy uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8002 }. properties: address: description: Defines the health address interface. @@ -431,9 +460,9 @@ spec: type: integer type: object http: - description: "Defines the HTTP Listener for Envoy. \n Contour's - default is { address: \"0.0.0.0\", port: 8080, accessLog: \"/dev/stdout\" - }." + description: |- + Defines the HTTP Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }. properties: accessLog: description: AccessLog defines where Envoy logs are outputted @@ -448,9 +477,9 @@ spec: type: integer type: object https: - description: "Defines the HTTPS Listener for Envoy. \n Contour's - default is { address: \"0.0.0.0\", port: 8443, accessLog: \"/dev/stdout\" - }." + description: |- + Defines the HTTPS Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }. properties: accessLog: description: AccessLog defines where Envoy logs are outputted @@ -469,106 +498,103 @@ spec: values. properties: connectionBalancer: - description: "ConnectionBalancer. If the value is exact, the - listener will use the exact connection balancer See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig - for more information. \n Values: (empty string): use the - default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. - \n Other values will produce an error." + description: |- + ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer + See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig + for more information. + Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. + Other values will produce an error. type: string disableAllowChunkedLength: - description: "DisableAllowChunkedLength disables the RFC-compliant - Envoy behavior to strip the \"Content-Length\" header if - \"Transfer-Encoding: chunked\" is also set. This is an emergency - off-switch to revert back to Envoy's default behavior in - case of failures. Please file an issue if failures are encountered. + description: |- + DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to + strip the "Content-Length" header if "Transfer-Encoding: chunked" is + also set. This is an emergency off-switch to revert back to Envoy's + default behavior in case of failures. Please file an issue if failures + are encountered. See: https://github.com/projectcontour/contour/issues/3221 - \n Contour's default is false." + Contour's default is false. type: boolean disableMergeSlashes: - description: "DisableMergeSlashes disables Envoy's non-standard - merge_slashes path transformation option which strips duplicate - slashes from request URL paths. \n Contour's default is - false." + description: |- + DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option + which strips duplicate slashes from request URL paths. + Contour's default is false. type: boolean httpMaxConcurrentStreams: - description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS - Envoy will advertise in the SETTINGS frame in HTTP/2 connections - and the limit for concurrent streams allowed for a peer - on a single HTTP/2 connection. It is recommended to not - set this lower than 100 but this field can be used to bound - resource usage by HTTP/2 connections and mitigate attacks - like CVE-2023-44487. The default value when this is not - set is unlimited. + description: |- + Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the + SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed + for a peer on a single HTTP/2 connection. It is recommended to not set this lower + than 100 but this field can be used to bound resource usage by HTTP/2 connections + and mitigate attacks like CVE-2023-44487. The default value when this is not set is + unlimited. format: int32 minimum: 1 type: integer maxConnectionsPerListener: - description: Defines the limit on number of active connections - to a listener. The limit is applied per listener. The default - value when this is not set is unlimited. + description: |- + Defines the limit on number of active connections to a listener. The limit is applied + per listener. The default value when this is not set is unlimited. format: int32 minimum: 1 type: integer maxRequestsPerConnection: - description: Defines the maximum requests for downstream connections. - If not specified, there is no limit. see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + description: |- + Defines the maximum requests for downstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions for more information. format: int32 minimum: 1 type: integer maxRequestsPerIOCycle: - description: Defines the limit on number of HTTP requests - that Envoy will process from a single connection in a single - I/O cycle. Requests over this limit are processed in subsequent - I/O cycles. Can be used as a mitigation for CVE-2023-44487 - when abusive traffic is detected. Configures the http.max_requests_per_io_cycle - Envoy runtime setting. The default value when this is not - set is no limit. + description: |- + Defines the limit on number of HTTP requests that Envoy will process from a single + connection in a single I/O cycle. Requests over this limit are processed in subsequent + I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is + detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default + value when this is not set is no limit. format: int32 minimum: 1 type: integer per-connection-buffer-limit-bytes: - description: Defines the soft limit on size of the listener’s - new connection read and write buffers in bytes. If unspecified, - an implementation defined default is applied (1MiB). see - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes + description: |- + Defines the soft limit on size of the listener’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes for more information. format: int32 minimum: 1 type: integer serverHeaderTransformation: - description: "Defines the action to be applied to the Server - header on the response path. When configured as overwrite, - overwrites any Server header with \"envoy\". When configured - as append_if_absent, if a Server header is present, pass - it through, otherwise set it to \"envoy\". When configured - as pass_through, pass through the value of the Server header, - and do not append a header if none is present. \n Values: - `overwrite` (default), `append_if_absent`, `pass_through` - \n Other values will produce an error. Contour's default - is overwrite." + description: |- + Defines the action to be applied to the Server header on the response path. + When configured as overwrite, overwrites any Server header with "envoy". + When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy". + When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. + Values: `overwrite` (default), `append_if_absent`, `pass_through` + Other values will produce an error. + Contour's default is overwrite. type: string socketOptions: - description: SocketOptions defines configurable socket options - for the listeners. Single set of options are applied to - all listeners. + description: |- + SocketOptions defines configurable socket options for the listeners. + Single set of options are applied to all listeners. properties: tos: - description: Defines the value for IPv4 TOS field (including - 6 bit DSCP field) for IP packets originating from Envoy - listeners. Single value is applied to all listeners. - If listeners are bound to IPv6-only addresses, setting - this option will cause an error. + description: |- + Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv6-only addresses, setting this option will cause an error. format: int32 maximum: 255 minimum: 0 type: integer trafficClass: - description: Defines the value for IPv6 Traffic Class - field (including 6 bit DSCP field) for IP packets originating - from the Envoy listeners. Single value is applied to - all listeners. If listeners are bound to IPv4-only addresses, - setting this option will cause an error. + description: |- + Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv4-only addresses, setting this option will cause an error. format: int32 maximum: 255 minimum: 0 @@ -579,79 +605,93 @@ spec: values. properties: cipherSuites: - description: "CipherSuites defines the TLS ciphers to - be supported by Envoy TLS listeners when negotiating - TLS 1.2. Ciphers are validated against the set that - Envoy supports by default. This parameter should only - be used by advanced users. Note that these will be ignored - when TLS 1.3 is in use. \n This field is optional; when - it is undefined, a Contour-managed ciphersuite list + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list will be used, which may be updated to keep it secure. - \n Contour's default list is: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" - \n Ciphers provided are validated against the following - list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" - - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" - - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" - - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - - \"AES256-SHA\" \n Contour recommends leaving this undefined - unless you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters - Note: This list is a superset of what is valid for stock - Envoy builds and those using BoringSSL FIPS." + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. items: type: string type: array maximumProtocolVersion: - description: "MaximumProtocolVersion is the maximum TLS - version this vhost should negotiate. \n Values: `1.2`, - `1.3`(default). \n Other values will produce an error." + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. type: string minimumProtocolVersion: - description: "MinimumProtocolVersion is the minimum TLS - version this vhost should negotiate. \n Values: `1.2` - (default), `1.3`. \n Other values will produce an error." + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. type: string type: object useProxyProtocol: - description: "Use PROXY protocol for all listeners. \n Contour's - default is false." + description: |- + Use PROXY protocol for all listeners. + Contour's default is false. type: boolean type: object logging: description: Logging defines how Envoy's logs can be configured. properties: accessLogFormat: - description: "AccessLogFormat sets the global access log format. - \n Values: `envoy` (default), `json`. \n Other values will - produce an error." + description: |- + AccessLogFormat sets the global access log format. + Values: `envoy` (default), `json`. + Other values will produce an error. type: string accessLogFormatString: - description: AccessLogFormatString sets the access log format - when format is set to `envoy`. When empty, Envoy's default - format is used. + description: |- + AccessLogFormatString sets the access log format when format is set to `envoy`. + When empty, Envoy's default format is used. type: string accessLogJSONFields: - description: AccessLogJSONFields sets the fields that JSON - logging will output when AccessLogFormat is json. + description: |- + AccessLogJSONFields sets the fields that JSON logging will + output when AccessLogFormat is json. items: type: string type: array accessLogLevel: - description: "AccessLogLevel sets the verbosity level of the - access log. \n Values: `info` (default, all requests are - logged), `error` (all non-success requests, i.e. 300+ response - code, are logged), `critical` (all 5xx requests are logged) - and `disabled`. \n Other values will produce an error." + description: |- + AccessLogLevel sets the verbosity level of the access log. + Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`. + Other values will produce an error. type: string type: object metrics: - description: "Metrics defines the endpoint Envoy uses to serve - metrics. \n Contour's default is { address: \"0.0.0.0\", port: - 8002 }." + description: |- + Metrics defines the endpoint Envoy uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8002 }. properties: address: description: Defines the metrics address interface. @@ -662,9 +702,9 @@ spec: description: Defines the metrics port. type: integer tls: - description: TLS holds TLS file config details. Metrics and - health endpoints cannot have same port number when metrics - is served over HTTPS. + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. properties: caFile: description: CA filename. @@ -682,23 +722,26 @@ spec: values. properties: adminPort: - description: "Configure the port used to access the Envoy - Admin interface. If configured to port \"0\" then the admin - interface is disabled. \n Contour's default is 9001." + description: |- + Configure the port used to access the Envoy Admin interface. + If configured to port "0" then the admin interface is disabled. + Contour's default is 9001. type: integer numTrustedHops: - description: "XffNumTrustedHops defines the number of additional - ingress proxy hops from the right side of the x-forwarded-for - HTTP header to trust when determining the origin client’s - IP address. \n See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops - for more information. \n Contour's default is 0." + description: |- + XffNumTrustedHops defines the number of additional ingress proxy hops from the + right side of the x-forwarded-for HTTP header to trust when determining the origin + client’s IP address. + See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops + for more information. + Contour's default is 0. format: int32 type: integer type: object service: - description: "Service holds Envoy service parameters for setting - Ingress status. \n Contour's default is { namespace: \"projectcontour\", - name: \"envoy\" }." + description: |- + Service holds Envoy service parameters for setting Ingress status. + Contour's default is { namespace: "projectcontour", name: "envoy" }. properties: name: type: string @@ -709,93 +752,101 @@ spec: - namespace type: object timeouts: - description: Timeouts holds various configurable timeouts that - can be set in the config file. + description: |- + Timeouts holds various configurable timeouts that can + be set in the config file. properties: connectTimeout: - description: "ConnectTimeout defines how long the proxy should - wait when establishing connection to upstream service. If - not set, a default value of 2 seconds will be used. \n See - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout - for more information." + description: |- + ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. + If not set, a default value of 2 seconds will be used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout + for more information. type: string connectionIdleTimeout: - description: "ConnectionIdleTimeout defines how long the proxy - should wait while there are no active requests (for HTTP/1.1) - or streams (for HTTP/2) before terminating an HTTP connection. - Set to \"infinity\" to disable the timeout entirely. \n + description: |- + ConnectionIdleTimeout defines how long the proxy should wait while there are + no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating + an HTTP connection. Set to "infinity" to disable the timeout entirely. See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout - for more information." + for more information. type: string connectionShutdownGracePeriod: - description: "ConnectionShutdownGracePeriod defines how long - the proxy will wait between sending an initial GOAWAY frame - and a second, final GOAWAY frame when terminating an HTTP/2 - connection. During this grace period, the proxy will continue - to respond to new streams. After the final GOAWAY frame - has been sent, the proxy will refuse new streams. \n See - https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout - for more information." + description: |- + ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an + initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection. + During this grace period, the proxy will continue to respond to new streams. After the final + GOAWAY frame has been sent, the proxy will refuse new streams. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout + for more information. type: string delayedCloseTimeout: - description: "DelayedCloseTimeout defines how long envoy will - wait, once connection close processing has been initiated, - for the downstream peer to close the connection before Envoy - closes the socket associated with the connection. \n Setting - this timeout to 'infinity' will disable it, equivalent to - setting it to '0' in Envoy. Leaving it unset will result - in the Envoy default value being used. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout - for more information." + description: |- + DelayedCloseTimeout defines how long envoy will wait, once connection + close processing has been initiated, for the downstream peer to close + the connection before Envoy closes the socket associated with the connection. + Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0' + in Envoy. Leaving it unset will result in the Envoy default value being used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout + for more information. type: string maxConnectionDuration: - description: "MaxConnectionDuration defines the maximum period - of time after an HTTP connection has been established from - the client to the proxy before it is closed by the proxy, - regardless of whether there has been activity or not. Omit - or set to \"infinity\" for no max duration. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration - for more information." + description: |- + MaxConnectionDuration defines the maximum period of time after an HTTP connection + has been established from the client to the proxy before it is closed by the proxy, + regardless of whether there has been activity or not. Omit or set to "infinity" for + no max duration. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration + for more information. type: string requestTimeout: - description: "RequestTimeout sets the client request timeout - globally for Contour. Note that this is a timeout for the - entire request, not an idle timeout. Omit or set to \"infinity\" - to disable the timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout - for more information." + description: |- + RequestTimeout sets the client request timeout globally for Contour. Note that + this is a timeout for the entire request, not an idle timeout. Omit or set to + "infinity" to disable the timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout + for more information. type: string streamIdleTimeout: - description: "StreamIdleTimeout defines how long the proxy - should wait while there is no request activity (for HTTP/1.1) - or stream activity (for HTTP/2) before terminating the HTTP - request or stream. Set to \"infinity\" to disable the timeout - entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout - for more information." + description: |- + StreamIdleTimeout defines how long the proxy should wait while there is no + request activity (for HTTP/1.1) or stream activity (for HTTP/2) before + terminating the HTTP request or stream. Set to "infinity" to disable the + timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout + for more information. type: string type: object type: object featureFlags: - description: 'FeatureFlags defines toggle to enable new contour features. - Available toggles are: useEndpointSlices - configures contour to - fetch endpoint data from k8s endpoint slices. defaults to false - and reading endpoint data from the k8s endpoints.' + description: |- + FeatureFlags defines toggle to enable new contour features. + Available toggles are: + useEndpointSlices - configures contour to fetch endpoint data + from k8s endpoint slices. defaults to false and reading endpoint + data from the k8s endpoints. items: type: string type: array gateway: - description: Gateway contains parameters for the gateway-api Gateway - that Contour is configured to serve traffic. + description: |- + Gateway contains parameters for the gateway-api Gateway that Contour + is configured to serve traffic. properties: controllerName: - description: ControllerName is used to determine whether Contour - should reconcile a GatewayClass. The string takes the form of - "projectcontour.io//contour". If unset, the gatewayclass - controller will not be started. Exactly one of ControllerName - or GatewayRef must be set. + description: |- + ControllerName is used to determine whether Contour should reconcile a + GatewayClass. The string takes the form of "projectcontour.io//contour". + If unset, the gatewayclass controller will not be started. + Exactly one of ControllerName or GatewayRef must be set. type: string gatewayRef: - description: GatewayRef defines a specific Gateway that this Contour - instance corresponds to. If set, Contour will reconcile only - this gateway, and will not reconcile any gateway classes. Exactly - one of ControllerName or GatewayRef must be set. + description: |- + GatewayRef defines a specific Gateway that this Contour + instance corresponds to. If set, Contour will reconcile + only this gateway, and will not reconcile any gateway + classes. + Exactly one of ControllerName or GatewayRef must be set. properties: name: type: string @@ -807,26 +858,29 @@ spec: type: object type: object globalExtAuth: - description: GlobalExternalAuthorization allows envoys external authorization - filter to be enabled for all virtual hosts. + description: |- + GlobalExternalAuthorization allows envoys external authorization filter + to be enabled for all virtual hosts. properties: authPolicy: - description: AuthPolicy sets a default authorization policy for - client requests. This policy will be used unless overridden - by individual routes. + description: |- + AuthPolicy sets a default authorization policy for client requests. + This policy will be used unless overridden by individual routes. properties: context: additionalProperties: type: string - description: Context is a set of key/value pairs that are - sent to the authentication server in the check request. - If a context is provided at an enclosing scope, the entries - are merged such that the inner scope overrides matching - keys from the outer scope. + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. type: object disabled: - description: When true, this field disables client request - authentication for the scope of the policy. + description: |- + When true, this field disables client request authentication + for the scope of the policy. type: boolean type: object extensionRef: @@ -834,36 +888,38 @@ spec: that will authorize client requests. properties: apiVersion: - description: API version of the referent. If this field is - not specified, the default "projectcontour.io/v1alpha1" - will be used + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used minLength: 1 type: string name: - description: "Name of the referent. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names minLength: 1 type: string namespace: - description: "Namespace of the referent. If this field is - not specifies, the namespace of the resource that targets - the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ minLength: 1 type: string type: object failOpen: - description: If FailOpen is true, the client request is forwarded - to the upstream service even if the authorization server fails - to respond. This field should not be set in most cases. It is - intended for use only while migrating applications from internal - authorization to Contour external authorization. + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the authorization server fails to respond. This field should not be + set in most cases. It is intended for use only while migrating applications + from internal authorization to Contour external authorization. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time to wait for - a check response from the authorization server. Timeout durations - are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + description: |- + ResponseTimeout configures maximum time to wait for a check response from the authorization server. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no - timeout. + The string "infinity" is also a valid input and specifies no timeout. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string withRequestBody: @@ -888,9 +944,9 @@ spec: type: object type: object health: - description: "Health defines the endpoints Contour uses to serve health - checks. \n Contour's default is { address: \"0.0.0.0\", port: 8000 - }." + description: |- + Health defines the endpoints Contour uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8000 }. properties: address: description: Defines the health address interface. @@ -904,13 +960,15 @@ spec: description: HTTPProxy defines parameters on HTTPProxy. properties: disablePermitInsecure: - description: "DisablePermitInsecure disables the use of the permitInsecure - field in HTTPProxy. \n Contour's default is false." + description: |- + DisablePermitInsecure disables the use of the + permitInsecure field in HTTPProxy. + Contour's default is false. type: boolean fallbackCertificate: - description: FallbackCertificate defines the namespace/name of - the Kubernetes secret to use as fallback when a non-SNI request - is received. + description: |- + FallbackCertificate defines the namespace/name of the Kubernetes secret to + use as fallback when a non-SNI request is received. properties: name: type: string @@ -940,8 +998,9 @@ spec: type: string type: object metrics: - description: "Metrics defines the endpoint Contour uses to serve metrics. - \n Contour's default is { address: \"0.0.0.0\", port: 8000 }." + description: |- + Metrics defines the endpoint Contour uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8000 }. properties: address: description: Defines the metrics address interface. @@ -952,9 +1011,9 @@ spec: description: Defines the metrics port. type: integer tls: - description: TLS holds TLS file config details. Metrics and health - endpoints cannot have same port number when metrics is served - over HTTPS. + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. properties: caFile: description: CA filename. @@ -972,8 +1031,9 @@ spec: by the user properties: applyToIngress: - description: "ApplyToIngress determines if the Policies will apply - to ingress objects \n Contour's default is false." + description: |- + ApplyToIngress determines if the Policies will apply to ingress objects + Contour's default is false. type: boolean requestHeaders: description: RequestHeadersPolicy defines the request headers @@ -1003,17 +1063,19 @@ spec: type: object type: object rateLimitService: - description: RateLimitService optionally holds properties of the Rate - Limit Service to be used for global rate limiting. + description: |- + RateLimitService optionally holds properties of the Rate Limit Service + to be used for global rate limiting. properties: defaultGlobalRateLimitPolicy: - description: DefaultGlobalRateLimitPolicy allows setting a default - global rate limit policy for every HTTPProxy. HTTPProxy can - overwrite this configuration. + description: |- + DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. + HTTPProxy can overwrite this configuration. properties: descriptors: - description: Descriptors defines the list of descriptors that - will be generated and sent to the rate limit service. Each + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each descriptor contains 1+ key-value pair entries. items: description: RateLimitDescriptor defines a list of key-value @@ -1022,17 +1084,18 @@ spec: entries: description: Entries is the list of key-value pair generators. items: - description: RateLimitDescriptorEntry is a key-value - pair generator. Exactly one field on this struct - must be non-nil. + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. properties: genericKey: description: GenericKey defines a descriptor entry with a static key and value. properties: key: - description: Key defines the key of the descriptor - entry. If not set, the key is set to "generic_key". + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". type: string value: description: Value defines the value of the @@ -1041,16 +1104,15 @@ spec: type: string type: object remoteAddress: - description: RemoteAddress defines a descriptor - entry with a key of "remote_address" and a value - equal to the client's IP address (from x-forwarded-for). + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). type: object requestHeader: - description: RequestHeader defines a descriptor - entry that's populated only if a given header - is present on the request. The descriptor key - is static, and the descriptor value is equal - to the value of the header. + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. properties: descriptorKey: description: DescriptorKey defines the key @@ -1064,41 +1126,36 @@ spec: type: string type: object requestHeaderValueMatch: - description: RequestHeaderValueMatch defines a - descriptor entry that's populated if the request's - headers match a set of 1+ match criteria. The - descriptor key is "header_match", and the descriptor - value is static. + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. properties: expectMatch: default: true - description: ExpectMatch defines whether the - request must positively match the match - criteria in order to generate a descriptor - entry (i.e. true), or not match the match - criteria in order to generate a descriptor - entry (i.e. false). The default is true. + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). + The default is true. type: boolean headers: - description: Headers is a list of 1+ match - criteria to apply against the request to - determine whether to populate the descriptor - entry or not. + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. items: - description: HeaderMatchCondition specifies - how to conditionally match against HTTP - headers. The Name field is required, only - one of Present, NotPresent, Contains, - NotContains, Exact, NotExact and Regex - can be set. For negative matching rules - only (e.g. NotContains or NotExact) you - can set TreatMissingAsEmpty. IgnoreCase - has no effect for Regex. + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex. properties: contains: - description: Contains specifies a substring - that must be present in the header - value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string @@ -1106,57 +1163,49 @@ spec: to. type: string ignoreCase: - description: IgnoreCase specifies that - string matching should be case insensitive. - Note that this has no effect on the - Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the - header to match against. Name is required. + description: |- + Name is the name of the header to match against. Name is required. Header names are case insensitive. type: string notcontains: - description: NotContains specifies a - substring that must not be present + description: |- + NotContains specifies a substring that must not be present in the header value. type: string notexact: - description: NoExact specifies a string - that the header value must not be - equal to. The condition is true if - the header has any other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies that - condition is true when the named header - is not present. Note that setting - NotPresent to false does not make - the condition true if the named header - is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that - condition is true when the named header - is present, regardless of its value. - Note that setting Present to false - does not make the condition true if - the named header is absent. + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. type: boolean regex: - description: Regex specifies a regular - expression pattern that must match - the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty specifies - if the header match rule specified - header does not exist, this header - value will be treated as empty. Defaults - to false. Unlike the underlying Envoy - implementation this is **only** supported - for negative matches (e.g. NotContains, - NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -1176,25 +1225,26 @@ spec: minItems: 1 type: array disabled: - description: Disabled configures the HTTPProxy to not use - the default global rate limit policy defined by the Contour - configuration. + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. type: boolean type: object domain: description: Domain is passed to the Rate Limit Service. type: string enableResourceExhaustedCode: - description: EnableResourceExhaustedCode enables translating error - code 429 to grpc code RESOURCE_EXHAUSTED. When disabled it's - translated to UNAVAILABLE + description: |- + EnableResourceExhaustedCode enables translating error code 429 to + grpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE type: boolean enableXRateLimitHeaders: - description: "EnableXRateLimitHeaders defines whether to include - the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining, - and X-RateLimit-Reset (as defined by the IETF Internet-Draft - linked below), on responses to clients when the Rate Limit Service - is consulted for a request. \n ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html" + description: |- + EnableXRateLimitHeaders defines whether to include the X-RateLimit + headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset + (as defined by the IETF Internet-Draft linked below), on responses + to clients when the Rate Limit Service is consulted for a request. + ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html type: boolean extensionService: description: ExtensionService identifies the extension service @@ -1209,9 +1259,10 @@ spec: - namespace type: object failOpen: - description: FailOpen defines whether to allow requests to proceed - when the Rate Limit Service fails to respond with a valid rate - limit decision within the timeout defined on the extension service. + description: |- + FailOpen defines whether to allow requests to proceed when the + Rate Limit Service fails to respond with a valid rate limit + decision within the timeout defined on the extension service. type: boolean required: - extensionService @@ -1224,17 +1275,20 @@ spec: description: CustomTags defines a list of custom tags with unique tag name. items: - description: CustomTag defines custom tags with unique tag name + description: |- + CustomTag defines custom tags with unique tag name to create tags for the active span. properties: literal: - description: Literal is a static custom tag value. Precisely - one of Literal, RequestHeaderName must be set. + description: |- + Literal is a static custom tag value. + Precisely one of Literal, RequestHeaderName must be set. type: string requestHeaderName: - description: RequestHeaderName indicates which request header - the label value is obtained from. Precisely one of Literal, - RequestHeaderName must be set. + description: |- + RequestHeaderName indicates which request header + the label value is obtained from. + Precisely one of Literal, RequestHeaderName must be set. type: string tagName: description: TagName is the unique name of the custom tag. @@ -1256,25 +1310,28 @@ spec: - namespace type: object includePodDetail: - description: 'IncludePodDetail defines a flag. If it is true, - contour will add the pod name and namespace to the span of the - trace. the default is true. Note: The Envoy pods MUST have the - HOSTNAME and CONTOUR_NAMESPACE environment variables set for - this to work properly.' + description: |- + IncludePodDetail defines a flag. + If it is true, contour will add the pod name and namespace to the span of the trace. + the default is true. + Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly. type: boolean maxPathTagLength: - description: MaxPathTagLength defines maximum length of the request - path to extract and include in the HttpUrl tag. contour's default - is 256. + description: |- + MaxPathTagLength defines maximum length of the request path + to extract and include in the HttpUrl tag. + contour's default is 256. format: int32 type: integer overallSampling: - description: OverallSampling defines the sampling rate of trace - data. contour's default is 100. + description: |- + OverallSampling defines the sampling rate of trace data. + contour's default is 100. type: string serviceName: - description: ServiceName defines the name for the service. contour's - default is contour. + description: |- + ServiceName defines the name for the service. + contour's default is contour. type: string required: - extensionService @@ -1283,18 +1340,20 @@ spec: description: XDSServer contains parameters for the xDS server. properties: address: - description: "Defines the xDS gRPC API address which Contour will - serve. \n Contour's default is \"0.0.0.0\"." + description: |- + Defines the xDS gRPC API address which Contour will serve. + Contour's default is "0.0.0.0". minLength: 1 type: string port: - description: "Defines the xDS gRPC API port which Contour will - serve. \n Contour's default is 8001." + description: |- + Defines the xDS gRPC API port which Contour will serve. + Contour's default is 8001. type: integer tls: - description: "TLS holds TLS file config details. \n Contour's - default is { caFile: \"/certs/ca.crt\", certFile: \"/certs/tls.cert\", - keyFile: \"/certs/tls.key\", insecure: false }." + description: |- + TLS holds TLS file config details. + Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }. properties: caFile: description: CA filename. @@ -1310,9 +1369,10 @@ spec: type: string type: object type: - description: "Defines the XDSServer to use for `contour serve`. - \n Values: `contour` (default), `envoy`. \n Other values will - produce an error." + description: |- + Defines the XDSServer to use for `contour serve`. + Values: `contour` (default), `envoy`. + Other values will produce an error. type: string type: object type: object @@ -1321,71 +1381,62 @@ spec: a ContourConfiguration resource. properties: conditions: - description: "Conditions contains the current status of the Contour - resource. \n Contour will update a single condition, `Valid`, that - is in normal-true polarity. \n Contour will not modify any other - Conditions set in this block, in case some other controller wants - to add a Condition." + description: |- + Conditions contains the current status of the Contour resource. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + Contour will not modify any other Conditions set in this block, + in case some other controller wants to add a Condition. items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. - \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. \n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. properties: errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -1399,10 +1450,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -1414,32 +1465,31 @@ spec: type: object type: array lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -1453,43 +1503,42 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -1503,10 +1552,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -1541,7 +1590,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: contourdeployments.projectcontour.io spec: preserveUnknownFields: false @@ -1561,26 +1610,33 @@ spec: description: ContourDeployment is the schema for a Contour Deployment. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: ContourDeploymentSpec specifies options for how a Contour + description: |- + ContourDeploymentSpec specifies options for how a Contour instance should be provisioned. properties: contour: - description: Contour specifies deployment-time settings for the Contour - part of the installation, i.e. the xDS server/control plane and - associated resources, including things like replica count for the - Deployment, and node placement constraints for the pods. + description: |- + Contour specifies deployment-time settings for the Contour + part of the installation, i.e. the xDS server/control plane + and associated resources, including things like replica count + for the Deployment, and node placement constraints for the pods. properties: deployment: description: Deployment describes the settings for running contour @@ -1596,47 +1652,45 @@ spec: use to replace existing pods with new pods. properties: rollingUpdate: - description: 'Rolling update config params. Present only - if DeploymentStrategyType = RollingUpdate. --- TODO: - Update this to follow our convention for oneOf, whatever - we decide it to be.' + description: |- + Rolling update config params. Present only if DeploymentStrategyType = + RollingUpdate. + --- + TODO: Update this to follow our convention for oneOf, whatever we decide it + to be. properties: maxSurge: anyOf: - type: integer - type: string - description: 'The maximum number of pods that can - be scheduled above the desired number of pods. Value - can be an absolute number (ex: 5) or a percentage - of desired pods (ex: 10%). This can not be 0 if - MaxUnavailable is 0. Absolute number is calculated - from percentage by rounding up. Defaults to 25%. - Example: when this is set to 30%, the new ReplicaSet - can be scaled up immediately when the rolling update - starts, such that the total number of old and new - pods do not exceed 130% of desired pods. Once old - pods have been killed, new ReplicaSet can be scaled - up further, ensuring that total number of pods running - at any time during the update is at most 130% of - desired pods.' + description: |- + The maximum number of pods that can be scheduled above the desired number of + pods. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + This can not be 0 if MaxUnavailable is 0. + Absolute number is calculated from percentage by rounding up. + Defaults to 25%. + Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when + the rolling update starts, such that the total number of old and new pods do not exceed + 130% of desired pods. Once old pods have been killed, + new ReplicaSet can be scaled up further, ensuring that total number of pods running + at any time during the update is at most 130% of desired pods. x-kubernetes-int-or-string: true maxUnavailable: anyOf: - type: integer - type: string - description: 'The maximum number of pods that can - be unavailable during the update. Value can be an - absolute number (ex: 5) or a percentage of desired - pods (ex: 10%). Absolute number is calculated from - percentage by rounding down. This can not be 0 if - MaxSurge is 0. Defaults to 25%. Example: when this - is set to 30%, the old ReplicaSet can be scaled - down to 70% of desired pods immediately when the - rolling update starts. Once new pods are ready, - old ReplicaSet can be scaled down further, followed - by scaling up the new ReplicaSet, ensuring that - the total number of pods available at all times - during the update is at least 70% of desired pods.' + description: |- + The maximum number of pods that can be unavailable during the update. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + Absolute number is calculated from percentage by rounding down. + This can not be 0 if MaxSurge is 0. + Defaults to 25%. + Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods + immediately when the rolling update starts. Once new pods are ready, old ReplicaSet + can be scaled down further, followed by scaling up the new ReplicaSet, ensuring + that the total number of pods available at all times during the update is at + least 70% of desired pods. x-kubernetes-int-or-string: true type: object type: @@ -1646,14 +1700,16 @@ spec: type: object type: object kubernetesLogLevel: - description: KubernetesLogLevel Enable Kubernetes client debug - logging with log level. If unset, defaults to 0. + description: |- + KubernetesLogLevel Enable Kubernetes client debug logging with log level. If unset, + defaults to 0. maximum: 9 minimum: 0 type: integer logLevel: - description: LogLevel sets the log level for Contour Allowed values - are "info", "debug". + description: |- + LogLevel sets the log level for Contour + Allowed values are "info", "debug". type: string nodePlacement: description: NodePlacement describes node scheduling configuration @@ -1662,57 +1718,56 @@ spec: nodeSelector: additionalProperties: type: string - description: "NodeSelector is the simplest recommended form - of node selection constraint and specifies a map of key-value - pairs. For the pod to be eligible to run on a node, the - node must have each of the indicated key-value pairs as - labels (it can have additional labels as well). \n If unset, - the pod(s) will be scheduled to any available node." + description: |- + NodeSelector is the simplest recommended form of node selection constraint + and specifies a map of key-value pairs. For the pod to be eligible + to run on a node, the node must have each of the indicated key-value pairs + as labels (it can have additional labels as well). + If unset, the pod(s) will be scheduled to any available node. type: object tolerations: - description: "Tolerations work with taints to ensure that - pods are not scheduled onto inappropriate nodes. One or - more taints are applied to a node; this marks that the node - should not accept any pods that do not tolerate the taints. - \n The default is an empty list. \n See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - for additional details." + description: |- + Tolerations work with taints to ensure that pods are not scheduled + onto inappropriate nodes. One or more taints are applied to a node; this + marks that the node should not accept any pods that do not tolerate the + taints. + The default is an empty list. + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for additional details. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule and - NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If the - key is empty, operator must be Exists; this combination - means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints of - a particular category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the - taint forever (do not evict). Zero and negative values - will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value should - be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array @@ -1720,36 +1775,40 @@ spec: podAnnotations: additionalProperties: type: string - description: PodAnnotations defines annotations to add to the - Contour pods. the annotations for Prometheus will be appended - or overwritten with predefined value. + description: |- + PodAnnotations defines annotations to add to the Contour pods. + the annotations for Prometheus will be appended or overwritten with predefined value. type: object replicas: - description: "Deprecated: Use `DeploymentSettings.Replicas` instead. - \n Replicas is the desired number of Contour replicas. If if - unset, defaults to 2. \n if both `DeploymentSettings.Replicas` - and this one is set, use `DeploymentSettings.Replicas`." + description: |- + Deprecated: Use `DeploymentSettings.Replicas` instead. + Replicas is the desired number of Contour replicas. If if unset, + defaults to 2. + if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`. format: int32 minimum: 0 type: integer resources: - description: 'Compute Resources required by contour container. - Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Compute Resources required by contour container. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name @@ -1765,8 +1824,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -1775,95 +1835,91 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object type: object envoy: - description: Envoy specifies deployment-time settings for the Envoy - part of the installation, i.e. the xDS client/data plane and associated - resources, including things like the workload type to use (DaemonSet - or Deployment), node placement constraints for the pods, and various - options for the Envoy service. + description: |- + Envoy specifies deployment-time settings for the Envoy + part of the installation, i.e. the xDS client/data plane + and associated resources, including things like the workload + type to use (DaemonSet or Deployment), node placement constraints + for the pods, and various options for the Envoy service. properties: baseID: - description: The base ID to use when allocating shared memory - regions. if Envoy needs to be run multiple times on the same - machine, each running Envoy will need a unique base ID so that - the shared memory regions do not conflict. defaults to 0. + description: |- + The base ID to use when allocating shared memory regions. + if Envoy needs to be run multiple times on the same machine, each running Envoy will need a unique base ID + so that the shared memory regions do not conflict. + defaults to 0. format: int32 minimum: 0 type: integer daemonSet: - description: DaemonSet describes the settings for running envoy - as a `DaemonSet`. if `WorkloadType` is `Deployment`,it's must - be nil + description: |- + DaemonSet describes the settings for running envoy as a `DaemonSet`. + if `WorkloadType` is `Deployment`,it's must be nil properties: updateStrategy: description: Strategy describes the deployment strategy to use to replace existing DaemonSet pods with new pods. properties: rollingUpdate: - description: 'Rolling update config params. Present only - if type = "RollingUpdate". --- TODO: Update this to - follow our convention for oneOf, whatever we decide - it to be. Same as Deployment `strategy.rollingUpdate`. - See https://github.com/kubernetes/kubernetes/issues/35345' + description: |- + Rolling update config params. Present only if type = "RollingUpdate". + --- + TODO: Update this to follow our convention for oneOf, whatever we decide it + to be. Same as Deployment `strategy.rollingUpdate`. + See https://github.com/kubernetes/kubernetes/issues/35345 properties: maxSurge: anyOf: - type: integer - type: string - description: 'The maximum number of nodes with an - existing available DaemonSet pod that can have an - updated DaemonSet pod during during an update. Value - can be an absolute number (ex: 5) or a percentage - of desired pods (ex: 10%). This can not be 0 if - MaxUnavailable is 0. Absolute number is calculated - from percentage by rounding up to a minimum of 1. - Default value is 0. Example: when this is set to - 30%, at most 30% of the total number of nodes that - should be running the daemon pod (i.e. status.desiredNumberScheduled) - can have their a new pod created before the old - pod is marked as deleted. The update starts by launching - new pods on 30% of nodes. Once an updated pod is - available (Ready for at least minReadySeconds) the - old DaemonSet pod on that node is marked deleted. - If the old pod becomes unavailable for any reason - (Ready transitions to false, is evicted, or is drained) - an updated pod is immediatedly created on that node - without considering surge limits. Allowing surge - implies the possibility that the resources consumed - by the daemonset on any given node can double if - the readiness check fails, and so resource intensive - daemonsets should take into account that they may - cause evictions during disruption.' + description: |- + The maximum number of nodes with an existing available DaemonSet pod that + can have an updated DaemonSet pod during during an update. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + This can not be 0 if MaxUnavailable is 0. + Absolute number is calculated from percentage by rounding up to a minimum of 1. + Default value is 0. + Example: when this is set to 30%, at most 30% of the total number of nodes + that should be running the daemon pod (i.e. status.desiredNumberScheduled) + can have their a new pod created before the old pod is marked as deleted. + The update starts by launching new pods on 30% of nodes. Once an updated + pod is available (Ready for at least minReadySeconds) the old DaemonSet pod + on that node is marked deleted. If the old pod becomes unavailable for any + reason (Ready transitions to false, is evicted, or is drained) an updated + pod is immediatedly created on that node without considering surge limits. + Allowing surge implies the possibility that the resources consumed by the + daemonset on any given node can double if the readiness check fails, and + so resource intensive daemonsets should take into account that they may + cause evictions during disruption. x-kubernetes-int-or-string: true maxUnavailable: anyOf: - type: integer - type: string - description: 'The maximum number of DaemonSet pods - that can be unavailable during the update. Value - can be an absolute number (ex: 5) or a percentage - of total number of DaemonSet pods at the start of - the update (ex: 10%). Absolute number is calculated - from percentage by rounding up. This cannot be 0 - if MaxSurge is 0 Default value is 1. Example: when - this is set to 30%, at most 30% of the total number - of nodes that should be running the daemon pod (i.e. - status.desiredNumberScheduled) can have their pods - stopped for an update at any given time. The update - starts by stopping at most 30% of those DaemonSet - pods and then brings up new DaemonSet pods in their - place. Once the new pods are available, it then - proceeds onto other DaemonSet pods, thus ensuring - that at least 70% of original number of DaemonSet - pods are available at all times during the update.' + description: |- + The maximum number of DaemonSet pods that can be unavailable during the + update. Value can be an absolute number (ex: 5) or a percentage of total + number of DaemonSet pods at the start of the update (ex: 10%). Absolute + number is calculated from percentage by rounding up. + This cannot be 0 if MaxSurge is 0 + Default value is 1. + Example: when this is set to 30%, at most 30% of the total number of nodes + that should be running the daemon pod (i.e. status.desiredNumberScheduled) + can have their pods stopped for an update at any given time. The update + starts by stopping at most 30% of those DaemonSet pods and then brings + up new DaemonSet pods in their place. Once the new pods are available, + it then proceeds onto other DaemonSet pods, thus ensuring that at least + 70% of original number of DaemonSet pods are available at all times during + the update. x-kubernetes-int-or-string: true type: object type: @@ -1873,9 +1929,9 @@ spec: type: object type: object deployment: - description: Deployment describes the settings for running envoy - as a `Deployment`. if `WorkloadType` is `DaemonSet`,it's must - be nil + description: |- + Deployment describes the settings for running envoy as a `Deployment`. + if `WorkloadType` is `DaemonSet`,it's must be nil properties: replicas: description: Replicas is the desired number of replicas. @@ -1887,47 +1943,45 @@ spec: use to replace existing pods with new pods. properties: rollingUpdate: - description: 'Rolling update config params. Present only - if DeploymentStrategyType = RollingUpdate. --- TODO: - Update this to follow our convention for oneOf, whatever - we decide it to be.' + description: |- + Rolling update config params. Present only if DeploymentStrategyType = + RollingUpdate. + --- + TODO: Update this to follow our convention for oneOf, whatever we decide it + to be. properties: maxSurge: anyOf: - type: integer - type: string - description: 'The maximum number of pods that can - be scheduled above the desired number of pods. Value - can be an absolute number (ex: 5) or a percentage - of desired pods (ex: 10%). This can not be 0 if - MaxUnavailable is 0. Absolute number is calculated - from percentage by rounding up. Defaults to 25%. - Example: when this is set to 30%, the new ReplicaSet - can be scaled up immediately when the rolling update - starts, such that the total number of old and new - pods do not exceed 130% of desired pods. Once old - pods have been killed, new ReplicaSet can be scaled - up further, ensuring that total number of pods running - at any time during the update is at most 130% of - desired pods.' + description: |- + The maximum number of pods that can be scheduled above the desired number of + pods. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + This can not be 0 if MaxUnavailable is 0. + Absolute number is calculated from percentage by rounding up. + Defaults to 25%. + Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when + the rolling update starts, such that the total number of old and new pods do not exceed + 130% of desired pods. Once old pods have been killed, + new ReplicaSet can be scaled up further, ensuring that total number of pods running + at any time during the update is at most 130% of desired pods. x-kubernetes-int-or-string: true maxUnavailable: anyOf: - type: integer - type: string - description: 'The maximum number of pods that can - be unavailable during the update. Value can be an - absolute number (ex: 5) or a percentage of desired - pods (ex: 10%). Absolute number is calculated from - percentage by rounding down. This can not be 0 if - MaxSurge is 0. Defaults to 25%. Example: when this - is set to 30%, the old ReplicaSet can be scaled - down to 70% of desired pods immediately when the - rolling update starts. Once new pods are ready, - old ReplicaSet can be scaled down further, followed - by scaling up the new ReplicaSet, ensuring that - the total number of pods available at all times - during the update is at least 70% of desired pods.' + description: |- + The maximum number of pods that can be unavailable during the update. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + Absolute number is calculated from percentage by rounding down. + This can not be 0 if MaxSurge is 0. + Defaults to 25%. + Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods + immediately when the rolling update starts. Once new pods are ready, old ReplicaSet + can be scaled down further, followed by scaling up the new ReplicaSet, ensuring + that the total number of pods available at all times during the update is at + least 70% of desired pods. x-kubernetes-int-or-string: true type: object type: @@ -1944,33 +1998,36 @@ spec: a container. properties: mountPath: - description: Path within the container at which the volume - should be mounted. Must not contain ':'. + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. type: string mountPropagation: - description: mountPropagation determines how mounts are - propagated from the host to container and the other way - around. When not set, MountPropagationNone is used. This - field is beta in 1.10. + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. type: string name: description: This must match the Name of a Volume. type: string readOnly: - description: Mounted read-only if true, read-write otherwise - (false or unspecified). Defaults to false. + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. type: boolean subPath: - description: Path within the volume from which the container's - volume should be mounted. Defaults to "" (volume's root). + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). type: string subPathExpr: - description: Expanded path within the volume from which - the container's volume should be mounted. Behaves similarly - to SubPath but environment variable references $(VAR_NAME) - are expanded using the container's environment. Defaults - to "" (volume's root). SubPathExpr and SubPath are mutually - exclusive. + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. type: string required: - mountPath @@ -1984,36 +2041,36 @@ spec: may be accessed by any container in the pod. properties: awsElasticBlockStore: - description: 'awsElasticBlockStore represents an AWS Disk - resource that is attached to a kubelet''s host machine - and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore properties: fsType: - description: 'fsType is the filesystem type of the volume - that you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - TODO: how do we prevent errors in the filesystem from - compromising the machine' + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem from compromising the machine type: string partition: - description: 'partition is the partition in the volume - that you want to mount. If omitted, the default is - to mount by volume name. Examples: For volume /dev/sda1, - you specify the partition as "1". Similarly, the volume - partition for /dev/sda is "0" (or you can leave the - property empty).' + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). format: int32 type: integer readOnly: - description: 'readOnly value true will force the readOnly - setting in VolumeMounts. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore type: boolean volumeID: - description: 'volumeID is unique ID of the persistent - disk resource in AWS (Amazon EBS volume). More info: - https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore type: string required: - volumeID @@ -2035,10 +2092,10 @@ spec: blob storage type: string fsType: - description: fsType is Filesystem type to mount. Must - be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string kind: description: 'kind expected values are Shared: multiple @@ -2048,8 +2105,9 @@ spec: to shared' type: string readOnly: - description: readOnly Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean required: - diskName @@ -2060,8 +2118,9 @@ spec: mount on the host and bind mount to the pod. properties: readOnly: - description: readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean secretName: description: secretName is the name of secret that @@ -2079,8 +2138,9 @@ spec: that shares a pod's lifetime properties: monitors: - description: 'monitors is Required: Monitors is a collection - of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it items: type: string type: array @@ -2089,63 +2149,72 @@ spec: root, rather than the full Ceph tree, default is /' type: string readOnly: - description: 'readOnly is Optional: Defaults to false - (read/write). ReadOnly here will force the ReadOnly - setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it type: boolean secretFile: - description: 'secretFile is Optional: SecretFile is - the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it type: string secretRef: - description: 'secretRef is Optional: SecretRef is reference - to the authentication secret for User, default is - empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic user: - description: 'user is optional: User is the rados user - name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it type: string required: - monitors type: object cinder: - description: 'cinder represents a cinder volume attached - and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md properties: fsType: - description: 'fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Examples: "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md type: string readOnly: - description: 'readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md type: boolean secretRef: - description: 'secretRef is optional: points to a secret - object containing parameters used to connect to OpenStack.' + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic volumeID: - description: 'volumeID used to identify the volume in - cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md type: string required: - volumeID @@ -2155,29 +2224,25 @@ spec: populate this volume properties: defaultMode: - description: 'defaultMode is optional: mode bits used - to set permissions on created files by default. Must - be an octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal values for mode - bits. Defaults to 0644. Directories within the path - are not affected by this setting. This might be in - conflict with other options that affect the file mode, - like fsGroup, and the result can be other mode bits - set.' + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer items: - description: items if unspecified, each key-value pair - in the Data field of the referenced ConfigMap will - be projected into the volume as a file whose name - is the key and content is the value. If specified, - the listed keys will be projected into the specified - paths, and unlisted keys will not be present. If a - key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. - Paths must be relative and may not contain the '..' - path or start with '..'. + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -2186,22 +2251,20 @@ spec: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode bits used - to set permissions on this file. Must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal - and decimal values, JSON requires decimal values - for mode bits. If not specified, the volume - defaultMode will be used. This might be in conflict - with other options that affect the file mode, - like fsGroup, and the result can be other mode - bits set.' + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: - description: path is the relative path of the - file to map the key to. May not be an absolute - path. May not contain the path element '..'. + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. May not start with the string '..'. type: string required: @@ -2210,8 +2273,10 @@ spec: type: object type: array name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: optional specify whether the ConfigMap @@ -2225,42 +2290,43 @@ spec: CSI drivers (Beta feature). properties: driver: - description: driver is the name of the CSI driver that - handles this volume. Consult with your admin for the - correct name as registered in the cluster. + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. type: string fsType: - description: fsType to mount. Ex. "ext4", "xfs", "ntfs". - If not provided, the empty value is passed to the - associated CSI driver which will determine the default - filesystem to apply. + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. type: string nodePublishSecretRef: - description: nodePublishSecretRef is a reference to - the secret object containing sensitive information - to pass to the CSI driver to complete the CSI NodePublishVolume - and NodeUnpublishVolume calls. This field is optional, - and may be empty if no secret is required. If the - secret object contains more than one secret, all secret - references are passed. + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic readOnly: - description: readOnly specifies a read-only configuration - for the volume. Defaults to false (read/write). + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). type: boolean volumeAttributes: additionalProperties: type: string - description: volumeAttributes stores driver-specific - properties that are passed to the CSI driver. Consult - your driver's documentation for supported values. + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. type: object required: - driver @@ -2270,17 +2336,15 @@ spec: pod that should populate this volume properties: defaultMode: - description: 'Optional: mode bits to use on created - files by default. Must be a Optional: mode bits used - to set permissions on created files by default. Must - be an octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal values for mode - bits. Defaults to 0644. Directories within the path - are not affected by this setting. This might be in - conflict with other options that affect the file mode, - like fsGroup, and the result can be other mode bits - set.' + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer items: @@ -2308,16 +2372,13 @@ spec: type: object x-kubernetes-map-type: atomic mode: - description: 'Optional: mode bits used to set - permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal and decimal - values, JSON requires decimal values for mode - bits. If not specified, the volume defaultMode - will be used. This might be in conflict with - other options that affect the file mode, like - fsGroup, and the result can be other mode bits - set.' + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: @@ -2328,10 +2389,9 @@ spec: path must not start with ''..''' type: string resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, requests.cpu and requests.memory) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. properties: containerName: description: 'Container name: required for @@ -2358,116 +2418,111 @@ spec: type: array type: object emptyDir: - description: 'emptyDir represents a temporary directory - that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir properties: medium: - description: 'medium represents what type of storage - medium should back this directory. The default is - "" which means to use the node''s default medium. - Must be an empty string (default) or Memory. More - info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir type: string sizeLimit: anyOf: - type: integer - type: string - description: 'sizeLimit is the total amount of local - storage required for this EmptyDir volume. The size - limit is also applicable for memory medium. The maximum - usage on memory medium EmptyDir would be the minimum - value between the SizeLimit specified here and the - sum of memory limits of all containers in a pod. The - default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: - description: "ephemeral represents a volume that is handled - by a cluster storage driver. The volume's lifecycle is - tied to the pod that defines it - it will be created before - the pod starts, and deleted when the pod is removed. \n - Use this if: a) the volume is only needed while the pod - runs, b) features of normal volumes like restoring from - snapshot or capacity tracking are needed, c) the storage - driver is specified through a storage class, and d) the - storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for - more information on the connection between this volume - type and PersistentVolumeClaim). \n Use PersistentVolumeClaim - or one of the vendor-specific APIs for volumes that persist - for longer than the lifecycle of an individual pod. \n - Use CSI for light-weight local ephemeral volumes if the - CSI driver is meant to be used that way - see the documentation - of the driver for more information. \n A pod can use both - types of ephemeral volumes and persistent volumes at the - same time." + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. + The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. properties: volumeClaimTemplate: - description: "Will be used to create a stand-alone PVC - to provision the volume. The pod in which this EphemeralVolumeSource - is embedded will be the owner of the PVC, i.e. the - PVC will be deleted together with the pod. The name - of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` - array entry. Pod validation will reject the pod if - the concatenated name is not valid for a PVC (for - example, too long). \n An existing PVC with that name - that is not owned by the pod will *not* be used for - the pod to avoid using an unrelated volume by mistake. - Starting the pod is then blocked until the unrelated - PVC is removed. If such a pre-created PVC is meant - to be used by the pod, the PVC has to updated with - an owner reference to the pod once the pod exists. - Normally this should not be necessary, but it may - be useful when manually reconstructing a broken cluster. - \n This field is read-only and no changes will be - made by Kubernetes to the PVC after it has been created. - \n Required, must not be nil." + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + Required, must not be nil. properties: metadata: - description: May contain labels and annotations - that will be copied into the PVC when creating - it. No other fields are allowed and will be rejected - during validation. + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. type: object spec: - description: The specification for the PersistentVolumeClaim. - The entire content is copied unchanged into the - PVC that gets created from this template. The - same fields as in a PersistentVolumeClaim are - also valid here. + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. properties: accessModes: - description: 'accessModes contains the desired - access modes the volume should have. More - info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 items: type: string type: array dataSource: - description: 'dataSource field can be used to - specify either: * An existing VolumeSnapshot - object (snapshot.storage.k8s.io/VolumeSnapshot) + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller - can support the specified data source, it - will create a new volume based on the contents - of the specified data source. When the AnyVolumeDataSource - feature gate is enabled, dataSource contents - will be copied to dataSourceRef, and dataSourceRef - contents will be copied to dataSource when - dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef - will not be copied to dataSource.' + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. properties: apiGroup: - description: APIGroup is the group for the - resource being referenced. If APIGroup - is not specified, the specified Kind must - be in the core API group. For any other - third-party types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource @@ -2483,47 +2538,36 @@ spec: type: object x-kubernetes-map-type: atomic dataSourceRef: - description: 'dataSourceRef specifies the object - from which to populate the volume with data, - if a non-empty volume is desired. This may - be any object from a non-empty API group (non + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding - will only succeed if the type of the specified - object matches some installed volume populator - or dynamic provisioner. This field will replace - the functionality of the dataSource field - and as such if both fields are non-empty, - they must have the same value. For backwards - compatibility, when namespace isn''t specified - in dataSourceRef, both fields (dataSource - and dataSourceRef) will be set to the same - value automatically if one of them is empty - and the other is non-empty. When namespace - is specified in dataSourceRef, dataSource - isn''t set to the same value and must be empty. - There are three important differences between - dataSource and dataSourceRef: * While dataSource - only allows two specific types of objects, - dataSourceRef allows any non-core object, - as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values - (dropping them), dataSourceRef preserves all - values, and generates an error if a disallowed - value is specified. * While dataSource only - allows local objects, dataSourceRef allows - objects in any namespaces. (Beta) Using this - field requires the AnyVolumeDataSource feature - gate to be enabled. (Alpha) Using the namespace - field of dataSourceRef requires the CrossNamespaceVolumeDataSource - feature gate to be enabled.' + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. properties: apiGroup: - description: APIGroup is the group for the - resource being referenced. If APIGroup - is not specified, the specified Kind must - be in the core API group. For any other - third-party types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource @@ -2534,28 +2578,22 @@ spec: being referenced type: string namespace: - description: Namespace is the namespace - of resource being referenced Note that - when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant - object is required in the referent namespace - to allow that namespace's owner to accept - the reference. See the ReferenceGrant - documentation for details. (Alpha) This - field requires the CrossNamespaceVolumeDataSource - feature gate to be enabled. + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. type: string required: - kind - name type: object resources: - description: 'resources represents the minimum - resources the volume should have. If RecoverVolumeExpansionFailure - feature is enabled users are allowed to specify - resource requirements that are lower than - previous value but must still be higher than - capacity recorded in the status field of the - claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources properties: limits: additionalProperties: @@ -2564,9 +2602,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum - amount of compute resources allowed. More - info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -2575,13 +2613,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum - amount of compute resources required. - If Requests is omitted for a container, - it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object selector: @@ -2593,30 +2629,25 @@ spec: of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2628,48 +2659,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic storageClassName: - description: 'storageClassName is the name of - the StorageClass required by the claim. More - info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 type: string volumeAttributesClassName: - description: 'volumeAttributesClassName may - be used to set the VolumeAttributesClass used - by this claim. If specified, the CSI driver - will create or update the volume with the - attributes defined in the corresponding VolumeAttributesClass. - This has a different purpose than storageClassName, - it can be changed after the claim is created. - An empty string value means that no VolumeAttributesClass - will be applied to the claim but it''s not - allowed to reset this field to empty string - once it is set. If unspecified and the PersistentVolumeClaim - is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller - if it exists. If the resource referred to - by volumeAttributesClass does not exist, this - PersistentVolumeClaim will be set to a Pending - state, as reflected by the modifyVolumeStatus - field, until such as a resource exists. More - info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass - (Alpha) Using this field requires the VolumeAttributesClass - feature gate to be enabled.' + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. type: string volumeMode: - description: volumeMode defines what type of - volume is required by the claim. Value of - Filesystem is implied when not included in - claim spec. + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. type: string volumeName: description: volumeName is the binding reference @@ -2686,20 +2706,20 @@ spec: to the pod. properties: fsType: - description: 'fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. TODO: how do we prevent - errors in the filesystem from compromising the machine' + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + TODO: how do we prevent errors in the filesystem from compromising the machine type: string lun: description: 'lun is Optional: FC target lun number' format: int32 type: integer readOnly: - description: 'readOnly is Optional: Defaults to false - (read/write). ReadOnly here will force the ReadOnly - setting in VolumeMounts.' + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean targetWWNs: description: 'targetWWNs is Optional: FC target worldwide @@ -2708,26 +2728,27 @@ spec: type: string type: array wwids: - description: 'wwids Optional: FC volume world wide identifiers - (wwids) Either wwids or combination of targetWWNs - and lun must be set, but not both simultaneously.' + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. items: type: string type: array type: object flexVolume: - description: flexVolume represents a generic volume resource - that is provisioned/attached using an exec based plugin. + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. properties: driver: description: driver is the name of the driver to use for this volume. type: string fsType: - description: fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". The default filesystem - depends on FlexVolume script. + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. type: string options: additionalProperties: @@ -2736,22 +2757,23 @@ spec: extra command options if any.' type: object readOnly: - description: 'readOnly is Optional: defaults to false - (read/write). ReadOnly here will force the ReadOnly - setting in VolumeMounts.' + description: |- + readOnly is Optional: defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: 'secretRef is Optional: secretRef is reference - to the secret object containing sensitive information - to pass to the plugin scripts. This may be empty if - no secret object is specified. If the secret object - contains more than one secret, all secrets are passed - to the plugin scripts.' + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -2764,9 +2786,9 @@ spec: control service being running properties: datasetName: - description: datasetName is Name of the dataset stored - as metadata -> name on the dataset for Flocker should - be considered as deprecated + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated type: string datasetUUID: description: datasetUUID is the UUID of the dataset. @@ -2774,54 +2796,55 @@ spec: type: string type: object gcePersistentDisk: - description: 'gcePersistentDisk represents a GCE Disk resource - that is attached to a kubelet''s host machine and then - exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk properties: fsType: - description: 'fsType is filesystem type of the volume - that you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - TODO: how do we prevent errors in the filesystem from - compromising the machine' + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem from compromising the machine type: string partition: - description: 'partition is the partition in the volume - that you want to mount. If omitted, the default is - to mount by volume name. Examples: For volume /dev/sda1, - you specify the partition as "1". Similarly, the volume - partition for /dev/sda is "0" (or you can leave the - property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk format: int32 type: integer pdName: - description: 'pdName is unique name of the PD resource - in GCE. Used to identify the disk in GCE. More info: - https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk type: string readOnly: - description: 'readOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. More info: - https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk type: boolean required: - pdName type: object gitRepo: - description: 'gitRepo represents a git repository at a particular - revision. DEPRECATED: GitRepo is deprecated. To provision - a container with a git repo, mount an EmptyDir into an - InitContainer that clones the repo using git, then mount - the EmptyDir into the Pod''s container.' + description: |- + gitRepo represents a git repository at a particular revision. + DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. properties: directory: - description: directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, - the volume directory will be the git repository. Otherwise, - if specified, the volume will contain the git repository - in the subdirectory with the given name. + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. type: string repository: description: repository is the URL @@ -2834,53 +2857,61 @@ spec: - repository type: object glusterfs: - description: 'glusterfs represents a Glusterfs mount on - the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md' + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md properties: endpoints: - description: 'endpoints is the endpoint name that details - Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + description: |- + endpoints is the endpoint name that details Glusterfs topology. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod type: string path: - description: 'path is the Glusterfs volume path. More - info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod type: string readOnly: - description: 'readOnly here will force the Glusterfs - volume to be mounted with read-only permissions. Defaults - to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod type: boolean required: - endpoints - path type: object hostPath: - description: 'hostPath represents a pre-existing file or - directory on the host machine that is directly exposed - to the container. This is generally used for system agents - or other privileged things that are allowed to see the - host machine. Most containers will NOT need this. More - info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- TODO(jonesdl) We need to restrict who can use host - directory mounts and who can/can not mount host directories - as read/write.' + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- + TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + mount host directories as read/write. properties: path: - description: 'path of the directory on the host. If - the path is a symlink, it will follow the link to - the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + description: |- + path of the directory on the host. + If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath type: string type: - description: 'type for HostPath Volume Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath type: string required: - path type: object iscsi: - description: 'iscsi represents an ISCSI Disk resource that - is attached to a kubelet''s host machine and then exposed - to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://examples.k8s.io/volumes/iscsi/README.md properties: chapAuthDiscovery: description: chapAuthDiscovery defines whether support @@ -2891,59 +2922,59 @@ spec: iSCSI Session CHAP authentication type: boolean fsType: - description: 'fsType is the filesystem type of the volume - that you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - TODO: how do we prevent errors in the filesystem from - compromising the machine' + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem from compromising the machine type: string initiatorName: - description: initiatorName is the custom iSCSI Initiator - Name. If initiatorName is specified with iscsiInterface - simultaneously, new iSCSI interface : will be created for the connection. + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. type: string iqn: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: - description: iscsiInterface is the interface Name that - uses an iSCSI transport. Defaults to 'default' (tcp). + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). type: string lun: description: lun represents iSCSI Target Lun number. format: int32 type: integer portals: - description: portals is the iSCSI Target Portal List. - The portal is either an IP or ip_addr:port if the - port is other than default (typically TCP ports 860 - and 3260). + description: |- + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). items: type: string type: array readOnly: - description: readOnly here will force the ReadOnly setting - in VolumeMounts. Defaults to false. + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. type: boolean secretRef: description: secretRef is the CHAP Secret for iSCSI target and initiator authentication properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic targetPortal: - description: targetPortal is iSCSI Target Portal. The - Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and - 3260). + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). type: string required: - iqn @@ -2951,43 +2982,51 @@ spec: - targetPortal type: object name: - description: 'name of the volume. Must be a DNS_LABEL and - unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string nfs: - description: 'nfs represents an NFS mount on the host that - shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs properties: path: - description: 'path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs type: string readOnly: - description: 'readOnly here will force the NFS export - to be mounted with read-only permissions. Defaults - to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs type: boolean server: - description: 'server is the hostname or IP address of - the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: |- + server is the hostname or IP address of the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs type: string required: - path - server type: object persistentVolumeClaim: - description: 'persistentVolumeClaimVolumeSource represents - a reference to a PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims properties: claimName: - description: 'claimName is the name of a PersistentVolumeClaim - in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims type: string readOnly: - description: readOnly Will force the ReadOnly setting - in VolumeMounts. Default false. + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. type: boolean required: - claimName @@ -2998,10 +3037,10 @@ spec: machine properties: fsType: - description: fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string pdID: description: pdID is the ID that identifies Photon Controller @@ -3015,14 +3054,15 @@ spec: attached and mounted on kubelets host machine properties: fsType: - description: fSType represents the filesystem type to - mount Must be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. type: string readOnly: - description: readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean volumeID: description: volumeID uniquely identifies a Portworx @@ -3036,15 +3076,13 @@ spec: configmaps, and downward API properties: defaultMode: - description: defaultMode are the mode bits used to set - permissions on created files by default. Must be an - octal value between 0000 and 0777 or a decimal value - between 0 and 511. YAML accepts both octal and decimal - values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this - setting. This might be in conflict with other options - that affect the file mode, like fsGroup, and the result - can be other mode bits set. + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer sources: @@ -3054,57 +3092,48 @@ spec: with other supported volume types properties: clusterTrustBundle: - description: "ClusterTrustBundle allows a pod - to access the `.spec.trustBundle` field of ClusterTrustBundle - objects in an auto-updating file. \n Alpha, - gated by the ClusterTrustBundleProjection feature - gate. \n ClusterTrustBundle objects can either - be selected by name, or by the combination of - signer name and a label selector. \n Kubelet - performs aggressive normalization of the PEM - contents written into the pod filesystem. Esoteric - PEM features such as inter-block comments and - block headers are stripped. Certificates are - deduplicated. The ordering of certificates within - the file is arbitrary, and Kubelet may change - the order over time." + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + Alpha, gated by the ClusterTrustBundleProjection feature gate. + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. properties: labelSelector: - description: Select all ClusterTrustBundles - that match this label selector. Only has - effect if signerName is set. Mutually-exclusive - with name. If unset, interpreted as "match - nothing". If set but empty, interpreted - as "match everything". + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -3117,39 +3146,35 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic name: - description: Select a single ClusterTrustBundle - by object name. Mutually-exclusive with - signerName and labelSelector. + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. type: string optional: - description: If true, don't block pod startup - if the referenced ClusterTrustBundle(s) - aren't available. If using name, then the - named ClusterTrustBundle is allowed not - to exist. If using signerName, then the - combination of signerName and labelSelector - is allowed to match zero ClusterTrustBundles. + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. type: boolean path: description: Relative path from the volume root to write the bundle. type: string signerName: - description: Select all ClusterTrustBundles - that match this signer name. Mutually-exclusive - with name. The contents of all selected - ClusterTrustBundles will be unified and - deduplicated. + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. type: string required: - path @@ -3159,18 +3184,14 @@ spec: data to project properties: items: - description: items if unspecified, each key-value - pair in the Data field of the referenced - ConfigMap will be projected into the volume - as a file whose name is the key and content - is the value. If specified, the listed keys - will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the ConfigMap, the volume setup will - error unless it is marked optional. Paths - must be relative and may not contain the - '..' path or start with '..'. + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -3179,26 +3200,21 @@ spec: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode - bits used to set permissions on this - file. Must be an octal value between - 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal - and decimal values, JSON requires - decimal values for mode bits. If not - specified, the volume defaultMode - will be used. This might be in conflict - with other options that affect the - file mode, like fsGroup, and the result - can be other mode bits set.' + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: - description: path is the relative path - of the file to map the key to. May - not be an absolute path. May not contain - the path element '..'. May not start - with the string '..'. + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. type: string required: - key @@ -3206,10 +3222,10 @@ spec: type: object type: array name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: optional specify whether the @@ -3248,18 +3264,13 @@ spec: type: object x-kubernetes-map-type: atomic mode: - description: 'Optional: mode bits used - to set permissions on this file, must - be an octal value between 0000 and - 0777 or a decimal value between 0 - and 511. YAML accepts both octal and - decimal values, JSON requires decimal - values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: @@ -3271,11 +3282,9 @@ spec: path must not start with ''..''' type: string resourceFieldRef: - description: 'Selects a resource of - the container: only resources limits - and requests (limits.cpu, limits.memory, - requests.cpu and requests.memory) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. properties: containerName: description: 'Container name: required @@ -3309,18 +3318,14 @@ spec: data to project properties: items: - description: items if unspecified, each key-value - pair in the Data field of the referenced - Secret will be projected into the volume - as a file whose name is the key and content - is the value. If specified, the listed keys - will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the Secret, the volume setup will error - unless it is marked optional. Paths must - be relative and may not contain the '..' - path or start with '..'. + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -3329,26 +3334,21 @@ spec: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode - bits used to set permissions on this - file. Must be an octal value between - 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal - and decimal values, JSON requires - decimal values for mode bits. If not - specified, the volume defaultMode - will be used. This might be in conflict - with other options that affect the - file mode, like fsGroup, and the result - can be other mode bits set.' + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: - description: path is the relative path - of the file to map the key to. May - not be an absolute path. May not contain - the path element '..'. May not start - with the string '..'. + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. type: string required: - key @@ -3356,10 +3356,10 @@ spec: type: object type: array name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: optional field specify whether @@ -3372,29 +3372,25 @@ spec: about the serviceAccountToken data to project properties: audience: - description: audience is the intended audience - of the token. A recipient of a token must - identify itself with an identifier specified - in the audience of the token, and otherwise - should reject the token. The audience defaults - to the identifier of the apiserver. + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. type: string expirationSeconds: - description: expirationSeconds is the requested - duration of validity of the service account - token. As the token approaches expiration, - the kubelet volume plugin will proactively - rotate the service account token. The kubelet - will start trying to rotate the token if - the token is older than 80 percent of its - time to live or if the token is older than - 24 hours.Defaults to 1 hour and must be - at least 10 minutes. + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. format: int64 type: integer path: - description: path is the path relative to - the mount point of the file to project the + description: |- + path is the path relative to the mount point of the file to project the token into. type: string required: @@ -3408,28 +3404,30 @@ spec: that shares a pod's lifetime properties: group: - description: group to map volume access to Default is - no group + description: |- + group to map volume access to + Default is no group type: string readOnly: - description: readOnly here will force the Quobyte volume - to be mounted with read-only permissions. Defaults - to false. + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. type: boolean registry: - description: registry represents a single or multiple - Quobyte Registry services specified as a string as - host:port pair (multiple entries are separated with - commas) which acts as the central registry for volumes + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes type: string tenant: - description: tenant owning the given Quobyte volume - in the Backend Used with dynamically provisioned Quobyte - volumes, value is set by the plugin + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin type: string user: - description: user to map volume access to Defaults to - serivceaccount user + description: |- + user to map volume access to + Defaults to serivceaccount user type: string volume: description: volume is a string that references an already @@ -3440,57 +3438,68 @@ spec: - volume type: object rbd: - description: 'rbd represents a Rados Block Device mount - on the host that shares a pod''s lifetime. More info: - https://examples.k8s.io/volumes/rbd/README.md' + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md properties: fsType: - description: 'fsType is the filesystem type of the volume - that you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - TODO: how do we prevent errors in the filesystem from - compromising the machine' + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem from compromising the machine type: string image: - description: 'image is the rados image name. More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: - description: 'keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string monitors: - description: 'monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it items: type: string type: array pool: - description: 'pool is the rados pool name. Default is - rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string readOnly: - description: 'readOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: boolean secretRef: - description: 'secretRef is name of the authentication - secret for RBDUser. If provided overrides keyring. - Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic user: - description: 'user is the rados user name. Default is - admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string required: - image @@ -3501,9 +3510,11 @@ spec: attached and mounted on Kubernetes nodes. properties: fsType: - description: fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Default is "xfs". + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". type: string gateway: description: gateway is the host address of the ScaleIO @@ -3514,18 +3525,20 @@ spec: Protection Domain for the configured storage. type: string readOnly: - description: readOnly Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: secretRef references to the secret for - ScaleIO user and other sensitive information. If this - is not provided, Login operation will fail. + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -3534,8 +3547,8 @@ spec: with Gateway, default false type: boolean storageMode: - description: storageMode indicates whether the storage - for a volume should be ThickProvisioned or ThinProvisioned. + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. type: string storagePool: @@ -3547,9 +3560,9 @@ spec: as configured in ScaleIO. type: string volumeName: - description: volumeName is the name of a volume already - created in the ScaleIO system that is associated with - this volume source. + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. type: string required: - gateway @@ -3557,33 +3570,30 @@ spec: - system type: object secret: - description: 'secret represents a secret that should populate - this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret properties: defaultMode: - description: 'defaultMode is Optional: mode bits used - to set permissions on created files by default. Must - be an octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal values for mode - bits. Defaults to 0644. Directories within the path - are not affected by this setting. This might be in - conflict with other options that affect the file mode, - like fsGroup, and the result can be other mode bits - set.' + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer items: - description: items If unspecified, each key-value pair - in the Data field of the referenced Secret will be - projected into the volume as a file whose name is - the key and content is the value. If specified, the - listed keys will be projected into the specified paths, - and unlisted keys will not be present. If a key is - specified which is not present in the Secret, the - volume setup will error unless it is marked optional. - Paths must be relative and may not contain the '..' - path or start with '..'. + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -3592,22 +3602,20 @@ spec: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode bits used - to set permissions on this file. Must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal - and decimal values, JSON requires decimal values - for mode bits. If not specified, the volume - defaultMode will be used. This might be in conflict - with other options that affect the file mode, - like fsGroup, and the result can be other mode - bits set.' + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: - description: path is the relative path of the - file to map the key to. May not be an absolute - path. May not contain the path element '..'. + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. May not start with the string '..'. type: string required: @@ -3620,8 +3628,9 @@ spec: or its keys must be defined type: boolean secretName: - description: 'secretName is the name of the secret in - the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: |- + secretName is the name of the secret in the pod's namespace to use. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret type: string type: object storageos: @@ -3629,42 +3638,42 @@ spec: and mounted on Kubernetes nodes. properties: fsType: - description: fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string readOnly: - description: readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: secretRef specifies the secret to use for - obtaining the StorageOS API credentials. If not specified, - default values will be attempted. + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic volumeName: - description: volumeName is the human-readable name of - the StorageOS volume. Volume names are only unique - within a namespace. + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. type: string volumeNamespace: - description: volumeNamespace specifies the scope of - the volume within StorageOS. If no namespace is specified - then the Pod's namespace will be used. This allows - the Kubernetes name scoping to be mirrored within - StorageOS for tighter integration. Set VolumeName - to any name to override the default behaviour. Set - to "default" if you are not using namespaces within - StorageOS. Namespaces that do not pre-exist within - StorageOS will be created. + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. type: string type: object vsphereVolume: @@ -3672,10 +3681,10 @@ spec: and mounted on kubelets host machine properties: fsType: - description: fsType is filesystem type to mount. Must - be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string storagePolicyID: description: storagePolicyID is the storage Policy Based @@ -3697,56 +3706,60 @@ spec: type: object type: array logLevel: - description: LogLevel sets the log level for Envoy. Allowed values - are "trace", "debug", "info", "warn", "error", "critical", "off". + description: |- + LogLevel sets the log level for Envoy. + Allowed values are "trace", "debug", "info", "warn", "error", "critical", "off". type: string networkPublishing: description: NetworkPublishing defines how to expose Envoy to a network. properties: externalTrafficPolicy: - description: "ExternalTrafficPolicy describes how nodes distribute - service traffic they receive on one of the Service's \"externally-facing\" - addresses (NodePorts, ExternalIPs, and LoadBalancer IPs). - \n If unset, defaults to \"Local\"." + description: |- + ExternalTrafficPolicy describes how nodes distribute service traffic they + receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs, + and LoadBalancer IPs). + If unset, defaults to "Local". type: string ipFamilyPolicy: - description: IPFamilyPolicy represents the dual-stack-ness - requested or required by this Service. If there is no value - provided, then this field will be set to SingleStack. Services - can be "SingleStack" (a single IP family), "PreferDualStack" - (two IP families on dual-stack configured clusters or a - single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise - fail). + description: |- + IPFamilyPolicy represents the dual-stack-ness requested or required by + this Service. If there is no value provided, then this field will be set + to SingleStack. Services can be "SingleStack" (a single IP family), + "PreferDualStack" (two IP families on dual-stack configured clusters or + a single IP family on single-stack clusters), or "RequireDualStack" + (two IP families on dual-stack configured clusters, otherwise fail). type: string serviceAnnotations: additionalProperties: type: string - description: ServiceAnnotations is the annotations to add - to the provisioned Envoy service. + description: |- + ServiceAnnotations is the annotations to add to + the provisioned Envoy service. type: object type: - description: "NetworkPublishingType is the type of publishing - strategy to use. Valid values are: \n * LoadBalancerService - \n In this configuration, network endpoints for Envoy use - container networking. A Kubernetes LoadBalancer Service - is created to publish Envoy network endpoints. \n See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer - \n * NodePortService \n Publishes Envoy network endpoints - using a Kubernetes NodePort Service. \n In this configuration, - Envoy network endpoints use container networking. A Kubernetes + description: |- + NetworkPublishingType is the type of publishing strategy to use. Valid values are: + * LoadBalancerService + In this configuration, network endpoints for Envoy use container networking. + A Kubernetes LoadBalancer Service is created to publish Envoy network + endpoints. + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + * NodePortService + Publishes Envoy network endpoints using a Kubernetes NodePort Service. + In this configuration, Envoy network endpoints use container networking. A Kubernetes NodePort Service is created to publish the network endpoints. - \n See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport - \n NOTE: When provisioning an Envoy `NodePortService`, use - Gateway Listeners' port numbers to populate the Service's - node port values, there's no way to auto-allocate them. - \n See: https://github.com/projectcontour/contour/issues/4499 - \n * ClusterIPService \n Publishes Envoy network endpoints - using a Kubernetes ClusterIP Service. \n In this configuration, - Envoy network endpoints use container networking. A Kubernetes + See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport + NOTE: + When provisioning an Envoy `NodePortService`, use Gateway Listeners' port numbers to populate + the Service's node port values, there's no way to auto-allocate them. + See: https://github.com/projectcontour/contour/issues/4499 + * ClusterIPService + Publishes Envoy network endpoints using a Kubernetes ClusterIP Service. + In this configuration, Envoy network endpoints use container networking. A Kubernetes ClusterIP Service is created to publish the network endpoints. - \n See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - \n If unset, defaults to LoadBalancerService." + See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + If unset, defaults to LoadBalancerService. type: string type: object nodePlacement: @@ -3756,104 +3769,107 @@ spec: nodeSelector: additionalProperties: type: string - description: "NodeSelector is the simplest recommended form - of node selection constraint and specifies a map of key-value - pairs. For the pod to be eligible to run on a node, the - node must have each of the indicated key-value pairs as - labels (it can have additional labels as well). \n If unset, - the pod(s) will be scheduled to any available node." + description: |- + NodeSelector is the simplest recommended form of node selection constraint + and specifies a map of key-value pairs. For the pod to be eligible + to run on a node, the node must have each of the indicated key-value pairs + as labels (it can have additional labels as well). + If unset, the pod(s) will be scheduled to any available node. type: object tolerations: - description: "Tolerations work with taints to ensure that - pods are not scheduled onto inappropriate nodes. One or - more taints are applied to a node; this marks that the node - should not accept any pods that do not tolerate the taints. - \n The default is an empty list. \n See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - for additional details." + description: |- + Tolerations work with taints to ensure that pods are not scheduled + onto inappropriate nodes. One or more taints are applied to a node; this + marks that the node should not accept any pods that do not tolerate the + taints. + The default is an empty list. + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for additional details. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule and - NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If the - key is empty, operator must be Exists; this combination - means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints of - a particular category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the - taint forever (do not evict). Zero and negative values - will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value should - be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object overloadMaxHeapSize: - description: 'OverloadMaxHeapSize defines the maximum heap memory - of the envoy controlled by the overload manager. When the value - is greater than 0, the overload manager is enabled, and when - envoy reaches 95% of the maximum heap size, it performs a shrink - heap operation, When it reaches 98% of the maximum heap size, - Envoy Will stop accepting requests. More info: https://projectcontour.io/docs/main/config/overload-manager/' + description: |- + OverloadMaxHeapSize defines the maximum heap memory of the envoy controlled by the overload manager. + When the value is greater than 0, the overload manager is enabled, + and when envoy reaches 95% of the maximum heap size, it performs a shrink heap operation, + When it reaches 98% of the maximum heap size, Envoy Will stop accepting requests. + More info: https://projectcontour.io/docs/main/config/overload-manager/ format: int64 type: integer podAnnotations: additionalProperties: type: string - description: PodAnnotations defines annotations to add to the - Envoy pods. the annotations for Prometheus will be appended - or overwritten with predefined value. + description: |- + PodAnnotations defines annotations to add to the Envoy pods. + the annotations for Prometheus will be appended or overwritten with predefined value. type: object replicas: - description: "Deprecated: Use `DeploymentSettings.Replicas` instead. - \n Replicas is the desired number of Envoy replicas. If WorkloadType - is not \"Deployment\", this field is ignored. Otherwise, if - unset, defaults to 2. \n if both `DeploymentSettings.Replicas` - and this one is set, use `DeploymentSettings.Replicas`." + description: |- + Deprecated: Use `DeploymentSettings.Replicas` instead. + Replicas is the desired number of Envoy replicas. If WorkloadType + is not "Deployment", this field is ignored. Otherwise, if unset, + defaults to 2. + if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`. format: int32 minimum: 0 type: integer resources: - description: 'Compute Resources required by envoy container. Cannot - be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Compute Resources required by envoy container. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name @@ -3869,8 +3885,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -3879,15 +3896,16 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object workloadType: - description: WorkloadType is the type of workload to install Envoy + description: |- + WorkloadType is the type of workload to install Envoy as. Choices are DaemonSet and Deployment. If unset, defaults to DaemonSet. type: string @@ -3895,41 +3913,49 @@ spec: resourceLabels: additionalProperties: type: string - description: "ResourceLabels is a set of labels to add to the provisioned - Contour resources. \n Deprecated: use Gateway.Spec.Infrastructure.Labels - instead. This field will be removed in a future release." + description: |- + ResourceLabels is a set of labels to add to the provisioned Contour resources. + Deprecated: use Gateway.Spec.Infrastructure.Labels instead. This field will be + removed in a future release. type: object runtimeSettings: - description: RuntimeSettings is a ContourConfiguration spec to be - used when provisioning a Contour instance that will influence aspects - of the Contour instance's runtime behavior. + description: |- + RuntimeSettings is a ContourConfiguration spec to be used when + provisioning a Contour instance that will influence aspects of + the Contour instance's runtime behavior. properties: debug: - description: Debug contains parameters to enable debug logging + description: |- + Debug contains parameters to enable debug logging and debug interfaces inside Contour. properties: address: - description: "Defines the Contour debug address interface. - \n Contour's default is \"127.0.0.1\"." + description: |- + Defines the Contour debug address interface. + Contour's default is "127.0.0.1". type: string port: - description: "Defines the Contour debug address port. \n Contour's - default is 6060." + description: |- + Defines the Contour debug address port. + Contour's default is 6060. type: integer type: object enableExternalNameService: - description: "EnableExternalNameService allows processing of ExternalNameServices - \n Contour's default is false for security reasons." + description: |- + EnableExternalNameService allows processing of ExternalNameServices + Contour's default is false for security reasons. type: boolean envoy: - description: Envoy contains parameters for Envoy as well as how - to optionally configure a managed Envoy fleet. + description: |- + Envoy contains parameters for Envoy as well + as how to optionally configure a managed Envoy fleet. properties: clientCertificate: - description: ClientCertificate defines the namespace/name - of the Kubernetes secret containing the client certificate - and private key to be used when establishing TLS connection - to upstream cluster. + description: |- + ClientCertificate defines the namespace/name of the Kubernetes + secret containing the client certificate and private key + to be used when establishing TLS connection to upstream + cluster. properties: name: type: string @@ -3940,13 +3966,14 @@ spec: - namespace type: object cluster: - description: Cluster holds various configurable Envoy cluster - values that can be set in the config file. + description: |- + Cluster holds various configurable Envoy cluster values that can + be set in the config file. properties: circuitBreakers: - description: GlobalCircuitBreakerDefaults specifies default - circuit breaker budget across all services. If defined, - this will be used as the default for all services. + description: |- + GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services. + If defined, this will be used as the default for all services. properties: maxConnections: description: The maximum number of connections that @@ -3974,35 +4001,35 @@ spec: type: integer type: object dnsLookupFamily: - description: "DNSLookupFamily defines how external names - are looked up When configured as V4, the DNS resolver - will only perform a lookup for addresses in the IPv4 - family. If V6 is configured, the DNS resolver will only - perform a lookup for addresses in the IPv6 family. If - AUTO is configured, the DNS resolver will first perform - a lookup for addresses in the IPv6 family and fallback - to a lookup for addresses in the IPv4 family. If ALL - is specified, the DNS resolver will perform a lookup - for both IPv4 and IPv6 families, and return all resolved - addresses. When this is used, Happy Eyeballs will be - enabled for upstream connections. Refer to Happy Eyeballs - Support for more information. Note: This only applies - to externalName clusters. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily - for more information. \n Values: `auto` (default), `v4`, - `v6`, `all`. \n Other values will produce an error." + description: |- + DNSLookupFamily defines how external names are looked up + When configured as V4, the DNS resolver will only perform a lookup + for addresses in the IPv4 family. If V6 is configured, the DNS resolver + will only perform a lookup for addresses in the IPv6 family. + If AUTO is configured, the DNS resolver will first perform a lookup + for addresses in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for + both IPv4 and IPv6 families, and return all resolved addresses. + When this is used, Happy Eyeballs will be enabled for upstream connections. + Refer to Happy Eyeballs Support for more information. + Note: This only applies to externalName clusters. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. + Values: `auto` (default), `v4`, `v6`, `all`. + Other values will produce an error. type: string maxRequestsPerConnection: - description: Defines the maximum requests for upstream - connections. If not specified, there is no limit. see - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + description: |- + Defines the maximum requests for upstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions for more information. format: int32 minimum: 1 type: integer per-connection-buffer-limit-bytes: - description: Defines the soft limit on size of the cluster’s - new connection read and write buffers in bytes. If unspecified, - an implementation defined default is applied (1MiB). + description: |- + Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes for more information. format: int32 @@ -4013,64 +4040,73 @@ spec: for upstream connections properties: cipherSuites: - description: "CipherSuites defines the TLS ciphers - to be supported by Envoy TLS listeners when negotiating - TLS 1.2. Ciphers are validated against the set that - Envoy supports by default. This parameter should - only be used by advanced users. Note that these - will be ignored when TLS 1.3 is in use. \n This - field is optional; when it is undefined, a Contour-managed - ciphersuite list will be used, which may be updated - to keep it secure. \n Contour's default list is: - - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" - \n Ciphers provided are validated against the following - list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" - - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" - - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" - - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - - \"AES256-SHA\" \n Contour recommends leaving this - undefined unless you are sure you must. \n See: - https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters - Note: This list is a superset of what is valid for - stock Envoy builds and those using BoringSSL FIPS." + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. items: type: string type: array maximumProtocolVersion: - description: "MaximumProtocolVersion is the maximum - TLS version this vhost should negotiate. \n Values: - `1.2`, `1.3`(default). \n Other values will produce - an error." + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. type: string minimumProtocolVersion: - description: "MinimumProtocolVersion is the minimum - TLS version this vhost should negotiate. \n Values: - `1.2` (default), `1.3`. \n Other values will produce - an error." + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. type: string type: object type: object defaultHTTPVersions: - description: "DefaultHTTPVersions defines the default set - of HTTPS versions the proxy should accept. HTTP versions - are strings of the form \"HTTP/xx\". Supported versions - are \"HTTP/1.1\" and \"HTTP/2\". \n Values: `HTTP/1.1`, - `HTTP/2` (default: both). \n Other values will produce an - error." + description: |- + DefaultHTTPVersions defines the default set of HTTPS + versions the proxy should accept. HTTP versions are + strings of the form "HTTP/xx". Supported versions are + "HTTP/1.1" and "HTTP/2". + Values: `HTTP/1.1`, `HTTP/2` (default: both). + Other values will produce an error. items: description: HTTPVersionType is the name of a supported HTTP version. type: string type: array health: - description: "Health defines the endpoint Envoy uses to serve - health checks. \n Contour's default is { address: \"0.0.0.0\", - port: 8002 }." + description: |- + Health defines the endpoint Envoy uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8002 }. properties: address: description: Defines the health address interface. @@ -4081,9 +4117,9 @@ spec: type: integer type: object http: - description: "Defines the HTTP Listener for Envoy. \n Contour's - default is { address: \"0.0.0.0\", port: 8080, accessLog: - \"/dev/stdout\" }." + description: |- + Defines the HTTP Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }. properties: accessLog: description: AccessLog defines where Envoy logs are outputted @@ -4098,9 +4134,9 @@ spec: type: integer type: object https: - description: "Defines the HTTPS Listener for Envoy. \n Contour's - default is { address: \"0.0.0.0\", port: 8443, accessLog: - \"/dev/stdout\" }." + description: |- + Defines the HTTPS Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }. properties: accessLog: description: AccessLog defines where Envoy logs are outputted @@ -4119,111 +4155,103 @@ spec: values. properties: connectionBalancer: - description: "ConnectionBalancer. If the value is exact, - the listener will use the exact connection balancer + description: |- + ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig - for more information. \n Values: (empty string): use - the default ConnectionBalancer, `exact`: use the Exact - ConnectionBalancer. \n Other values will produce an - error." + for more information. + Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. + Other values will produce an error. type: string disableAllowChunkedLength: - description: "DisableAllowChunkedLength disables the RFC-compliant - Envoy behavior to strip the \"Content-Length\" header - if \"Transfer-Encoding: chunked\" is also set. This - is an emergency off-switch to revert back to Envoy's - default behavior in case of failures. Please file an - issue if failures are encountered. See: https://github.com/projectcontour/contour/issues/3221 - \n Contour's default is false." + description: |- + DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to + strip the "Content-Length" header if "Transfer-Encoding: chunked" is + also set. This is an emergency off-switch to revert back to Envoy's + default behavior in case of failures. Please file an issue if failures + are encountered. + See: https://github.com/projectcontour/contour/issues/3221 + Contour's default is false. type: boolean disableMergeSlashes: - description: "DisableMergeSlashes disables Envoy's non-standard - merge_slashes path transformation option which strips - duplicate slashes from request URL paths. \n Contour's - default is false." + description: |- + DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option + which strips duplicate slashes from request URL paths. + Contour's default is false. type: boolean httpMaxConcurrentStreams: - description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS - Envoy will advertise in the SETTINGS frame in HTTP/2 - connections and the limit for concurrent streams allowed - for a peer on a single HTTP/2 connection. It is recommended - to not set this lower than 100 but this field can be - used to bound resource usage by HTTP/2 connections and - mitigate attacks like CVE-2023-44487. The default value - when this is not set is unlimited. + description: |- + Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the + SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed + for a peer on a single HTTP/2 connection. It is recommended to not set this lower + than 100 but this field can be used to bound resource usage by HTTP/2 connections + and mitigate attacks like CVE-2023-44487. The default value when this is not set is + unlimited. format: int32 minimum: 1 type: integer maxConnectionsPerListener: - description: Defines the limit on number of active connections - to a listener. The limit is applied per listener. The - default value when this is not set is unlimited. + description: |- + Defines the limit on number of active connections to a listener. The limit is applied + per listener. The default value when this is not set is unlimited. format: int32 minimum: 1 type: integer maxRequestsPerConnection: - description: Defines the maximum requests for downstream - connections. If not specified, there is no limit. see - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + description: |- + Defines the maximum requests for downstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions for more information. format: int32 minimum: 1 type: integer maxRequestsPerIOCycle: - description: Defines the limit on number of HTTP requests - that Envoy will process from a single connection in - a single I/O cycle. Requests over this limit are processed - in subsequent I/O cycles. Can be used as a mitigation - for CVE-2023-44487 when abusive traffic is detected. - Configures the http.max_requests_per_io_cycle Envoy - runtime setting. The default value when this is not - set is no limit. + description: |- + Defines the limit on number of HTTP requests that Envoy will process from a single + connection in a single I/O cycle. Requests over this limit are processed in subsequent + I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is + detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default + value when this is not set is no limit. format: int32 minimum: 1 type: integer per-connection-buffer-limit-bytes: - description: Defines the soft limit on size of the listener’s - new connection read and write buffers in bytes. If unspecified, - an implementation defined default is applied (1MiB). + description: |- + Defines the soft limit on size of the listener’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes for more information. format: int32 minimum: 1 type: integer serverHeaderTransformation: - description: "Defines the action to be applied to the - Server header on the response path. When configured - as overwrite, overwrites any Server header with \"envoy\". - When configured as append_if_absent, if a Server header - is present, pass it through, otherwise set it to \"envoy\". - When configured as pass_through, pass through the value - of the Server header, and do not append a header if - none is present. \n Values: `overwrite` (default), `append_if_absent`, - `pass_through` \n Other values will produce an error. - Contour's default is overwrite." + description: |- + Defines the action to be applied to the Server header on the response path. + When configured as overwrite, overwrites any Server header with "envoy". + When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy". + When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. + Values: `overwrite` (default), `append_if_absent`, `pass_through` + Other values will produce an error. + Contour's default is overwrite. type: string socketOptions: - description: SocketOptions defines configurable socket - options for the listeners. Single set of options are - applied to all listeners. + description: |- + SocketOptions defines configurable socket options for the listeners. + Single set of options are applied to all listeners. properties: tos: - description: Defines the value for IPv4 TOS field - (including 6 bit DSCP field) for IP packets originating - from Envoy listeners. Single value is applied to - all listeners. If listeners are bound to IPv6-only - addresses, setting this option will cause an error. + description: |- + Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv6-only addresses, setting this option will cause an error. format: int32 maximum: 255 minimum: 0 type: integer trafficClass: - description: Defines the value for IPv6 Traffic Class - field (including 6 bit DSCP field) for IP packets - originating from the Envoy listeners. Single value - is applied to all listeners. If listeners are bound - to IPv4-only addresses, setting this option will - cause an error. + description: |- + Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv4-only addresses, setting this option will cause an error. format: int32 maximum: 255 minimum: 0 @@ -4234,84 +4262,93 @@ spec: listener values. properties: cipherSuites: - description: "CipherSuites defines the TLS ciphers - to be supported by Envoy TLS listeners when negotiating - TLS 1.2. Ciphers are validated against the set that - Envoy supports by default. This parameter should - only be used by advanced users. Note that these - will be ignored when TLS 1.3 is in use. \n This - field is optional; when it is undefined, a Contour-managed - ciphersuite list will be used, which may be updated - to keep it secure. \n Contour's default list is: - - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" - \n Ciphers provided are validated against the following - list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" - - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" - - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" - - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - - \"AES256-SHA\" \n Contour recommends leaving this - undefined unless you are sure you must. \n See: - https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters - Note: This list is a superset of what is valid for - stock Envoy builds and those using BoringSSL FIPS." + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. items: type: string type: array maximumProtocolVersion: - description: "MaximumProtocolVersion is the maximum - TLS version this vhost should negotiate. \n Values: - `1.2`, `1.3`(default). \n Other values will produce - an error." + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. type: string minimumProtocolVersion: - description: "MinimumProtocolVersion is the minimum - TLS version this vhost should negotiate. \n Values: - `1.2` (default), `1.3`. \n Other values will produce - an error." + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. type: string type: object useProxyProtocol: - description: "Use PROXY protocol for all listeners. \n - Contour's default is false." + description: |- + Use PROXY protocol for all listeners. + Contour's default is false. type: boolean type: object logging: description: Logging defines how Envoy's logs can be configured. properties: accessLogFormat: - description: "AccessLogFormat sets the global access log - format. \n Values: `envoy` (default), `json`. \n Other - values will produce an error." + description: |- + AccessLogFormat sets the global access log format. + Values: `envoy` (default), `json`. + Other values will produce an error. type: string accessLogFormatString: - description: AccessLogFormatString sets the access log - format when format is set to `envoy`. When empty, Envoy's - default format is used. + description: |- + AccessLogFormatString sets the access log format when format is set to `envoy`. + When empty, Envoy's default format is used. type: string accessLogJSONFields: - description: AccessLogJSONFields sets the fields that - JSON logging will output when AccessLogFormat is json. + description: |- + AccessLogJSONFields sets the fields that JSON logging will + output when AccessLogFormat is json. items: type: string type: array accessLogLevel: - description: "AccessLogLevel sets the verbosity level - of the access log. \n Values: `info` (default, all requests - are logged), `error` (all non-success requests, i.e. - 300+ response code, are logged), `critical` (all 5xx - requests are logged) and `disabled`. \n Other values - will produce an error." + description: |- + AccessLogLevel sets the verbosity level of the access log. + Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`. + Other values will produce an error. type: string type: object metrics: - description: "Metrics defines the endpoint Envoy uses to serve - metrics. \n Contour's default is { address: \"0.0.0.0\", - port: 8002 }." + description: |- + Metrics defines the endpoint Envoy uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8002 }. properties: address: description: Defines the metrics address interface. @@ -4322,9 +4359,9 @@ spec: description: Defines the metrics port. type: integer tls: - description: TLS holds TLS file config details. Metrics - and health endpoints cannot have same port number when - metrics is served over HTTPS. + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. properties: caFile: description: CA filename. @@ -4342,24 +4379,26 @@ spec: values. properties: adminPort: - description: "Configure the port used to access the Envoy - Admin interface. If configured to port \"0\" then the - admin interface is disabled. \n Contour's default is - 9001." + description: |- + Configure the port used to access the Envoy Admin interface. + If configured to port "0" then the admin interface is disabled. + Contour's default is 9001. type: integer numTrustedHops: - description: "XffNumTrustedHops defines the number of - additional ingress proxy hops from the right side of - the x-forwarded-for HTTP header to trust when determining - the origin client’s IP address. \n See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops - for more information. \n Contour's default is 0." + description: |- + XffNumTrustedHops defines the number of additional ingress proxy hops from the + right side of the x-forwarded-for HTTP header to trust when determining the origin + client’s IP address. + See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops + for more information. + Contour's default is 0. format: int32 type: integer type: object service: - description: "Service holds Envoy service parameters for setting - Ingress status. \n Contour's default is { namespace: \"projectcontour\", - name: \"envoy\" }." + description: |- + Service holds Envoy service parameters for setting Ingress status. + Contour's default is { namespace: "projectcontour", name: "envoy" }. properties: name: type: string @@ -4370,95 +4409,100 @@ spec: - namespace type: object timeouts: - description: Timeouts holds various configurable timeouts - that can be set in the config file. + description: |- + Timeouts holds various configurable timeouts that can + be set in the config file. properties: connectTimeout: - description: "ConnectTimeout defines how long the proxy - should wait when establishing connection to upstream - service. If not set, a default value of 2 seconds will - be used. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout - for more information." + description: |- + ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. + If not set, a default value of 2 seconds will be used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout + for more information. type: string connectionIdleTimeout: - description: "ConnectionIdleTimeout defines how long the - proxy should wait while there are no active requests - (for HTTP/1.1) or streams (for HTTP/2) before terminating - an HTTP connection. Set to \"infinity\" to disable the - timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout - for more information." + description: |- + ConnectionIdleTimeout defines how long the proxy should wait while there are + no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating + an HTTP connection. Set to "infinity" to disable the timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout + for more information. type: string connectionShutdownGracePeriod: - description: "ConnectionShutdownGracePeriod defines how - long the proxy will wait between sending an initial - GOAWAY frame and a second, final GOAWAY frame when terminating - an HTTP/2 connection. During this grace period, the - proxy will continue to respond to new streams. After - the final GOAWAY frame has been sent, the proxy will - refuse new streams. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout - for more information." + description: |- + ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an + initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection. + During this grace period, the proxy will continue to respond to new streams. After the final + GOAWAY frame has been sent, the proxy will refuse new streams. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout + for more information. type: string delayedCloseTimeout: - description: "DelayedCloseTimeout defines how long envoy - will wait, once connection close processing has been - initiated, for the downstream peer to close the connection - before Envoy closes the socket associated with the connection. - \n Setting this timeout to 'infinity' will disable it, - equivalent to setting it to '0' in Envoy. Leaving it - unset will result in the Envoy default value being used. - \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout - for more information." + description: |- + DelayedCloseTimeout defines how long envoy will wait, once connection + close processing has been initiated, for the downstream peer to close + the connection before Envoy closes the socket associated with the connection. + Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0' + in Envoy. Leaving it unset will result in the Envoy default value being used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout + for more information. type: string maxConnectionDuration: - description: "MaxConnectionDuration defines the maximum - period of time after an HTTP connection has been established - from the client to the proxy before it is closed by - the proxy, regardless of whether there has been activity - or not. Omit or set to \"infinity\" for no max duration. - \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration - for more information." + description: |- + MaxConnectionDuration defines the maximum period of time after an HTTP connection + has been established from the client to the proxy before it is closed by the proxy, + regardless of whether there has been activity or not. Omit or set to "infinity" for + no max duration. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration + for more information. type: string requestTimeout: - description: "RequestTimeout sets the client request timeout - globally for Contour. Note that this is a timeout for - the entire request, not an idle timeout. Omit or set - to \"infinity\" to disable the timeout entirely. \n + description: |- + RequestTimeout sets the client request timeout globally for Contour. Note that + this is a timeout for the entire request, not an idle timeout. Omit or set to + "infinity" to disable the timeout entirely. See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout - for more information." + for more information. type: string streamIdleTimeout: - description: "StreamIdleTimeout defines how long the proxy - should wait while there is no request activity (for - HTTP/1.1) or stream activity (for HTTP/2) before terminating - the HTTP request or stream. Set to \"infinity\" to disable - the timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout - for more information." + description: |- + StreamIdleTimeout defines how long the proxy should wait while there is no + request activity (for HTTP/1.1) or stream activity (for HTTP/2) before + terminating the HTTP request or stream. Set to "infinity" to disable the + timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout + for more information. type: string type: object type: object featureFlags: - description: 'FeatureFlags defines toggle to enable new contour - features. Available toggles are: useEndpointSlices - configures - contour to fetch endpoint data from k8s endpoint slices. defaults - to false and reading endpoint data from the k8s endpoints.' + description: |- + FeatureFlags defines toggle to enable new contour features. + Available toggles are: + useEndpointSlices - configures contour to fetch endpoint data + from k8s endpoint slices. defaults to false and reading endpoint + data from the k8s endpoints. items: type: string type: array gateway: - description: Gateway contains parameters for the gateway-api Gateway - that Contour is configured to serve traffic. + description: |- + Gateway contains parameters for the gateway-api Gateway that Contour + is configured to serve traffic. properties: controllerName: - description: ControllerName is used to determine whether Contour - should reconcile a GatewayClass. The string takes the form - of "projectcontour.io//contour". If unset, the - gatewayclass controller will not be started. Exactly one - of ControllerName or GatewayRef must be set. + description: |- + ControllerName is used to determine whether Contour should reconcile a + GatewayClass. The string takes the form of "projectcontour.io//contour". + If unset, the gatewayclass controller will not be started. + Exactly one of ControllerName or GatewayRef must be set. type: string gatewayRef: - description: GatewayRef defines a specific Gateway that this - Contour instance corresponds to. If set, Contour will reconcile - only this gateway, and will not reconcile any gateway classes. + description: |- + GatewayRef defines a specific Gateway that this Contour + instance corresponds to. If set, Contour will reconcile + only this gateway, and will not reconcile any gateway + classes. Exactly one of ControllerName or GatewayRef must be set. properties: name: @@ -4471,26 +4515,29 @@ spec: type: object type: object globalExtAuth: - description: GlobalExternalAuthorization allows envoys external - authorization filter to be enabled for all virtual hosts. + description: |- + GlobalExternalAuthorization allows envoys external authorization filter + to be enabled for all virtual hosts. properties: authPolicy: - description: AuthPolicy sets a default authorization policy - for client requests. This policy will be used unless overridden - by individual routes. + description: |- + AuthPolicy sets a default authorization policy for client requests. + This policy will be used unless overridden by individual routes. properties: context: additionalProperties: type: string - description: Context is a set of key/value pairs that - are sent to the authentication server in the check request. - If a context is provided at an enclosing scope, the - entries are merged such that the inner scope overrides - matching keys from the outer scope. + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. type: object disabled: - description: When true, this field disables client request - authentication for the scope of the policy. + description: |- + When true, this field disables client request authentication + for the scope of the policy. type: boolean type: object extensionRef: @@ -4498,36 +4545,38 @@ spec: that will authorize client requests. properties: apiVersion: - description: API version of the referent. If this field - is not specified, the default "projectcontour.io/v1alpha1" - will be used + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used minLength: 1 type: string name: - description: "Name of the referent. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names minLength: 1 type: string namespace: - description: "Namespace of the referent. If this field - is not specifies, the namespace of the resource that - targets the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ minLength: 1 type: string type: object failOpen: - description: If FailOpen is true, the client request is forwarded - to the upstream service even if the authorization server - fails to respond. This field should not be set in most cases. - It is intended for use only while migrating applications + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the authorization server fails to respond. This field should not be + set in most cases. It is intended for use only while migrating applications from internal authorization to Contour external authorization. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time to wait - for a check response from the authorization server. Timeout - durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", - "h". The string "infinity" is also a valid input and specifies - no timeout. + description: |- + ResponseTimeout configures maximum time to wait for a check response from the authorization server. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string withRequestBody: @@ -4552,9 +4601,9 @@ spec: type: object type: object health: - description: "Health defines the endpoints Contour uses to serve - health checks. \n Contour's default is { address: \"0.0.0.0\", - port: 8000 }." + description: |- + Health defines the endpoints Contour uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8000 }. properties: address: description: Defines the health address interface. @@ -4568,14 +4617,15 @@ spec: description: HTTPProxy defines parameters on HTTPProxy. properties: disablePermitInsecure: - description: "DisablePermitInsecure disables the use of the - permitInsecure field in HTTPProxy. \n Contour's default - is false." + description: |- + DisablePermitInsecure disables the use of the + permitInsecure field in HTTPProxy. + Contour's default is false. type: boolean fallbackCertificate: - description: FallbackCertificate defines the namespace/name - of the Kubernetes secret to use as fallback when a non-SNI - request is received. + description: |- + FallbackCertificate defines the namespace/name of the Kubernetes secret to + use as fallback when a non-SNI request is received. properties: name: type: string @@ -4605,9 +4655,9 @@ spec: type: string type: object metrics: - description: "Metrics defines the endpoint Contour uses to serve - metrics. \n Contour's default is { address: \"0.0.0.0\", port: - 8000 }." + description: |- + Metrics defines the endpoint Contour uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8000 }. properties: address: description: Defines the metrics address interface. @@ -4618,9 +4668,9 @@ spec: description: Defines the metrics port. type: integer tls: - description: TLS holds TLS file config details. Metrics and - health endpoints cannot have same port number when metrics - is served over HTTPS. + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. properties: caFile: description: CA filename. @@ -4638,8 +4688,9 @@ spec: by the user properties: applyToIngress: - description: "ApplyToIngress determines if the Policies will - apply to ingress objects \n Contour's default is false." + description: |- + ApplyToIngress determines if the Policies will apply to ingress objects + Contour's default is false. type: boolean requestHeaders: description: RequestHeadersPolicy defines the request headers @@ -4669,18 +4720,20 @@ spec: type: object type: object rateLimitService: - description: RateLimitService optionally holds properties of the - Rate Limit Service to be used for global rate limiting. + description: |- + RateLimitService optionally holds properties of the Rate Limit Service + to be used for global rate limiting. properties: defaultGlobalRateLimitPolicy: - description: DefaultGlobalRateLimitPolicy allows setting a - default global rate limit policy for every HTTPProxy. HTTPProxy - can overwrite this configuration. + description: |- + DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. + HTTPProxy can overwrite this configuration. properties: descriptors: - description: Descriptors defines the list of descriptors - that will be generated and sent to the rate limit service. - Each descriptor contains 1+ key-value pair entries. + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries. items: description: RateLimitDescriptor defines a list of key-value pair generators. @@ -4689,18 +4742,18 @@ spec: description: Entries is the list of key-value pair generators. items: - description: RateLimitDescriptorEntry is a key-value - pair generator. Exactly one field on this struct - must be non-nil. + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. properties: genericKey: description: GenericKey defines a descriptor entry with a static key and value. properties: key: - description: Key defines the key of the - descriptor entry. If not set, the key - is set to "generic_key". + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". type: string value: description: Value defines the value of @@ -4709,17 +4762,15 @@ spec: type: string type: object remoteAddress: - description: RemoteAddress defines a descriptor - entry with a key of "remote_address" and - a value equal to the client's IP address - (from x-forwarded-for). + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). type: object requestHeader: - description: RequestHeader defines a descriptor - entry that's populated only if a given header - is present on the request. The descriptor - key is static, and the descriptor value - is equal to the value of the header. + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. properties: descriptorKey: description: DescriptorKey defines the @@ -4733,42 +4784,36 @@ spec: type: string type: object requestHeaderValueMatch: - description: RequestHeaderValueMatch defines - a descriptor entry that's populated if the - request's headers match a set of 1+ match - criteria. The descriptor key is "header_match", - and the descriptor value is static. + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. properties: expectMatch: default: true - description: ExpectMatch defines whether - the request must positively match the - match criteria in order to generate - a descriptor entry (i.e. true), or not - match the match criteria in order to - generate a descriptor entry (i.e. false). + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). The default is true. type: boolean headers: - description: Headers is a list of 1+ match - criteria to apply against the request - to determine whether to populate the - descriptor entry or not. + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. items: - description: HeaderMatchCondition specifies - how to conditionally match against - HTTP headers. The Name field is required, - only one of Present, NotPresent, Contains, - NotContains, Exact, NotExact and Regex - can be set. For negative matching - rules only (e.g. NotContains or NotExact) - you can set TreatMissingAsEmpty. IgnoreCase - has no effect for Regex. + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex. properties: contains: - description: Contains specifies - a substring that must be present - in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string @@ -4776,61 +4821,49 @@ spec: equal to. type: string ignoreCase: - description: IgnoreCase specifies - that string matching should be - case insensitive. Note that this - has no effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of - the header to match against. Name - is required. Header names are - case insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies - a substring that must not be present + description: |- + NotContains specifies a substring that must not be present in the header value. type: string notexact: - description: NoExact specifies a - string that the header value must - not be equal to. The condition - is true if the header has any - other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies - that condition is true when the - named header is not present. Note - that setting NotPresent to false - does not make the condition true - if the named header is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that - condition is true when the named - header is present, regardless - of its value. Note that setting - Present to false does not make - the condition true if the named - header is absent. + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. type: boolean regex: - description: Regex specifies a regular - expression pattern that must match - the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty - specifies if the header match - rule specified header does not - exist, this header value will - be treated as empty. Defaults - to false. Unlike the underlying - Envoy implementation this is **only** - supported for negative matches - (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -4850,25 +4883,26 @@ spec: minItems: 1 type: array disabled: - description: Disabled configures the HTTPProxy to not - use the default global rate limit policy defined by - the Contour configuration. + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. type: boolean type: object domain: description: Domain is passed to the Rate Limit Service. type: string enableResourceExhaustedCode: - description: EnableResourceExhaustedCode enables translating - error code 429 to grpc code RESOURCE_EXHAUSTED. When disabled - it's translated to UNAVAILABLE + description: |- + EnableResourceExhaustedCode enables translating error code 429 to + grpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE type: boolean enableXRateLimitHeaders: - description: "EnableXRateLimitHeaders defines whether to include - the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining, - and X-RateLimit-Reset (as defined by the IETF Internet-Draft - linked below), on responses to clients when the Rate Limit - Service is consulted for a request. \n ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html" + description: |- + EnableXRateLimitHeaders defines whether to include the X-RateLimit + headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset + (as defined by the IETF Internet-Draft linked below), on responses + to clients when the Rate Limit Service is consulted for a request. + ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html type: boolean extensionService: description: ExtensionService identifies the extension service @@ -4883,10 +4917,10 @@ spec: - namespace type: object failOpen: - description: FailOpen defines whether to allow requests to - proceed when the Rate Limit Service fails to respond with - a valid rate limit decision within the timeout defined on - the extension service. + description: |- + FailOpen defines whether to allow requests to proceed when the + Rate Limit Service fails to respond with a valid rate limit + decision within the timeout defined on the extension service. type: boolean required: - extensionService @@ -4899,17 +4933,20 @@ spec: description: CustomTags defines a list of custom tags with unique tag name. items: - description: CustomTag defines custom tags with unique tag - name to create tags for the active span. + description: |- + CustomTag defines custom tags with unique tag name + to create tags for the active span. properties: literal: - description: Literal is a static custom tag value. Precisely - one of Literal, RequestHeaderName must be set. + description: |- + Literal is a static custom tag value. + Precisely one of Literal, RequestHeaderName must be set. type: string requestHeaderName: - description: RequestHeaderName indicates which request - header the label value is obtained from. Precisely - one of Literal, RequestHeaderName must be set. + description: |- + RequestHeaderName indicates which request header + the label value is obtained from. + Precisely one of Literal, RequestHeaderName must be set. type: string tagName: description: TagName is the unique name of the custom @@ -4932,24 +4969,27 @@ spec: - namespace type: object includePodDetail: - description: 'IncludePodDetail defines a flag. If it is true, - contour will add the pod name and namespace to the span - of the trace. the default is true. Note: The Envoy pods - MUST have the HOSTNAME and CONTOUR_NAMESPACE environment - variables set for this to work properly.' + description: |- + IncludePodDetail defines a flag. + If it is true, contour will add the pod name and namespace to the span of the trace. + the default is true. + Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly. type: boolean maxPathTagLength: - description: MaxPathTagLength defines maximum length of the - request path to extract and include in the HttpUrl tag. + description: |- + MaxPathTagLength defines maximum length of the request path + to extract and include in the HttpUrl tag. contour's default is 256. format: int32 type: integer overallSampling: - description: OverallSampling defines the sampling rate of - trace data. contour's default is 100. + description: |- + OverallSampling defines the sampling rate of trace data. + contour's default is 100. type: string serviceName: - description: ServiceName defines the name for the service. + description: |- + ServiceName defines the name for the service. contour's default is contour. type: string required: @@ -4959,18 +4999,20 @@ spec: description: XDSServer contains parameters for the xDS server. properties: address: - description: "Defines the xDS gRPC API address which Contour - will serve. \n Contour's default is \"0.0.0.0\"." + description: |- + Defines the xDS gRPC API address which Contour will serve. + Contour's default is "0.0.0.0". minLength: 1 type: string port: - description: "Defines the xDS gRPC API port which Contour - will serve. \n Contour's default is 8001." + description: |- + Defines the xDS gRPC API port which Contour will serve. + Contour's default is 8001. type: integer tls: - description: "TLS holds TLS file config details. \n Contour's - default is { caFile: \"/certs/ca.crt\", certFile: \"/certs/tls.cert\", - keyFile: \"/certs/tls.key\", insecure: false }." + description: |- + TLS holds TLS file config details. + Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }. properties: caFile: description: CA filename. @@ -4986,9 +5028,10 @@ spec: type: string type: object type: - description: "Defines the XDSServer to use for `contour serve`. - \n Values: `contour` (default), `envoy`. \n Other values - will produce an error." + description: |- + Defines the XDSServer to use for `contour serve`. + Values: `contour` (default), `envoy`. + Other values will produce an error. type: string type: object type: object @@ -5002,42 +5045,42 @@ spec: resource. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -5051,11 +5094,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -5081,7 +5125,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: extensionservices.projectcontour.io spec: preserveUnknownFields: false @@ -5099,19 +5143,26 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ExtensionService is the schema for the Contour extension services - API. An ExtensionService resource binds a network service to the Contour - API so that Contour API features can be implemented by collaborating components. + description: |- + ExtensionService is the schema for the Contour extension services API. + An ExtensionService resource binds a network service to the Contour + API so that Contour API features can be implemented by collaborating + components. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -5120,101 +5171,111 @@ spec: resource. properties: loadBalancerPolicy: - description: The policy for load balancing GRPC service requests. - Note that the `Cookie` and `RequestHash` load balancing strategies - cannot be used here. + description: |- + The policy for load balancing GRPC service requests. Note that the + `Cookie` and `RequestHash` load balancing strategies cannot be used + here. properties: requestHashPolicies: - description: RequestHashPolicies contains a list of hash policies - to apply when the `RequestHash` load balancing strategy is chosen. - If an element of the supplied list of hash policies is invalid, - it will be ignored. If the list of hash policies is empty after - validation, the load balancing strategy will fall back to the - default `RoundRobin`. + description: |- + RequestHashPolicies contains a list of hash policies to apply when the + `RequestHash` load balancing strategy is chosen. If an element of the + supplied list of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load balancing + strategy will fall back to the default `RoundRobin`. items: - description: RequestHashPolicy contains configuration for an - individual hash policy on a request attribute. + description: |- + RequestHashPolicy contains configuration for an individual hash policy + on a request attribute. properties: hashSourceIP: - description: HashSourceIP should be set to true when request - source IP hash based load balancing is desired. It must - be the only hash option field set, otherwise this request - hash policy object will be ignored. + description: |- + HashSourceIP should be set to true when request source IP hash based + load balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. type: boolean headerHashOptions: - description: HeaderHashOptions should be set when request - header hash based load balancing is desired. It must be - the only hash option field set, otherwise this request - hash policy object will be ignored. + description: |- + HeaderHashOptions should be set when request header hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: headerName: - description: HeaderName is the name of the HTTP request - header that will be used to calculate the hash key. - If the header specified is not present on a request, - no hash will be produced. + description: |- + HeaderName is the name of the HTTP request header that will be used to + calculate the hash key. If the header specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object queryParameterHashOptions: - description: QueryParameterHashOptions should be set when - request query parameter hash based load balancing is desired. - It must be the only hash option field set, otherwise this - request hash policy object will be ignored. + description: |- + QueryParameterHashOptions should be set when request query parameter hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: parameterName: - description: ParameterName is the name of the HTTP request - query parameter that will be used to calculate the - hash key. If the query parameter specified is not - present on a request, no hash will be produced. + description: |- + ParameterName is the name of the HTTP request query parameter that will be used to + calculate the hash key. If the query parameter specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object terminal: - description: Terminal is a flag that allows for short-circuiting - computing of a hash for a given request. If set to true, - and the request attribute specified in the attribute hash - options is present, no further hash policies will be used - to calculate a hash for the request. + description: |- + Terminal is a flag that allows for short-circuiting computing of a hash + for a given request. If set to true, and the request attribute specified + in the attribute hash options is present, no further hash policies will + be used to calculate a hash for the request. type: boolean type: object type: array strategy: - description: Strategy specifies the policy used to balance requests - across the pool of backend pods. Valid policy names are `Random`, - `RoundRobin`, `WeightedLeastRequest`, `Cookie`, and `RequestHash`. - If an unknown strategy name is specified or no policy is supplied, - the default `RoundRobin` policy is used. + description: |- + Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are + `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + and `RequestHash`. If an unknown strategy name is specified + or no policy is supplied, the default `RoundRobin` policy + is used. type: string type: object protocol: - description: Protocol may be used to specify (or override) the protocol - used to reach this Service. Values may be h2 or h2c. If omitted, - protocol-selection falls back on Service annotations. + description: |- + Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be h2 or h2c. If omitted, protocol-selection falls back on Service annotations. enum: - h2 - h2c type: string protocolVersion: - description: This field sets the version of the GRPC protocol that - Envoy uses to send requests to the extension service. Since Contour - always uses the v3 Envoy API, this is currently fixed at "v3". However, - other protocol options will be available in future. + description: |- + This field sets the version of the GRPC protocol that Envoy uses to + send requests to the extension service. Since Contour always uses the + v3 Envoy API, this is currently fixed at "v3". However, other + protocol options will be available in future. enum: - v3 type: string services: - description: Services specifies the set of Kubernetes Service resources - that receive GRPC extension API requests. If no weights are specified - for any of the entries in this array, traffic will be spread evenly - across all the services. Otherwise, traffic is balanced proportionally - to the Weight field in each entry. + description: |- + Services specifies the set of Kubernetes Service resources that + receive GRPC extension API requests. + If no weights are specified for any of the entries in + this array, traffic will be spread evenly across all the + services. + Otherwise, traffic is balanced proportionally to the + Weight field in each entry. items: - description: ExtensionServiceTarget defines an Kubernetes Service - to target with extension service traffic. + description: |- + ExtensionServiceTarget defines an Kubernetes Service to target with + extension service traffic. properties: name: - description: Name is the name of Kubernetes service that will - accept service traffic. + description: |- + Name is the name of Kubernetes service that will accept service + traffic. type: string port: description: Port (defined as Integer) to proxy traffic to since @@ -5238,24 +5299,23 @@ spec: description: The timeout policy for requests to the services. properties: idle: - description: Timeout for how long the proxy should wait while - there is no activity during single request/response (for HTTP/1.1) - or stream (for HTTP/2). Timeout will not trigger while HTTP/1.1 - connection is idle between two consecutive requests. If not - specified, there is no per-route idle timeout, though a connection - manager-wide stream_idle_timeout default of 5m still applies. + description: |- + Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2). + Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests. + If not specified, there is no per-route idle timeout, though a connection manager-wide + stream_idle_timeout default of 5m still applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string idleConnection: - description: Timeout for how long connection from the proxy to - the upstream service is kept when there are no active requests. + description: |- + Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests. If not supplied, Envoy's default value of 1h applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string response: - description: Timeout for receiving a response from the server - after processing a request from client. If not supplied, Envoy's - default value of 15s applies. + description: |- + Timeout for receiving a response from the server after processing a request from client. + If not supplied, Envoy's default value of 15s applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string type: object @@ -5264,27 +5324,26 @@ spec: service's certificate properties: caSecret: - description: Name or namespaced name of the Kubernetes secret - used to validate the certificate presented by the backend. The - secret must contain key named ca.crt. The name can be optionally - prefixed with namespace "namespace/name". When cross-namespace - reference is used, TLSCertificateDelegation resource must exist - in the namespace to grant access to the secret. Max length should - be the actual max possible length of a namespaced name (63 + - 253 + 1 = 317) + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) maxLength: 317 minLength: 1 type: string subjectName: - description: 'Key which is expected to be present in the ''subjectAltName'' - of the presented certificate. Deprecated: migrate to using the - plural field subjectNames.' + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. maxLength: 250 minLength: 1 type: string subjectNames: - description: List of keys, of which at least one is expected to - be present in the 'subjectAltName of the presented certificate. + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the + presented certificate. items: type: string maxItems: 8 @@ -5302,75 +5361,67 @@ spec: - services type: object status: - description: ExtensionServiceStatus defines the observed state of an ExtensionService - resource. + description: |- + ExtensionServiceStatus defines the observed state of an + ExtensionService resource. properties: conditions: - description: "Conditions contains the current status of the ExtensionService - resource. \n Contour will update a single condition, `Valid`, that - is in normal-true polarity. \n Contour will not modify any other - Conditions set in this block, in case some other controller wants - to add a Condition." + description: |- + Conditions contains the current status of the ExtensionService resource. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + Contour will not modify any other Conditions set in this block, + in case some other controller wants to add a Condition. items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. - \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. \n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. properties: errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -5384,10 +5435,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -5399,32 +5450,31 @@ spec: type: object type: array lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -5438,43 +5488,42 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -5488,10 +5537,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -5524,7 +5573,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: httpproxies.projectcontour.io spec: preserveUnknownFields: false @@ -5562,14 +5611,19 @@ spec: description: HTTPProxy is an Ingress CRD specification. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -5577,28 +5631,31 @@ spec: description: HTTPProxySpec defines the spec of the CRD. properties: includes: - description: Includes allow for specific routing configuration to - be included from another HTTPProxy, possibly in another namespace. + description: |- + Includes allow for specific routing configuration to be included from another HTTPProxy, + possibly in another namespace. items: description: Include describes a set of policies that can be applied to an HTTPProxy in a namespace. properties: conditions: - description: 'Conditions are a set of rules that are applied - to included HTTPProxies. In effect, they are added onto the - Conditions of included HTTPProxy Route structs. When applied, - they are merged using AND, with one exception: There can be - only one Prefix MatchCondition per Conditions slice. More - than one Prefix, or contradictory Conditions, will make the - include invalid. Exact and Regex match conditions are not - allowed on includes.' + description: |- + Conditions are a set of rules that are applied to included HTTPProxies. + In effect, they are added onto the Conditions of included HTTPProxy Route + structs. + When applied, they are merged using AND, with one exception: + There can be only one Prefix MatchCondition per Conditions slice. + More than one Prefix, or contradictory Conditions, will make the + include invalid. Exact and Regex match conditions are not allowed + on includes. items: - description: MatchCondition are a general holder for matching - rules for HTTPProxies. One of Prefix, Exact, Regex, Header - or QueryParameter must be provided. + description: |- + MatchCondition are a general holder for matching rules for HTTPProxies. + One of Prefix, Exact, Regex, Header or QueryParameter must be provided. properties: exact: - description: Exact defines a exact match for a request. + description: |- + Exact defines a exact match for a request. This field is not allowed in include match conditions. type: string header: @@ -5606,56 +5663,58 @@ spec: match. properties: contains: - description: Contains specifies a substring that must - be present in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string that the header value must be equal to. type: string ignoreCase: - description: IgnoreCase specifies that string matching - should be case insensitive. Note that this has no - effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the header to match - against. Name is required. Header names are case - insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies a substring that - must not be present in the header value. + description: |- + NotContains specifies a substring that must not be present + in the header value. type: string notexact: - description: NoExact specifies a string that the header - value must not be equal to. The condition is true - if the header has any other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies that condition is - true when the named header is not present. Note - that setting NotPresent to false does not make the - condition true if the named header is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that condition is true - when the named header is present, regardless of - its value. Note that setting Present to false does - not make the condition true if the named header + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header is absent. type: boolean regex: - description: Regex specifies a regular expression - pattern that must match the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty specifies if the - header match rule specified header does not exist, - this header value will be treated as empty. Defaults - to false. Unlike the underlying Envoy implementation - this is **only** supported for negative matches - (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -5668,37 +5727,39 @@ spec: condition to match. properties: contains: - description: Contains specifies a substring that must - be present in the query parameter value. + description: |- + Contains specifies a substring that must be present in + the query parameter value. type: string exact: description: Exact specifies a string that the query parameter value must be equal to. type: string ignoreCase: - description: IgnoreCase specifies that string matching - should be case insensitive. Note that this has no - effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the query parameter - to match against. Name is required. Query parameter - names are case insensitive. + description: |- + Name is the name of the query parameter to match against. Name is required. + Query parameter names are case insensitive. type: string prefix: description: Prefix defines a prefix match for the query parameter value. type: string present: - description: Present specifies that condition is true - when the named query parameter is present, regardless - of its value. Note that setting Present to false - does not make the condition true if the named query - parameter is absent. + description: |- + Present specifies that condition is true when the named query parameter + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named query parameter + is absent. type: boolean regex: - description: Regex specifies a regular expression - pattern that must match the query parameter value. + description: |- + Regex specifies a regular expression pattern that must match the query + parameter value. type: string suffix: description: Suffix defines a suffix match for a query @@ -5708,7 +5769,8 @@ spec: - name type: object regex: - description: Regex defines a regex match for a request. + description: |- + Regex defines a regex match for a request. This field is not allowed in include match conditions. type: string type: object @@ -5725,10 +5787,11 @@ spec: type: object type: array ingressClassName: - description: IngressClassName optionally specifies the ingress class - to use for this HTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class` - annotation. For backwards compatibility, when that annotation is - set, it is given precedence over this field. + description: |- + IngressClassName optionally specifies the ingress class to use for this + HTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class` + annotation. For backwards compatibility, when that annotation is set, it + is given precedence over this field. type: string routes: description: Routes are the ingress routes. If TCPProxy is present, @@ -5737,38 +5800,42 @@ spec: description: Route contains the set of routes for a virtual host. properties: authPolicy: - description: AuthPolicy updates the authorization policy that - was set on the root HTTPProxy object for client requests that + description: |- + AuthPolicy updates the authorization policy that was set + on the root HTTPProxy object for client requests that match this route. properties: context: additionalProperties: type: string - description: Context is a set of key/value pairs that are - sent to the authentication server in the check request. - If a context is provided at an enclosing scope, the entries - are merged such that the inner scope overrides matching - keys from the outer scope. + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. type: object disabled: - description: When true, this field disables client request - authentication for the scope of the policy. + description: |- + When true, this field disables client request authentication + for the scope of the policy. type: boolean type: object conditions: - description: 'Conditions are a set of rules that are applied - to a Route. When applied, they are merged using AND, with - one exception: There can be only one Prefix, Exact or Regex - MatchCondition per Conditions slice. More than one of these - condition types, or contradictory Conditions, will make the - route invalid.' + description: |- + Conditions are a set of rules that are applied to a Route. + When applied, they are merged using AND, with one exception: + There can be only one Prefix, Exact or Regex MatchCondition + per Conditions slice. More than one of these condition types, + or contradictory Conditions, will make the route invalid. items: - description: MatchCondition are a general holder for matching - rules for HTTPProxies. One of Prefix, Exact, Regex, Header - or QueryParameter must be provided. + description: |- + MatchCondition are a general holder for matching rules for HTTPProxies. + One of Prefix, Exact, Regex, Header or QueryParameter must be provided. properties: exact: - description: Exact defines a exact match for a request. + description: |- + Exact defines a exact match for a request. This field is not allowed in include match conditions. type: string header: @@ -5776,56 +5843,58 @@ spec: match. properties: contains: - description: Contains specifies a substring that must - be present in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string that the header value must be equal to. type: string ignoreCase: - description: IgnoreCase specifies that string matching - should be case insensitive. Note that this has no - effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the header to match - against. Name is required. Header names are case - insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies a substring that - must not be present in the header value. + description: |- + NotContains specifies a substring that must not be present + in the header value. type: string notexact: - description: NoExact specifies a string that the header - value must not be equal to. The condition is true - if the header has any other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies that condition is - true when the named header is not present. Note - that setting NotPresent to false does not make the - condition true if the named header is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that condition is true - when the named header is present, regardless of - its value. Note that setting Present to false does - not make the condition true if the named header + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header is absent. type: boolean regex: - description: Regex specifies a regular expression - pattern that must match the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty specifies if the - header match rule specified header does not exist, - this header value will be treated as empty. Defaults - to false. Unlike the underlying Envoy implementation - this is **only** supported for negative matches - (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -5838,37 +5907,39 @@ spec: condition to match. properties: contains: - description: Contains specifies a substring that must - be present in the query parameter value. + description: |- + Contains specifies a substring that must be present in + the query parameter value. type: string exact: description: Exact specifies a string that the query parameter value must be equal to. type: string ignoreCase: - description: IgnoreCase specifies that string matching - should be case insensitive. Note that this has no - effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the query parameter - to match against. Name is required. Query parameter - names are case insensitive. + description: |- + Name is the name of the query parameter to match against. Name is required. + Query parameter names are case insensitive. type: string prefix: description: Prefix defines a prefix match for the query parameter value. type: string present: - description: Present specifies that condition is true - when the named query parameter is present, regardless - of its value. Note that setting Present to false - does not make the condition true if the named query - parameter is absent. + description: |- + Present specifies that condition is true when the named query parameter + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named query parameter + is absent. type: boolean regex: - description: Regex specifies a regular expression - pattern that must match the query parameter value. + description: |- + Regex specifies a regular expression pattern that must match the query + parameter value. type: string suffix: description: Suffix defines a suffix match for a query @@ -5878,24 +5949,28 @@ spec: - name type: object regex: - description: Regex defines a regex match for a request. + description: |- + Regex defines a regex match for a request. This field is not allowed in include match conditions. type: string type: object type: array cookieRewritePolicies: - description: The policies for rewriting Set-Cookie header attributes. - Note that rewritten cookie names must be unique in this list. - Order rewrite policies are specified in does not matter. + description: |- + The policies for rewriting Set-Cookie header attributes. Note that + rewritten cookie names must be unique in this list. Order rewrite + policies are specified in does not matter. items: properties: domainRewrite: - description: DomainRewrite enables rewriting the Set-Cookie - Domain element. If not set, Domain will not be rewritten. + description: |- + DomainRewrite enables rewriting the Set-Cookie Domain element. + If not set, Domain will not be rewritten. properties: value: - description: Value is the value to rewrite the Domain - attribute to. For now this is required. + description: |- + Value is the value to rewrite the Domain attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -5911,12 +5986,14 @@ spec: pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ type: string pathRewrite: - description: PathRewrite enables rewriting the Set-Cookie - Path element. If not set, Path will not be rewritten. + description: |- + PathRewrite enables rewriting the Set-Cookie Path element. + If not set, Path will not be rewritten. properties: value: - description: Value is the value to rewrite the Path - attribute to. For now this is required. + description: |- + Value is the value to rewrite the Path attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ @@ -5925,17 +6002,18 @@ spec: - value type: object sameSite: - description: SameSite enables rewriting the Set-Cookie - SameSite element. If not set, SameSite attribute will - not be rewritten. + description: |- + SameSite enables rewriting the Set-Cookie SameSite element. + If not set, SameSite attribute will not be rewritten. enum: - Strict - Lax - None type: string secure: - description: Secure enables rewriting the Set-Cookie Secure - element. If not set, Secure attribute will not be rewritten. + description: |- + Secure enables rewriting the Set-Cookie Secure element. + If not set, Secure attribute will not be rewritten. type: boolean required: - name @@ -5946,11 +6024,11 @@ spec: response directly. properties: body: - description: "Body is the content of the response body. - If this setting is omitted, no body is included in the - generated response. \n Note: Body is not recommended to - set too long otherwise it can have significant resource - usage impacts." + description: |- + Body is the content of the response body. + If this setting is omitted, no body is included in the generated response. + Note: Body is not recommended to set too long + otherwise it can have significant resource usage impacts. type: string statusCode: description: StatusCode is the HTTP response status to be @@ -5968,11 +6046,11 @@ spec: description: The health check policy for this route. properties: expectedStatuses: - description: The ranges of HTTP response statuses considered - healthy. Follow half-open semantics, i.e. for each range - the start is inclusive and the end is exclusive. Must - be within the range [100,600). If not specified, only - a 200 response status is considered healthy. + description: |- + The ranges of HTTP response statuses considered healthy. Follow half-open + semantics, i.e. for each range the start is inclusive and the end is exclusive. + Must be within the range [100,600). If not specified, only a 200 response status + is considered healthy. items: properties: end: @@ -6001,9 +6079,10 @@ spec: minimum: 0 type: integer host: - description: The value of the host header in the HTTP health - check request. If left empty (default value), the name - "contour-envoy-healthcheck" will be used. + description: |- + The value of the host header in the HTTP health check request. + If left empty (default value), the name "contour-envoy-healthcheck" + will be used. type: string intervalSeconds: description: The interval (seconds) between health checks @@ -6033,35 +6112,32 @@ spec: properties: allowCrossSchemeRedirect: default: Never - description: AllowCrossSchemeRedirect Allow internal redirect - to follow a target URI with a different scheme than the - value of x-forwarded-proto. SafeOnly allows same scheme - redirect and safe cross scheme redirect, which means if - the downstream scheme is HTTPS, both HTTPS and HTTP redirect - targets are allowed, but if the downstream scheme is HTTP, - only HTTP redirect targets are allowed. + description: |- + AllowCrossSchemeRedirect Allow internal redirect to follow a target URI with a different scheme + than the value of x-forwarded-proto. + SafeOnly allows same scheme redirect and safe cross scheme redirect, which means if the downstream + scheme is HTTPS, both HTTPS and HTTP redirect targets are allowed, but if the downstream scheme + is HTTP, only HTTP redirect targets are allowed. enum: - Always - Never - SafeOnly type: string denyRepeatedRouteRedirect: - description: If DenyRepeatedRouteRedirect is true, rejects - redirect targets that are pointing to a route that has - been followed by a previous redirect from the current - route. + description: |- + If DenyRepeatedRouteRedirect is true, rejects redirect targets that are pointing to a route that has + been followed by a previous redirect from the current route. type: boolean maxInternalRedirects: - description: MaxInternalRedirects An internal redirect is - not handled, unless the number of previous internal redirects - that a downstream request has encountered is lower than - this value. + description: |- + MaxInternalRedirects An internal redirect is not handled, unless the number of previous internal + redirects that a downstream request has encountered is lower than this value. format: int32 type: integer redirectResponseCodes: - description: RedirectResponseCodes If unspecified, only - 302 will be treated as internal redirect. Only 301, 302, - 303, 307 and 308 are valid values. + description: |- + RedirectResponseCodes If unspecified, only 302 will be treated as internal redirect. + Only 301, 302, 303, 307 and 308 are valid values. items: description: RedirectResponseCode is a uint32 type alias with validation to ensure that the value is valid. @@ -6076,25 +6152,26 @@ spec: type: array type: object ipAllowPolicy: - description: IPAllowFilterPolicy is a list of ipv4/6 filter - rules for which matching requests should be allowed. All other - requests will be denied. Only one of IPAllowFilterPolicy and - IPDenyFilterPolicy can be defined. The rules defined here - override any rules set on the root HTTPProxy. + description: |- + IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be allowed. All other requests will be denied. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here override any rules set on the root HTTPProxy. items: properties: cidr: - description: CIDR is a CIDR block of ipv4 or ipv6 addresses - to filter on. This can also be a bare IP address (without - a mask) to filter on exactly one address. + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. type: string source: - description: 'Source indicates how to determine the ip - address to filter on, and can be one of two values: - - `Remote` filters on the ip address of the client, - accounting for PROXY and X-Forwarded-For as needed. - - `Peer` filters on the ip of the network request, ignoring - PROXY and X-Forwarded-For.' + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. enum: - Peer - Remote @@ -6105,25 +6182,26 @@ spec: type: object type: array ipDenyPolicy: - description: IPDenyFilterPolicy is a list of ipv4/6 filter rules - for which matching requests should be denied. All other requests - will be allowed. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy - can be defined. The rules defined here override any rules - set on the root HTTPProxy. + description: |- + IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be denied. All other requests will be allowed. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here override any rules set on the root HTTPProxy. items: properties: cidr: - description: CIDR is a CIDR block of ipv4 or ipv6 addresses - to filter on. This can also be a bare IP address (without - a mask) to filter on exactly one address. + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. type: string source: - description: 'Source indicates how to determine the ip - address to filter on, and can be one of two values: - - `Remote` filters on the ip address of the client, - accounting for PROXY and X-Forwarded-For as needed. - - `Peer` filters on the ip of the network request, ignoring - PROXY and X-Forwarded-For.' + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. enum: - Peer - Remote @@ -6138,93 +6216,93 @@ spec: route. properties: disabled: - description: Disabled defines whether to disable all JWT - verification for this route. This can be used to opt specific - routes out of the default JWT provider for the HTTPProxy. - At most one of this field or the "require" field can be - specified. + description: |- + Disabled defines whether to disable all JWT verification for this + route. This can be used to opt specific routes out of the default + JWT provider for the HTTPProxy. At most one of this field or the + "require" field can be specified. type: boolean require: - description: Require names a specific JWT provider (defined - in the virtual host) to require for the route. If specified, - this field overrides the default provider if one exists. - If this field is not specified, the default provider will - be required if one exists. At most one of this field or - the "disabled" field can be specified. + description: |- + Require names a specific JWT provider (defined in the virtual host) + to require for the route. If specified, this field overrides the + default provider if one exists. If this field is not specified, + the default provider will be required if one exists. At most one of + this field or the "disabled" field can be specified. type: string type: object loadBalancerPolicy: description: The load balancing policy for this route. properties: requestHashPolicies: - description: RequestHashPolicies contains a list of hash - policies to apply when the `RequestHash` load balancing - strategy is chosen. If an element of the supplied list - of hash policies is invalid, it will be ignored. If the - list of hash policies is empty after validation, the load - balancing strategy will fall back to the default `RoundRobin`. + description: |- + RequestHashPolicies contains a list of hash policies to apply when the + `RequestHash` load balancing strategy is chosen. If an element of the + supplied list of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load balancing + strategy will fall back to the default `RoundRobin`. items: - description: RequestHashPolicy contains configuration - for an individual hash policy on a request attribute. + description: |- + RequestHashPolicy contains configuration for an individual hash policy + on a request attribute. properties: hashSourceIP: - description: HashSourceIP should be set to true when - request source IP hash based load balancing is desired. - It must be the only hash option field set, otherwise - this request hash policy object will be ignored. + description: |- + HashSourceIP should be set to true when request source IP hash based + load balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. type: boolean headerHashOptions: - description: HeaderHashOptions should be set when - request header hash based load balancing is desired. - It must be the only hash option field set, otherwise - this request hash policy object will be ignored. + description: |- + HeaderHashOptions should be set when request header hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: headerName: - description: HeaderName is the name of the HTTP - request header that will be used to calculate - the hash key. If the header specified is not - present on a request, no hash will be produced. + description: |- + HeaderName is the name of the HTTP request header that will be used to + calculate the hash key. If the header specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object queryParameterHashOptions: - description: QueryParameterHashOptions should be set - when request query parameter hash based load balancing - is desired. It must be the only hash option field - set, otherwise this request hash policy object will - be ignored. + description: |- + QueryParameterHashOptions should be set when request query parameter hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: parameterName: - description: ParameterName is the name of the - HTTP request query parameter that will be used - to calculate the hash key. If the query parameter - specified is not present on a request, no hash - will be produced. + description: |- + ParameterName is the name of the HTTP request query parameter that will be used to + calculate the hash key. If the query parameter specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object terminal: - description: Terminal is a flag that allows for short-circuiting - computing of a hash for a given request. If set - to true, and the request attribute specified in - the attribute hash options is present, no further - hash policies will be used to calculate a hash for - the request. + description: |- + Terminal is a flag that allows for short-circuiting computing of a hash + for a given request. If set to true, and the request attribute specified + in the attribute hash options is present, no further hash policies will + be used to calculate a hash for the request. type: boolean type: object type: array strategy: - description: Strategy specifies the policy used to balance - requests across the pool of backend pods. Valid policy - names are `Random`, `RoundRobin`, `WeightedLeastRequest`, - `Cookie`, and `RequestHash`. If an unknown strategy name - is specified or no policy is supplied, the default `RoundRobin` - policy is used. + description: |- + Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are + `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + and `RequestHash`. If an unknown strategy name is specified + or no policy is supplied, the default `RoundRobin` policy + is used. type: string type: object pathRewritePolicy: - description: The policy for rewriting the path of the request - URL after the request has been routed to a Service. + description: |- + The policy for rewriting the path of the request URL + after the request has been routed to a Service. properties: replacePrefix: description: ReplacePrefix describes how the path prefix @@ -6233,22 +6311,22 @@ spec: description: ReplacePrefix describes a path prefix replacement. properties: prefix: - description: "Prefix specifies the URL path prefix - to be replaced. \n If Prefix is specified, it must - exactly match the MatchCondition prefix that is - rendered by the chain of including HTTPProxies and - only that path prefix will be replaced by Replacement. - This allows HTTPProxies that are included through - multiple roots to only replace specific path prefixes, - leaving others unmodified. \n If Prefix is not specified, - all routing prefixes rendered by the include chain - will be replaced." + description: |- + Prefix specifies the URL path prefix to be replaced. + If Prefix is specified, it must exactly match the MatchCondition + prefix that is rendered by the chain of including HTTPProxies + and only that path prefix will be replaced by Replacement. + This allows HTTPProxies that are included through multiple + roots to only replace specific path prefixes, leaving others + unmodified. + If Prefix is not specified, all routing prefixes rendered + by the include chain will be replaced. minLength: 1 type: string replacement: - description: Replacement is the string that the routing - path prefix will be replaced with. This must not - be empty. + description: |- + Replacement is the string that the routing path prefix + will be replaced with. This must not be empty. minLength: 1 type: string required: @@ -6257,24 +6335,24 @@ spec: type: array type: object permitInsecure: - description: Allow this path to respond to insecure requests - over HTTP which are normally not permitted when a `virtualhost.tls` - block is present. + description: |- + Allow this path to respond to insecure requests over HTTP which are normally + not permitted when a `virtualhost.tls` block is present. type: boolean rateLimitPolicy: description: The policy for rate limiting on the route. properties: global: - description: Global defines global rate limiting parameters, - i.e. parameters defining descriptors that are sent to - an external rate limit service (RLS) for a rate limit - decision on each request. + description: |- + Global defines global rate limiting parameters, i.e. parameters + defining descriptors that are sent to an external rate limit + service (RLS) for a rate limit decision on each request. properties: descriptors: - description: Descriptors defines the list of descriptors - that will be generated and sent to the rate limit - service. Each descriptor contains 1+ key-value pair - entries. + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries. items: description: RateLimitDescriptor defines a list of key-value pair generators. @@ -6283,18 +6361,18 @@ spec: description: Entries is the list of key-value pair generators. items: - description: RateLimitDescriptorEntry is a key-value - pair generator. Exactly one field on this - struct must be non-nil. + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. properties: genericKey: description: GenericKey defines a descriptor entry with a static key and value. properties: key: - description: Key defines the key of - the descriptor entry. If not set, - the key is set to "generic_key". + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". type: string value: description: Value defines the value @@ -6303,17 +6381,15 @@ spec: type: string type: object remoteAddress: - description: RemoteAddress defines a descriptor - entry with a key of "remote_address" and - a value equal to the client's IP address - (from x-forwarded-for). + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). type: object requestHeader: - description: RequestHeader defines a descriptor - entry that's populated only if a given - header is present on the request. The - descriptor key is static, and the descriptor - value is equal to the value of the header. + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. properties: descriptorKey: description: DescriptorKey defines the @@ -6328,44 +6404,36 @@ spec: type: string type: object requestHeaderValueMatch: - description: RequestHeaderValueMatch defines - a descriptor entry that's populated if - the request's headers match a set of 1+ - match criteria. The descriptor key is - "header_match", and the descriptor value - is static. + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. properties: expectMatch: default: true - description: ExpectMatch defines whether - the request must positively match - the match criteria in order to generate - a descriptor entry (i.e. true), or - not match the match criteria in order - to generate a descriptor entry (i.e. - false). The default is true. + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). + The default is true. type: boolean headers: - description: Headers is a list of 1+ - match criteria to apply against the - request to determine whether to populate - the descriptor entry or not. + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. items: - description: HeaderMatchCondition - specifies how to conditionally match - against HTTP headers. The Name field - is required, only one of Present, - NotPresent, Contains, NotContains, - Exact, NotExact and Regex can be - set. For negative matching rules - only (e.g. NotContains or NotExact) - you can set TreatMissingAsEmpty. + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. IgnoreCase has no effect for Regex. properties: contains: - description: Contains specifies - a substring that must be present - in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a @@ -6373,64 +6441,49 @@ spec: must be equal to. type: string ignoreCase: - description: IgnoreCase specifies - that string matching should - be case insensitive. Note that - this has no effect on the Regex - parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name - of the header to match against. - Name is required. Header names - are case insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies - a substring that must not be - present in the header value. + description: |- + NotContains specifies a substring that must not be present + in the header value. type: string notexact: - description: NoExact specifies - a string that the header value - must not be equal to. The condition - is true if the header has any - other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies - that condition is true when - the named header is not present. - Note that setting NotPresent - to false does not make the condition - true if the named header is - present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies - that condition is true when - the named header is present, - regardless of its value. Note - that setting Present to false - does not make the condition - true if the named header is - absent. + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. type: boolean regex: - description: Regex specifies a - regular expression pattern that - must match the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty - specifies if the header match - rule specified header does not - exist, this header value will - be treated as empty. Defaults - to false. Unlike the underlying - Envoy implementation this is - **only** supported for negative - matches (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -6450,32 +6503,34 @@ spec: minItems: 1 type: array disabled: - description: Disabled configures the HTTPProxy to not - use the default global rate limit policy defined by - the Contour configuration. + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. type: boolean type: object local: - description: Local defines local rate limiting parameters, - i.e. parameters for rate limiting that occurs within each - Envoy pod as requests are handled. + description: |- + Local defines local rate limiting parameters, i.e. parameters + for rate limiting that occurs within each Envoy pod as requests + are handled. properties: burst: - description: Burst defines the number of requests above - the requests per unit that should be allowed within - a short period of time. + description: |- + Burst defines the number of requests above the requests per + unit that should be allowed within a short period of time. format: int32 type: integer requests: - description: Requests defines how many requests per - unit of time should be allowed before rate limiting - occurs. + description: |- + Requests defines how many requests per unit of time should + be allowed before rate limiting occurs. format: int32 minimum: 1 type: integer responseHeadersToAdd: - description: ResponseHeadersToAdd is an optional list - of response headers to set when a request is rate-limited. + description: |- + ResponseHeadersToAdd is an optional list of response headers to + set when a request is rate-limited. items: description: HeaderValue represents a header name/value pair @@ -6495,18 +6550,20 @@ spec: type: object type: array responseStatusCode: - description: ResponseStatusCode is the HTTP status code - to use for responses to rate-limited requests. Codes - must be in the 400-599 range (inclusive). If not specified, - the Envoy default of 429 (Too Many Requests) is used. + description: |- + ResponseStatusCode is the HTTP status code to use for responses + to rate-limited requests. Codes must be in the 400-599 range + (inclusive). If not specified, the Envoy default of 429 (Too + Many Requests) is used. format: int32 maximum: 599 minimum: 400 type: integer unit: - description: Unit defines the period of time within - which requests over the limit will be rate limited. - Valid values are "second", "minute" and "hour". + description: |- + Unit defines the period of time within which requests + over the limit will be rate limited. Valid values are + "second", "minute" and "hour". enum: - second - minute @@ -6518,15 +6575,16 @@ spec: type: object type: object requestHeadersPolicy: - description: "The policy for managing request headers during - proxying. \n You may dynamically rewrite the Host header to - be forwarded upstream to the content of a request header using - the below format \"%REQ(X-Header-Name)%\". If the value of - the header is empty, it is ignored. \n *NOTE: Pay attention - to the potential security implications of using this option. - Provided header must come from trusted source. \n **NOTE: - The header rewrite is only done while forwarding and has no - bearing on the routing decision." + description: |- + The policy for managing request headers during proxying. + You may dynamically rewrite the Host header to be forwarded + upstream to the content of a request header using + the below format "%REQ(X-Header-Name)%". If the value of the header + is empty, it is ignored. + *NOTE: Pay attention to the potential security implications of using this option. + Provided header must come from trusted source. + **NOTE: The header rewrite is only done while forwarding and has no bearing + on the routing decision. properties: remove: description: Remove specifies a list of HTTP header names @@ -6535,10 +6593,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header does - not exist it will be added, otherwise it will be overwritten - with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -6562,39 +6619,44 @@ spec: description: RequestRedirectPolicy defines an HTTP redirection. properties: hostname: - description: Hostname is the precise hostname to be used - in the value of the `Location` header in the response. - When empty, the hostname of the request is used. No wildcards - are allowed. + description: |- + Hostname is the precise hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname of the request is used. + No wildcards are allowed. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string path: - description: "Path allows for redirection to a different - path from the original on the request. The path must start - with a leading slash. \n Note: Only one of Path or Prefix - can be defined." + description: |- + Path allows for redirection to a different path from the + original on the request. The path must start with a + leading slash. + Note: Only one of Path or Prefix can be defined. pattern: ^\/.*$ type: string port: - description: Port is the port to be used in the value of - the `Location` header in the response. When empty, port - (if specified) of the request is used. + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + When empty, port (if specified) of the request is used. format: int32 maximum: 65535 minimum: 1 type: integer prefix: - description: "Prefix defines the value to swap the matched - prefix or path with. The prefix must start with a leading - slash. \n Note: Only one of Path or Prefix can be defined." + description: |- + Prefix defines the value to swap the matched prefix or path with. + The prefix must start with a leading slash. + Note: Only one of Path or Prefix can be defined. pattern: ^\/.*$ type: string scheme: - description: Scheme is the scheme to be used in the value - of the `Location` header in the response. When empty, - the scheme of the request is used. + description: |- + Scheme is the scheme to be used in the value of the `Location` + header in the response. + When empty, the scheme of the request is used. enum: - http - https @@ -6609,8 +6671,9 @@ spec: type: integer type: object responseHeadersPolicy: - description: The policy for managing response headers during - proxying. Rewriting the 'Host' header is not supported. + description: |- + The policy for managing response headers during proxying. + Rewriting the 'Host' header is not supported. properties: remove: description: Remove specifies a list of HTTP header names @@ -6619,10 +6682,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header does - not exist it will be added, otherwise it will be overwritten - with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -6647,35 +6709,46 @@ spec: properties: count: default: 1 - description: NumRetries is maximum allowed number of retries. - If set to -1, then retries are disabled. If set to 0 or - not supplied, the value is set to the Envoy default of - 1. + description: |- + NumRetries is maximum allowed number of retries. + If set to -1, then retries are disabled. + If set to 0 or not supplied, the value is set + to the Envoy default of 1. format: int64 minimum: -1 type: integer perTryTimeout: - description: PerTryTimeout specifies the timeout per retry - attempt. Ignored if NumRetries is not supplied. + description: |- + PerTryTimeout specifies the timeout per retry attempt. + Ignored if NumRetries is not supplied. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string retriableStatusCodes: - description: "RetriableStatusCodes specifies the HTTP status - codes that should be retried. \n This field is only respected - when you include `retriable-status-codes` in the `RetryOn` - field." + description: |- + RetriableStatusCodes specifies the HTTP status codes that should be retried. + This field is only respected when you include `retriable-status-codes` in the `RetryOn` field. items: format: int32 type: integer type: array retryOn: - description: "RetryOn specifies the conditions on which - to retry a request. \n Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on): - \n - `5xx` - `gateway-error` - `reset` - `connect-failure` - - `retriable-4xx` - `refused-stream` - `retriable-status-codes` - - `retriable-headers` \n Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on): - \n - `cancelled` - `deadline-exceeded` - `internal` - - `resource-exhausted` - `unavailable`" + description: |- + RetryOn specifies the conditions on which to retry a request. + Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on): + - `5xx` + - `gateway-error` + - `reset` + - `connect-failure` + - `retriable-4xx` + - `refused-stream` + - `retriable-status-codes` + - `retriable-headers` + Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on): + - `cancelled` + - `deadline-exceeded` + - `internal` + - `resource-exhausted` + - `unavailable` items: description: RetryOn is a string type alias with validation to ensure that the value is valid. @@ -6708,13 +6781,14 @@ spec: items: properties: domainRewrite: - description: DomainRewrite enables rewriting the - Set-Cookie Domain element. If not set, Domain - will not be rewritten. + description: |- + DomainRewrite enables rewriting the Set-Cookie Domain element. + If not set, Domain will not be rewritten. properties: value: - description: Value is the value to rewrite the - Domain attribute to. For now this is required. + description: |- + Value is the value to rewrite the Domain attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -6730,12 +6804,14 @@ spec: pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ type: string pathRewrite: - description: PathRewrite enables rewriting the Set-Cookie - Path element. If not set, Path will not be rewritten. + description: |- + PathRewrite enables rewriting the Set-Cookie Path element. + If not set, Path will not be rewritten. properties: value: - description: Value is the value to rewrite the - Path attribute to. For now this is required. + description: |- + Value is the value to rewrite the Path attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ @@ -6744,45 +6820,43 @@ spec: - value type: object sameSite: - description: SameSite enables rewriting the Set-Cookie - SameSite element. If not set, SameSite attribute - will not be rewritten. + description: |- + SameSite enables rewriting the Set-Cookie SameSite element. + If not set, SameSite attribute will not be rewritten. enum: - Strict - Lax - None type: string secure: - description: Secure enables rewriting the Set-Cookie - Secure element. If not set, Secure attribute will - not be rewritten. + description: |- + Secure enables rewriting the Set-Cookie Secure element. + If not set, Secure attribute will not be rewritten. type: boolean required: - name type: object type: array healthPort: - description: HealthPort is the port for this service healthcheck. + description: |- + HealthPort is the port for this service healthcheck. If not specified, Port is used for service healthchecks. maximum: 65535 minimum: 1 type: integer mirror: - description: 'If Mirror is true the Service will receive - a read only mirror of the traffic for this route. If - Mirror is true, then fractional mirroring can be enabled - by optionally setting the Weight field. Legal values - for Weight are 1-100. Omitting the Weight field will - result in 100% mirroring. NOTE: Setting Weight explicitly - to 0 will unexpectedly result in 100% traffic mirroring. - This occurs since we cannot distinguish omitted fields - from those explicitly set to their default values' + description: |- + If Mirror is true the Service will receive a read only mirror of the traffic for this route. + If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight + field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring. + NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This + occurs since we cannot distinguish omitted fields from those explicitly set to their default + values type: boolean name: - description: Name is the name of Kubernetes service to - proxy traffic. Names defined here will be used to look - up corresponding endpoints which contain the ips to - route. + description: |- + Name is the name of Kubernetes service to proxy traffic. + Names defined here will be used to look up corresponding endpoints which contain the ips to route. type: string port: description: Port (defined as Integer) to proxy traffic @@ -6792,10 +6866,9 @@ spec: minimum: 1 type: integer protocol: - description: Protocol may be used to specify (or override) - the protocol used to reach this Service. Values may - be tls, h2, h2c. If omitted, protocol-selection falls - back on Service annotations. + description: |- + Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations. enum: - h2 - h2c @@ -6812,10 +6885,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -6836,9 +6908,9 @@ spec: type: array type: object responseHeadersPolicy: - description: The policy for managing response headers - during proxying. Rewriting the 'Host' header is not - supported. + description: |- + The policy for managing response headers during proxying. + Rewriting the 'Host' header is not supported. properties: remove: description: Remove specifies a list of HTTP header @@ -6847,10 +6919,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -6876,32 +6947,29 @@ spec: properties: aggression: default: "1.0" - description: "The speed of traffic increase over the - slow start window. Defaults to 1.0, so that endpoint - would get linearly increasing amount of traffic. - When increasing the value for this parameter, the - speed of traffic ramp-up increases non-linearly. - The value of aggression parameter should be greater - than 0.0. \n More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start" + description: |- + The speed of traffic increase over the slow start window. + Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic. + When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly. + The value of aggression parameter should be greater than 0.0. + More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start pattern: ^([0-9]+([.][0-9]+)?|[.][0-9]+)$ type: string minWeightPercent: default: 10 - description: The minimum or starting percentage of - traffic to send to new endpoints. A non-zero value - helps avoid a too small initial weight, which may - cause endpoints in slow start mode to receive no - traffic in the beginning of the slow start window. + description: |- + The minimum or starting percentage of traffic to send to new endpoints. + A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window. If not specified, the default is 10%. format: int32 maximum: 100 minimum: 0 type: integer window: - description: The duration of slow start window. Duration - is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", - "s", "m", "h". + description: |- + The duration of slow start window. + Duration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ type: string required: @@ -6912,29 +6980,26 @@ spec: the backend service's certificate properties: caSecret: - description: Name or namespaced name of the Kubernetes - secret used to validate the certificate presented - by the backend. The secret must contain key named - ca.crt. The name can be optionally prefixed with - namespace "namespace/name". When cross-namespace - reference is used, TLSCertificateDelegation resource - must exist in the namespace to grant access to the - secret. Max length should be the actual max possible - length of a namespaced name (63 + 253 + 1 = 317) + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) maxLength: 317 minLength: 1 type: string subjectName: - description: 'Key which is expected to be present - in the ''subjectAltName'' of the presented certificate. - Deprecated: migrate to using the plural field subjectNames.' + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. maxLength: 250 minLength: 1 type: string subjectNames: - description: List of keys, of which at least one is - expected to be present in the 'subjectAltName of - the presented certificate. + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the + presented certificate. items: type: string maxItems: 8 @@ -6963,26 +7028,23 @@ spec: description: The timeout policy for this route. properties: idle: - description: Timeout for how long the proxy should wait - while there is no activity during single request/response - (for HTTP/1.1) or stream (for HTTP/2). Timeout will not - trigger while HTTP/1.1 connection is idle between two - consecutive requests. If not specified, there is no per-route - idle timeout, though a connection manager-wide stream_idle_timeout - default of 5m still applies. + description: |- + Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2). + Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests. + If not specified, there is no per-route idle timeout, though a connection manager-wide + stream_idle_timeout default of 5m still applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string idleConnection: - description: Timeout for how long connection from the proxy - to the upstream service is kept when there are no active - requests. If not supplied, Envoy's default value of 1h - applies. + description: |- + Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests. + If not supplied, Envoy's default value of 1h applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string response: - description: Timeout for receiving a response from the server - after processing a request from client. If not supplied, - Envoy's default value of 15s applies. + description: |- + Timeout for receiving a response from the server after processing a request from client. + If not supplied, Envoy's default value of 15s applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string type: object @@ -7029,11 +7091,10 @@ spec: - name type: object includes: - description: "IncludesDeprecated allow for specific routing configuration - to be appended to another HTTPProxy in another namespace. \n - Exists due to a mistake when developing HTTPProxy and the field - was marked plural when it should have been singular. This field - should stay to not break backwards compatibility to v1 users." + description: |- + IncludesDeprecated allow for specific routing configuration to be appended to another HTTPProxy in another namespace. + Exists due to a mistake when developing HTTPProxy and the field was marked plural + when it should have been singular. This field should stay to not break backwards compatibility to v1 users. properties: name: description: Name of the child HTTPProxy @@ -7046,69 +7107,71 @@ spec: - name type: object loadBalancerPolicy: - description: The load balancing policy for the backend services. - Note that the `Cookie` and `RequestHash` load balancing strategies - cannot be used here. + description: |- + The load balancing policy for the backend services. Note that the + `Cookie` and `RequestHash` load balancing strategies cannot be used + here. properties: requestHashPolicies: - description: RequestHashPolicies contains a list of hash policies - to apply when the `RequestHash` load balancing strategy - is chosen. If an element of the supplied list of hash policies - is invalid, it will be ignored. If the list of hash policies - is empty after validation, the load balancing strategy will - fall back to the default `RoundRobin`. + description: |- + RequestHashPolicies contains a list of hash policies to apply when the + `RequestHash` load balancing strategy is chosen. If an element of the + supplied list of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load balancing + strategy will fall back to the default `RoundRobin`. items: - description: RequestHashPolicy contains configuration for - an individual hash policy on a request attribute. + description: |- + RequestHashPolicy contains configuration for an individual hash policy + on a request attribute. properties: hashSourceIP: - description: HashSourceIP should be set to true when - request source IP hash based load balancing is desired. - It must be the only hash option field set, otherwise - this request hash policy object will be ignored. + description: |- + HashSourceIP should be set to true when request source IP hash based + load balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. type: boolean headerHashOptions: - description: HeaderHashOptions should be set when request - header hash based load balancing is desired. It must - be the only hash option field set, otherwise this - request hash policy object will be ignored. + description: |- + HeaderHashOptions should be set when request header hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: headerName: - description: HeaderName is the name of the HTTP - request header that will be used to calculate - the hash key. If the header specified is not present - on a request, no hash will be produced. + description: |- + HeaderName is the name of the HTTP request header that will be used to + calculate the hash key. If the header specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object queryParameterHashOptions: - description: QueryParameterHashOptions should be set - when request query parameter hash based load balancing - is desired. It must be the only hash option field - set, otherwise this request hash policy object will - be ignored. + description: |- + QueryParameterHashOptions should be set when request query parameter hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: parameterName: - description: ParameterName is the name of the HTTP - request query parameter that will be used to calculate - the hash key. If the query parameter specified - is not present on a request, no hash will be produced. + description: |- + ParameterName is the name of the HTTP request query parameter that will be used to + calculate the hash key. If the query parameter specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object terminal: - description: Terminal is a flag that allows for short-circuiting - computing of a hash for a given request. If set to - true, and the request attribute specified in the attribute - hash options is present, no further hash policies - will be used to calculate a hash for the request. + description: |- + Terminal is a flag that allows for short-circuiting computing of a hash + for a given request. If set to true, and the request attribute specified + in the attribute hash options is present, no further hash policies will + be used to calculate a hash for the request. type: boolean type: object type: array strategy: - description: Strategy specifies the policy used to balance - requests across the pool of backend pods. Valid policy names - are `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + description: |- + Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are + `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, and `RequestHash`. If an unknown strategy name is specified or no policy is supplied, the default `RoundRobin` policy is used. @@ -7126,12 +7189,14 @@ spec: items: properties: domainRewrite: - description: DomainRewrite enables rewriting the Set-Cookie - Domain element. If not set, Domain will not be rewritten. + description: |- + DomainRewrite enables rewriting the Set-Cookie Domain element. + If not set, Domain will not be rewritten. properties: value: - description: Value is the value to rewrite the - Domain attribute to. For now this is required. + description: |- + Value is the value to rewrite the Domain attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -7147,12 +7212,14 @@ spec: pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ type: string pathRewrite: - description: PathRewrite enables rewriting the Set-Cookie - Path element. If not set, Path will not be rewritten. + description: |- + PathRewrite enables rewriting the Set-Cookie Path element. + If not set, Path will not be rewritten. properties: value: - description: Value is the value to rewrite the - Path attribute to. For now this is required. + description: |- + Value is the value to rewrite the Path attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ @@ -7161,44 +7228,43 @@ spec: - value type: object sameSite: - description: SameSite enables rewriting the Set-Cookie - SameSite element. If not set, SameSite attribute - will not be rewritten. + description: |- + SameSite enables rewriting the Set-Cookie SameSite element. + If not set, SameSite attribute will not be rewritten. enum: - Strict - Lax - None type: string secure: - description: Secure enables rewriting the Set-Cookie - Secure element. If not set, Secure attribute will - not be rewritten. + description: |- + Secure enables rewriting the Set-Cookie Secure element. + If not set, Secure attribute will not be rewritten. type: boolean required: - name type: object type: array healthPort: - description: HealthPort is the port for this service healthcheck. + description: |- + HealthPort is the port for this service healthcheck. If not specified, Port is used for service healthchecks. maximum: 65535 minimum: 1 type: integer mirror: - description: 'If Mirror is true the Service will receive - a read only mirror of the traffic for this route. If Mirror - is true, then fractional mirroring can be enabled by optionally - setting the Weight field. Legal values for Weight are - 1-100. Omitting the Weight field will result in 100% mirroring. - NOTE: Setting Weight explicitly to 0 will unexpectedly - result in 100% traffic mirroring. This occurs since we - cannot distinguish omitted fields from those explicitly - set to their default values' + description: |- + If Mirror is true the Service will receive a read only mirror of the traffic for this route. + If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight + field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring. + NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This + occurs since we cannot distinguish omitted fields from those explicitly set to their default + values type: boolean name: - description: Name is the name of Kubernetes service to proxy - traffic. Names defined here will be used to look up corresponding - endpoints which contain the ips to route. + description: |- + Name is the name of Kubernetes service to proxy traffic. + Names defined here will be used to look up corresponding endpoints which contain the ips to route. type: string port: description: Port (defined as Integer) to proxy traffic @@ -7208,10 +7274,9 @@ spec: minimum: 1 type: integer protocol: - description: Protocol may be used to specify (or override) - the protocol used to reach this Service. Values may be - tls, h2, h2c. If omitted, protocol-selection falls back - on Service annotations. + description: |- + Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations. enum: - h2 - h2c @@ -7228,10 +7293,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -7252,8 +7316,9 @@ spec: type: array type: object responseHeadersPolicy: - description: The policy for managing response headers during - proxying. Rewriting the 'Host' header is not supported. + description: |- + The policy for managing response headers during proxying. + Rewriting the 'Host' header is not supported. properties: remove: description: Remove specifies a list of HTTP header @@ -7262,10 +7327,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -7291,32 +7355,29 @@ spec: properties: aggression: default: "1.0" - description: "The speed of traffic increase over the - slow start window. Defaults to 1.0, so that endpoint - would get linearly increasing amount of traffic. When - increasing the value for this parameter, the speed - of traffic ramp-up increases non-linearly. The value - of aggression parameter should be greater than 0.0. - \n More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start" + description: |- + The speed of traffic increase over the slow start window. + Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic. + When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly. + The value of aggression parameter should be greater than 0.0. + More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start pattern: ^([0-9]+([.][0-9]+)?|[.][0-9]+)$ type: string minWeightPercent: default: 10 - description: The minimum or starting percentage of traffic - to send to new endpoints. A non-zero value helps avoid - a too small initial weight, which may cause endpoints - in slow start mode to receive no traffic in the beginning - of the slow start window. If not specified, the default - is 10%. + description: |- + The minimum or starting percentage of traffic to send to new endpoints. + A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window. + If not specified, the default is 10%. format: int32 maximum: 100 minimum: 0 type: integer window: - description: The duration of slow start window. Duration - is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", - "m", "h". + description: |- + The duration of slow start window. + Duration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ type: string required: @@ -7327,28 +7388,25 @@ spec: backend service's certificate properties: caSecret: - description: Name or namespaced name of the Kubernetes - secret used to validate the certificate presented - by the backend. The secret must contain key named - ca.crt. The name can be optionally prefixed with namespace - "namespace/name". When cross-namespace reference is - used, TLSCertificateDelegation resource must exist - in the namespace to grant access to the secret. Max - length should be the actual max possible length of - a namespaced name (63 + 253 + 1 = 317) + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) maxLength: 317 minLength: 1 type: string subjectName: - description: 'Key which is expected to be present in - the ''subjectAltName'' of the presented certificate. - Deprecated: migrate to using the plural field subjectNames.' + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. maxLength: 250 minLength: 1 type: string subjectNames: - description: List of keys, of which at least one is - expected to be present in the 'subjectAltName of the + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the presented certificate. items: type: string @@ -7376,34 +7434,38 @@ spec: type: array type: object virtualhost: - description: Virtualhost appears at most once. If it is present, the - object is considered to be a "root" HTTPProxy. + description: |- + Virtualhost appears at most once. If it is present, the object is considered + to be a "root" HTTPProxy. properties: authorization: - description: This field configures an extension service to perform - authorization for this virtual host. Authorization can only - be configured on virtual hosts that have TLS enabled. If the - TLS configuration requires client certificate validation, the - client certificate is always included in the authentication - check request. + description: |- + This field configures an extension service to perform + authorization for this virtual host. Authorization can + only be configured on virtual hosts that have TLS enabled. + If the TLS configuration requires client certificate + validation, the client certificate is always included in the + authentication check request. properties: authPolicy: - description: AuthPolicy sets a default authorization policy - for client requests. This policy will be used unless overridden - by individual routes. + description: |- + AuthPolicy sets a default authorization policy for client requests. + This policy will be used unless overridden by individual routes. properties: context: additionalProperties: type: string - description: Context is a set of key/value pairs that - are sent to the authentication server in the check request. - If a context is provided at an enclosing scope, the - entries are merged such that the inner scope overrides - matching keys from the outer scope. + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. type: object disabled: - description: When true, this field disables client request - authentication for the scope of the policy. + description: |- + When true, this field disables client request authentication + for the scope of the policy. type: boolean type: object extensionRef: @@ -7411,36 +7473,38 @@ spec: that will authorize client requests. properties: apiVersion: - description: API version of the referent. If this field - is not specified, the default "projectcontour.io/v1alpha1" - will be used + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used minLength: 1 type: string name: - description: "Name of the referent. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names minLength: 1 type: string namespace: - description: "Namespace of the referent. If this field - is not specifies, the namespace of the resource that - targets the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ minLength: 1 type: string type: object failOpen: - description: If FailOpen is true, the client request is forwarded - to the upstream service even if the authorization server - fails to respond. This field should not be set in most cases. - It is intended for use only while migrating applications + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the authorization server fails to respond. This field should not be + set in most cases. It is intended for use only while migrating applications from internal authorization to Contour external authorization. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time to wait - for a check response from the authorization server. Timeout - durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", - "h". The string "infinity" is also a valid input and specifies - no timeout. + description: |- + ResponseTimeout configures maximum time to wait for a check response from the authorization server. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string withRequestBody: @@ -7492,20 +7556,21 @@ spec: minItems: 1 type: array allowOrigin: - description: AllowOrigin specifies the origins that will be - allowed to do CORS requests. Allowed values include "*" - which signifies any origin is allowed, an exact origin of - the form "scheme://host[:port]" (where port is optional), - or a valid regex pattern. Note that regex patterns are validated - and a simple "glob" pattern (e.g. *.foo.com) will be rejected - or produce unexpected matches when applied as a regex. + description: |- + AllowOrigin specifies the origins that will be allowed to do CORS requests. + Allowed values include "*" which signifies any origin is allowed, an exact + origin of the form "scheme://host[:port]" (where port is optional), or a valid + regex pattern. + Note that regex patterns are validated and a simple "glob" pattern (e.g. *.foo.com) + will be rejected or produce unexpected matches when applied as a regex. items: type: string minItems: 1 type: array allowPrivateNetwork: - description: AllowPrivateNetwork specifies whether to allow - private network requests. See https://developer.chrome.com/blog/private-network-access-preflight. + description: |- + AllowPrivateNetwork specifies whether to allow private network requests. + See https://developer.chrome.com/blog/private-network-access-preflight. type: boolean exposeHeaders: description: ExposeHeaders Specifies the content for the *access-control-expose-headers* @@ -7518,13 +7583,12 @@ spec: minItems: 1 type: array maxAge: - description: MaxAge indicates for how long the results of - a preflight request can be cached. MaxAge durations are - expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", - "h". Only positive values are allowed while 0 disables the - cache requiring a preflight OPTIONS check for all cross-origin - requests. + description: |- + MaxAge indicates for how long the results of a preflight request can be cached. + MaxAge durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + Only positive values are allowed while 0 disables the cache requiring a preflight OPTIONS + check for all cross-origin requests. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|0)$ type: string required: @@ -7532,30 +7596,32 @@ spec: - allowOrigin type: object fqdn: - description: The fully qualified domain name of the root of the - ingress tree all leaves of the DAG rooted at this object relate - to the fqdn. + description: |- + The fully qualified domain name of the root of the ingress tree + all leaves of the DAG rooted at this object relate to the fqdn. pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string ipAllowPolicy: - description: IPAllowFilterPolicy is a list of ipv4/6 filter rules - for which matching requests should be allowed. All other requests - will be denied. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy - can be defined. The rules defined here may be overridden in - a Route. + description: |- + IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be allowed. All other requests will be denied. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here may be overridden in a Route. items: properties: cidr: - description: CIDR is a CIDR block of ipv4 or ipv6 addresses - to filter on. This can also be a bare IP address (without - a mask) to filter on exactly one address. + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. type: string source: - description: 'Source indicates how to determine the ip address - to filter on, and can be one of two values: - `Remote` - filters on the ip address of the client, accounting for - PROXY and X-Forwarded-For as needed. - `Peer` filters - on the ip of the network request, ignoring PROXY and X-Forwarded-For.' + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. enum: - Peer - Remote @@ -7566,24 +7632,26 @@ spec: type: object type: array ipDenyPolicy: - description: IPDenyFilterPolicy is a list of ipv4/6 filter rules - for which matching requests should be denied. All other requests - will be allowed. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy - can be defined. The rules defined here may be overridden in - a Route. + description: |- + IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be denied. All other requests will be allowed. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here may be overridden in a Route. items: properties: cidr: - description: CIDR is a CIDR block of ipv4 or ipv6 addresses - to filter on. This can also be a bare IP address (without - a mask) to filter on exactly one address. + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. type: string source: - description: 'Source indicates how to determine the ip address - to filter on, and can be one of two values: - `Remote` - filters on the ip address of the client, accounting for - PROXY and X-Forwarded-For as needed. - `Peer` filters - on the ip of the network request, ignoring PROXY and X-Forwarded-For.' + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. enum: - Peer - Remote @@ -7600,27 +7668,31 @@ spec: description: JWTProvider defines how to verify JWTs on requests. properties: audiences: - description: Audiences that JWTs are allowed to have in - the "aud" field. If not provided, JWT audiences are not - checked. + description: |- + Audiences that JWTs are allowed to have in the "aud" field. + If not provided, JWT audiences are not checked. items: type: string type: array default: - description: Whether the provider should apply to all routes - in the HTTPProxy/its includes by default. At most one - provider can be marked as the default. If no provider - is marked as the default, individual routes must explicitly + description: |- + Whether the provider should apply to all + routes in the HTTPProxy/its includes by + default. At most one provider can be marked + as the default. If no provider is marked + as the default, individual routes must explicitly identify the provider they require. type: boolean forwardJWT: - description: Whether the JWT should be forwarded to the - backend service after successful verification. By default, + description: |- + Whether the JWT should be forwarded to the backend + service after successful verification. By default, the JWT is not forwarded. type: boolean issuer: - description: Issuer that JWTs are required to have in the - "iss" field. If not provided, JWT issuers are not checked. + description: |- + Issuer that JWTs are required to have in the "iss" field. + If not provided, JWT issuers are not checked. type: string name: description: Unique name for the provider. @@ -7630,33 +7702,34 @@ spec: description: Remote JWKS to use for verifying JWT signatures. properties: cacheDuration: - description: How long to cache the JWKS locally. If - not specified, Envoy's default of 5m applies. + description: |- + How long to cache the JWKS locally. If not specified, + Envoy's default of 5m applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ type: string dnsLookupFamily: - description: "The DNS IP address resolution policy for - the JWKS URI. When configured as \"v4\", the DNS resolver - will only perform a lookup for addresses in the IPv4 - family. If \"v6\" is configured, the DNS resolver - will only perform a lookup for addresses in the IPv6 - family. If \"all\" is configured, the DNS resolver - will perform a lookup for addresses in both the IPv4 - and IPv6 family. If \"auto\" is configured, the DNS - resolver will first perform a lookup for addresses - in the IPv6 family and fallback to a lookup for addresses - in the IPv4 family. If not specified, the Contour-wide - setting defined in the config file or ContourConfiguration - applies (defaults to \"auto\"). \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily - for more information." + description: |- + The DNS IP address resolution policy for the JWKS URI. + When configured as "v4", the DNS resolver will only perform a lookup + for addresses in the IPv4 family. If "v6" is configured, the DNS resolver + will only perform a lookup for addresses in the IPv6 family. + If "all" is configured, the DNS resolver + will perform a lookup for addresses in both the IPv4 and IPv6 family. + If "auto" is configured, the DNS resolver will first perform a lookup + for addresses in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. If not specified, the Contour-wide setting defined + in the config file or ContourConfiguration applies (defaults to "auto"). + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. enum: - auto - v4 - v6 type: string timeout: - description: How long to wait for a response from the - URI. If not specified, a default of 1s applies. + description: |- + How long to wait for a response from the URI. + If not specified, a default of 1s applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ type: string uri: @@ -7668,31 +7741,26 @@ spec: the JWKS's TLS certificate. properties: caSecret: - description: Name or namespaced name of the Kubernetes - secret used to validate the certificate presented - by the backend. The secret must contain key named - ca.crt. The name can be optionally prefixed with - namespace "namespace/name". When cross-namespace - reference is used, TLSCertificateDelegation resource - must exist in the namespace to grant access to - the secret. Max length should be the actual max - possible length of a namespaced name (63 + 253 - + 1 = 317) + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) maxLength: 317 minLength: 1 type: string subjectName: - description: 'Key which is expected to be present - in the ''subjectAltName'' of the presented certificate. - Deprecated: migrate to using the plural field - subjectNames.' + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. maxLength: 250 minLength: 1 type: string subjectNames: - description: List of keys, of which at least one - is expected to be present in the 'subjectAltName - of the presented certificate. + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the + presented certificate. items: type: string maxItems: 8 @@ -7719,15 +7787,16 @@ spec: description: The policy for rate limiting on the virtual host. properties: global: - description: Global defines global rate limiting parameters, - i.e. parameters defining descriptors that are sent to an - external rate limit service (RLS) for a rate limit decision - on each request. + description: |- + Global defines global rate limiting parameters, i.e. parameters + defining descriptors that are sent to an external rate limit + service (RLS) for a rate limit decision on each request. properties: descriptors: - description: Descriptors defines the list of descriptors - that will be generated and sent to the rate limit service. - Each descriptor contains 1+ key-value pair entries. + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries. items: description: RateLimitDescriptor defines a list of key-value pair generators. @@ -7736,18 +7805,18 @@ spec: description: Entries is the list of key-value pair generators. items: - description: RateLimitDescriptorEntry is a key-value - pair generator. Exactly one field on this struct - must be non-nil. + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. properties: genericKey: description: GenericKey defines a descriptor entry with a static key and value. properties: key: - description: Key defines the key of the - descriptor entry. If not set, the key - is set to "generic_key". + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". type: string value: description: Value defines the value of @@ -7756,17 +7825,15 @@ spec: type: string type: object remoteAddress: - description: RemoteAddress defines a descriptor - entry with a key of "remote_address" and - a value equal to the client's IP address - (from x-forwarded-for). + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). type: object requestHeader: - description: RequestHeader defines a descriptor - entry that's populated only if a given header - is present on the request. The descriptor - key is static, and the descriptor value - is equal to the value of the header. + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. properties: descriptorKey: description: DescriptorKey defines the @@ -7780,42 +7847,36 @@ spec: type: string type: object requestHeaderValueMatch: - description: RequestHeaderValueMatch defines - a descriptor entry that's populated if the - request's headers match a set of 1+ match - criteria. The descriptor key is "header_match", - and the descriptor value is static. + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. properties: expectMatch: default: true - description: ExpectMatch defines whether - the request must positively match the - match criteria in order to generate - a descriptor entry (i.e. true), or not - match the match criteria in order to - generate a descriptor entry (i.e. false). + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). The default is true. type: boolean headers: - description: Headers is a list of 1+ match - criteria to apply against the request - to determine whether to populate the - descriptor entry or not. + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. items: - description: HeaderMatchCondition specifies - how to conditionally match against - HTTP headers. The Name field is required, - only one of Present, NotPresent, Contains, - NotContains, Exact, NotExact and Regex - can be set. For negative matching - rules only (e.g. NotContains or NotExact) - you can set TreatMissingAsEmpty. IgnoreCase - has no effect for Regex. + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex. properties: contains: - description: Contains specifies - a substring that must be present - in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string @@ -7823,61 +7884,49 @@ spec: equal to. type: string ignoreCase: - description: IgnoreCase specifies - that string matching should be - case insensitive. Note that this - has no effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of - the header to match against. Name - is required. Header names are - case insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies - a substring that must not be present + description: |- + NotContains specifies a substring that must not be present in the header value. type: string notexact: - description: NoExact specifies a - string that the header value must - not be equal to. The condition - is true if the header has any - other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies - that condition is true when the - named header is not present. Note - that setting NotPresent to false - does not make the condition true - if the named header is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that - condition is true when the named - header is present, regardless - of its value. Note that setting - Present to false does not make - the condition true if the named - header is absent. + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. type: boolean regex: - description: Regex specifies a regular - expression pattern that must match - the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty - specifies if the header match - rule specified header does not - exist, this header value will - be treated as empty. Defaults - to false. Unlike the underlying - Envoy implementation this is **only** - supported for negative matches - (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -7897,31 +7946,34 @@ spec: minItems: 1 type: array disabled: - description: Disabled configures the HTTPProxy to not - use the default global rate limit policy defined by - the Contour configuration. + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. type: boolean type: object local: - description: Local defines local rate limiting parameters, - i.e. parameters for rate limiting that occurs within each - Envoy pod as requests are handled. + description: |- + Local defines local rate limiting parameters, i.e. parameters + for rate limiting that occurs within each Envoy pod as requests + are handled. properties: burst: - description: Burst defines the number of requests above - the requests per unit that should be allowed within - a short period of time. + description: |- + Burst defines the number of requests above the requests per + unit that should be allowed within a short period of time. format: int32 type: integer requests: - description: Requests defines how many requests per unit - of time should be allowed before rate limiting occurs. + description: |- + Requests defines how many requests per unit of time should + be allowed before rate limiting occurs. format: int32 minimum: 1 type: integer responseHeadersToAdd: - description: ResponseHeadersToAdd is an optional list - of response headers to set when a request is rate-limited. + description: |- + ResponseHeadersToAdd is an optional list of response headers to + set when a request is rate-limited. items: description: HeaderValue represents a header name/value pair @@ -7941,18 +7993,20 @@ spec: type: object type: array responseStatusCode: - description: ResponseStatusCode is the HTTP status code - to use for responses to rate-limited requests. Codes - must be in the 400-599 range (inclusive). If not specified, - the Envoy default of 429 (Too Many Requests) is used. + description: |- + ResponseStatusCode is the HTTP status code to use for responses + to rate-limited requests. Codes must be in the 400-599 range + (inclusive). If not specified, the Envoy default of 429 (Too + Many Requests) is used. format: int32 maximum: 599 minimum: 400 type: integer unit: - description: Unit defines the period of time within which - requests over the limit will be rate limited. Valid - values are "second", "minute" and "hour". + description: |- + Unit defines the period of time within which requests + over the limit will be rate limited. Valid values are + "second", "minute" and "hour". enum: - second - minute @@ -7964,57 +8018,56 @@ spec: type: object type: object tls: - description: If present the fields describes TLS properties of - the virtual host. The SNI names that will be matched on are - described in fqdn, the tls.secretName secret must contain a - certificate that itself contains a name that matches the FQDN. + description: |- + If present the fields describes TLS properties of the virtual + host. The SNI names that will be matched on are described in fqdn, + the tls.secretName secret must contain a certificate that itself + contains a name that matches the FQDN. properties: clientValidation: - description: "ClientValidation defines how to verify the client - certificate when an external client establishes a TLS connection - to Envoy. \n This setting: \n 1. Enables TLS client certificate - validation. 2. Specifies how the client certificate will - be validated (i.e. validation required or skipped). \n Note: - Setting client certificate validation to be skipped should - be only used in conjunction with an external authorization - server that performs client validation as Contour will ensure - client certificates are passed along." + description: |- + ClientValidation defines how to verify the client certificate + when an external client establishes a TLS connection to Envoy. + This setting: + 1. Enables TLS client certificate validation. + 2. Specifies how the client certificate will be validated (i.e. + validation required or skipped). + Note: Setting client certificate validation to be skipped should + be only used in conjunction with an external authorization server that + performs client validation as Contour will ensure client certificates + are passed along. properties: caSecret: - description: Name of a Kubernetes secret that contains - a CA certificate bundle. The secret must contain key - named ca.crt. The client certificate must validate against - the certificates in the bundle. If specified and SkipClientCertValidation - is true, client certificates will be required on requests. + description: |- + Name of a Kubernetes secret that contains a CA certificate bundle. + The secret must contain key named ca.crt. + The client certificate must validate against the certificates in the bundle. + If specified and SkipClientCertValidation is true, client certificates will + be required on requests. The name can be optionally prefixed with namespace "namespace/name". - When cross-namespace reference is used, TLSCertificateDelegation - resource must exist in the namespace to grant access - to the secret. + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. minLength: 1 type: string crlOnlyVerifyLeafCert: - description: If this option is set to true, only the certificate - at the end of the certificate chain will be subject - to validation by CRL. + description: |- + If this option is set to true, only the certificate at the end of the + certificate chain will be subject to validation by CRL. type: boolean crlSecret: - description: Name of a Kubernetes opaque secret that contains - a concatenated list of PEM encoded CRLs. The secret - must contain key named crl.pem. This field will be used - to verify that a client certificate has not been revoked. - CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert - is true. Large CRL lists are not supported since individual - secrets are limited to 1MiB in size. The name can be - optionally prefixed with namespace "namespace/name". - When cross-namespace reference is used, TLSCertificateDelegation - resource must exist in the namespace to grant access - to the secret. + description: |- + Name of a Kubernetes opaque secret that contains a concatenated list of PEM encoded CRLs. + The secret must contain key named crl.pem. + This field will be used to verify that a client certificate has not been revoked. + CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert is true. + Large CRL lists are not supported since individual secrets are limited to 1MiB in size. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. minLength: 1 type: string forwardClientCertificate: - description: ForwardClientCertificate adds the selected - data from the passed client TLS certificate to the x-forwarded-client-cert - header. + description: |- + ForwardClientCertificate adds the selected data from the passed client TLS certificate + to the x-forwarded-client-cert header. properties: cert: description: Client cert in URL encoded PEM format. @@ -8036,55 +8089,56 @@ spec: type: boolean type: object optionalClientCertificate: - description: OptionalClientCertificate when set to true - will request a client certificate but allow the connection - to continue if the client does not provide one. If a - client certificate is sent, it will be verified according - to the other properties, which includes disabling validation - if SkipClientCertValidation is set. Defaults to false. + description: |- + OptionalClientCertificate when set to true will request a client certificate + but allow the connection to continue if the client does not provide one. + If a client certificate is sent, it will be verified according to the + other properties, which includes disabling validation if + SkipClientCertValidation is set. Defaults to false. type: boolean skipClientCertValidation: - description: SkipClientCertValidation disables downstream - client certificate validation. Defaults to false. This - field is intended to be used in conjunction with external - authorization in order to enable the external authorization - server to validate client certificates. When this field - is set to true, client certificates are requested but - not verified by Envoy. If CACertificate is specified, - client certificates are required on requests, but not - verified. If external authorization is in use, they - are presented to the external authorization server. + description: |- + SkipClientCertValidation disables downstream client certificate + validation. Defaults to false. This field is intended to be used in + conjunction with external authorization in order to enable the external + authorization server to validate client certificates. When this field + is set to true, client certificates are requested but not verified by + Envoy. If CACertificate is specified, client certificates are required on + requests, but not verified. If external authorization is in use, they are + presented to the external authorization server. type: boolean type: object enableFallbackCertificate: - description: EnableFallbackCertificate defines if the vhost - should allow a default certificate to be applied which handles - all requests which don't match the SNI defined in this vhost. + description: |- + EnableFallbackCertificate defines if the vhost should allow a default certificate to + be applied which handles all requests which don't match the SNI defined in this vhost. type: boolean maximumProtocolVersion: - description: MaximumProtocolVersion is the maximum TLS version - this vhost should negotiate. Valid options are `1.2` and - `1.3` (default). Any other value defaults to TLS 1.3. + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. Valid options are `1.2` and `1.3` (default). Any other value + defaults to TLS 1.3. type: string minimumProtocolVersion: - description: MinimumProtocolVersion is the minimum TLS version - this vhost should negotiate. Valid options are `1.2` (default) - and `1.3`. Any other value defaults to TLS 1.2. + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. Valid options are `1.2` (default) and `1.3`. Any other value + defaults to TLS 1.2. type: string passthrough: - description: Passthrough defines whether the encrypted TLS - handshake will be passed through to the backing cluster. - Either Passthrough or SecretName must be specified, but - not both. + description: |- + Passthrough defines whether the encrypted TLS handshake will be + passed through to the backing cluster. Either Passthrough or + SecretName must be specified, but not both. type: boolean secretName: - description: SecretName is the name of a TLS secret. Either - SecretName or Passthrough must be specified, but not both. + description: |- + SecretName is the name of a TLS secret. + Either SecretName or Passthrough must be specified, but not both. If specified, the named secret must contain a matching certificate - for the virtual host's FQDN. The name can be optionally - prefixed with namespace "namespace/name". When cross-namespace - reference is used, TLSCertificateDelegation resource must - exist in the namespace to grant access to the secret. + for the virtual host's FQDN. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. type: string type: object required: @@ -8099,75 +8153,67 @@ spec: HTTPProxy. properties: conditions: - description: "Conditions contains information about the current status - of the HTTPProxy, in an upstream-friendly container. \n Contour - will update a single condition, `Valid`, that is in normal-true - polarity. That is, when `currentStatus` is `valid`, the `Valid` - condition will be `status: true`, and vice versa. \n Contour will - leave untouched any other Conditions set in this block, in case - some other controller wants to add a Condition. \n If you are another - controller owner and wish to add a condition, you *should* namespace - your condition with a label, like `controller.domain.com/ConditionName`." + description: |- + Conditions contains information about the current status of the HTTPProxy, + in an upstream-friendly container. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + That is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`, + and vice versa. + Contour will leave untouched any other Conditions set in this block, + in case some other controller wants to add a Condition. + If you are another controller owner and wish to add a condition, you *should* + namespace your condition with a label, like `controller.domain.com/ConditionName`. items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. - \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. \n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. properties: errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -8181,10 +8227,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -8196,32 +8242,31 @@ spec: type: object type: array lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -8235,43 +8280,42 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -8285,10 +8329,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -8319,48 +8363,49 @@ spec: balancer. properties: ingress: - description: Ingress is a list containing ingress points for the - load-balancer. Traffic intended for the service should be sent - to these ingress points. + description: |- + Ingress is a list containing ingress points for the load-balancer. + Traffic intended for the service should be sent to these ingress points. items: - description: 'LoadBalancerIngress represents the status of a - load-balancer ingress point: traffic intended for the service - should be sent to an ingress point.' + description: |- + LoadBalancerIngress represents the status of a load-balancer ingress point: + traffic intended for the service should be sent to an ingress point. properties: hostname: - description: Hostname is set for load-balancer ingress points - that are DNS based (typically AWS load-balancers) + description: |- + Hostname is set for load-balancer ingress points that are DNS based + (typically AWS load-balancers) type: string ip: - description: IP is set for load-balancer ingress points - that are IP based (typically GCE or OpenStack load-balancers) + description: |- + IP is set for load-balancer ingress points that are IP based + (typically GCE or OpenStack load-balancers) type: string ipMode: - description: IPMode specifies how the load-balancer IP behaves, - and may only be specified when the ip field is specified. - Setting this to "VIP" indicates that traffic is delivered - to the node with the destination set to the load-balancer's - IP and port. Setting this to "Proxy" indicates that traffic - is delivered to the node or pod with the destination set - to the node's IP and node port or the pod's IP and port. - Service implementations may use this information to adjust - traffic routing. + description: |- + IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified. + Setting this to "VIP" indicates that traffic is delivered to the node with + the destination set to the load-balancer's IP and port. + Setting this to "Proxy" indicates that traffic is delivered to the node or pod with + the destination set to the node's IP and node port or the pod's IP and port. + Service implementations may use this information to adjust traffic routing. type: string ports: - description: Ports is a list of records of service ports - If used, every port defined in the service should have - an entry in it + description: |- + Ports is a list of records of service ports + If used, every port defined in the service should have an entry in it items: properties: error: - description: 'Error is to record the problem with - the service port The format of the error shall comply - with the following rules: - built-in error values - shall be specified in this file and those shall - use CamelCase names - cloud provider specific error - values must have names that comply with the format - foo.example.com/CamelCase. --- The regex it matches - is (dns1123SubdomainFmt/)?(qualifiedNameFmt)' + description: |- + Error is to record the problem with the service port + The format of the error shall comply with the following rules: + - built-in error values shall be specified in this file and those shall use + CamelCase names + - cloud provider specific error values must have names that comply with the + format foo.example.com/CamelCase. + --- + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -8371,9 +8416,9 @@ spec: type: integer protocol: default: TCP - description: 'Protocol is the protocol of the service - port of which status is recorded here The supported - values are: "TCP", "UDP", "SCTP"' + description: |- + Protocol is the protocol of the service port of which status is recorded here + The supported values are: "TCP", "UDP", "SCTP" type: string required: - port @@ -8398,7 +8443,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: tlscertificatedelegations.projectcontour.io spec: preserveUnknownFields: false @@ -8415,18 +8460,24 @@ spec: - name: v1 schema: openAPIV3Schema: - description: TLSCertificateDelegation is an TLS Certificate Delegation CRD - specification. See design/tls-certificate-delegation.md for details. + description: |- + TLSCertificateDelegation is an TLS Certificate Delegation CRD specification. + See design/tls-certificate-delegation.md for details. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -8435,18 +8486,20 @@ spec: properties: delegations: items: - description: CertificateDelegation maps the authority to reference - a secret in the current namespace to a set of namespaces. + description: |- + CertificateDelegation maps the authority to reference a secret + in the current namespace to a set of namespaces. properties: secretName: description: required, the name of a secret in the current namespace. type: string targetNamespaces: - description: required, the namespaces the authority to reference - the secret will be delegated to. If TargetNamespaces is nil - or empty, the CertificateDelegation' is ignored. If the TargetNamespace - list contains the character, "*" the secret will be delegated - to all namespaces. + description: |- + required, the namespaces the authority to reference the + secret will be delegated to. + If TargetNamespaces is nil or empty, the CertificateDelegation' + is ignored. If the TargetNamespace list contains the character, "*" + the secret will be delegated to all namespaces. items: type: string type: array @@ -8459,79 +8512,72 @@ spec: - delegations type: object status: - description: TLSCertificateDelegationStatus allows for the status of the - delegation to be presented to the user. + description: |- + TLSCertificateDelegationStatus allows for the status of the delegation + to be presented to the user. properties: conditions: - description: "Conditions contains information about the current status - of the HTTPProxy, in an upstream-friendly container. \n Contour - will update a single condition, `Valid`, that is in normal-true - polarity. That is, when `currentStatus` is `valid`, the `Valid` - condition will be `status: true`, and vice versa. \n Contour will - leave untouched any other Conditions set in this block, in case - some other controller wants to add a Condition. \n If you are another - controller owner and wish to add a condition, you *should* namespace - your condition with a label, like `controller.domain.com\\ConditionName`." + description: |- + Conditions contains information about the current status of the HTTPProxy, + in an upstream-friendly container. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + That is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`, + and vice versa. + Contour will leave untouched any other Conditions set in this block, + in case some other controller wants to add a Condition. + If you are another controller owner and wish to add a condition, you *should* + namespace your condition with a label, like `controller.domain.com\ConditionName`. items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. - \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. \n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. properties: errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -8545,10 +8591,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -8560,32 +8606,31 @@ spec: type: object type: array lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -8599,43 +8644,42 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -8649,10 +8693,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/examples/render/contour.yaml b/examples/render/contour.yaml index e3eee51b01f..49970d39bdd 100644 --- a/examples/render/contour.yaml +++ b/examples/render/contour.yaml @@ -222,7 +222,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: contourconfigurations.projectcontour.io spec: preserveUnknownFields: false @@ -242,47 +242,59 @@ spec: description: ContourConfiguration is the schema for a Contour instance. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: ContourConfigurationSpec represents a configuration of a - Contour controller. It contains most of all the options that can be - customized, the other remaining options being command line flags. + description: |- + ContourConfigurationSpec represents a configuration of a Contour controller. + It contains most of all the options that can be customized, the + other remaining options being command line flags. properties: debug: - description: Debug contains parameters to enable debug logging and - debug interfaces inside Contour. + description: |- + Debug contains parameters to enable debug logging + and debug interfaces inside Contour. properties: address: - description: "Defines the Contour debug address interface. \n - Contour's default is \"127.0.0.1\"." + description: |- + Defines the Contour debug address interface. + Contour's default is "127.0.0.1". type: string port: - description: "Defines the Contour debug address port. \n Contour's - default is 6060." + description: |- + Defines the Contour debug address port. + Contour's default is 6060. type: integer type: object enableExternalNameService: - description: "EnableExternalNameService allows processing of ExternalNameServices - \n Contour's default is false for security reasons." + description: |- + EnableExternalNameService allows processing of ExternalNameServices + Contour's default is false for security reasons. type: boolean envoy: - description: Envoy contains parameters for Envoy as well as how to - optionally configure a managed Envoy fleet. + description: |- + Envoy contains parameters for Envoy as well + as how to optionally configure a managed Envoy fleet. properties: clientCertificate: - description: ClientCertificate defines the namespace/name of the - Kubernetes secret containing the client certificate and private - key to be used when establishing TLS connection to upstream + description: |- + ClientCertificate defines the namespace/name of the Kubernetes + secret containing the client certificate and private key + to be used when establishing TLS connection to upstream cluster. properties: name: @@ -294,13 +306,14 @@ spec: - namespace type: object cluster: - description: Cluster holds various configurable Envoy cluster - values that can be set in the config file. + description: |- + Cluster holds various configurable Envoy cluster values that can + be set in the config file. properties: circuitBreakers: - description: GlobalCircuitBreakerDefaults specifies default - circuit breaker budget across all services. If defined, - this will be used as the default for all services. + description: |- + GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services. + If defined, this will be used as the default for all services. properties: maxConnections: description: The maximum number of connections that a @@ -328,34 +341,36 @@ spec: type: integer type: object dnsLookupFamily: - description: "DNSLookupFamily defines how external names are - looked up When configured as V4, the DNS resolver will only - perform a lookup for addresses in the IPv4 family. If V6 - is configured, the DNS resolver will only perform a lookup - for addresses in the IPv6 family. If AUTO is configured, - the DNS resolver will first perform a lookup for addresses - in the IPv6 family and fallback to a lookup for addresses - in the IPv4 family. If ALL is specified, the DNS resolver - will perform a lookup for both IPv4 and IPv6 families, and - return all resolved addresses. When this is used, Happy - Eyeballs will be enabled for upstream connections. Refer - to Happy Eyeballs Support for more information. Note: This - only applies to externalName clusters. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily - for more information. \n Values: `auto` (default), `v4`, - `v6`, `all`. \n Other values will produce an error." + description: |- + DNSLookupFamily defines how external names are looked up + When configured as V4, the DNS resolver will only perform a lookup + for addresses in the IPv4 family. If V6 is configured, the DNS resolver + will only perform a lookup for addresses in the IPv6 family. + If AUTO is configured, the DNS resolver will first perform a lookup + for addresses in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for + both IPv4 and IPv6 families, and return all resolved addresses. + When this is used, Happy Eyeballs will be enabled for upstream connections. + Refer to Happy Eyeballs Support for more information. + Note: This only applies to externalName clusters. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. + Values: `auto` (default), `v4`, `v6`, `all`. + Other values will produce an error. type: string maxRequestsPerConnection: - description: Defines the maximum requests for upstream connections. - If not specified, there is no limit. see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + description: |- + Defines the maximum requests for upstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions for more information. format: int32 minimum: 1 type: integer per-connection-buffer-limit-bytes: - description: Defines the soft limit on size of the cluster’s - new connection read and write buffers in bytes. If unspecified, - an implementation defined default is applied (1MiB). see - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes + description: |- + Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes for more information. format: int32 minimum: 1 @@ -365,59 +380,73 @@ spec: for upstream connections properties: cipherSuites: - description: "CipherSuites defines the TLS ciphers to - be supported by Envoy TLS listeners when negotiating - TLS 1.2. Ciphers are validated against the set that - Envoy supports by default. This parameter should only - be used by advanced users. Note that these will be ignored - when TLS 1.3 is in use. \n This field is optional; when - it is undefined, a Contour-managed ciphersuite list + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list will be used, which may be updated to keep it secure. - \n Contour's default list is: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" - \n Ciphers provided are validated against the following - list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" - - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" - - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" - - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - - \"AES256-SHA\" \n Contour recommends leaving this undefined - unless you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters - Note: This list is a superset of what is valid for stock - Envoy builds and those using BoringSSL FIPS." + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. items: type: string type: array maximumProtocolVersion: - description: "MaximumProtocolVersion is the maximum TLS - version this vhost should negotiate. \n Values: `1.2`, - `1.3`(default). \n Other values will produce an error." + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. type: string minimumProtocolVersion: - description: "MinimumProtocolVersion is the minimum TLS - version this vhost should negotiate. \n Values: `1.2` - (default), `1.3`. \n Other values will produce an error." + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. type: string type: object type: object defaultHTTPVersions: - description: "DefaultHTTPVersions defines the default set of HTTPS - versions the proxy should accept. HTTP versions are strings - of the form \"HTTP/xx\". Supported versions are \"HTTP/1.1\" - and \"HTTP/2\". \n Values: `HTTP/1.1`, `HTTP/2` (default: both). - \n Other values will produce an error." + description: |- + DefaultHTTPVersions defines the default set of HTTPS + versions the proxy should accept. HTTP versions are + strings of the form "HTTP/xx". Supported versions are + "HTTP/1.1" and "HTTP/2". + Values: `HTTP/1.1`, `HTTP/2` (default: both). + Other values will produce an error. items: description: HTTPVersionType is the name of a supported HTTP version. type: string type: array health: - description: "Health defines the endpoint Envoy uses to serve - health checks. \n Contour's default is { address: \"0.0.0.0\", - port: 8002 }." + description: |- + Health defines the endpoint Envoy uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8002 }. properties: address: description: Defines the health address interface. @@ -428,9 +457,9 @@ spec: type: integer type: object http: - description: "Defines the HTTP Listener for Envoy. \n Contour's - default is { address: \"0.0.0.0\", port: 8080, accessLog: \"/dev/stdout\" - }." + description: |- + Defines the HTTP Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }. properties: accessLog: description: AccessLog defines where Envoy logs are outputted @@ -445,9 +474,9 @@ spec: type: integer type: object https: - description: "Defines the HTTPS Listener for Envoy. \n Contour's - default is { address: \"0.0.0.0\", port: 8443, accessLog: \"/dev/stdout\" - }." + description: |- + Defines the HTTPS Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }. properties: accessLog: description: AccessLog defines where Envoy logs are outputted @@ -466,106 +495,103 @@ spec: values. properties: connectionBalancer: - description: "ConnectionBalancer. If the value is exact, the - listener will use the exact connection balancer See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig - for more information. \n Values: (empty string): use the - default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. - \n Other values will produce an error." + description: |- + ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer + See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig + for more information. + Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. + Other values will produce an error. type: string disableAllowChunkedLength: - description: "DisableAllowChunkedLength disables the RFC-compliant - Envoy behavior to strip the \"Content-Length\" header if - \"Transfer-Encoding: chunked\" is also set. This is an emergency - off-switch to revert back to Envoy's default behavior in - case of failures. Please file an issue if failures are encountered. + description: |- + DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to + strip the "Content-Length" header if "Transfer-Encoding: chunked" is + also set. This is an emergency off-switch to revert back to Envoy's + default behavior in case of failures. Please file an issue if failures + are encountered. See: https://github.com/projectcontour/contour/issues/3221 - \n Contour's default is false." + Contour's default is false. type: boolean disableMergeSlashes: - description: "DisableMergeSlashes disables Envoy's non-standard - merge_slashes path transformation option which strips duplicate - slashes from request URL paths. \n Contour's default is - false." + description: |- + DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option + which strips duplicate slashes from request URL paths. + Contour's default is false. type: boolean httpMaxConcurrentStreams: - description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS - Envoy will advertise in the SETTINGS frame in HTTP/2 connections - and the limit for concurrent streams allowed for a peer - on a single HTTP/2 connection. It is recommended to not - set this lower than 100 but this field can be used to bound - resource usage by HTTP/2 connections and mitigate attacks - like CVE-2023-44487. The default value when this is not - set is unlimited. + description: |- + Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the + SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed + for a peer on a single HTTP/2 connection. It is recommended to not set this lower + than 100 but this field can be used to bound resource usage by HTTP/2 connections + and mitigate attacks like CVE-2023-44487. The default value when this is not set is + unlimited. format: int32 minimum: 1 type: integer maxConnectionsPerListener: - description: Defines the limit on number of active connections - to a listener. The limit is applied per listener. The default - value when this is not set is unlimited. + description: |- + Defines the limit on number of active connections to a listener. The limit is applied + per listener. The default value when this is not set is unlimited. format: int32 minimum: 1 type: integer maxRequestsPerConnection: - description: Defines the maximum requests for downstream connections. - If not specified, there is no limit. see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + description: |- + Defines the maximum requests for downstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions for more information. format: int32 minimum: 1 type: integer maxRequestsPerIOCycle: - description: Defines the limit on number of HTTP requests - that Envoy will process from a single connection in a single - I/O cycle. Requests over this limit are processed in subsequent - I/O cycles. Can be used as a mitigation for CVE-2023-44487 - when abusive traffic is detected. Configures the http.max_requests_per_io_cycle - Envoy runtime setting. The default value when this is not - set is no limit. + description: |- + Defines the limit on number of HTTP requests that Envoy will process from a single + connection in a single I/O cycle. Requests over this limit are processed in subsequent + I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is + detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default + value when this is not set is no limit. format: int32 minimum: 1 type: integer per-connection-buffer-limit-bytes: - description: Defines the soft limit on size of the listener’s - new connection read and write buffers in bytes. If unspecified, - an implementation defined default is applied (1MiB). see - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes + description: |- + Defines the soft limit on size of the listener’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes for more information. format: int32 minimum: 1 type: integer serverHeaderTransformation: - description: "Defines the action to be applied to the Server - header on the response path. When configured as overwrite, - overwrites any Server header with \"envoy\". When configured - as append_if_absent, if a Server header is present, pass - it through, otherwise set it to \"envoy\". When configured - as pass_through, pass through the value of the Server header, - and do not append a header if none is present. \n Values: - `overwrite` (default), `append_if_absent`, `pass_through` - \n Other values will produce an error. Contour's default - is overwrite." + description: |- + Defines the action to be applied to the Server header on the response path. + When configured as overwrite, overwrites any Server header with "envoy". + When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy". + When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. + Values: `overwrite` (default), `append_if_absent`, `pass_through` + Other values will produce an error. + Contour's default is overwrite. type: string socketOptions: - description: SocketOptions defines configurable socket options - for the listeners. Single set of options are applied to - all listeners. + description: |- + SocketOptions defines configurable socket options for the listeners. + Single set of options are applied to all listeners. properties: tos: - description: Defines the value for IPv4 TOS field (including - 6 bit DSCP field) for IP packets originating from Envoy - listeners. Single value is applied to all listeners. - If listeners are bound to IPv6-only addresses, setting - this option will cause an error. + description: |- + Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv6-only addresses, setting this option will cause an error. format: int32 maximum: 255 minimum: 0 type: integer trafficClass: - description: Defines the value for IPv6 Traffic Class - field (including 6 bit DSCP field) for IP packets originating - from the Envoy listeners. Single value is applied to - all listeners. If listeners are bound to IPv4-only addresses, - setting this option will cause an error. + description: |- + Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv4-only addresses, setting this option will cause an error. format: int32 maximum: 255 minimum: 0 @@ -576,79 +602,93 @@ spec: values. properties: cipherSuites: - description: "CipherSuites defines the TLS ciphers to - be supported by Envoy TLS listeners when negotiating - TLS 1.2. Ciphers are validated against the set that - Envoy supports by default. This parameter should only - be used by advanced users. Note that these will be ignored - when TLS 1.3 is in use. \n This field is optional; when - it is undefined, a Contour-managed ciphersuite list + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list will be used, which may be updated to keep it secure. - \n Contour's default list is: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" - \n Ciphers provided are validated against the following - list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" - - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" - - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" - - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - - \"AES256-SHA\" \n Contour recommends leaving this undefined - unless you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters - Note: This list is a superset of what is valid for stock - Envoy builds and those using BoringSSL FIPS." + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. items: type: string type: array maximumProtocolVersion: - description: "MaximumProtocolVersion is the maximum TLS - version this vhost should negotiate. \n Values: `1.2`, - `1.3`(default). \n Other values will produce an error." + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. type: string minimumProtocolVersion: - description: "MinimumProtocolVersion is the minimum TLS - version this vhost should negotiate. \n Values: `1.2` - (default), `1.3`. \n Other values will produce an error." + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. type: string type: object useProxyProtocol: - description: "Use PROXY protocol for all listeners. \n Contour's - default is false." + description: |- + Use PROXY protocol for all listeners. + Contour's default is false. type: boolean type: object logging: description: Logging defines how Envoy's logs can be configured. properties: accessLogFormat: - description: "AccessLogFormat sets the global access log format. - \n Values: `envoy` (default), `json`. \n Other values will - produce an error." + description: |- + AccessLogFormat sets the global access log format. + Values: `envoy` (default), `json`. + Other values will produce an error. type: string accessLogFormatString: - description: AccessLogFormatString sets the access log format - when format is set to `envoy`. When empty, Envoy's default - format is used. + description: |- + AccessLogFormatString sets the access log format when format is set to `envoy`. + When empty, Envoy's default format is used. type: string accessLogJSONFields: - description: AccessLogJSONFields sets the fields that JSON - logging will output when AccessLogFormat is json. + description: |- + AccessLogJSONFields sets the fields that JSON logging will + output when AccessLogFormat is json. items: type: string type: array accessLogLevel: - description: "AccessLogLevel sets the verbosity level of the - access log. \n Values: `info` (default, all requests are - logged), `error` (all non-success requests, i.e. 300+ response - code, are logged), `critical` (all 5xx requests are logged) - and `disabled`. \n Other values will produce an error." + description: |- + AccessLogLevel sets the verbosity level of the access log. + Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`. + Other values will produce an error. type: string type: object metrics: - description: "Metrics defines the endpoint Envoy uses to serve - metrics. \n Contour's default is { address: \"0.0.0.0\", port: - 8002 }." + description: |- + Metrics defines the endpoint Envoy uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8002 }. properties: address: description: Defines the metrics address interface. @@ -659,9 +699,9 @@ spec: description: Defines the metrics port. type: integer tls: - description: TLS holds TLS file config details. Metrics and - health endpoints cannot have same port number when metrics - is served over HTTPS. + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. properties: caFile: description: CA filename. @@ -679,23 +719,26 @@ spec: values. properties: adminPort: - description: "Configure the port used to access the Envoy - Admin interface. If configured to port \"0\" then the admin - interface is disabled. \n Contour's default is 9001." + description: |- + Configure the port used to access the Envoy Admin interface. + If configured to port "0" then the admin interface is disabled. + Contour's default is 9001. type: integer numTrustedHops: - description: "XffNumTrustedHops defines the number of additional - ingress proxy hops from the right side of the x-forwarded-for - HTTP header to trust when determining the origin client’s - IP address. \n See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops - for more information. \n Contour's default is 0." + description: |- + XffNumTrustedHops defines the number of additional ingress proxy hops from the + right side of the x-forwarded-for HTTP header to trust when determining the origin + client’s IP address. + See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops + for more information. + Contour's default is 0. format: int32 type: integer type: object service: - description: "Service holds Envoy service parameters for setting - Ingress status. \n Contour's default is { namespace: \"projectcontour\", - name: \"envoy\" }." + description: |- + Service holds Envoy service parameters for setting Ingress status. + Contour's default is { namespace: "projectcontour", name: "envoy" }. properties: name: type: string @@ -706,93 +749,101 @@ spec: - namespace type: object timeouts: - description: Timeouts holds various configurable timeouts that - can be set in the config file. + description: |- + Timeouts holds various configurable timeouts that can + be set in the config file. properties: connectTimeout: - description: "ConnectTimeout defines how long the proxy should - wait when establishing connection to upstream service. If - not set, a default value of 2 seconds will be used. \n See - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout - for more information." + description: |- + ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. + If not set, a default value of 2 seconds will be used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout + for more information. type: string connectionIdleTimeout: - description: "ConnectionIdleTimeout defines how long the proxy - should wait while there are no active requests (for HTTP/1.1) - or streams (for HTTP/2) before terminating an HTTP connection. - Set to \"infinity\" to disable the timeout entirely. \n + description: |- + ConnectionIdleTimeout defines how long the proxy should wait while there are + no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating + an HTTP connection. Set to "infinity" to disable the timeout entirely. See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout - for more information." + for more information. type: string connectionShutdownGracePeriod: - description: "ConnectionShutdownGracePeriod defines how long - the proxy will wait between sending an initial GOAWAY frame - and a second, final GOAWAY frame when terminating an HTTP/2 - connection. During this grace period, the proxy will continue - to respond to new streams. After the final GOAWAY frame - has been sent, the proxy will refuse new streams. \n See - https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout - for more information." + description: |- + ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an + initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection. + During this grace period, the proxy will continue to respond to new streams. After the final + GOAWAY frame has been sent, the proxy will refuse new streams. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout + for more information. type: string delayedCloseTimeout: - description: "DelayedCloseTimeout defines how long envoy will - wait, once connection close processing has been initiated, - for the downstream peer to close the connection before Envoy - closes the socket associated with the connection. \n Setting - this timeout to 'infinity' will disable it, equivalent to - setting it to '0' in Envoy. Leaving it unset will result - in the Envoy default value being used. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout - for more information." + description: |- + DelayedCloseTimeout defines how long envoy will wait, once connection + close processing has been initiated, for the downstream peer to close + the connection before Envoy closes the socket associated with the connection. + Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0' + in Envoy. Leaving it unset will result in the Envoy default value being used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout + for more information. type: string maxConnectionDuration: - description: "MaxConnectionDuration defines the maximum period - of time after an HTTP connection has been established from - the client to the proxy before it is closed by the proxy, - regardless of whether there has been activity or not. Omit - or set to \"infinity\" for no max duration. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration - for more information." + description: |- + MaxConnectionDuration defines the maximum period of time after an HTTP connection + has been established from the client to the proxy before it is closed by the proxy, + regardless of whether there has been activity or not. Omit or set to "infinity" for + no max duration. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration + for more information. type: string requestTimeout: - description: "RequestTimeout sets the client request timeout - globally for Contour. Note that this is a timeout for the - entire request, not an idle timeout. Omit or set to \"infinity\" - to disable the timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout - for more information." + description: |- + RequestTimeout sets the client request timeout globally for Contour. Note that + this is a timeout for the entire request, not an idle timeout. Omit or set to + "infinity" to disable the timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout + for more information. type: string streamIdleTimeout: - description: "StreamIdleTimeout defines how long the proxy - should wait while there is no request activity (for HTTP/1.1) - or stream activity (for HTTP/2) before terminating the HTTP - request or stream. Set to \"infinity\" to disable the timeout - entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout - for more information." + description: |- + StreamIdleTimeout defines how long the proxy should wait while there is no + request activity (for HTTP/1.1) or stream activity (for HTTP/2) before + terminating the HTTP request or stream. Set to "infinity" to disable the + timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout + for more information. type: string type: object type: object featureFlags: - description: 'FeatureFlags defines toggle to enable new contour features. - Available toggles are: useEndpointSlices - configures contour to - fetch endpoint data from k8s endpoint slices. defaults to false - and reading endpoint data from the k8s endpoints.' + description: |- + FeatureFlags defines toggle to enable new contour features. + Available toggles are: + useEndpointSlices - configures contour to fetch endpoint data + from k8s endpoint slices. defaults to false and reading endpoint + data from the k8s endpoints. items: type: string type: array gateway: - description: Gateway contains parameters for the gateway-api Gateway - that Contour is configured to serve traffic. + description: |- + Gateway contains parameters for the gateway-api Gateway that Contour + is configured to serve traffic. properties: controllerName: - description: ControllerName is used to determine whether Contour - should reconcile a GatewayClass. The string takes the form of - "projectcontour.io//contour". If unset, the gatewayclass - controller will not be started. Exactly one of ControllerName - or GatewayRef must be set. + description: |- + ControllerName is used to determine whether Contour should reconcile a + GatewayClass. The string takes the form of "projectcontour.io//contour". + If unset, the gatewayclass controller will not be started. + Exactly one of ControllerName or GatewayRef must be set. type: string gatewayRef: - description: GatewayRef defines a specific Gateway that this Contour - instance corresponds to. If set, Contour will reconcile only - this gateway, and will not reconcile any gateway classes. Exactly - one of ControllerName or GatewayRef must be set. + description: |- + GatewayRef defines a specific Gateway that this Contour + instance corresponds to. If set, Contour will reconcile + only this gateway, and will not reconcile any gateway + classes. + Exactly one of ControllerName or GatewayRef must be set. properties: name: type: string @@ -804,26 +855,29 @@ spec: type: object type: object globalExtAuth: - description: GlobalExternalAuthorization allows envoys external authorization - filter to be enabled for all virtual hosts. + description: |- + GlobalExternalAuthorization allows envoys external authorization filter + to be enabled for all virtual hosts. properties: authPolicy: - description: AuthPolicy sets a default authorization policy for - client requests. This policy will be used unless overridden - by individual routes. + description: |- + AuthPolicy sets a default authorization policy for client requests. + This policy will be used unless overridden by individual routes. properties: context: additionalProperties: type: string - description: Context is a set of key/value pairs that are - sent to the authentication server in the check request. - If a context is provided at an enclosing scope, the entries - are merged such that the inner scope overrides matching - keys from the outer scope. + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. type: object disabled: - description: When true, this field disables client request - authentication for the scope of the policy. + description: |- + When true, this field disables client request authentication + for the scope of the policy. type: boolean type: object extensionRef: @@ -831,36 +885,38 @@ spec: that will authorize client requests. properties: apiVersion: - description: API version of the referent. If this field is - not specified, the default "projectcontour.io/v1alpha1" - will be used + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used minLength: 1 type: string name: - description: "Name of the referent. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names minLength: 1 type: string namespace: - description: "Namespace of the referent. If this field is - not specifies, the namespace of the resource that targets - the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ minLength: 1 type: string type: object failOpen: - description: If FailOpen is true, the client request is forwarded - to the upstream service even if the authorization server fails - to respond. This field should not be set in most cases. It is - intended for use only while migrating applications from internal - authorization to Contour external authorization. + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the authorization server fails to respond. This field should not be + set in most cases. It is intended for use only while migrating applications + from internal authorization to Contour external authorization. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time to wait for - a check response from the authorization server. Timeout durations - are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + description: |- + ResponseTimeout configures maximum time to wait for a check response from the authorization server. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - The string "infinity" is also a valid input and specifies no - timeout. + The string "infinity" is also a valid input and specifies no timeout. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string withRequestBody: @@ -885,9 +941,9 @@ spec: type: object type: object health: - description: "Health defines the endpoints Contour uses to serve health - checks. \n Contour's default is { address: \"0.0.0.0\", port: 8000 - }." + description: |- + Health defines the endpoints Contour uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8000 }. properties: address: description: Defines the health address interface. @@ -901,13 +957,15 @@ spec: description: HTTPProxy defines parameters on HTTPProxy. properties: disablePermitInsecure: - description: "DisablePermitInsecure disables the use of the permitInsecure - field in HTTPProxy. \n Contour's default is false." + description: |- + DisablePermitInsecure disables the use of the + permitInsecure field in HTTPProxy. + Contour's default is false. type: boolean fallbackCertificate: - description: FallbackCertificate defines the namespace/name of - the Kubernetes secret to use as fallback when a non-SNI request - is received. + description: |- + FallbackCertificate defines the namespace/name of the Kubernetes secret to + use as fallback when a non-SNI request is received. properties: name: type: string @@ -937,8 +995,9 @@ spec: type: string type: object metrics: - description: "Metrics defines the endpoint Contour uses to serve metrics. - \n Contour's default is { address: \"0.0.0.0\", port: 8000 }." + description: |- + Metrics defines the endpoint Contour uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8000 }. properties: address: description: Defines the metrics address interface. @@ -949,9 +1008,9 @@ spec: description: Defines the metrics port. type: integer tls: - description: TLS holds TLS file config details. Metrics and health - endpoints cannot have same port number when metrics is served - over HTTPS. + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. properties: caFile: description: CA filename. @@ -969,8 +1028,9 @@ spec: by the user properties: applyToIngress: - description: "ApplyToIngress determines if the Policies will apply - to ingress objects \n Contour's default is false." + description: |- + ApplyToIngress determines if the Policies will apply to ingress objects + Contour's default is false. type: boolean requestHeaders: description: RequestHeadersPolicy defines the request headers @@ -1000,17 +1060,19 @@ spec: type: object type: object rateLimitService: - description: RateLimitService optionally holds properties of the Rate - Limit Service to be used for global rate limiting. + description: |- + RateLimitService optionally holds properties of the Rate Limit Service + to be used for global rate limiting. properties: defaultGlobalRateLimitPolicy: - description: DefaultGlobalRateLimitPolicy allows setting a default - global rate limit policy for every HTTPProxy. HTTPProxy can - overwrite this configuration. + description: |- + DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. + HTTPProxy can overwrite this configuration. properties: descriptors: - description: Descriptors defines the list of descriptors that - will be generated and sent to the rate limit service. Each + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each descriptor contains 1+ key-value pair entries. items: description: RateLimitDescriptor defines a list of key-value @@ -1019,17 +1081,18 @@ spec: entries: description: Entries is the list of key-value pair generators. items: - description: RateLimitDescriptorEntry is a key-value - pair generator. Exactly one field on this struct - must be non-nil. + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. properties: genericKey: description: GenericKey defines a descriptor entry with a static key and value. properties: key: - description: Key defines the key of the descriptor - entry. If not set, the key is set to "generic_key". + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". type: string value: description: Value defines the value of the @@ -1038,16 +1101,15 @@ spec: type: string type: object remoteAddress: - description: RemoteAddress defines a descriptor - entry with a key of "remote_address" and a value - equal to the client's IP address (from x-forwarded-for). + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). type: object requestHeader: - description: RequestHeader defines a descriptor - entry that's populated only if a given header - is present on the request. The descriptor key - is static, and the descriptor value is equal - to the value of the header. + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. properties: descriptorKey: description: DescriptorKey defines the key @@ -1061,41 +1123,36 @@ spec: type: string type: object requestHeaderValueMatch: - description: RequestHeaderValueMatch defines a - descriptor entry that's populated if the request's - headers match a set of 1+ match criteria. The - descriptor key is "header_match", and the descriptor - value is static. + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. properties: expectMatch: default: true - description: ExpectMatch defines whether the - request must positively match the match - criteria in order to generate a descriptor - entry (i.e. true), or not match the match - criteria in order to generate a descriptor - entry (i.e. false). The default is true. + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). + The default is true. type: boolean headers: - description: Headers is a list of 1+ match - criteria to apply against the request to - determine whether to populate the descriptor - entry or not. + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. items: - description: HeaderMatchCondition specifies - how to conditionally match against HTTP - headers. The Name field is required, only - one of Present, NotPresent, Contains, - NotContains, Exact, NotExact and Regex - can be set. For negative matching rules - only (e.g. NotContains or NotExact) you - can set TreatMissingAsEmpty. IgnoreCase - has no effect for Regex. + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex. properties: contains: - description: Contains specifies a substring - that must be present in the header - value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string @@ -1103,57 +1160,49 @@ spec: to. type: string ignoreCase: - description: IgnoreCase specifies that - string matching should be case insensitive. - Note that this has no effect on the - Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the - header to match against. Name is required. + description: |- + Name is the name of the header to match against. Name is required. Header names are case insensitive. type: string notcontains: - description: NotContains specifies a - substring that must not be present + description: |- + NotContains specifies a substring that must not be present in the header value. type: string notexact: - description: NoExact specifies a string - that the header value must not be - equal to. The condition is true if - the header has any other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies that - condition is true when the named header - is not present. Note that setting - NotPresent to false does not make - the condition true if the named header - is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that - condition is true when the named header - is present, regardless of its value. - Note that setting Present to false - does not make the condition true if - the named header is absent. + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. type: boolean regex: - description: Regex specifies a regular - expression pattern that must match - the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty specifies - if the header match rule specified - header does not exist, this header - value will be treated as empty. Defaults - to false. Unlike the underlying Envoy - implementation this is **only** supported - for negative matches (e.g. NotContains, - NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -1173,25 +1222,26 @@ spec: minItems: 1 type: array disabled: - description: Disabled configures the HTTPProxy to not use - the default global rate limit policy defined by the Contour - configuration. + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. type: boolean type: object domain: description: Domain is passed to the Rate Limit Service. type: string enableResourceExhaustedCode: - description: EnableResourceExhaustedCode enables translating error - code 429 to grpc code RESOURCE_EXHAUSTED. When disabled it's - translated to UNAVAILABLE + description: |- + EnableResourceExhaustedCode enables translating error code 429 to + grpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE type: boolean enableXRateLimitHeaders: - description: "EnableXRateLimitHeaders defines whether to include - the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining, - and X-RateLimit-Reset (as defined by the IETF Internet-Draft - linked below), on responses to clients when the Rate Limit Service - is consulted for a request. \n ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html" + description: |- + EnableXRateLimitHeaders defines whether to include the X-RateLimit + headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset + (as defined by the IETF Internet-Draft linked below), on responses + to clients when the Rate Limit Service is consulted for a request. + ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html type: boolean extensionService: description: ExtensionService identifies the extension service @@ -1206,9 +1256,10 @@ spec: - namespace type: object failOpen: - description: FailOpen defines whether to allow requests to proceed - when the Rate Limit Service fails to respond with a valid rate - limit decision within the timeout defined on the extension service. + description: |- + FailOpen defines whether to allow requests to proceed when the + Rate Limit Service fails to respond with a valid rate limit + decision within the timeout defined on the extension service. type: boolean required: - extensionService @@ -1221,17 +1272,20 @@ spec: description: CustomTags defines a list of custom tags with unique tag name. items: - description: CustomTag defines custom tags with unique tag name + description: |- + CustomTag defines custom tags with unique tag name to create tags for the active span. properties: literal: - description: Literal is a static custom tag value. Precisely - one of Literal, RequestHeaderName must be set. + description: |- + Literal is a static custom tag value. + Precisely one of Literal, RequestHeaderName must be set. type: string requestHeaderName: - description: RequestHeaderName indicates which request header - the label value is obtained from. Precisely one of Literal, - RequestHeaderName must be set. + description: |- + RequestHeaderName indicates which request header + the label value is obtained from. + Precisely one of Literal, RequestHeaderName must be set. type: string tagName: description: TagName is the unique name of the custom tag. @@ -1253,25 +1307,28 @@ spec: - namespace type: object includePodDetail: - description: 'IncludePodDetail defines a flag. If it is true, - contour will add the pod name and namespace to the span of the - trace. the default is true. Note: The Envoy pods MUST have the - HOSTNAME and CONTOUR_NAMESPACE environment variables set for - this to work properly.' + description: |- + IncludePodDetail defines a flag. + If it is true, contour will add the pod name and namespace to the span of the trace. + the default is true. + Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly. type: boolean maxPathTagLength: - description: MaxPathTagLength defines maximum length of the request - path to extract and include in the HttpUrl tag. contour's default - is 256. + description: |- + MaxPathTagLength defines maximum length of the request path + to extract and include in the HttpUrl tag. + contour's default is 256. format: int32 type: integer overallSampling: - description: OverallSampling defines the sampling rate of trace - data. contour's default is 100. + description: |- + OverallSampling defines the sampling rate of trace data. + contour's default is 100. type: string serviceName: - description: ServiceName defines the name for the service. contour's - default is contour. + description: |- + ServiceName defines the name for the service. + contour's default is contour. type: string required: - extensionService @@ -1280,18 +1337,20 @@ spec: description: XDSServer contains parameters for the xDS server. properties: address: - description: "Defines the xDS gRPC API address which Contour will - serve. \n Contour's default is \"0.0.0.0\"." + description: |- + Defines the xDS gRPC API address which Contour will serve. + Contour's default is "0.0.0.0". minLength: 1 type: string port: - description: "Defines the xDS gRPC API port which Contour will - serve. \n Contour's default is 8001." + description: |- + Defines the xDS gRPC API port which Contour will serve. + Contour's default is 8001. type: integer tls: - description: "TLS holds TLS file config details. \n Contour's - default is { caFile: \"/certs/ca.crt\", certFile: \"/certs/tls.cert\", - keyFile: \"/certs/tls.key\", insecure: false }." + description: |- + TLS holds TLS file config details. + Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }. properties: caFile: description: CA filename. @@ -1307,9 +1366,10 @@ spec: type: string type: object type: - description: "Defines the XDSServer to use for `contour serve`. - \n Values: `contour` (default), `envoy`. \n Other values will - produce an error." + description: |- + Defines the XDSServer to use for `contour serve`. + Values: `contour` (default), `envoy`. + Other values will produce an error. type: string type: object type: object @@ -1318,71 +1378,62 @@ spec: a ContourConfiguration resource. properties: conditions: - description: "Conditions contains the current status of the Contour - resource. \n Contour will update a single condition, `Valid`, that - is in normal-true polarity. \n Contour will not modify any other - Conditions set in this block, in case some other controller wants - to add a Condition." + description: |- + Conditions contains the current status of the Contour resource. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + Contour will not modify any other Conditions set in this block, + in case some other controller wants to add a Condition. items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. - \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. \n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. properties: errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -1396,10 +1447,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -1411,32 +1462,31 @@ spec: type: object type: array lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -1450,43 +1500,42 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -1500,10 +1549,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -1538,7 +1587,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: contourdeployments.projectcontour.io spec: preserveUnknownFields: false @@ -1558,26 +1607,33 @@ spec: description: ContourDeployment is the schema for a Contour Deployment. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: ContourDeploymentSpec specifies options for how a Contour + description: |- + ContourDeploymentSpec specifies options for how a Contour instance should be provisioned. properties: contour: - description: Contour specifies deployment-time settings for the Contour - part of the installation, i.e. the xDS server/control plane and - associated resources, including things like replica count for the - Deployment, and node placement constraints for the pods. + description: |- + Contour specifies deployment-time settings for the Contour + part of the installation, i.e. the xDS server/control plane + and associated resources, including things like replica count + for the Deployment, and node placement constraints for the pods. properties: deployment: description: Deployment describes the settings for running contour @@ -1593,47 +1649,45 @@ spec: use to replace existing pods with new pods. properties: rollingUpdate: - description: 'Rolling update config params. Present only - if DeploymentStrategyType = RollingUpdate. --- TODO: - Update this to follow our convention for oneOf, whatever - we decide it to be.' + description: |- + Rolling update config params. Present only if DeploymentStrategyType = + RollingUpdate. + --- + TODO: Update this to follow our convention for oneOf, whatever we decide it + to be. properties: maxSurge: anyOf: - type: integer - type: string - description: 'The maximum number of pods that can - be scheduled above the desired number of pods. Value - can be an absolute number (ex: 5) or a percentage - of desired pods (ex: 10%). This can not be 0 if - MaxUnavailable is 0. Absolute number is calculated - from percentage by rounding up. Defaults to 25%. - Example: when this is set to 30%, the new ReplicaSet - can be scaled up immediately when the rolling update - starts, such that the total number of old and new - pods do not exceed 130% of desired pods. Once old - pods have been killed, new ReplicaSet can be scaled - up further, ensuring that total number of pods running - at any time during the update is at most 130% of - desired pods.' + description: |- + The maximum number of pods that can be scheduled above the desired number of + pods. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + This can not be 0 if MaxUnavailable is 0. + Absolute number is calculated from percentage by rounding up. + Defaults to 25%. + Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when + the rolling update starts, such that the total number of old and new pods do not exceed + 130% of desired pods. Once old pods have been killed, + new ReplicaSet can be scaled up further, ensuring that total number of pods running + at any time during the update is at most 130% of desired pods. x-kubernetes-int-or-string: true maxUnavailable: anyOf: - type: integer - type: string - description: 'The maximum number of pods that can - be unavailable during the update. Value can be an - absolute number (ex: 5) or a percentage of desired - pods (ex: 10%). Absolute number is calculated from - percentage by rounding down. This can not be 0 if - MaxSurge is 0. Defaults to 25%. Example: when this - is set to 30%, the old ReplicaSet can be scaled - down to 70% of desired pods immediately when the - rolling update starts. Once new pods are ready, - old ReplicaSet can be scaled down further, followed - by scaling up the new ReplicaSet, ensuring that - the total number of pods available at all times - during the update is at least 70% of desired pods.' + description: |- + The maximum number of pods that can be unavailable during the update. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + Absolute number is calculated from percentage by rounding down. + This can not be 0 if MaxSurge is 0. + Defaults to 25%. + Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods + immediately when the rolling update starts. Once new pods are ready, old ReplicaSet + can be scaled down further, followed by scaling up the new ReplicaSet, ensuring + that the total number of pods available at all times during the update is at + least 70% of desired pods. x-kubernetes-int-or-string: true type: object type: @@ -1643,14 +1697,16 @@ spec: type: object type: object kubernetesLogLevel: - description: KubernetesLogLevel Enable Kubernetes client debug - logging with log level. If unset, defaults to 0. + description: |- + KubernetesLogLevel Enable Kubernetes client debug logging with log level. If unset, + defaults to 0. maximum: 9 minimum: 0 type: integer logLevel: - description: LogLevel sets the log level for Contour Allowed values - are "info", "debug". + description: |- + LogLevel sets the log level for Contour + Allowed values are "info", "debug". type: string nodePlacement: description: NodePlacement describes node scheduling configuration @@ -1659,57 +1715,56 @@ spec: nodeSelector: additionalProperties: type: string - description: "NodeSelector is the simplest recommended form - of node selection constraint and specifies a map of key-value - pairs. For the pod to be eligible to run on a node, the - node must have each of the indicated key-value pairs as - labels (it can have additional labels as well). \n If unset, - the pod(s) will be scheduled to any available node." + description: |- + NodeSelector is the simplest recommended form of node selection constraint + and specifies a map of key-value pairs. For the pod to be eligible + to run on a node, the node must have each of the indicated key-value pairs + as labels (it can have additional labels as well). + If unset, the pod(s) will be scheduled to any available node. type: object tolerations: - description: "Tolerations work with taints to ensure that - pods are not scheduled onto inappropriate nodes. One or - more taints are applied to a node; this marks that the node - should not accept any pods that do not tolerate the taints. - \n The default is an empty list. \n See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - for additional details." + description: |- + Tolerations work with taints to ensure that pods are not scheduled + onto inappropriate nodes. One or more taints are applied to a node; this + marks that the node should not accept any pods that do not tolerate the + taints. + The default is an empty list. + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for additional details. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule and - NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If the - key is empty, operator must be Exists; this combination - means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints of - a particular category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the - taint forever (do not evict). Zero and negative values - will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value should - be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array @@ -1717,36 +1772,40 @@ spec: podAnnotations: additionalProperties: type: string - description: PodAnnotations defines annotations to add to the - Contour pods. the annotations for Prometheus will be appended - or overwritten with predefined value. + description: |- + PodAnnotations defines annotations to add to the Contour pods. + the annotations for Prometheus will be appended or overwritten with predefined value. type: object replicas: - description: "Deprecated: Use `DeploymentSettings.Replicas` instead. - \n Replicas is the desired number of Contour replicas. If if - unset, defaults to 2. \n if both `DeploymentSettings.Replicas` - and this one is set, use `DeploymentSettings.Replicas`." + description: |- + Deprecated: Use `DeploymentSettings.Replicas` instead. + Replicas is the desired number of Contour replicas. If if unset, + defaults to 2. + if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`. format: int32 minimum: 0 type: integer resources: - description: 'Compute Resources required by contour container. - Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Compute Resources required by contour container. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name @@ -1762,8 +1821,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -1772,95 +1832,91 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object type: object envoy: - description: Envoy specifies deployment-time settings for the Envoy - part of the installation, i.e. the xDS client/data plane and associated - resources, including things like the workload type to use (DaemonSet - or Deployment), node placement constraints for the pods, and various - options for the Envoy service. + description: |- + Envoy specifies deployment-time settings for the Envoy + part of the installation, i.e. the xDS client/data plane + and associated resources, including things like the workload + type to use (DaemonSet or Deployment), node placement constraints + for the pods, and various options for the Envoy service. properties: baseID: - description: The base ID to use when allocating shared memory - regions. if Envoy needs to be run multiple times on the same - machine, each running Envoy will need a unique base ID so that - the shared memory regions do not conflict. defaults to 0. + description: |- + The base ID to use when allocating shared memory regions. + if Envoy needs to be run multiple times on the same machine, each running Envoy will need a unique base ID + so that the shared memory regions do not conflict. + defaults to 0. format: int32 minimum: 0 type: integer daemonSet: - description: DaemonSet describes the settings for running envoy - as a `DaemonSet`. if `WorkloadType` is `Deployment`,it's must - be nil + description: |- + DaemonSet describes the settings for running envoy as a `DaemonSet`. + if `WorkloadType` is `Deployment`,it's must be nil properties: updateStrategy: description: Strategy describes the deployment strategy to use to replace existing DaemonSet pods with new pods. properties: rollingUpdate: - description: 'Rolling update config params. Present only - if type = "RollingUpdate". --- TODO: Update this to - follow our convention for oneOf, whatever we decide - it to be. Same as Deployment `strategy.rollingUpdate`. - See https://github.com/kubernetes/kubernetes/issues/35345' + description: |- + Rolling update config params. Present only if type = "RollingUpdate". + --- + TODO: Update this to follow our convention for oneOf, whatever we decide it + to be. Same as Deployment `strategy.rollingUpdate`. + See https://github.com/kubernetes/kubernetes/issues/35345 properties: maxSurge: anyOf: - type: integer - type: string - description: 'The maximum number of nodes with an - existing available DaemonSet pod that can have an - updated DaemonSet pod during during an update. Value - can be an absolute number (ex: 5) or a percentage - of desired pods (ex: 10%). This can not be 0 if - MaxUnavailable is 0. Absolute number is calculated - from percentage by rounding up to a minimum of 1. - Default value is 0. Example: when this is set to - 30%, at most 30% of the total number of nodes that - should be running the daemon pod (i.e. status.desiredNumberScheduled) - can have their a new pod created before the old - pod is marked as deleted. The update starts by launching - new pods on 30% of nodes. Once an updated pod is - available (Ready for at least minReadySeconds) the - old DaemonSet pod on that node is marked deleted. - If the old pod becomes unavailable for any reason - (Ready transitions to false, is evicted, or is drained) - an updated pod is immediatedly created on that node - without considering surge limits. Allowing surge - implies the possibility that the resources consumed - by the daemonset on any given node can double if - the readiness check fails, and so resource intensive - daemonsets should take into account that they may - cause evictions during disruption.' + description: |- + The maximum number of nodes with an existing available DaemonSet pod that + can have an updated DaemonSet pod during during an update. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + This can not be 0 if MaxUnavailable is 0. + Absolute number is calculated from percentage by rounding up to a minimum of 1. + Default value is 0. + Example: when this is set to 30%, at most 30% of the total number of nodes + that should be running the daemon pod (i.e. status.desiredNumberScheduled) + can have their a new pod created before the old pod is marked as deleted. + The update starts by launching new pods on 30% of nodes. Once an updated + pod is available (Ready for at least minReadySeconds) the old DaemonSet pod + on that node is marked deleted. If the old pod becomes unavailable for any + reason (Ready transitions to false, is evicted, or is drained) an updated + pod is immediatedly created on that node without considering surge limits. + Allowing surge implies the possibility that the resources consumed by the + daemonset on any given node can double if the readiness check fails, and + so resource intensive daemonsets should take into account that they may + cause evictions during disruption. x-kubernetes-int-or-string: true maxUnavailable: anyOf: - type: integer - type: string - description: 'The maximum number of DaemonSet pods - that can be unavailable during the update. Value - can be an absolute number (ex: 5) or a percentage - of total number of DaemonSet pods at the start of - the update (ex: 10%). Absolute number is calculated - from percentage by rounding up. This cannot be 0 - if MaxSurge is 0 Default value is 1. Example: when - this is set to 30%, at most 30% of the total number - of nodes that should be running the daemon pod (i.e. - status.desiredNumberScheduled) can have their pods - stopped for an update at any given time. The update - starts by stopping at most 30% of those DaemonSet - pods and then brings up new DaemonSet pods in their - place. Once the new pods are available, it then - proceeds onto other DaemonSet pods, thus ensuring - that at least 70% of original number of DaemonSet - pods are available at all times during the update.' + description: |- + The maximum number of DaemonSet pods that can be unavailable during the + update. Value can be an absolute number (ex: 5) or a percentage of total + number of DaemonSet pods at the start of the update (ex: 10%). Absolute + number is calculated from percentage by rounding up. + This cannot be 0 if MaxSurge is 0 + Default value is 1. + Example: when this is set to 30%, at most 30% of the total number of nodes + that should be running the daemon pod (i.e. status.desiredNumberScheduled) + can have their pods stopped for an update at any given time. The update + starts by stopping at most 30% of those DaemonSet pods and then brings + up new DaemonSet pods in their place. Once the new pods are available, + it then proceeds onto other DaemonSet pods, thus ensuring that at least + 70% of original number of DaemonSet pods are available at all times during + the update. x-kubernetes-int-or-string: true type: object type: @@ -1870,9 +1926,9 @@ spec: type: object type: object deployment: - description: Deployment describes the settings for running envoy - as a `Deployment`. if `WorkloadType` is `DaemonSet`,it's must - be nil + description: |- + Deployment describes the settings for running envoy as a `Deployment`. + if `WorkloadType` is `DaemonSet`,it's must be nil properties: replicas: description: Replicas is the desired number of replicas. @@ -1884,47 +1940,45 @@ spec: use to replace existing pods with new pods. properties: rollingUpdate: - description: 'Rolling update config params. Present only - if DeploymentStrategyType = RollingUpdate. --- TODO: - Update this to follow our convention for oneOf, whatever - we decide it to be.' + description: |- + Rolling update config params. Present only if DeploymentStrategyType = + RollingUpdate. + --- + TODO: Update this to follow our convention for oneOf, whatever we decide it + to be. properties: maxSurge: anyOf: - type: integer - type: string - description: 'The maximum number of pods that can - be scheduled above the desired number of pods. Value - can be an absolute number (ex: 5) or a percentage - of desired pods (ex: 10%). This can not be 0 if - MaxUnavailable is 0. Absolute number is calculated - from percentage by rounding up. Defaults to 25%. - Example: when this is set to 30%, the new ReplicaSet - can be scaled up immediately when the rolling update - starts, such that the total number of old and new - pods do not exceed 130% of desired pods. Once old - pods have been killed, new ReplicaSet can be scaled - up further, ensuring that total number of pods running - at any time during the update is at most 130% of - desired pods.' + description: |- + The maximum number of pods that can be scheduled above the desired number of + pods. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + This can not be 0 if MaxUnavailable is 0. + Absolute number is calculated from percentage by rounding up. + Defaults to 25%. + Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when + the rolling update starts, such that the total number of old and new pods do not exceed + 130% of desired pods. Once old pods have been killed, + new ReplicaSet can be scaled up further, ensuring that total number of pods running + at any time during the update is at most 130% of desired pods. x-kubernetes-int-or-string: true maxUnavailable: anyOf: - type: integer - type: string - description: 'The maximum number of pods that can - be unavailable during the update. Value can be an - absolute number (ex: 5) or a percentage of desired - pods (ex: 10%). Absolute number is calculated from - percentage by rounding down. This can not be 0 if - MaxSurge is 0. Defaults to 25%. Example: when this - is set to 30%, the old ReplicaSet can be scaled - down to 70% of desired pods immediately when the - rolling update starts. Once new pods are ready, - old ReplicaSet can be scaled down further, followed - by scaling up the new ReplicaSet, ensuring that - the total number of pods available at all times - during the update is at least 70% of desired pods.' + description: |- + The maximum number of pods that can be unavailable during the update. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + Absolute number is calculated from percentage by rounding down. + This can not be 0 if MaxSurge is 0. + Defaults to 25%. + Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods + immediately when the rolling update starts. Once new pods are ready, old ReplicaSet + can be scaled down further, followed by scaling up the new ReplicaSet, ensuring + that the total number of pods available at all times during the update is at + least 70% of desired pods. x-kubernetes-int-or-string: true type: object type: @@ -1941,33 +1995,36 @@ spec: a container. properties: mountPath: - description: Path within the container at which the volume - should be mounted. Must not contain ':'. + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. type: string mountPropagation: - description: mountPropagation determines how mounts are - propagated from the host to container and the other way - around. When not set, MountPropagationNone is used. This - field is beta in 1.10. + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. type: string name: description: This must match the Name of a Volume. type: string readOnly: - description: Mounted read-only if true, read-write otherwise - (false or unspecified). Defaults to false. + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. type: boolean subPath: - description: Path within the volume from which the container's - volume should be mounted. Defaults to "" (volume's root). + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). type: string subPathExpr: - description: Expanded path within the volume from which - the container's volume should be mounted. Behaves similarly - to SubPath but environment variable references $(VAR_NAME) - are expanded using the container's environment. Defaults - to "" (volume's root). SubPathExpr and SubPath are mutually - exclusive. + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. type: string required: - mountPath @@ -1981,36 +2038,36 @@ spec: may be accessed by any container in the pod. properties: awsElasticBlockStore: - description: 'awsElasticBlockStore represents an AWS Disk - resource that is attached to a kubelet''s host machine - and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore properties: fsType: - description: 'fsType is the filesystem type of the volume - that you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - TODO: how do we prevent errors in the filesystem from - compromising the machine' + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem from compromising the machine type: string partition: - description: 'partition is the partition in the volume - that you want to mount. If omitted, the default is - to mount by volume name. Examples: For volume /dev/sda1, - you specify the partition as "1". Similarly, the volume - partition for /dev/sda is "0" (or you can leave the - property empty).' + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). format: int32 type: integer readOnly: - description: 'readOnly value true will force the readOnly - setting in VolumeMounts. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore type: boolean volumeID: - description: 'volumeID is unique ID of the persistent - disk resource in AWS (Amazon EBS volume). More info: - https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore type: string required: - volumeID @@ -2032,10 +2089,10 @@ spec: blob storage type: string fsType: - description: fsType is Filesystem type to mount. Must - be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string kind: description: 'kind expected values are Shared: multiple @@ -2045,8 +2102,9 @@ spec: to shared' type: string readOnly: - description: readOnly Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean required: - diskName @@ -2057,8 +2115,9 @@ spec: mount on the host and bind mount to the pod. properties: readOnly: - description: readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean secretName: description: secretName is the name of secret that @@ -2076,8 +2135,9 @@ spec: that shares a pod's lifetime properties: monitors: - description: 'monitors is Required: Monitors is a collection - of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it items: type: string type: array @@ -2086,63 +2146,72 @@ spec: root, rather than the full Ceph tree, default is /' type: string readOnly: - description: 'readOnly is Optional: Defaults to false - (read/write). ReadOnly here will force the ReadOnly - setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it type: boolean secretFile: - description: 'secretFile is Optional: SecretFile is - the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it type: string secretRef: - description: 'secretRef is Optional: SecretRef is reference - to the authentication secret for User, default is - empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic user: - description: 'user is optional: User is the rados user - name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it type: string required: - monitors type: object cinder: - description: 'cinder represents a cinder volume attached - and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md properties: fsType: - description: 'fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Examples: "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md type: string readOnly: - description: 'readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md type: boolean secretRef: - description: 'secretRef is optional: points to a secret - object containing parameters used to connect to OpenStack.' + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic volumeID: - description: 'volumeID used to identify the volume in - cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md type: string required: - volumeID @@ -2152,29 +2221,25 @@ spec: populate this volume properties: defaultMode: - description: 'defaultMode is optional: mode bits used - to set permissions on created files by default. Must - be an octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal values for mode - bits. Defaults to 0644. Directories within the path - are not affected by this setting. This might be in - conflict with other options that affect the file mode, - like fsGroup, and the result can be other mode bits - set.' + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer items: - description: items if unspecified, each key-value pair - in the Data field of the referenced ConfigMap will - be projected into the volume as a file whose name - is the key and content is the value. If specified, - the listed keys will be projected into the specified - paths, and unlisted keys will not be present. If a - key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. - Paths must be relative and may not contain the '..' - path or start with '..'. + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -2183,22 +2248,20 @@ spec: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode bits used - to set permissions on this file. Must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal - and decimal values, JSON requires decimal values - for mode bits. If not specified, the volume - defaultMode will be used. This might be in conflict - with other options that affect the file mode, - like fsGroup, and the result can be other mode - bits set.' + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: - description: path is the relative path of the - file to map the key to. May not be an absolute - path. May not contain the path element '..'. + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. May not start with the string '..'. type: string required: @@ -2207,8 +2270,10 @@ spec: type: object type: array name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: optional specify whether the ConfigMap @@ -2222,42 +2287,43 @@ spec: CSI drivers (Beta feature). properties: driver: - description: driver is the name of the CSI driver that - handles this volume. Consult with your admin for the - correct name as registered in the cluster. + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. type: string fsType: - description: fsType to mount. Ex. "ext4", "xfs", "ntfs". - If not provided, the empty value is passed to the - associated CSI driver which will determine the default - filesystem to apply. + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. type: string nodePublishSecretRef: - description: nodePublishSecretRef is a reference to - the secret object containing sensitive information - to pass to the CSI driver to complete the CSI NodePublishVolume - and NodeUnpublishVolume calls. This field is optional, - and may be empty if no secret is required. If the - secret object contains more than one secret, all secret - references are passed. + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic readOnly: - description: readOnly specifies a read-only configuration - for the volume. Defaults to false (read/write). + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). type: boolean volumeAttributes: additionalProperties: type: string - description: volumeAttributes stores driver-specific - properties that are passed to the CSI driver. Consult - your driver's documentation for supported values. + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. type: object required: - driver @@ -2267,17 +2333,15 @@ spec: pod that should populate this volume properties: defaultMode: - description: 'Optional: mode bits to use on created - files by default. Must be a Optional: mode bits used - to set permissions on created files by default. Must - be an octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal values for mode - bits. Defaults to 0644. Directories within the path - are not affected by this setting. This might be in - conflict with other options that affect the file mode, - like fsGroup, and the result can be other mode bits - set.' + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer items: @@ -2305,16 +2369,13 @@ spec: type: object x-kubernetes-map-type: atomic mode: - description: 'Optional: mode bits used to set - permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal and decimal - values, JSON requires decimal values for mode - bits. If not specified, the volume defaultMode - will be used. This might be in conflict with - other options that affect the file mode, like - fsGroup, and the result can be other mode bits - set.' + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: @@ -2325,10 +2386,9 @@ spec: path must not start with ''..''' type: string resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, requests.cpu and requests.memory) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. properties: containerName: description: 'Container name: required for @@ -2355,116 +2415,111 @@ spec: type: array type: object emptyDir: - description: 'emptyDir represents a temporary directory - that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir properties: medium: - description: 'medium represents what type of storage - medium should back this directory. The default is - "" which means to use the node''s default medium. - Must be an empty string (default) or Memory. More - info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir type: string sizeLimit: anyOf: - type: integer - type: string - description: 'sizeLimit is the total amount of local - storage required for this EmptyDir volume. The size - limit is also applicable for memory medium. The maximum - usage on memory medium EmptyDir would be the minimum - value between the SizeLimit specified here and the - sum of memory limits of all containers in a pod. The - default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: - description: "ephemeral represents a volume that is handled - by a cluster storage driver. The volume's lifecycle is - tied to the pod that defines it - it will be created before - the pod starts, and deleted when the pod is removed. \n - Use this if: a) the volume is only needed while the pod - runs, b) features of normal volumes like restoring from - snapshot or capacity tracking are needed, c) the storage - driver is specified through a storage class, and d) the - storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for - more information on the connection between this volume - type and PersistentVolumeClaim). \n Use PersistentVolumeClaim - or one of the vendor-specific APIs for volumes that persist - for longer than the lifecycle of an individual pod. \n - Use CSI for light-weight local ephemeral volumes if the - CSI driver is meant to be used that way - see the documentation - of the driver for more information. \n A pod can use both - types of ephemeral volumes and persistent volumes at the - same time." + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. + The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. properties: volumeClaimTemplate: - description: "Will be used to create a stand-alone PVC - to provision the volume. The pod in which this EphemeralVolumeSource - is embedded will be the owner of the PVC, i.e. the - PVC will be deleted together with the pod. The name - of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` - array entry. Pod validation will reject the pod if - the concatenated name is not valid for a PVC (for - example, too long). \n An existing PVC with that name - that is not owned by the pod will *not* be used for - the pod to avoid using an unrelated volume by mistake. - Starting the pod is then blocked until the unrelated - PVC is removed. If such a pre-created PVC is meant - to be used by the pod, the PVC has to updated with - an owner reference to the pod once the pod exists. - Normally this should not be necessary, but it may - be useful when manually reconstructing a broken cluster. - \n This field is read-only and no changes will be - made by Kubernetes to the PVC after it has been created. - \n Required, must not be nil." + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + Required, must not be nil. properties: metadata: - description: May contain labels and annotations - that will be copied into the PVC when creating - it. No other fields are allowed and will be rejected - during validation. + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. type: object spec: - description: The specification for the PersistentVolumeClaim. - The entire content is copied unchanged into the - PVC that gets created from this template. The - same fields as in a PersistentVolumeClaim are - also valid here. + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. properties: accessModes: - description: 'accessModes contains the desired - access modes the volume should have. More - info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 items: type: string type: array dataSource: - description: 'dataSource field can be used to - specify either: * An existing VolumeSnapshot - object (snapshot.storage.k8s.io/VolumeSnapshot) + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller - can support the specified data source, it - will create a new volume based on the contents - of the specified data source. When the AnyVolumeDataSource - feature gate is enabled, dataSource contents - will be copied to dataSourceRef, and dataSourceRef - contents will be copied to dataSource when - dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef - will not be copied to dataSource.' + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. properties: apiGroup: - description: APIGroup is the group for the - resource being referenced. If APIGroup - is not specified, the specified Kind must - be in the core API group. For any other - third-party types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource @@ -2480,47 +2535,36 @@ spec: type: object x-kubernetes-map-type: atomic dataSourceRef: - description: 'dataSourceRef specifies the object - from which to populate the volume with data, - if a non-empty volume is desired. This may - be any object from a non-empty API group (non + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding - will only succeed if the type of the specified - object matches some installed volume populator - or dynamic provisioner. This field will replace - the functionality of the dataSource field - and as such if both fields are non-empty, - they must have the same value. For backwards - compatibility, when namespace isn''t specified - in dataSourceRef, both fields (dataSource - and dataSourceRef) will be set to the same - value automatically if one of them is empty - and the other is non-empty. When namespace - is specified in dataSourceRef, dataSource - isn''t set to the same value and must be empty. - There are three important differences between - dataSource and dataSourceRef: * While dataSource - only allows two specific types of objects, - dataSourceRef allows any non-core object, - as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values - (dropping them), dataSourceRef preserves all - values, and generates an error if a disallowed - value is specified. * While dataSource only - allows local objects, dataSourceRef allows - objects in any namespaces. (Beta) Using this - field requires the AnyVolumeDataSource feature - gate to be enabled. (Alpha) Using the namespace - field of dataSourceRef requires the CrossNamespaceVolumeDataSource - feature gate to be enabled.' + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. properties: apiGroup: - description: APIGroup is the group for the - resource being referenced. If APIGroup - is not specified, the specified Kind must - be in the core API group. For any other - third-party types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource @@ -2531,28 +2575,22 @@ spec: being referenced type: string namespace: - description: Namespace is the namespace - of resource being referenced Note that - when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant - object is required in the referent namespace - to allow that namespace's owner to accept - the reference. See the ReferenceGrant - documentation for details. (Alpha) This - field requires the CrossNamespaceVolumeDataSource - feature gate to be enabled. + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. type: string required: - kind - name type: object resources: - description: 'resources represents the minimum - resources the volume should have. If RecoverVolumeExpansionFailure - feature is enabled users are allowed to specify - resource requirements that are lower than - previous value but must still be higher than - capacity recorded in the status field of the - claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources properties: limits: additionalProperties: @@ -2561,9 +2599,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum - amount of compute resources allowed. More - info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -2572,13 +2610,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum - amount of compute resources required. - If Requests is omitted for a container, - it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object selector: @@ -2590,30 +2626,25 @@ spec: of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2625,48 +2656,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic storageClassName: - description: 'storageClassName is the name of - the StorageClass required by the claim. More - info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 type: string volumeAttributesClassName: - description: 'volumeAttributesClassName may - be used to set the VolumeAttributesClass used - by this claim. If specified, the CSI driver - will create or update the volume with the - attributes defined in the corresponding VolumeAttributesClass. - This has a different purpose than storageClassName, - it can be changed after the claim is created. - An empty string value means that no VolumeAttributesClass - will be applied to the claim but it''s not - allowed to reset this field to empty string - once it is set. If unspecified and the PersistentVolumeClaim - is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller - if it exists. If the resource referred to - by volumeAttributesClass does not exist, this - PersistentVolumeClaim will be set to a Pending - state, as reflected by the modifyVolumeStatus - field, until such as a resource exists. More - info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass - (Alpha) Using this field requires the VolumeAttributesClass - feature gate to be enabled.' + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. type: string volumeMode: - description: volumeMode defines what type of - volume is required by the claim. Value of - Filesystem is implied when not included in - claim spec. + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. type: string volumeName: description: volumeName is the binding reference @@ -2683,20 +2703,20 @@ spec: to the pod. properties: fsType: - description: 'fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. TODO: how do we prevent - errors in the filesystem from compromising the machine' + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + TODO: how do we prevent errors in the filesystem from compromising the machine type: string lun: description: 'lun is Optional: FC target lun number' format: int32 type: integer readOnly: - description: 'readOnly is Optional: Defaults to false - (read/write). ReadOnly here will force the ReadOnly - setting in VolumeMounts.' + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean targetWWNs: description: 'targetWWNs is Optional: FC target worldwide @@ -2705,26 +2725,27 @@ spec: type: string type: array wwids: - description: 'wwids Optional: FC volume world wide identifiers - (wwids) Either wwids or combination of targetWWNs - and lun must be set, but not both simultaneously.' + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. items: type: string type: array type: object flexVolume: - description: flexVolume represents a generic volume resource - that is provisioned/attached using an exec based plugin. + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. properties: driver: description: driver is the name of the driver to use for this volume. type: string fsType: - description: fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". The default filesystem - depends on FlexVolume script. + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. type: string options: additionalProperties: @@ -2733,22 +2754,23 @@ spec: extra command options if any.' type: object readOnly: - description: 'readOnly is Optional: defaults to false - (read/write). ReadOnly here will force the ReadOnly - setting in VolumeMounts.' + description: |- + readOnly is Optional: defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: 'secretRef is Optional: secretRef is reference - to the secret object containing sensitive information - to pass to the plugin scripts. This may be empty if - no secret object is specified. If the secret object - contains more than one secret, all secrets are passed - to the plugin scripts.' + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -2761,9 +2783,9 @@ spec: control service being running properties: datasetName: - description: datasetName is Name of the dataset stored - as metadata -> name on the dataset for Flocker should - be considered as deprecated + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated type: string datasetUUID: description: datasetUUID is the UUID of the dataset. @@ -2771,54 +2793,55 @@ spec: type: string type: object gcePersistentDisk: - description: 'gcePersistentDisk represents a GCE Disk resource - that is attached to a kubelet''s host machine and then - exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk properties: fsType: - description: 'fsType is filesystem type of the volume - that you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - TODO: how do we prevent errors in the filesystem from - compromising the machine' + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem from compromising the machine type: string partition: - description: 'partition is the partition in the volume - that you want to mount. If omitted, the default is - to mount by volume name. Examples: For volume /dev/sda1, - you specify the partition as "1". Similarly, the volume - partition for /dev/sda is "0" (or you can leave the - property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk format: int32 type: integer pdName: - description: 'pdName is unique name of the PD resource - in GCE. Used to identify the disk in GCE. More info: - https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk type: string readOnly: - description: 'readOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. More info: - https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk type: boolean required: - pdName type: object gitRepo: - description: 'gitRepo represents a git repository at a particular - revision. DEPRECATED: GitRepo is deprecated. To provision - a container with a git repo, mount an EmptyDir into an - InitContainer that clones the repo using git, then mount - the EmptyDir into the Pod''s container.' + description: |- + gitRepo represents a git repository at a particular revision. + DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. properties: directory: - description: directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, - the volume directory will be the git repository. Otherwise, - if specified, the volume will contain the git repository - in the subdirectory with the given name. + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. type: string repository: description: repository is the URL @@ -2831,53 +2854,61 @@ spec: - repository type: object glusterfs: - description: 'glusterfs represents a Glusterfs mount on - the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md' + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md properties: endpoints: - description: 'endpoints is the endpoint name that details - Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + description: |- + endpoints is the endpoint name that details Glusterfs topology. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod type: string path: - description: 'path is the Glusterfs volume path. More - info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod type: string readOnly: - description: 'readOnly here will force the Glusterfs - volume to be mounted with read-only permissions. Defaults - to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod type: boolean required: - endpoints - path type: object hostPath: - description: 'hostPath represents a pre-existing file or - directory on the host machine that is directly exposed - to the container. This is generally used for system agents - or other privileged things that are allowed to see the - host machine. Most containers will NOT need this. More - info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- TODO(jonesdl) We need to restrict who can use host - directory mounts and who can/can not mount host directories - as read/write.' + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- + TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + mount host directories as read/write. properties: path: - description: 'path of the directory on the host. If - the path is a symlink, it will follow the link to - the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + description: |- + path of the directory on the host. + If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath type: string type: - description: 'type for HostPath Volume Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath type: string required: - path type: object iscsi: - description: 'iscsi represents an ISCSI Disk resource that - is attached to a kubelet''s host machine and then exposed - to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://examples.k8s.io/volumes/iscsi/README.md properties: chapAuthDiscovery: description: chapAuthDiscovery defines whether support @@ -2888,59 +2919,59 @@ spec: iSCSI Session CHAP authentication type: boolean fsType: - description: 'fsType is the filesystem type of the volume - that you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - TODO: how do we prevent errors in the filesystem from - compromising the machine' + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem from compromising the machine type: string initiatorName: - description: initiatorName is the custom iSCSI Initiator - Name. If initiatorName is specified with iscsiInterface - simultaneously, new iSCSI interface : will be created for the connection. + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. type: string iqn: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: - description: iscsiInterface is the interface Name that - uses an iSCSI transport. Defaults to 'default' (tcp). + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). type: string lun: description: lun represents iSCSI Target Lun number. format: int32 type: integer portals: - description: portals is the iSCSI Target Portal List. - The portal is either an IP or ip_addr:port if the - port is other than default (typically TCP ports 860 - and 3260). + description: |- + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). items: type: string type: array readOnly: - description: readOnly here will force the ReadOnly setting - in VolumeMounts. Defaults to false. + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. type: boolean secretRef: description: secretRef is the CHAP Secret for iSCSI target and initiator authentication properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic targetPortal: - description: targetPortal is iSCSI Target Portal. The - Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and - 3260). + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). type: string required: - iqn @@ -2948,43 +2979,51 @@ spec: - targetPortal type: object name: - description: 'name of the volume. Must be a DNS_LABEL and - unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string nfs: - description: 'nfs represents an NFS mount on the host that - shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs properties: path: - description: 'path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs type: string readOnly: - description: 'readOnly here will force the NFS export - to be mounted with read-only permissions. Defaults - to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs type: boolean server: - description: 'server is the hostname or IP address of - the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: |- + server is the hostname or IP address of the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs type: string required: - path - server type: object persistentVolumeClaim: - description: 'persistentVolumeClaimVolumeSource represents - a reference to a PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims properties: claimName: - description: 'claimName is the name of a PersistentVolumeClaim - in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims type: string readOnly: - description: readOnly Will force the ReadOnly setting - in VolumeMounts. Default false. + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. type: boolean required: - claimName @@ -2995,10 +3034,10 @@ spec: machine properties: fsType: - description: fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string pdID: description: pdID is the ID that identifies Photon Controller @@ -3012,14 +3051,15 @@ spec: attached and mounted on kubelets host machine properties: fsType: - description: fSType represents the filesystem type to - mount Must be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. type: string readOnly: - description: readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean volumeID: description: volumeID uniquely identifies a Portworx @@ -3033,15 +3073,13 @@ spec: configmaps, and downward API properties: defaultMode: - description: defaultMode are the mode bits used to set - permissions on created files by default. Must be an - octal value between 0000 and 0777 or a decimal value - between 0 and 511. YAML accepts both octal and decimal - values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this - setting. This might be in conflict with other options - that affect the file mode, like fsGroup, and the result - can be other mode bits set. + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer sources: @@ -3051,57 +3089,48 @@ spec: with other supported volume types properties: clusterTrustBundle: - description: "ClusterTrustBundle allows a pod - to access the `.spec.trustBundle` field of ClusterTrustBundle - objects in an auto-updating file. \n Alpha, - gated by the ClusterTrustBundleProjection feature - gate. \n ClusterTrustBundle objects can either - be selected by name, or by the combination of - signer name and a label selector. \n Kubelet - performs aggressive normalization of the PEM - contents written into the pod filesystem. Esoteric - PEM features such as inter-block comments and - block headers are stripped. Certificates are - deduplicated. The ordering of certificates within - the file is arbitrary, and Kubelet may change - the order over time." + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + Alpha, gated by the ClusterTrustBundleProjection feature gate. + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. properties: labelSelector: - description: Select all ClusterTrustBundles - that match this label selector. Only has - effect if signerName is set. Mutually-exclusive - with name. If unset, interpreted as "match - nothing". If set but empty, interpreted - as "match everything". + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -3114,39 +3143,35 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic name: - description: Select a single ClusterTrustBundle - by object name. Mutually-exclusive with - signerName and labelSelector. + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. type: string optional: - description: If true, don't block pod startup - if the referenced ClusterTrustBundle(s) - aren't available. If using name, then the - named ClusterTrustBundle is allowed not - to exist. If using signerName, then the - combination of signerName and labelSelector - is allowed to match zero ClusterTrustBundles. + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. type: boolean path: description: Relative path from the volume root to write the bundle. type: string signerName: - description: Select all ClusterTrustBundles - that match this signer name. Mutually-exclusive - with name. The contents of all selected - ClusterTrustBundles will be unified and - deduplicated. + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. type: string required: - path @@ -3156,18 +3181,14 @@ spec: data to project properties: items: - description: items if unspecified, each key-value - pair in the Data field of the referenced - ConfigMap will be projected into the volume - as a file whose name is the key and content - is the value. If specified, the listed keys - will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the ConfigMap, the volume setup will - error unless it is marked optional. Paths - must be relative and may not contain the - '..' path or start with '..'. + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -3176,26 +3197,21 @@ spec: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode - bits used to set permissions on this - file. Must be an octal value between - 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal - and decimal values, JSON requires - decimal values for mode bits. If not - specified, the volume defaultMode - will be used. This might be in conflict - with other options that affect the - file mode, like fsGroup, and the result - can be other mode bits set.' + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: - description: path is the relative path - of the file to map the key to. May - not be an absolute path. May not contain - the path element '..'. May not start - with the string '..'. + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. type: string required: - key @@ -3203,10 +3219,10 @@ spec: type: object type: array name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: optional specify whether the @@ -3245,18 +3261,13 @@ spec: type: object x-kubernetes-map-type: atomic mode: - description: 'Optional: mode bits used - to set permissions on this file, must - be an octal value between 0000 and - 0777 or a decimal value between 0 - and 511. YAML accepts both octal and - decimal values, JSON requires decimal - values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: @@ -3268,11 +3279,9 @@ spec: path must not start with ''..''' type: string resourceFieldRef: - description: 'Selects a resource of - the container: only resources limits - and requests (limits.cpu, limits.memory, - requests.cpu and requests.memory) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. properties: containerName: description: 'Container name: required @@ -3306,18 +3315,14 @@ spec: data to project properties: items: - description: items if unspecified, each key-value - pair in the Data field of the referenced - Secret will be projected into the volume - as a file whose name is the key and content - is the value. If specified, the listed keys - will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the Secret, the volume setup will error - unless it is marked optional. Paths must - be relative and may not contain the '..' - path or start with '..'. + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -3326,26 +3331,21 @@ spec: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode - bits used to set permissions on this - file. Must be an octal value between - 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal - and decimal values, JSON requires - decimal values for mode bits. If not - specified, the volume defaultMode - will be used. This might be in conflict - with other options that affect the - file mode, like fsGroup, and the result - can be other mode bits set.' + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: - description: path is the relative path - of the file to map the key to. May - not be an absolute path. May not contain - the path element '..'. May not start - with the string '..'. + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. type: string required: - key @@ -3353,10 +3353,10 @@ spec: type: object type: array name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: optional field specify whether @@ -3369,29 +3369,25 @@ spec: about the serviceAccountToken data to project properties: audience: - description: audience is the intended audience - of the token. A recipient of a token must - identify itself with an identifier specified - in the audience of the token, and otherwise - should reject the token. The audience defaults - to the identifier of the apiserver. + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. type: string expirationSeconds: - description: expirationSeconds is the requested - duration of validity of the service account - token. As the token approaches expiration, - the kubelet volume plugin will proactively - rotate the service account token. The kubelet - will start trying to rotate the token if - the token is older than 80 percent of its - time to live or if the token is older than - 24 hours.Defaults to 1 hour and must be - at least 10 minutes. + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. format: int64 type: integer path: - description: path is the path relative to - the mount point of the file to project the + description: |- + path is the path relative to the mount point of the file to project the token into. type: string required: @@ -3405,28 +3401,30 @@ spec: that shares a pod's lifetime properties: group: - description: group to map volume access to Default is - no group + description: |- + group to map volume access to + Default is no group type: string readOnly: - description: readOnly here will force the Quobyte volume - to be mounted with read-only permissions. Defaults - to false. + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. type: boolean registry: - description: registry represents a single or multiple - Quobyte Registry services specified as a string as - host:port pair (multiple entries are separated with - commas) which acts as the central registry for volumes + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes type: string tenant: - description: tenant owning the given Quobyte volume - in the Backend Used with dynamically provisioned Quobyte - volumes, value is set by the plugin + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin type: string user: - description: user to map volume access to Defaults to - serivceaccount user + description: |- + user to map volume access to + Defaults to serivceaccount user type: string volume: description: volume is a string that references an already @@ -3437,57 +3435,68 @@ spec: - volume type: object rbd: - description: 'rbd represents a Rados Block Device mount - on the host that shares a pod''s lifetime. More info: - https://examples.k8s.io/volumes/rbd/README.md' + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md properties: fsType: - description: 'fsType is the filesystem type of the volume - that you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - TODO: how do we prevent errors in the filesystem from - compromising the machine' + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem from compromising the machine type: string image: - description: 'image is the rados image name. More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: - description: 'keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string monitors: - description: 'monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it items: type: string type: array pool: - description: 'pool is the rados pool name. Default is - rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string readOnly: - description: 'readOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: boolean secretRef: - description: 'secretRef is name of the authentication - secret for RBDUser. If provided overrides keyring. - Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic user: - description: 'user is the rados user name. Default is - admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string required: - image @@ -3498,9 +3507,11 @@ spec: attached and mounted on Kubernetes nodes. properties: fsType: - description: fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Default is "xfs". + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". type: string gateway: description: gateway is the host address of the ScaleIO @@ -3511,18 +3522,20 @@ spec: Protection Domain for the configured storage. type: string readOnly: - description: readOnly Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: secretRef references to the secret for - ScaleIO user and other sensitive information. If this - is not provided, Login operation will fail. + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -3531,8 +3544,8 @@ spec: with Gateway, default false type: boolean storageMode: - description: storageMode indicates whether the storage - for a volume should be ThickProvisioned or ThinProvisioned. + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. type: string storagePool: @@ -3544,9 +3557,9 @@ spec: as configured in ScaleIO. type: string volumeName: - description: volumeName is the name of a volume already - created in the ScaleIO system that is associated with - this volume source. + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. type: string required: - gateway @@ -3554,33 +3567,30 @@ spec: - system type: object secret: - description: 'secret represents a secret that should populate - this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret properties: defaultMode: - description: 'defaultMode is Optional: mode bits used - to set permissions on created files by default. Must - be an octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal values for mode - bits. Defaults to 0644. Directories within the path - are not affected by this setting. This might be in - conflict with other options that affect the file mode, - like fsGroup, and the result can be other mode bits - set.' + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer items: - description: items If unspecified, each key-value pair - in the Data field of the referenced Secret will be - projected into the volume as a file whose name is - the key and content is the value. If specified, the - listed keys will be projected into the specified paths, - and unlisted keys will not be present. If a key is - specified which is not present in the Secret, the - volume setup will error unless it is marked optional. - Paths must be relative and may not contain the '..' - path or start with '..'. + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. @@ -3589,22 +3599,20 @@ spec: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode bits used - to set permissions on this file. Must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both octal - and decimal values, JSON requires decimal values - for mode bits. If not specified, the volume - defaultMode will be used. This might be in conflict - with other options that affect the file mode, - like fsGroup, and the result can be other mode - bits set.' + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer path: - description: path is the relative path of the - file to map the key to. May not be an absolute - path. May not contain the path element '..'. + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. May not start with the string '..'. type: string required: @@ -3617,8 +3625,9 @@ spec: or its keys must be defined type: boolean secretName: - description: 'secretName is the name of the secret in - the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: |- + secretName is the name of the secret in the pod's namespace to use. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret type: string type: object storageos: @@ -3626,42 +3635,42 @@ spec: and mounted on Kubernetes nodes. properties: fsType: - description: fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string readOnly: - description: readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: secretRef specifies the secret to use for - obtaining the StorageOS API credentials. If not specified, - default values will be attempted. + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic volumeName: - description: volumeName is the human-readable name of - the StorageOS volume. Volume names are only unique - within a namespace. + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. type: string volumeNamespace: - description: volumeNamespace specifies the scope of - the volume within StorageOS. If no namespace is specified - then the Pod's namespace will be used. This allows - the Kubernetes name scoping to be mirrored within - StorageOS for tighter integration. Set VolumeName - to any name to override the default behaviour. Set - to "default" if you are not using namespaces within - StorageOS. Namespaces that do not pre-exist within - StorageOS will be created. + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. type: string type: object vsphereVolume: @@ -3669,10 +3678,10 @@ spec: and mounted on kubelets host machine properties: fsType: - description: fsType is filesystem type to mount. Must - be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string storagePolicyID: description: storagePolicyID is the storage Policy Based @@ -3694,56 +3703,60 @@ spec: type: object type: array logLevel: - description: LogLevel sets the log level for Envoy. Allowed values - are "trace", "debug", "info", "warn", "error", "critical", "off". + description: |- + LogLevel sets the log level for Envoy. + Allowed values are "trace", "debug", "info", "warn", "error", "critical", "off". type: string networkPublishing: description: NetworkPublishing defines how to expose Envoy to a network. properties: externalTrafficPolicy: - description: "ExternalTrafficPolicy describes how nodes distribute - service traffic they receive on one of the Service's \"externally-facing\" - addresses (NodePorts, ExternalIPs, and LoadBalancer IPs). - \n If unset, defaults to \"Local\"." + description: |- + ExternalTrafficPolicy describes how nodes distribute service traffic they + receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs, + and LoadBalancer IPs). + If unset, defaults to "Local". type: string ipFamilyPolicy: - description: IPFamilyPolicy represents the dual-stack-ness - requested or required by this Service. If there is no value - provided, then this field will be set to SingleStack. Services - can be "SingleStack" (a single IP family), "PreferDualStack" - (two IP families on dual-stack configured clusters or a - single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise - fail). + description: |- + IPFamilyPolicy represents the dual-stack-ness requested or required by + this Service. If there is no value provided, then this field will be set + to SingleStack. Services can be "SingleStack" (a single IP family), + "PreferDualStack" (two IP families on dual-stack configured clusters or + a single IP family on single-stack clusters), or "RequireDualStack" + (two IP families on dual-stack configured clusters, otherwise fail). type: string serviceAnnotations: additionalProperties: type: string - description: ServiceAnnotations is the annotations to add - to the provisioned Envoy service. + description: |- + ServiceAnnotations is the annotations to add to + the provisioned Envoy service. type: object type: - description: "NetworkPublishingType is the type of publishing - strategy to use. Valid values are: \n * LoadBalancerService - \n In this configuration, network endpoints for Envoy use - container networking. A Kubernetes LoadBalancer Service - is created to publish Envoy network endpoints. \n See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer - \n * NodePortService \n Publishes Envoy network endpoints - using a Kubernetes NodePort Service. \n In this configuration, - Envoy network endpoints use container networking. A Kubernetes + description: |- + NetworkPublishingType is the type of publishing strategy to use. Valid values are: + * LoadBalancerService + In this configuration, network endpoints for Envoy use container networking. + A Kubernetes LoadBalancer Service is created to publish Envoy network + endpoints. + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + * NodePortService + Publishes Envoy network endpoints using a Kubernetes NodePort Service. + In this configuration, Envoy network endpoints use container networking. A Kubernetes NodePort Service is created to publish the network endpoints. - \n See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport - \n NOTE: When provisioning an Envoy `NodePortService`, use - Gateway Listeners' port numbers to populate the Service's - node port values, there's no way to auto-allocate them. - \n See: https://github.com/projectcontour/contour/issues/4499 - \n * ClusterIPService \n Publishes Envoy network endpoints - using a Kubernetes ClusterIP Service. \n In this configuration, - Envoy network endpoints use container networking. A Kubernetes + See: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport + NOTE: + When provisioning an Envoy `NodePortService`, use Gateway Listeners' port numbers to populate + the Service's node port values, there's no way to auto-allocate them. + See: https://github.com/projectcontour/contour/issues/4499 + * ClusterIPService + Publishes Envoy network endpoints using a Kubernetes ClusterIP Service. + In this configuration, Envoy network endpoints use container networking. A Kubernetes ClusterIP Service is created to publish the network endpoints. - \n See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - \n If unset, defaults to LoadBalancerService." + See: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + If unset, defaults to LoadBalancerService. type: string type: object nodePlacement: @@ -3753,104 +3766,107 @@ spec: nodeSelector: additionalProperties: type: string - description: "NodeSelector is the simplest recommended form - of node selection constraint and specifies a map of key-value - pairs. For the pod to be eligible to run on a node, the - node must have each of the indicated key-value pairs as - labels (it can have additional labels as well). \n If unset, - the pod(s) will be scheduled to any available node." + description: |- + NodeSelector is the simplest recommended form of node selection constraint + and specifies a map of key-value pairs. For the pod to be eligible + to run on a node, the node must have each of the indicated key-value pairs + as labels (it can have additional labels as well). + If unset, the pod(s) will be scheduled to any available node. type: object tolerations: - description: "Tolerations work with taints to ensure that - pods are not scheduled onto inappropriate nodes. One or - more taints are applied to a node; this marks that the node - should not accept any pods that do not tolerate the taints. - \n The default is an empty list. \n See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - for additional details." + description: |- + Tolerations work with taints to ensure that pods are not scheduled + onto inappropriate nodes. One or more taints are applied to a node; this + marks that the node should not accept any pods that do not tolerate the + taints. + The default is an empty list. + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for additional details. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule and - NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If the - key is empty, operator must be Exists; this combination - means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints of - a particular category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the - taint forever (do not evict). Zero and negative values - will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value should - be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object overloadMaxHeapSize: - description: 'OverloadMaxHeapSize defines the maximum heap memory - of the envoy controlled by the overload manager. When the value - is greater than 0, the overload manager is enabled, and when - envoy reaches 95% of the maximum heap size, it performs a shrink - heap operation, When it reaches 98% of the maximum heap size, - Envoy Will stop accepting requests. More info: https://projectcontour.io/docs/main/config/overload-manager/' + description: |- + OverloadMaxHeapSize defines the maximum heap memory of the envoy controlled by the overload manager. + When the value is greater than 0, the overload manager is enabled, + and when envoy reaches 95% of the maximum heap size, it performs a shrink heap operation, + When it reaches 98% of the maximum heap size, Envoy Will stop accepting requests. + More info: https://projectcontour.io/docs/main/config/overload-manager/ format: int64 type: integer podAnnotations: additionalProperties: type: string - description: PodAnnotations defines annotations to add to the - Envoy pods. the annotations for Prometheus will be appended - or overwritten with predefined value. + description: |- + PodAnnotations defines annotations to add to the Envoy pods. + the annotations for Prometheus will be appended or overwritten with predefined value. type: object replicas: - description: "Deprecated: Use `DeploymentSettings.Replicas` instead. - \n Replicas is the desired number of Envoy replicas. If WorkloadType - is not \"Deployment\", this field is ignored. Otherwise, if - unset, defaults to 2. \n if both `DeploymentSettings.Replicas` - and this one is set, use `DeploymentSettings.Replicas`." + description: |- + Deprecated: Use `DeploymentSettings.Replicas` instead. + Replicas is the desired number of Envoy replicas. If WorkloadType + is not "Deployment", this field is ignored. Otherwise, if unset, + defaults to 2. + if both `DeploymentSettings.Replicas` and this one is set, use `DeploymentSettings.Replicas`. format: int32 minimum: 0 type: integer resources: - description: 'Compute Resources required by envoy container. Cannot - be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Compute Resources required by envoy container. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name @@ -3866,8 +3882,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -3876,15 +3893,16 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object workloadType: - description: WorkloadType is the type of workload to install Envoy + description: |- + WorkloadType is the type of workload to install Envoy as. Choices are DaemonSet and Deployment. If unset, defaults to DaemonSet. type: string @@ -3892,41 +3910,49 @@ spec: resourceLabels: additionalProperties: type: string - description: "ResourceLabels is a set of labels to add to the provisioned - Contour resources. \n Deprecated: use Gateway.Spec.Infrastructure.Labels - instead. This field will be removed in a future release." + description: |- + ResourceLabels is a set of labels to add to the provisioned Contour resources. + Deprecated: use Gateway.Spec.Infrastructure.Labels instead. This field will be + removed in a future release. type: object runtimeSettings: - description: RuntimeSettings is a ContourConfiguration spec to be - used when provisioning a Contour instance that will influence aspects - of the Contour instance's runtime behavior. + description: |- + RuntimeSettings is a ContourConfiguration spec to be used when + provisioning a Contour instance that will influence aspects of + the Contour instance's runtime behavior. properties: debug: - description: Debug contains parameters to enable debug logging + description: |- + Debug contains parameters to enable debug logging and debug interfaces inside Contour. properties: address: - description: "Defines the Contour debug address interface. - \n Contour's default is \"127.0.0.1\"." + description: |- + Defines the Contour debug address interface. + Contour's default is "127.0.0.1". type: string port: - description: "Defines the Contour debug address port. \n Contour's - default is 6060." + description: |- + Defines the Contour debug address port. + Contour's default is 6060. type: integer type: object enableExternalNameService: - description: "EnableExternalNameService allows processing of ExternalNameServices - \n Contour's default is false for security reasons." + description: |- + EnableExternalNameService allows processing of ExternalNameServices + Contour's default is false for security reasons. type: boolean envoy: - description: Envoy contains parameters for Envoy as well as how - to optionally configure a managed Envoy fleet. + description: |- + Envoy contains parameters for Envoy as well + as how to optionally configure a managed Envoy fleet. properties: clientCertificate: - description: ClientCertificate defines the namespace/name - of the Kubernetes secret containing the client certificate - and private key to be used when establishing TLS connection - to upstream cluster. + description: |- + ClientCertificate defines the namespace/name of the Kubernetes + secret containing the client certificate and private key + to be used when establishing TLS connection to upstream + cluster. properties: name: type: string @@ -3937,13 +3963,14 @@ spec: - namespace type: object cluster: - description: Cluster holds various configurable Envoy cluster - values that can be set in the config file. + description: |- + Cluster holds various configurable Envoy cluster values that can + be set in the config file. properties: circuitBreakers: - description: GlobalCircuitBreakerDefaults specifies default - circuit breaker budget across all services. If defined, - this will be used as the default for all services. + description: |- + GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services. + If defined, this will be used as the default for all services. properties: maxConnections: description: The maximum number of connections that @@ -3971,35 +3998,35 @@ spec: type: integer type: object dnsLookupFamily: - description: "DNSLookupFamily defines how external names - are looked up When configured as V4, the DNS resolver - will only perform a lookup for addresses in the IPv4 - family. If V6 is configured, the DNS resolver will only - perform a lookup for addresses in the IPv6 family. If - AUTO is configured, the DNS resolver will first perform - a lookup for addresses in the IPv6 family and fallback - to a lookup for addresses in the IPv4 family. If ALL - is specified, the DNS resolver will perform a lookup - for both IPv4 and IPv6 families, and return all resolved - addresses. When this is used, Happy Eyeballs will be - enabled for upstream connections. Refer to Happy Eyeballs - Support for more information. Note: This only applies - to externalName clusters. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily - for more information. \n Values: `auto` (default), `v4`, - `v6`, `all`. \n Other values will produce an error." + description: |- + DNSLookupFamily defines how external names are looked up + When configured as V4, the DNS resolver will only perform a lookup + for addresses in the IPv4 family. If V6 is configured, the DNS resolver + will only perform a lookup for addresses in the IPv6 family. + If AUTO is configured, the DNS resolver will first perform a lookup + for addresses in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. If ALL is specified, the DNS resolver will perform a lookup for + both IPv4 and IPv6 families, and return all resolved addresses. + When this is used, Happy Eyeballs will be enabled for upstream connections. + Refer to Happy Eyeballs Support for more information. + Note: This only applies to externalName clusters. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. + Values: `auto` (default), `v4`, `v6`, `all`. + Other values will produce an error. type: string maxRequestsPerConnection: - description: Defines the maximum requests for upstream - connections. If not specified, there is no limit. see - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + description: |- + Defines the maximum requests for upstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions for more information. format: int32 minimum: 1 type: integer per-connection-buffer-limit-bytes: - description: Defines the soft limit on size of the cluster’s - new connection read and write buffers in bytes. If unspecified, - an implementation defined default is applied (1MiB). + description: |- + Defines the soft limit on size of the cluster’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes for more information. format: int32 @@ -4010,64 +4037,73 @@ spec: for upstream connections properties: cipherSuites: - description: "CipherSuites defines the TLS ciphers - to be supported by Envoy TLS listeners when negotiating - TLS 1.2. Ciphers are validated against the set that - Envoy supports by default. This parameter should - only be used by advanced users. Note that these - will be ignored when TLS 1.3 is in use. \n This - field is optional; when it is undefined, a Contour-managed - ciphersuite list will be used, which may be updated - to keep it secure. \n Contour's default list is: - - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" - \n Ciphers provided are validated against the following - list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" - - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" - - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" - - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - - \"AES256-SHA\" \n Contour recommends leaving this - undefined unless you are sure you must. \n See: - https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters - Note: This list is a superset of what is valid for - stock Envoy builds and those using BoringSSL FIPS." + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. items: type: string type: array maximumProtocolVersion: - description: "MaximumProtocolVersion is the maximum - TLS version this vhost should negotiate. \n Values: - `1.2`, `1.3`(default). \n Other values will produce - an error." + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. type: string minimumProtocolVersion: - description: "MinimumProtocolVersion is the minimum - TLS version this vhost should negotiate. \n Values: - `1.2` (default), `1.3`. \n Other values will produce - an error." + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. type: string type: object type: object defaultHTTPVersions: - description: "DefaultHTTPVersions defines the default set - of HTTPS versions the proxy should accept. HTTP versions - are strings of the form \"HTTP/xx\". Supported versions - are \"HTTP/1.1\" and \"HTTP/2\". \n Values: `HTTP/1.1`, - `HTTP/2` (default: both). \n Other values will produce an - error." + description: |- + DefaultHTTPVersions defines the default set of HTTPS + versions the proxy should accept. HTTP versions are + strings of the form "HTTP/xx". Supported versions are + "HTTP/1.1" and "HTTP/2". + Values: `HTTP/1.1`, `HTTP/2` (default: both). + Other values will produce an error. items: description: HTTPVersionType is the name of a supported HTTP version. type: string type: array health: - description: "Health defines the endpoint Envoy uses to serve - health checks. \n Contour's default is { address: \"0.0.0.0\", - port: 8002 }." + description: |- + Health defines the endpoint Envoy uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8002 }. properties: address: description: Defines the health address interface. @@ -4078,9 +4114,9 @@ spec: type: integer type: object http: - description: "Defines the HTTP Listener for Envoy. \n Contour's - default is { address: \"0.0.0.0\", port: 8080, accessLog: - \"/dev/stdout\" }." + description: |- + Defines the HTTP Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8080, accessLog: "/dev/stdout" }. properties: accessLog: description: AccessLog defines where Envoy logs are outputted @@ -4095,9 +4131,9 @@ spec: type: integer type: object https: - description: "Defines the HTTPS Listener for Envoy. \n Contour's - default is { address: \"0.0.0.0\", port: 8443, accessLog: - \"/dev/stdout\" }." + description: |- + Defines the HTTPS Listener for Envoy. + Contour's default is { address: "0.0.0.0", port: 8443, accessLog: "/dev/stdout" }. properties: accessLog: description: AccessLog defines where Envoy logs are outputted @@ -4116,111 +4152,103 @@ spec: values. properties: connectionBalancer: - description: "ConnectionBalancer. If the value is exact, - the listener will use the exact connection balancer + description: |- + ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig - for more information. \n Values: (empty string): use - the default ConnectionBalancer, `exact`: use the Exact - ConnectionBalancer. \n Other values will produce an - error." + for more information. + Values: (empty string): use the default ConnectionBalancer, `exact`: use the Exact ConnectionBalancer. + Other values will produce an error. type: string disableAllowChunkedLength: - description: "DisableAllowChunkedLength disables the RFC-compliant - Envoy behavior to strip the \"Content-Length\" header - if \"Transfer-Encoding: chunked\" is also set. This - is an emergency off-switch to revert back to Envoy's - default behavior in case of failures. Please file an - issue if failures are encountered. See: https://github.com/projectcontour/contour/issues/3221 - \n Contour's default is false." + description: |- + DisableAllowChunkedLength disables the RFC-compliant Envoy behavior to + strip the "Content-Length" header if "Transfer-Encoding: chunked" is + also set. This is an emergency off-switch to revert back to Envoy's + default behavior in case of failures. Please file an issue if failures + are encountered. + See: https://github.com/projectcontour/contour/issues/3221 + Contour's default is false. type: boolean disableMergeSlashes: - description: "DisableMergeSlashes disables Envoy's non-standard - merge_slashes path transformation option which strips - duplicate slashes from request URL paths. \n Contour's - default is false." + description: |- + DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option + which strips duplicate slashes from request URL paths. + Contour's default is false. type: boolean httpMaxConcurrentStreams: - description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS - Envoy will advertise in the SETTINGS frame in HTTP/2 - connections and the limit for concurrent streams allowed - for a peer on a single HTTP/2 connection. It is recommended - to not set this lower than 100 but this field can be - used to bound resource usage by HTTP/2 connections and - mitigate attacks like CVE-2023-44487. The default value - when this is not set is unlimited. + description: |- + Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the + SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed + for a peer on a single HTTP/2 connection. It is recommended to not set this lower + than 100 but this field can be used to bound resource usage by HTTP/2 connections + and mitigate attacks like CVE-2023-44487. The default value when this is not set is + unlimited. format: int32 minimum: 1 type: integer maxConnectionsPerListener: - description: Defines the limit on number of active connections - to a listener. The limit is applied per listener. The - default value when this is not set is unlimited. + description: |- + Defines the limit on number of active connections to a listener. The limit is applied + per listener. The default value when this is not set is unlimited. format: int32 minimum: 1 type: integer maxRequestsPerConnection: - description: Defines the maximum requests for downstream - connections. If not specified, there is no limit. see - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions + description: |- + Defines the maximum requests for downstream connections. If not specified, there is no limit. + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions for more information. format: int32 minimum: 1 type: integer maxRequestsPerIOCycle: - description: Defines the limit on number of HTTP requests - that Envoy will process from a single connection in - a single I/O cycle. Requests over this limit are processed - in subsequent I/O cycles. Can be used as a mitigation - for CVE-2023-44487 when abusive traffic is detected. - Configures the http.max_requests_per_io_cycle Envoy - runtime setting. The default value when this is not - set is no limit. + description: |- + Defines the limit on number of HTTP requests that Envoy will process from a single + connection in a single I/O cycle. Requests over this limit are processed in subsequent + I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is + detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default + value when this is not set is no limit. format: int32 minimum: 1 type: integer per-connection-buffer-limit-bytes: - description: Defines the soft limit on size of the listener’s - new connection read and write buffers in bytes. If unspecified, - an implementation defined default is applied (1MiB). + description: |- + Defines the soft limit on size of the listener’s new connection read and write buffers in bytes. + If unspecified, an implementation defined default is applied (1MiB). see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes for more information. format: int32 minimum: 1 type: integer serverHeaderTransformation: - description: "Defines the action to be applied to the - Server header on the response path. When configured - as overwrite, overwrites any Server header with \"envoy\". - When configured as append_if_absent, if a Server header - is present, pass it through, otherwise set it to \"envoy\". - When configured as pass_through, pass through the value - of the Server header, and do not append a header if - none is present. \n Values: `overwrite` (default), `append_if_absent`, - `pass_through` \n Other values will produce an error. - Contour's default is overwrite." + description: |- + Defines the action to be applied to the Server header on the response path. + When configured as overwrite, overwrites any Server header with "envoy". + When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy". + When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. + Values: `overwrite` (default), `append_if_absent`, `pass_through` + Other values will produce an error. + Contour's default is overwrite. type: string socketOptions: - description: SocketOptions defines configurable socket - options for the listeners. Single set of options are - applied to all listeners. + description: |- + SocketOptions defines configurable socket options for the listeners. + Single set of options are applied to all listeners. properties: tos: - description: Defines the value for IPv4 TOS field - (including 6 bit DSCP field) for IP packets originating - from Envoy listeners. Single value is applied to - all listeners. If listeners are bound to IPv6-only - addresses, setting this option will cause an error. + description: |- + Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv6-only addresses, setting this option will cause an error. format: int32 maximum: 255 minimum: 0 type: integer trafficClass: - description: Defines the value for IPv6 Traffic Class - field (including 6 bit DSCP field) for IP packets - originating from the Envoy listeners. Single value - is applied to all listeners. If listeners are bound - to IPv4-only addresses, setting this option will - cause an error. + description: |- + Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners. + Single value is applied to all listeners. + If listeners are bound to IPv4-only addresses, setting this option will cause an error. format: int32 maximum: 255 minimum: 0 @@ -4231,84 +4259,93 @@ spec: listener values. properties: cipherSuites: - description: "CipherSuites defines the TLS ciphers - to be supported by Envoy TLS listeners when negotiating - TLS 1.2. Ciphers are validated against the set that - Envoy supports by default. This parameter should - only be used by advanced users. Note that these - will be ignored when TLS 1.3 is in use. \n This - field is optional; when it is undefined, a Contour-managed - ciphersuite list will be used, which may be updated - to keep it secure. \n Contour's default list is: - - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" - \n Ciphers provided are validated against the following - list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" - - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" - - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" - - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" - - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" - - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - - \"AES256-SHA\" \n Contour recommends leaving this - undefined unless you are sure you must. \n See: - https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters - Note: This list is a superset of what is valid for - stock Envoy builds and those using BoringSSL FIPS." + description: |- + CipherSuites defines the TLS ciphers to be supported by Envoy TLS + listeners when negotiating TLS 1.2. Ciphers are validated against the + set that Envoy supports by default. This parameter should only be used + by advanced users. Note that these will be ignored when TLS 1.3 is in + use. + This field is optional; when it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. + Contour's default list is: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + Ciphers provided are validated against the following list: + - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]" + - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]" + - "ECDHE-ECDSA-AES128-GCM-SHA256" + - "ECDHE-RSA-AES128-GCM-SHA256" + - "ECDHE-ECDSA-AES128-SHA" + - "ECDHE-RSA-AES128-SHA" + - "AES128-GCM-SHA256" + - "AES128-SHA" + - "ECDHE-ECDSA-AES256-GCM-SHA384" + - "ECDHE-RSA-AES256-GCM-SHA384" + - "ECDHE-ECDSA-AES256-SHA" + - "ECDHE-RSA-AES256-SHA" + - "AES256-GCM-SHA384" + - "AES256-SHA" + Contour recommends leaving this undefined unless you are sure you must. + See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS. items: type: string type: array maximumProtocolVersion: - description: "MaximumProtocolVersion is the maximum - TLS version this vhost should negotiate. \n Values: - `1.2`, `1.3`(default). \n Other values will produce - an error." + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. + Values: `1.2`, `1.3`(default). + Other values will produce an error. type: string minimumProtocolVersion: - description: "MinimumProtocolVersion is the minimum - TLS version this vhost should negotiate. \n Values: - `1.2` (default), `1.3`. \n Other values will produce - an error." + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. + Values: `1.2` (default), `1.3`. + Other values will produce an error. type: string type: object useProxyProtocol: - description: "Use PROXY protocol for all listeners. \n - Contour's default is false." + description: |- + Use PROXY protocol for all listeners. + Contour's default is false. type: boolean type: object logging: description: Logging defines how Envoy's logs can be configured. properties: accessLogFormat: - description: "AccessLogFormat sets the global access log - format. \n Values: `envoy` (default), `json`. \n Other - values will produce an error." + description: |- + AccessLogFormat sets the global access log format. + Values: `envoy` (default), `json`. + Other values will produce an error. type: string accessLogFormatString: - description: AccessLogFormatString sets the access log - format when format is set to `envoy`. When empty, Envoy's - default format is used. + description: |- + AccessLogFormatString sets the access log format when format is set to `envoy`. + When empty, Envoy's default format is used. type: string accessLogJSONFields: - description: AccessLogJSONFields sets the fields that - JSON logging will output when AccessLogFormat is json. + description: |- + AccessLogJSONFields sets the fields that JSON logging will + output when AccessLogFormat is json. items: type: string type: array accessLogLevel: - description: "AccessLogLevel sets the verbosity level - of the access log. \n Values: `info` (default, all requests - are logged), `error` (all non-success requests, i.e. - 300+ response code, are logged), `critical` (all 5xx - requests are logged) and `disabled`. \n Other values - will produce an error." + description: |- + AccessLogLevel sets the verbosity level of the access log. + Values: `info` (default, all requests are logged), `error` (all non-success requests, i.e. 300+ response code, are logged), `critical` (all 5xx requests are logged) and `disabled`. + Other values will produce an error. type: string type: object metrics: - description: "Metrics defines the endpoint Envoy uses to serve - metrics. \n Contour's default is { address: \"0.0.0.0\", - port: 8002 }." + description: |- + Metrics defines the endpoint Envoy uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8002 }. properties: address: description: Defines the metrics address interface. @@ -4319,9 +4356,9 @@ spec: description: Defines the metrics port. type: integer tls: - description: TLS holds TLS file config details. Metrics - and health endpoints cannot have same port number when - metrics is served over HTTPS. + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. properties: caFile: description: CA filename. @@ -4339,24 +4376,26 @@ spec: values. properties: adminPort: - description: "Configure the port used to access the Envoy - Admin interface. If configured to port \"0\" then the - admin interface is disabled. \n Contour's default is - 9001." + description: |- + Configure the port used to access the Envoy Admin interface. + If configured to port "0" then the admin interface is disabled. + Contour's default is 9001. type: integer numTrustedHops: - description: "XffNumTrustedHops defines the number of - additional ingress proxy hops from the right side of - the x-forwarded-for HTTP header to trust when determining - the origin client’s IP address. \n See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops - for more information. \n Contour's default is 0." + description: |- + XffNumTrustedHops defines the number of additional ingress proxy hops from the + right side of the x-forwarded-for HTTP header to trust when determining the origin + client’s IP address. + See https://www.envoyproxy.io/docs/envoy/v1.17.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=xff_num_trusted_hops + for more information. + Contour's default is 0. format: int32 type: integer type: object service: - description: "Service holds Envoy service parameters for setting - Ingress status. \n Contour's default is { namespace: \"projectcontour\", - name: \"envoy\" }." + description: |- + Service holds Envoy service parameters for setting Ingress status. + Contour's default is { namespace: "projectcontour", name: "envoy" }. properties: name: type: string @@ -4367,95 +4406,100 @@ spec: - namespace type: object timeouts: - description: Timeouts holds various configurable timeouts - that can be set in the config file. + description: |- + Timeouts holds various configurable timeouts that can + be set in the config file. properties: connectTimeout: - description: "ConnectTimeout defines how long the proxy - should wait when establishing connection to upstream - service. If not set, a default value of 2 seconds will - be used. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout - for more information." + description: |- + ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. + If not set, a default value of 2 seconds will be used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-connect-timeout + for more information. type: string connectionIdleTimeout: - description: "ConnectionIdleTimeout defines how long the - proxy should wait while there are no active requests - (for HTTP/1.1) or streams (for HTTP/2) before terminating - an HTTP connection. Set to \"infinity\" to disable the - timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout - for more information." + description: |- + ConnectionIdleTimeout defines how long the proxy should wait while there are + no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating + an HTTP connection. Set to "infinity" to disable the timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout + for more information. type: string connectionShutdownGracePeriod: - description: "ConnectionShutdownGracePeriod defines how - long the proxy will wait between sending an initial - GOAWAY frame and a second, final GOAWAY frame when terminating - an HTTP/2 connection. During this grace period, the - proxy will continue to respond to new streams. After - the final GOAWAY frame has been sent, the proxy will - refuse new streams. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout - for more information." + description: |- + ConnectionShutdownGracePeriod defines how long the proxy will wait between sending an + initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection. + During this grace period, the proxy will continue to respond to new streams. After the final + GOAWAY frame has been sent, the proxy will refuse new streams. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-drain-timeout + for more information. type: string delayedCloseTimeout: - description: "DelayedCloseTimeout defines how long envoy - will wait, once connection close processing has been - initiated, for the downstream peer to close the connection - before Envoy closes the socket associated with the connection. - \n Setting this timeout to 'infinity' will disable it, - equivalent to setting it to '0' in Envoy. Leaving it - unset will result in the Envoy default value being used. - \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout - for more information." + description: |- + DelayedCloseTimeout defines how long envoy will wait, once connection + close processing has been initiated, for the downstream peer to close + the connection before Envoy closes the socket associated with the connection. + Setting this timeout to 'infinity' will disable it, equivalent to setting it to '0' + in Envoy. Leaving it unset will result in the Envoy default value being used. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-delayed-close-timeout + for more information. type: string maxConnectionDuration: - description: "MaxConnectionDuration defines the maximum - period of time after an HTTP connection has been established - from the client to the proxy before it is closed by - the proxy, regardless of whether there has been activity - or not. Omit or set to \"infinity\" for no max duration. - \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration - for more information." + description: |- + MaxConnectionDuration defines the maximum period of time after an HTTP connection + has been established from the client to the proxy before it is closed by the proxy, + regardless of whether there has been activity or not. Omit or set to "infinity" for + no max duration. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-max-connection-duration + for more information. type: string requestTimeout: - description: "RequestTimeout sets the client request timeout - globally for Contour. Note that this is a timeout for - the entire request, not an idle timeout. Omit or set - to \"infinity\" to disable the timeout entirely. \n + description: |- + RequestTimeout sets the client request timeout globally for Contour. Note that + this is a timeout for the entire request, not an idle timeout. Omit or set to + "infinity" to disable the timeout entirely. See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-request-timeout - for more information." + for more information. type: string streamIdleTimeout: - description: "StreamIdleTimeout defines how long the proxy - should wait while there is no request activity (for - HTTP/1.1) or stream activity (for HTTP/2) before terminating - the HTTP request or stream. Set to \"infinity\" to disable - the timeout entirely. \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout - for more information." + description: |- + StreamIdleTimeout defines how long the proxy should wait while there is no + request activity (for HTTP/1.1) or stream activity (for HTTP/2) before + terminating the HTTP request or stream. Set to "infinity" to disable the + timeout entirely. + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-stream-idle-timeout + for more information. type: string type: object type: object featureFlags: - description: 'FeatureFlags defines toggle to enable new contour - features. Available toggles are: useEndpointSlices - configures - contour to fetch endpoint data from k8s endpoint slices. defaults - to false and reading endpoint data from the k8s endpoints.' + description: |- + FeatureFlags defines toggle to enable new contour features. + Available toggles are: + useEndpointSlices - configures contour to fetch endpoint data + from k8s endpoint slices. defaults to false and reading endpoint + data from the k8s endpoints. items: type: string type: array gateway: - description: Gateway contains parameters for the gateway-api Gateway - that Contour is configured to serve traffic. + description: |- + Gateway contains parameters for the gateway-api Gateway that Contour + is configured to serve traffic. properties: controllerName: - description: ControllerName is used to determine whether Contour - should reconcile a GatewayClass. The string takes the form - of "projectcontour.io//contour". If unset, the - gatewayclass controller will not be started. Exactly one - of ControllerName or GatewayRef must be set. + description: |- + ControllerName is used to determine whether Contour should reconcile a + GatewayClass. The string takes the form of "projectcontour.io//contour". + If unset, the gatewayclass controller will not be started. + Exactly one of ControllerName or GatewayRef must be set. type: string gatewayRef: - description: GatewayRef defines a specific Gateway that this - Contour instance corresponds to. If set, Contour will reconcile - only this gateway, and will not reconcile any gateway classes. + description: |- + GatewayRef defines a specific Gateway that this Contour + instance corresponds to. If set, Contour will reconcile + only this gateway, and will not reconcile any gateway + classes. Exactly one of ControllerName or GatewayRef must be set. properties: name: @@ -4468,26 +4512,29 @@ spec: type: object type: object globalExtAuth: - description: GlobalExternalAuthorization allows envoys external - authorization filter to be enabled for all virtual hosts. + description: |- + GlobalExternalAuthorization allows envoys external authorization filter + to be enabled for all virtual hosts. properties: authPolicy: - description: AuthPolicy sets a default authorization policy - for client requests. This policy will be used unless overridden - by individual routes. + description: |- + AuthPolicy sets a default authorization policy for client requests. + This policy will be used unless overridden by individual routes. properties: context: additionalProperties: type: string - description: Context is a set of key/value pairs that - are sent to the authentication server in the check request. - If a context is provided at an enclosing scope, the - entries are merged such that the inner scope overrides - matching keys from the outer scope. + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. type: object disabled: - description: When true, this field disables client request - authentication for the scope of the policy. + description: |- + When true, this field disables client request authentication + for the scope of the policy. type: boolean type: object extensionRef: @@ -4495,36 +4542,38 @@ spec: that will authorize client requests. properties: apiVersion: - description: API version of the referent. If this field - is not specified, the default "projectcontour.io/v1alpha1" - will be used + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used minLength: 1 type: string name: - description: "Name of the referent. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names minLength: 1 type: string namespace: - description: "Namespace of the referent. If this field - is not specifies, the namespace of the resource that - targets the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ minLength: 1 type: string type: object failOpen: - description: If FailOpen is true, the client request is forwarded - to the upstream service even if the authorization server - fails to respond. This field should not be set in most cases. - It is intended for use only while migrating applications + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the authorization server fails to respond. This field should not be + set in most cases. It is intended for use only while migrating applications from internal authorization to Contour external authorization. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time to wait - for a check response from the authorization server. Timeout - durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", - "h". The string "infinity" is also a valid input and specifies - no timeout. + description: |- + ResponseTimeout configures maximum time to wait for a check response from the authorization server. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string withRequestBody: @@ -4549,9 +4598,9 @@ spec: type: object type: object health: - description: "Health defines the endpoints Contour uses to serve - health checks. \n Contour's default is { address: \"0.0.0.0\", - port: 8000 }." + description: |- + Health defines the endpoints Contour uses to serve health checks. + Contour's default is { address: "0.0.0.0", port: 8000 }. properties: address: description: Defines the health address interface. @@ -4565,14 +4614,15 @@ spec: description: HTTPProxy defines parameters on HTTPProxy. properties: disablePermitInsecure: - description: "DisablePermitInsecure disables the use of the - permitInsecure field in HTTPProxy. \n Contour's default - is false." + description: |- + DisablePermitInsecure disables the use of the + permitInsecure field in HTTPProxy. + Contour's default is false. type: boolean fallbackCertificate: - description: FallbackCertificate defines the namespace/name - of the Kubernetes secret to use as fallback when a non-SNI - request is received. + description: |- + FallbackCertificate defines the namespace/name of the Kubernetes secret to + use as fallback when a non-SNI request is received. properties: name: type: string @@ -4602,9 +4652,9 @@ spec: type: string type: object metrics: - description: "Metrics defines the endpoint Contour uses to serve - metrics. \n Contour's default is { address: \"0.0.0.0\", port: - 8000 }." + description: |- + Metrics defines the endpoint Contour uses to serve metrics. + Contour's default is { address: "0.0.0.0", port: 8000 }. properties: address: description: Defines the metrics address interface. @@ -4615,9 +4665,9 @@ spec: description: Defines the metrics port. type: integer tls: - description: TLS holds TLS file config details. Metrics and - health endpoints cannot have same port number when metrics - is served over HTTPS. + description: |- + TLS holds TLS file config details. + Metrics and health endpoints cannot have same port number when metrics is served over HTTPS. properties: caFile: description: CA filename. @@ -4635,8 +4685,9 @@ spec: by the user properties: applyToIngress: - description: "ApplyToIngress determines if the Policies will - apply to ingress objects \n Contour's default is false." + description: |- + ApplyToIngress determines if the Policies will apply to ingress objects + Contour's default is false. type: boolean requestHeaders: description: RequestHeadersPolicy defines the request headers @@ -4666,18 +4717,20 @@ spec: type: object type: object rateLimitService: - description: RateLimitService optionally holds properties of the - Rate Limit Service to be used for global rate limiting. + description: |- + RateLimitService optionally holds properties of the Rate Limit Service + to be used for global rate limiting. properties: defaultGlobalRateLimitPolicy: - description: DefaultGlobalRateLimitPolicy allows setting a - default global rate limit policy for every HTTPProxy. HTTPProxy - can overwrite this configuration. + description: |- + DefaultGlobalRateLimitPolicy allows setting a default global rate limit policy for every HTTPProxy. + HTTPProxy can overwrite this configuration. properties: descriptors: - description: Descriptors defines the list of descriptors - that will be generated and sent to the rate limit service. - Each descriptor contains 1+ key-value pair entries. + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries. items: description: RateLimitDescriptor defines a list of key-value pair generators. @@ -4686,18 +4739,18 @@ spec: description: Entries is the list of key-value pair generators. items: - description: RateLimitDescriptorEntry is a key-value - pair generator. Exactly one field on this struct - must be non-nil. + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. properties: genericKey: description: GenericKey defines a descriptor entry with a static key and value. properties: key: - description: Key defines the key of the - descriptor entry. If not set, the key - is set to "generic_key". + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". type: string value: description: Value defines the value of @@ -4706,17 +4759,15 @@ spec: type: string type: object remoteAddress: - description: RemoteAddress defines a descriptor - entry with a key of "remote_address" and - a value equal to the client's IP address - (from x-forwarded-for). + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). type: object requestHeader: - description: RequestHeader defines a descriptor - entry that's populated only if a given header - is present on the request. The descriptor - key is static, and the descriptor value - is equal to the value of the header. + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. properties: descriptorKey: description: DescriptorKey defines the @@ -4730,42 +4781,36 @@ spec: type: string type: object requestHeaderValueMatch: - description: RequestHeaderValueMatch defines - a descriptor entry that's populated if the - request's headers match a set of 1+ match - criteria. The descriptor key is "header_match", - and the descriptor value is static. + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. properties: expectMatch: default: true - description: ExpectMatch defines whether - the request must positively match the - match criteria in order to generate - a descriptor entry (i.e. true), or not - match the match criteria in order to - generate a descriptor entry (i.e. false). + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). The default is true. type: boolean headers: - description: Headers is a list of 1+ match - criteria to apply against the request - to determine whether to populate the - descriptor entry or not. + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. items: - description: HeaderMatchCondition specifies - how to conditionally match against - HTTP headers. The Name field is required, - only one of Present, NotPresent, Contains, - NotContains, Exact, NotExact and Regex - can be set. For negative matching - rules only (e.g. NotContains or NotExact) - you can set TreatMissingAsEmpty. IgnoreCase - has no effect for Regex. + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex. properties: contains: - description: Contains specifies - a substring that must be present - in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string @@ -4773,61 +4818,49 @@ spec: equal to. type: string ignoreCase: - description: IgnoreCase specifies - that string matching should be - case insensitive. Note that this - has no effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of - the header to match against. Name - is required. Header names are - case insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies - a substring that must not be present + description: |- + NotContains specifies a substring that must not be present in the header value. type: string notexact: - description: NoExact specifies a - string that the header value must - not be equal to. The condition - is true if the header has any - other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies - that condition is true when the - named header is not present. Note - that setting NotPresent to false - does not make the condition true - if the named header is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that - condition is true when the named - header is present, regardless - of its value. Note that setting - Present to false does not make - the condition true if the named - header is absent. + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. type: boolean regex: - description: Regex specifies a regular - expression pattern that must match - the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty - specifies if the header match - rule specified header does not - exist, this header value will - be treated as empty. Defaults - to false. Unlike the underlying - Envoy implementation this is **only** - supported for negative matches - (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -4847,25 +4880,26 @@ spec: minItems: 1 type: array disabled: - description: Disabled configures the HTTPProxy to not - use the default global rate limit policy defined by - the Contour configuration. + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. type: boolean type: object domain: description: Domain is passed to the Rate Limit Service. type: string enableResourceExhaustedCode: - description: EnableResourceExhaustedCode enables translating - error code 429 to grpc code RESOURCE_EXHAUSTED. When disabled - it's translated to UNAVAILABLE + description: |- + EnableResourceExhaustedCode enables translating error code 429 to + grpc code RESOURCE_EXHAUSTED. When disabled it's translated to UNAVAILABLE type: boolean enableXRateLimitHeaders: - description: "EnableXRateLimitHeaders defines whether to include - the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining, - and X-RateLimit-Reset (as defined by the IETF Internet-Draft - linked below), on responses to clients when the Rate Limit - Service is consulted for a request. \n ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html" + description: |- + EnableXRateLimitHeaders defines whether to include the X-RateLimit + headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset + (as defined by the IETF Internet-Draft linked below), on responses + to clients when the Rate Limit Service is consulted for a request. + ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html type: boolean extensionService: description: ExtensionService identifies the extension service @@ -4880,10 +4914,10 @@ spec: - namespace type: object failOpen: - description: FailOpen defines whether to allow requests to - proceed when the Rate Limit Service fails to respond with - a valid rate limit decision within the timeout defined on - the extension service. + description: |- + FailOpen defines whether to allow requests to proceed when the + Rate Limit Service fails to respond with a valid rate limit + decision within the timeout defined on the extension service. type: boolean required: - extensionService @@ -4896,17 +4930,20 @@ spec: description: CustomTags defines a list of custom tags with unique tag name. items: - description: CustomTag defines custom tags with unique tag - name to create tags for the active span. + description: |- + CustomTag defines custom tags with unique tag name + to create tags for the active span. properties: literal: - description: Literal is a static custom tag value. Precisely - one of Literal, RequestHeaderName must be set. + description: |- + Literal is a static custom tag value. + Precisely one of Literal, RequestHeaderName must be set. type: string requestHeaderName: - description: RequestHeaderName indicates which request - header the label value is obtained from. Precisely - one of Literal, RequestHeaderName must be set. + description: |- + RequestHeaderName indicates which request header + the label value is obtained from. + Precisely one of Literal, RequestHeaderName must be set. type: string tagName: description: TagName is the unique name of the custom @@ -4929,24 +4966,27 @@ spec: - namespace type: object includePodDetail: - description: 'IncludePodDetail defines a flag. If it is true, - contour will add the pod name and namespace to the span - of the trace. the default is true. Note: The Envoy pods - MUST have the HOSTNAME and CONTOUR_NAMESPACE environment - variables set for this to work properly.' + description: |- + IncludePodDetail defines a flag. + If it is true, contour will add the pod name and namespace to the span of the trace. + the default is true. + Note: The Envoy pods MUST have the HOSTNAME and CONTOUR_NAMESPACE environment variables set for this to work properly. type: boolean maxPathTagLength: - description: MaxPathTagLength defines maximum length of the - request path to extract and include in the HttpUrl tag. + description: |- + MaxPathTagLength defines maximum length of the request path + to extract and include in the HttpUrl tag. contour's default is 256. format: int32 type: integer overallSampling: - description: OverallSampling defines the sampling rate of - trace data. contour's default is 100. + description: |- + OverallSampling defines the sampling rate of trace data. + contour's default is 100. type: string serviceName: - description: ServiceName defines the name for the service. + description: |- + ServiceName defines the name for the service. contour's default is contour. type: string required: @@ -4956,18 +4996,20 @@ spec: description: XDSServer contains parameters for the xDS server. properties: address: - description: "Defines the xDS gRPC API address which Contour - will serve. \n Contour's default is \"0.0.0.0\"." + description: |- + Defines the xDS gRPC API address which Contour will serve. + Contour's default is "0.0.0.0". minLength: 1 type: string port: - description: "Defines the xDS gRPC API port which Contour - will serve. \n Contour's default is 8001." + description: |- + Defines the xDS gRPC API port which Contour will serve. + Contour's default is 8001. type: integer tls: - description: "TLS holds TLS file config details. \n Contour's - default is { caFile: \"/certs/ca.crt\", certFile: \"/certs/tls.cert\", - keyFile: \"/certs/tls.key\", insecure: false }." + description: |- + TLS holds TLS file config details. + Contour's default is { caFile: "/certs/ca.crt", certFile: "/certs/tls.cert", keyFile: "/certs/tls.key", insecure: false }. properties: caFile: description: CA filename. @@ -4983,9 +5025,10 @@ spec: type: string type: object type: - description: "Defines the XDSServer to use for `contour serve`. - \n Values: `contour` (default), `envoy`. \n Other values - will produce an error." + description: |- + Defines the XDSServer to use for `contour serve`. + Values: `contour` (default), `envoy`. + Other values will produce an error. type: string type: object type: object @@ -4999,42 +5042,42 @@ spec: resource. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -5048,11 +5091,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -5078,7 +5122,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: extensionservices.projectcontour.io spec: preserveUnknownFields: false @@ -5096,19 +5140,26 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ExtensionService is the schema for the Contour extension services - API. An ExtensionService resource binds a network service to the Contour - API so that Contour API features can be implemented by collaborating components. + description: |- + ExtensionService is the schema for the Contour extension services API. + An ExtensionService resource binds a network service to the Contour + API so that Contour API features can be implemented by collaborating + components. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -5117,101 +5168,111 @@ spec: resource. properties: loadBalancerPolicy: - description: The policy for load balancing GRPC service requests. - Note that the `Cookie` and `RequestHash` load balancing strategies - cannot be used here. + description: |- + The policy for load balancing GRPC service requests. Note that the + `Cookie` and `RequestHash` load balancing strategies cannot be used + here. properties: requestHashPolicies: - description: RequestHashPolicies contains a list of hash policies - to apply when the `RequestHash` load balancing strategy is chosen. - If an element of the supplied list of hash policies is invalid, - it will be ignored. If the list of hash policies is empty after - validation, the load balancing strategy will fall back to the - default `RoundRobin`. + description: |- + RequestHashPolicies contains a list of hash policies to apply when the + `RequestHash` load balancing strategy is chosen. If an element of the + supplied list of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load balancing + strategy will fall back to the default `RoundRobin`. items: - description: RequestHashPolicy contains configuration for an - individual hash policy on a request attribute. + description: |- + RequestHashPolicy contains configuration for an individual hash policy + on a request attribute. properties: hashSourceIP: - description: HashSourceIP should be set to true when request - source IP hash based load balancing is desired. It must - be the only hash option field set, otherwise this request - hash policy object will be ignored. + description: |- + HashSourceIP should be set to true when request source IP hash based + load balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. type: boolean headerHashOptions: - description: HeaderHashOptions should be set when request - header hash based load balancing is desired. It must be - the only hash option field set, otherwise this request - hash policy object will be ignored. + description: |- + HeaderHashOptions should be set when request header hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: headerName: - description: HeaderName is the name of the HTTP request - header that will be used to calculate the hash key. - If the header specified is not present on a request, - no hash will be produced. + description: |- + HeaderName is the name of the HTTP request header that will be used to + calculate the hash key. If the header specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object queryParameterHashOptions: - description: QueryParameterHashOptions should be set when - request query parameter hash based load balancing is desired. - It must be the only hash option field set, otherwise this - request hash policy object will be ignored. + description: |- + QueryParameterHashOptions should be set when request query parameter hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: parameterName: - description: ParameterName is the name of the HTTP request - query parameter that will be used to calculate the - hash key. If the query parameter specified is not - present on a request, no hash will be produced. + description: |- + ParameterName is the name of the HTTP request query parameter that will be used to + calculate the hash key. If the query parameter specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object terminal: - description: Terminal is a flag that allows for short-circuiting - computing of a hash for a given request. If set to true, - and the request attribute specified in the attribute hash - options is present, no further hash policies will be used - to calculate a hash for the request. + description: |- + Terminal is a flag that allows for short-circuiting computing of a hash + for a given request. If set to true, and the request attribute specified + in the attribute hash options is present, no further hash policies will + be used to calculate a hash for the request. type: boolean type: object type: array strategy: - description: Strategy specifies the policy used to balance requests - across the pool of backend pods. Valid policy names are `Random`, - `RoundRobin`, `WeightedLeastRequest`, `Cookie`, and `RequestHash`. - If an unknown strategy name is specified or no policy is supplied, - the default `RoundRobin` policy is used. + description: |- + Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are + `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + and `RequestHash`. If an unknown strategy name is specified + or no policy is supplied, the default `RoundRobin` policy + is used. type: string type: object protocol: - description: Protocol may be used to specify (or override) the protocol - used to reach this Service. Values may be h2 or h2c. If omitted, - protocol-selection falls back on Service annotations. + description: |- + Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be h2 or h2c. If omitted, protocol-selection falls back on Service annotations. enum: - h2 - h2c type: string protocolVersion: - description: This field sets the version of the GRPC protocol that - Envoy uses to send requests to the extension service. Since Contour - always uses the v3 Envoy API, this is currently fixed at "v3". However, - other protocol options will be available in future. + description: |- + This field sets the version of the GRPC protocol that Envoy uses to + send requests to the extension service. Since Contour always uses the + v3 Envoy API, this is currently fixed at "v3". However, other + protocol options will be available in future. enum: - v3 type: string services: - description: Services specifies the set of Kubernetes Service resources - that receive GRPC extension API requests. If no weights are specified - for any of the entries in this array, traffic will be spread evenly - across all the services. Otherwise, traffic is balanced proportionally - to the Weight field in each entry. + description: |- + Services specifies the set of Kubernetes Service resources that + receive GRPC extension API requests. + If no weights are specified for any of the entries in + this array, traffic will be spread evenly across all the + services. + Otherwise, traffic is balanced proportionally to the + Weight field in each entry. items: - description: ExtensionServiceTarget defines an Kubernetes Service - to target with extension service traffic. + description: |- + ExtensionServiceTarget defines an Kubernetes Service to target with + extension service traffic. properties: name: - description: Name is the name of Kubernetes service that will - accept service traffic. + description: |- + Name is the name of Kubernetes service that will accept service + traffic. type: string port: description: Port (defined as Integer) to proxy traffic to since @@ -5235,24 +5296,23 @@ spec: description: The timeout policy for requests to the services. properties: idle: - description: Timeout for how long the proxy should wait while - there is no activity during single request/response (for HTTP/1.1) - or stream (for HTTP/2). Timeout will not trigger while HTTP/1.1 - connection is idle between two consecutive requests. If not - specified, there is no per-route idle timeout, though a connection - manager-wide stream_idle_timeout default of 5m still applies. + description: |- + Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2). + Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests. + If not specified, there is no per-route idle timeout, though a connection manager-wide + stream_idle_timeout default of 5m still applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string idleConnection: - description: Timeout for how long connection from the proxy to - the upstream service is kept when there are no active requests. + description: |- + Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests. If not supplied, Envoy's default value of 1h applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string response: - description: Timeout for receiving a response from the server - after processing a request from client. If not supplied, Envoy's - default value of 15s applies. + description: |- + Timeout for receiving a response from the server after processing a request from client. + If not supplied, Envoy's default value of 15s applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string type: object @@ -5261,27 +5321,26 @@ spec: service's certificate properties: caSecret: - description: Name or namespaced name of the Kubernetes secret - used to validate the certificate presented by the backend. The - secret must contain key named ca.crt. The name can be optionally - prefixed with namespace "namespace/name". When cross-namespace - reference is used, TLSCertificateDelegation resource must exist - in the namespace to grant access to the secret. Max length should - be the actual max possible length of a namespaced name (63 + - 253 + 1 = 317) + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) maxLength: 317 minLength: 1 type: string subjectName: - description: 'Key which is expected to be present in the ''subjectAltName'' - of the presented certificate. Deprecated: migrate to using the - plural field subjectNames.' + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. maxLength: 250 minLength: 1 type: string subjectNames: - description: List of keys, of which at least one is expected to - be present in the 'subjectAltName of the presented certificate. + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the + presented certificate. items: type: string maxItems: 8 @@ -5299,75 +5358,67 @@ spec: - services type: object status: - description: ExtensionServiceStatus defines the observed state of an ExtensionService - resource. + description: |- + ExtensionServiceStatus defines the observed state of an + ExtensionService resource. properties: conditions: - description: "Conditions contains the current status of the ExtensionService - resource. \n Contour will update a single condition, `Valid`, that - is in normal-true polarity. \n Contour will not modify any other - Conditions set in this block, in case some other controller wants - to add a Condition." + description: |- + Conditions contains the current status of the ExtensionService resource. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + Contour will not modify any other Conditions set in this block, + in case some other controller wants to add a Condition. items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. - \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. \n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. properties: errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -5381,10 +5432,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -5396,32 +5447,31 @@ spec: type: object type: array lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -5435,43 +5485,42 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -5485,10 +5534,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -5521,7 +5570,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: httpproxies.projectcontour.io spec: preserveUnknownFields: false @@ -5559,14 +5608,19 @@ spec: description: HTTPProxy is an Ingress CRD specification. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -5574,28 +5628,31 @@ spec: description: HTTPProxySpec defines the spec of the CRD. properties: includes: - description: Includes allow for specific routing configuration to - be included from another HTTPProxy, possibly in another namespace. + description: |- + Includes allow for specific routing configuration to be included from another HTTPProxy, + possibly in another namespace. items: description: Include describes a set of policies that can be applied to an HTTPProxy in a namespace. properties: conditions: - description: 'Conditions are a set of rules that are applied - to included HTTPProxies. In effect, they are added onto the - Conditions of included HTTPProxy Route structs. When applied, - they are merged using AND, with one exception: There can be - only one Prefix MatchCondition per Conditions slice. More - than one Prefix, or contradictory Conditions, will make the - include invalid. Exact and Regex match conditions are not - allowed on includes.' + description: |- + Conditions are a set of rules that are applied to included HTTPProxies. + In effect, they are added onto the Conditions of included HTTPProxy Route + structs. + When applied, they are merged using AND, with one exception: + There can be only one Prefix MatchCondition per Conditions slice. + More than one Prefix, or contradictory Conditions, will make the + include invalid. Exact and Regex match conditions are not allowed + on includes. items: - description: MatchCondition are a general holder for matching - rules for HTTPProxies. One of Prefix, Exact, Regex, Header - or QueryParameter must be provided. + description: |- + MatchCondition are a general holder for matching rules for HTTPProxies. + One of Prefix, Exact, Regex, Header or QueryParameter must be provided. properties: exact: - description: Exact defines a exact match for a request. + description: |- + Exact defines a exact match for a request. This field is not allowed in include match conditions. type: string header: @@ -5603,56 +5660,58 @@ spec: match. properties: contains: - description: Contains specifies a substring that must - be present in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string that the header value must be equal to. type: string ignoreCase: - description: IgnoreCase specifies that string matching - should be case insensitive. Note that this has no - effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the header to match - against. Name is required. Header names are case - insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies a substring that - must not be present in the header value. + description: |- + NotContains specifies a substring that must not be present + in the header value. type: string notexact: - description: NoExact specifies a string that the header - value must not be equal to. The condition is true - if the header has any other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies that condition is - true when the named header is not present. Note - that setting NotPresent to false does not make the - condition true if the named header is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that condition is true - when the named header is present, regardless of - its value. Note that setting Present to false does - not make the condition true if the named header + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header is absent. type: boolean regex: - description: Regex specifies a regular expression - pattern that must match the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty specifies if the - header match rule specified header does not exist, - this header value will be treated as empty. Defaults - to false. Unlike the underlying Envoy implementation - this is **only** supported for negative matches - (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -5665,37 +5724,39 @@ spec: condition to match. properties: contains: - description: Contains specifies a substring that must - be present in the query parameter value. + description: |- + Contains specifies a substring that must be present in + the query parameter value. type: string exact: description: Exact specifies a string that the query parameter value must be equal to. type: string ignoreCase: - description: IgnoreCase specifies that string matching - should be case insensitive. Note that this has no - effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the query parameter - to match against. Name is required. Query parameter - names are case insensitive. + description: |- + Name is the name of the query parameter to match against. Name is required. + Query parameter names are case insensitive. type: string prefix: description: Prefix defines a prefix match for the query parameter value. type: string present: - description: Present specifies that condition is true - when the named query parameter is present, regardless - of its value. Note that setting Present to false - does not make the condition true if the named query - parameter is absent. + description: |- + Present specifies that condition is true when the named query parameter + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named query parameter + is absent. type: boolean regex: - description: Regex specifies a regular expression - pattern that must match the query parameter value. + description: |- + Regex specifies a regular expression pattern that must match the query + parameter value. type: string suffix: description: Suffix defines a suffix match for a query @@ -5705,7 +5766,8 @@ spec: - name type: object regex: - description: Regex defines a regex match for a request. + description: |- + Regex defines a regex match for a request. This field is not allowed in include match conditions. type: string type: object @@ -5722,10 +5784,11 @@ spec: type: object type: array ingressClassName: - description: IngressClassName optionally specifies the ingress class - to use for this HTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class` - annotation. For backwards compatibility, when that annotation is - set, it is given precedence over this field. + description: |- + IngressClassName optionally specifies the ingress class to use for this + HTTPProxy. This replaces the deprecated `kubernetes.io/ingress.class` + annotation. For backwards compatibility, when that annotation is set, it + is given precedence over this field. type: string routes: description: Routes are the ingress routes. If TCPProxy is present, @@ -5734,38 +5797,42 @@ spec: description: Route contains the set of routes for a virtual host. properties: authPolicy: - description: AuthPolicy updates the authorization policy that - was set on the root HTTPProxy object for client requests that + description: |- + AuthPolicy updates the authorization policy that was set + on the root HTTPProxy object for client requests that match this route. properties: context: additionalProperties: type: string - description: Context is a set of key/value pairs that are - sent to the authentication server in the check request. - If a context is provided at an enclosing scope, the entries - are merged such that the inner scope overrides matching - keys from the outer scope. + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. type: object disabled: - description: When true, this field disables client request - authentication for the scope of the policy. + description: |- + When true, this field disables client request authentication + for the scope of the policy. type: boolean type: object conditions: - description: 'Conditions are a set of rules that are applied - to a Route. When applied, they are merged using AND, with - one exception: There can be only one Prefix, Exact or Regex - MatchCondition per Conditions slice. More than one of these - condition types, or contradictory Conditions, will make the - route invalid.' + description: |- + Conditions are a set of rules that are applied to a Route. + When applied, they are merged using AND, with one exception: + There can be only one Prefix, Exact or Regex MatchCondition + per Conditions slice. More than one of these condition types, + or contradictory Conditions, will make the route invalid. items: - description: MatchCondition are a general holder for matching - rules for HTTPProxies. One of Prefix, Exact, Regex, Header - or QueryParameter must be provided. + description: |- + MatchCondition are a general holder for matching rules for HTTPProxies. + One of Prefix, Exact, Regex, Header or QueryParameter must be provided. properties: exact: - description: Exact defines a exact match for a request. + description: |- + Exact defines a exact match for a request. This field is not allowed in include match conditions. type: string header: @@ -5773,56 +5840,58 @@ spec: match. properties: contains: - description: Contains specifies a substring that must - be present in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string that the header value must be equal to. type: string ignoreCase: - description: IgnoreCase specifies that string matching - should be case insensitive. Note that this has no - effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the header to match - against. Name is required. Header names are case - insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies a substring that - must not be present in the header value. + description: |- + NotContains specifies a substring that must not be present + in the header value. type: string notexact: - description: NoExact specifies a string that the header - value must not be equal to. The condition is true - if the header has any other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies that condition is - true when the named header is not present. Note - that setting NotPresent to false does not make the - condition true if the named header is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that condition is true - when the named header is present, regardless of - its value. Note that setting Present to false does - not make the condition true if the named header + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header is absent. type: boolean regex: - description: Regex specifies a regular expression - pattern that must match the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty specifies if the - header match rule specified header does not exist, - this header value will be treated as empty. Defaults - to false. Unlike the underlying Envoy implementation - this is **only** supported for negative matches - (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -5835,37 +5904,39 @@ spec: condition to match. properties: contains: - description: Contains specifies a substring that must - be present in the query parameter value. + description: |- + Contains specifies a substring that must be present in + the query parameter value. type: string exact: description: Exact specifies a string that the query parameter value must be equal to. type: string ignoreCase: - description: IgnoreCase specifies that string matching - should be case insensitive. Note that this has no - effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of the query parameter - to match against. Name is required. Query parameter - names are case insensitive. + description: |- + Name is the name of the query parameter to match against. Name is required. + Query parameter names are case insensitive. type: string prefix: description: Prefix defines a prefix match for the query parameter value. type: string present: - description: Present specifies that condition is true - when the named query parameter is present, regardless - of its value. Note that setting Present to false - does not make the condition true if the named query - parameter is absent. + description: |- + Present specifies that condition is true when the named query parameter + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named query parameter + is absent. type: boolean regex: - description: Regex specifies a regular expression - pattern that must match the query parameter value. + description: |- + Regex specifies a regular expression pattern that must match the query + parameter value. type: string suffix: description: Suffix defines a suffix match for a query @@ -5875,24 +5946,28 @@ spec: - name type: object regex: - description: Regex defines a regex match for a request. + description: |- + Regex defines a regex match for a request. This field is not allowed in include match conditions. type: string type: object type: array cookieRewritePolicies: - description: The policies for rewriting Set-Cookie header attributes. - Note that rewritten cookie names must be unique in this list. - Order rewrite policies are specified in does not matter. + description: |- + The policies for rewriting Set-Cookie header attributes. Note that + rewritten cookie names must be unique in this list. Order rewrite + policies are specified in does not matter. items: properties: domainRewrite: - description: DomainRewrite enables rewriting the Set-Cookie - Domain element. If not set, Domain will not be rewritten. + description: |- + DomainRewrite enables rewriting the Set-Cookie Domain element. + If not set, Domain will not be rewritten. properties: value: - description: Value is the value to rewrite the Domain - attribute to. For now this is required. + description: |- + Value is the value to rewrite the Domain attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -5908,12 +5983,14 @@ spec: pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ type: string pathRewrite: - description: PathRewrite enables rewriting the Set-Cookie - Path element. If not set, Path will not be rewritten. + description: |- + PathRewrite enables rewriting the Set-Cookie Path element. + If not set, Path will not be rewritten. properties: value: - description: Value is the value to rewrite the Path - attribute to. For now this is required. + description: |- + Value is the value to rewrite the Path attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ @@ -5922,17 +5999,18 @@ spec: - value type: object sameSite: - description: SameSite enables rewriting the Set-Cookie - SameSite element. If not set, SameSite attribute will - not be rewritten. + description: |- + SameSite enables rewriting the Set-Cookie SameSite element. + If not set, SameSite attribute will not be rewritten. enum: - Strict - Lax - None type: string secure: - description: Secure enables rewriting the Set-Cookie Secure - element. If not set, Secure attribute will not be rewritten. + description: |- + Secure enables rewriting the Set-Cookie Secure element. + If not set, Secure attribute will not be rewritten. type: boolean required: - name @@ -5943,11 +6021,11 @@ spec: response directly. properties: body: - description: "Body is the content of the response body. - If this setting is omitted, no body is included in the - generated response. \n Note: Body is not recommended to - set too long otherwise it can have significant resource - usage impacts." + description: |- + Body is the content of the response body. + If this setting is omitted, no body is included in the generated response. + Note: Body is not recommended to set too long + otherwise it can have significant resource usage impacts. type: string statusCode: description: StatusCode is the HTTP response status to be @@ -5965,11 +6043,11 @@ spec: description: The health check policy for this route. properties: expectedStatuses: - description: The ranges of HTTP response statuses considered - healthy. Follow half-open semantics, i.e. for each range - the start is inclusive and the end is exclusive. Must - be within the range [100,600). If not specified, only - a 200 response status is considered healthy. + description: |- + The ranges of HTTP response statuses considered healthy. Follow half-open + semantics, i.e. for each range the start is inclusive and the end is exclusive. + Must be within the range [100,600). If not specified, only a 200 response status + is considered healthy. items: properties: end: @@ -5998,9 +6076,10 @@ spec: minimum: 0 type: integer host: - description: The value of the host header in the HTTP health - check request. If left empty (default value), the name - "contour-envoy-healthcheck" will be used. + description: |- + The value of the host header in the HTTP health check request. + If left empty (default value), the name "contour-envoy-healthcheck" + will be used. type: string intervalSeconds: description: The interval (seconds) between health checks @@ -6030,35 +6109,32 @@ spec: properties: allowCrossSchemeRedirect: default: Never - description: AllowCrossSchemeRedirect Allow internal redirect - to follow a target URI with a different scheme than the - value of x-forwarded-proto. SafeOnly allows same scheme - redirect and safe cross scheme redirect, which means if - the downstream scheme is HTTPS, both HTTPS and HTTP redirect - targets are allowed, but if the downstream scheme is HTTP, - only HTTP redirect targets are allowed. + description: |- + AllowCrossSchemeRedirect Allow internal redirect to follow a target URI with a different scheme + than the value of x-forwarded-proto. + SafeOnly allows same scheme redirect and safe cross scheme redirect, which means if the downstream + scheme is HTTPS, both HTTPS and HTTP redirect targets are allowed, but if the downstream scheme + is HTTP, only HTTP redirect targets are allowed. enum: - Always - Never - SafeOnly type: string denyRepeatedRouteRedirect: - description: If DenyRepeatedRouteRedirect is true, rejects - redirect targets that are pointing to a route that has - been followed by a previous redirect from the current - route. + description: |- + If DenyRepeatedRouteRedirect is true, rejects redirect targets that are pointing to a route that has + been followed by a previous redirect from the current route. type: boolean maxInternalRedirects: - description: MaxInternalRedirects An internal redirect is - not handled, unless the number of previous internal redirects - that a downstream request has encountered is lower than - this value. + description: |- + MaxInternalRedirects An internal redirect is not handled, unless the number of previous internal + redirects that a downstream request has encountered is lower than this value. format: int32 type: integer redirectResponseCodes: - description: RedirectResponseCodes If unspecified, only - 302 will be treated as internal redirect. Only 301, 302, - 303, 307 and 308 are valid values. + description: |- + RedirectResponseCodes If unspecified, only 302 will be treated as internal redirect. + Only 301, 302, 303, 307 and 308 are valid values. items: description: RedirectResponseCode is a uint32 type alias with validation to ensure that the value is valid. @@ -6073,25 +6149,26 @@ spec: type: array type: object ipAllowPolicy: - description: IPAllowFilterPolicy is a list of ipv4/6 filter - rules for which matching requests should be allowed. All other - requests will be denied. Only one of IPAllowFilterPolicy and - IPDenyFilterPolicy can be defined. The rules defined here - override any rules set on the root HTTPProxy. + description: |- + IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be allowed. All other requests will be denied. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here override any rules set on the root HTTPProxy. items: properties: cidr: - description: CIDR is a CIDR block of ipv4 or ipv6 addresses - to filter on. This can also be a bare IP address (without - a mask) to filter on exactly one address. + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. type: string source: - description: 'Source indicates how to determine the ip - address to filter on, and can be one of two values: - - `Remote` filters on the ip address of the client, - accounting for PROXY and X-Forwarded-For as needed. - - `Peer` filters on the ip of the network request, ignoring - PROXY and X-Forwarded-For.' + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. enum: - Peer - Remote @@ -6102,25 +6179,26 @@ spec: type: object type: array ipDenyPolicy: - description: IPDenyFilterPolicy is a list of ipv4/6 filter rules - for which matching requests should be denied. All other requests - will be allowed. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy - can be defined. The rules defined here override any rules - set on the root HTTPProxy. + description: |- + IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be denied. All other requests will be allowed. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here override any rules set on the root HTTPProxy. items: properties: cidr: - description: CIDR is a CIDR block of ipv4 or ipv6 addresses - to filter on. This can also be a bare IP address (without - a mask) to filter on exactly one address. + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. type: string source: - description: 'Source indicates how to determine the ip - address to filter on, and can be one of two values: - - `Remote` filters on the ip address of the client, - accounting for PROXY and X-Forwarded-For as needed. - - `Peer` filters on the ip of the network request, ignoring - PROXY and X-Forwarded-For.' + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. enum: - Peer - Remote @@ -6135,93 +6213,93 @@ spec: route. properties: disabled: - description: Disabled defines whether to disable all JWT - verification for this route. This can be used to opt specific - routes out of the default JWT provider for the HTTPProxy. - At most one of this field or the "require" field can be - specified. + description: |- + Disabled defines whether to disable all JWT verification for this + route. This can be used to opt specific routes out of the default + JWT provider for the HTTPProxy. At most one of this field or the + "require" field can be specified. type: boolean require: - description: Require names a specific JWT provider (defined - in the virtual host) to require for the route. If specified, - this field overrides the default provider if one exists. - If this field is not specified, the default provider will - be required if one exists. At most one of this field or - the "disabled" field can be specified. + description: |- + Require names a specific JWT provider (defined in the virtual host) + to require for the route. If specified, this field overrides the + default provider if one exists. If this field is not specified, + the default provider will be required if one exists. At most one of + this field or the "disabled" field can be specified. type: string type: object loadBalancerPolicy: description: The load balancing policy for this route. properties: requestHashPolicies: - description: RequestHashPolicies contains a list of hash - policies to apply when the `RequestHash` load balancing - strategy is chosen. If an element of the supplied list - of hash policies is invalid, it will be ignored. If the - list of hash policies is empty after validation, the load - balancing strategy will fall back to the default `RoundRobin`. + description: |- + RequestHashPolicies contains a list of hash policies to apply when the + `RequestHash` load balancing strategy is chosen. If an element of the + supplied list of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load balancing + strategy will fall back to the default `RoundRobin`. items: - description: RequestHashPolicy contains configuration - for an individual hash policy on a request attribute. + description: |- + RequestHashPolicy contains configuration for an individual hash policy + on a request attribute. properties: hashSourceIP: - description: HashSourceIP should be set to true when - request source IP hash based load balancing is desired. - It must be the only hash option field set, otherwise - this request hash policy object will be ignored. + description: |- + HashSourceIP should be set to true when request source IP hash based + load balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. type: boolean headerHashOptions: - description: HeaderHashOptions should be set when - request header hash based load balancing is desired. - It must be the only hash option field set, otherwise - this request hash policy object will be ignored. + description: |- + HeaderHashOptions should be set when request header hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: headerName: - description: HeaderName is the name of the HTTP - request header that will be used to calculate - the hash key. If the header specified is not - present on a request, no hash will be produced. + description: |- + HeaderName is the name of the HTTP request header that will be used to + calculate the hash key. If the header specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object queryParameterHashOptions: - description: QueryParameterHashOptions should be set - when request query parameter hash based load balancing - is desired. It must be the only hash option field - set, otherwise this request hash policy object will - be ignored. + description: |- + QueryParameterHashOptions should be set when request query parameter hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: parameterName: - description: ParameterName is the name of the - HTTP request query parameter that will be used - to calculate the hash key. If the query parameter - specified is not present on a request, no hash - will be produced. + description: |- + ParameterName is the name of the HTTP request query parameter that will be used to + calculate the hash key. If the query parameter specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object terminal: - description: Terminal is a flag that allows for short-circuiting - computing of a hash for a given request. If set - to true, and the request attribute specified in - the attribute hash options is present, no further - hash policies will be used to calculate a hash for - the request. + description: |- + Terminal is a flag that allows for short-circuiting computing of a hash + for a given request. If set to true, and the request attribute specified + in the attribute hash options is present, no further hash policies will + be used to calculate a hash for the request. type: boolean type: object type: array strategy: - description: Strategy specifies the policy used to balance - requests across the pool of backend pods. Valid policy - names are `Random`, `RoundRobin`, `WeightedLeastRequest`, - `Cookie`, and `RequestHash`. If an unknown strategy name - is specified or no policy is supplied, the default `RoundRobin` - policy is used. + description: |- + Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are + `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + and `RequestHash`. If an unknown strategy name is specified + or no policy is supplied, the default `RoundRobin` policy + is used. type: string type: object pathRewritePolicy: - description: The policy for rewriting the path of the request - URL after the request has been routed to a Service. + description: |- + The policy for rewriting the path of the request URL + after the request has been routed to a Service. properties: replacePrefix: description: ReplacePrefix describes how the path prefix @@ -6230,22 +6308,22 @@ spec: description: ReplacePrefix describes a path prefix replacement. properties: prefix: - description: "Prefix specifies the URL path prefix - to be replaced. \n If Prefix is specified, it must - exactly match the MatchCondition prefix that is - rendered by the chain of including HTTPProxies and - only that path prefix will be replaced by Replacement. - This allows HTTPProxies that are included through - multiple roots to only replace specific path prefixes, - leaving others unmodified. \n If Prefix is not specified, - all routing prefixes rendered by the include chain - will be replaced." + description: |- + Prefix specifies the URL path prefix to be replaced. + If Prefix is specified, it must exactly match the MatchCondition + prefix that is rendered by the chain of including HTTPProxies + and only that path prefix will be replaced by Replacement. + This allows HTTPProxies that are included through multiple + roots to only replace specific path prefixes, leaving others + unmodified. + If Prefix is not specified, all routing prefixes rendered + by the include chain will be replaced. minLength: 1 type: string replacement: - description: Replacement is the string that the routing - path prefix will be replaced with. This must not - be empty. + description: |- + Replacement is the string that the routing path prefix + will be replaced with. This must not be empty. minLength: 1 type: string required: @@ -6254,24 +6332,24 @@ spec: type: array type: object permitInsecure: - description: Allow this path to respond to insecure requests - over HTTP which are normally not permitted when a `virtualhost.tls` - block is present. + description: |- + Allow this path to respond to insecure requests over HTTP which are normally + not permitted when a `virtualhost.tls` block is present. type: boolean rateLimitPolicy: description: The policy for rate limiting on the route. properties: global: - description: Global defines global rate limiting parameters, - i.e. parameters defining descriptors that are sent to - an external rate limit service (RLS) for a rate limit - decision on each request. + description: |- + Global defines global rate limiting parameters, i.e. parameters + defining descriptors that are sent to an external rate limit + service (RLS) for a rate limit decision on each request. properties: descriptors: - description: Descriptors defines the list of descriptors - that will be generated and sent to the rate limit - service. Each descriptor contains 1+ key-value pair - entries. + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries. items: description: RateLimitDescriptor defines a list of key-value pair generators. @@ -6280,18 +6358,18 @@ spec: description: Entries is the list of key-value pair generators. items: - description: RateLimitDescriptorEntry is a key-value - pair generator. Exactly one field on this - struct must be non-nil. + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. properties: genericKey: description: GenericKey defines a descriptor entry with a static key and value. properties: key: - description: Key defines the key of - the descriptor entry. If not set, - the key is set to "generic_key". + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". type: string value: description: Value defines the value @@ -6300,17 +6378,15 @@ spec: type: string type: object remoteAddress: - description: RemoteAddress defines a descriptor - entry with a key of "remote_address" and - a value equal to the client's IP address - (from x-forwarded-for). + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). type: object requestHeader: - description: RequestHeader defines a descriptor - entry that's populated only if a given - header is present on the request. The - descriptor key is static, and the descriptor - value is equal to the value of the header. + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. properties: descriptorKey: description: DescriptorKey defines the @@ -6325,44 +6401,36 @@ spec: type: string type: object requestHeaderValueMatch: - description: RequestHeaderValueMatch defines - a descriptor entry that's populated if - the request's headers match a set of 1+ - match criteria. The descriptor key is - "header_match", and the descriptor value - is static. + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. properties: expectMatch: default: true - description: ExpectMatch defines whether - the request must positively match - the match criteria in order to generate - a descriptor entry (i.e. true), or - not match the match criteria in order - to generate a descriptor entry (i.e. - false). The default is true. + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). + The default is true. type: boolean headers: - description: Headers is a list of 1+ - match criteria to apply against the - request to determine whether to populate - the descriptor entry or not. + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. items: - description: HeaderMatchCondition - specifies how to conditionally match - against HTTP headers. The Name field - is required, only one of Present, - NotPresent, Contains, NotContains, - Exact, NotExact and Regex can be - set. For negative matching rules - only (e.g. NotContains or NotExact) - you can set TreatMissingAsEmpty. + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. IgnoreCase has no effect for Regex. properties: contains: - description: Contains specifies - a substring that must be present - in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a @@ -6370,64 +6438,49 @@ spec: must be equal to. type: string ignoreCase: - description: IgnoreCase specifies - that string matching should - be case insensitive. Note that - this has no effect on the Regex - parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name - of the header to match against. - Name is required. Header names - are case insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies - a substring that must not be - present in the header value. + description: |- + NotContains specifies a substring that must not be present + in the header value. type: string notexact: - description: NoExact specifies - a string that the header value - must not be equal to. The condition - is true if the header has any - other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies - that condition is true when - the named header is not present. - Note that setting NotPresent - to false does not make the condition - true if the named header is - present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies - that condition is true when - the named header is present, - regardless of its value. Note - that setting Present to false - does not make the condition - true if the named header is - absent. + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. type: boolean regex: - description: Regex specifies a - regular expression pattern that - must match the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty - specifies if the header match - rule specified header does not - exist, this header value will - be treated as empty. Defaults - to false. Unlike the underlying - Envoy implementation this is - **only** supported for negative - matches (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -6447,32 +6500,34 @@ spec: minItems: 1 type: array disabled: - description: Disabled configures the HTTPProxy to not - use the default global rate limit policy defined by - the Contour configuration. + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. type: boolean type: object local: - description: Local defines local rate limiting parameters, - i.e. parameters for rate limiting that occurs within each - Envoy pod as requests are handled. + description: |- + Local defines local rate limiting parameters, i.e. parameters + for rate limiting that occurs within each Envoy pod as requests + are handled. properties: burst: - description: Burst defines the number of requests above - the requests per unit that should be allowed within - a short period of time. + description: |- + Burst defines the number of requests above the requests per + unit that should be allowed within a short period of time. format: int32 type: integer requests: - description: Requests defines how many requests per - unit of time should be allowed before rate limiting - occurs. + description: |- + Requests defines how many requests per unit of time should + be allowed before rate limiting occurs. format: int32 minimum: 1 type: integer responseHeadersToAdd: - description: ResponseHeadersToAdd is an optional list - of response headers to set when a request is rate-limited. + description: |- + ResponseHeadersToAdd is an optional list of response headers to + set when a request is rate-limited. items: description: HeaderValue represents a header name/value pair @@ -6492,18 +6547,20 @@ spec: type: object type: array responseStatusCode: - description: ResponseStatusCode is the HTTP status code - to use for responses to rate-limited requests. Codes - must be in the 400-599 range (inclusive). If not specified, - the Envoy default of 429 (Too Many Requests) is used. + description: |- + ResponseStatusCode is the HTTP status code to use for responses + to rate-limited requests. Codes must be in the 400-599 range + (inclusive). If not specified, the Envoy default of 429 (Too + Many Requests) is used. format: int32 maximum: 599 minimum: 400 type: integer unit: - description: Unit defines the period of time within - which requests over the limit will be rate limited. - Valid values are "second", "minute" and "hour". + description: |- + Unit defines the period of time within which requests + over the limit will be rate limited. Valid values are + "second", "minute" and "hour". enum: - second - minute @@ -6515,15 +6572,16 @@ spec: type: object type: object requestHeadersPolicy: - description: "The policy for managing request headers during - proxying. \n You may dynamically rewrite the Host header to - be forwarded upstream to the content of a request header using - the below format \"%REQ(X-Header-Name)%\". If the value of - the header is empty, it is ignored. \n *NOTE: Pay attention - to the potential security implications of using this option. - Provided header must come from trusted source. \n **NOTE: - The header rewrite is only done while forwarding and has no - bearing on the routing decision." + description: |- + The policy for managing request headers during proxying. + You may dynamically rewrite the Host header to be forwarded + upstream to the content of a request header using + the below format "%REQ(X-Header-Name)%". If the value of the header + is empty, it is ignored. + *NOTE: Pay attention to the potential security implications of using this option. + Provided header must come from trusted source. + **NOTE: The header rewrite is only done while forwarding and has no bearing + on the routing decision. properties: remove: description: Remove specifies a list of HTTP header names @@ -6532,10 +6590,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header does - not exist it will be added, otherwise it will be overwritten - with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -6559,39 +6616,44 @@ spec: description: RequestRedirectPolicy defines an HTTP redirection. properties: hostname: - description: Hostname is the precise hostname to be used - in the value of the `Location` header in the response. - When empty, the hostname of the request is used. No wildcards - are allowed. + description: |- + Hostname is the precise hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname of the request is used. + No wildcards are allowed. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string path: - description: "Path allows for redirection to a different - path from the original on the request. The path must start - with a leading slash. \n Note: Only one of Path or Prefix - can be defined." + description: |- + Path allows for redirection to a different path from the + original on the request. The path must start with a + leading slash. + Note: Only one of Path or Prefix can be defined. pattern: ^\/.*$ type: string port: - description: Port is the port to be used in the value of - the `Location` header in the response. When empty, port - (if specified) of the request is used. + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + When empty, port (if specified) of the request is used. format: int32 maximum: 65535 minimum: 1 type: integer prefix: - description: "Prefix defines the value to swap the matched - prefix or path with. The prefix must start with a leading - slash. \n Note: Only one of Path or Prefix can be defined." + description: |- + Prefix defines the value to swap the matched prefix or path with. + The prefix must start with a leading slash. + Note: Only one of Path or Prefix can be defined. pattern: ^\/.*$ type: string scheme: - description: Scheme is the scheme to be used in the value - of the `Location` header in the response. When empty, - the scheme of the request is used. + description: |- + Scheme is the scheme to be used in the value of the `Location` + header in the response. + When empty, the scheme of the request is used. enum: - http - https @@ -6606,8 +6668,9 @@ spec: type: integer type: object responseHeadersPolicy: - description: The policy for managing response headers during - proxying. Rewriting the 'Host' header is not supported. + description: |- + The policy for managing response headers during proxying. + Rewriting the 'Host' header is not supported. properties: remove: description: Remove specifies a list of HTTP header names @@ -6616,10 +6679,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header does - not exist it will be added, otherwise it will be overwritten - with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -6644,35 +6706,46 @@ spec: properties: count: default: 1 - description: NumRetries is maximum allowed number of retries. - If set to -1, then retries are disabled. If set to 0 or - not supplied, the value is set to the Envoy default of - 1. + description: |- + NumRetries is maximum allowed number of retries. + If set to -1, then retries are disabled. + If set to 0 or not supplied, the value is set + to the Envoy default of 1. format: int64 minimum: -1 type: integer perTryTimeout: - description: PerTryTimeout specifies the timeout per retry - attempt. Ignored if NumRetries is not supplied. + description: |- + PerTryTimeout specifies the timeout per retry attempt. + Ignored if NumRetries is not supplied. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string retriableStatusCodes: - description: "RetriableStatusCodes specifies the HTTP status - codes that should be retried. \n This field is only respected - when you include `retriable-status-codes` in the `RetryOn` - field." + description: |- + RetriableStatusCodes specifies the HTTP status codes that should be retried. + This field is only respected when you include `retriable-status-codes` in the `RetryOn` field. items: format: int32 type: integer type: array retryOn: - description: "RetryOn specifies the conditions on which - to retry a request. \n Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on): - \n - `5xx` - `gateway-error` - `reset` - `connect-failure` - - `retriable-4xx` - `refused-stream` - `retriable-status-codes` - - `retriable-headers` \n Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on): - \n - `cancelled` - `deadline-exceeded` - `internal` - - `resource-exhausted` - `unavailable`" + description: |- + RetryOn specifies the conditions on which to retry a request. + Supported [HTTP conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on): + - `5xx` + - `gateway-error` + - `reset` + - `connect-failure` + - `retriable-4xx` + - `refused-stream` + - `retriable-status-codes` + - `retriable-headers` + Supported [gRPC conditions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on): + - `cancelled` + - `deadline-exceeded` + - `internal` + - `resource-exhausted` + - `unavailable` items: description: RetryOn is a string type alias with validation to ensure that the value is valid. @@ -6705,13 +6778,14 @@ spec: items: properties: domainRewrite: - description: DomainRewrite enables rewriting the - Set-Cookie Domain element. If not set, Domain - will not be rewritten. + description: |- + DomainRewrite enables rewriting the Set-Cookie Domain element. + If not set, Domain will not be rewritten. properties: value: - description: Value is the value to rewrite the - Domain attribute to. For now this is required. + description: |- + Value is the value to rewrite the Domain attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -6727,12 +6801,14 @@ spec: pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ type: string pathRewrite: - description: PathRewrite enables rewriting the Set-Cookie - Path element. If not set, Path will not be rewritten. + description: |- + PathRewrite enables rewriting the Set-Cookie Path element. + If not set, Path will not be rewritten. properties: value: - description: Value is the value to rewrite the - Path attribute to. For now this is required. + description: |- + Value is the value to rewrite the Path attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ @@ -6741,45 +6817,43 @@ spec: - value type: object sameSite: - description: SameSite enables rewriting the Set-Cookie - SameSite element. If not set, SameSite attribute - will not be rewritten. + description: |- + SameSite enables rewriting the Set-Cookie SameSite element. + If not set, SameSite attribute will not be rewritten. enum: - Strict - Lax - None type: string secure: - description: Secure enables rewriting the Set-Cookie - Secure element. If not set, Secure attribute will - not be rewritten. + description: |- + Secure enables rewriting the Set-Cookie Secure element. + If not set, Secure attribute will not be rewritten. type: boolean required: - name type: object type: array healthPort: - description: HealthPort is the port for this service healthcheck. + description: |- + HealthPort is the port for this service healthcheck. If not specified, Port is used for service healthchecks. maximum: 65535 minimum: 1 type: integer mirror: - description: 'If Mirror is true the Service will receive - a read only mirror of the traffic for this route. If - Mirror is true, then fractional mirroring can be enabled - by optionally setting the Weight field. Legal values - for Weight are 1-100. Omitting the Weight field will - result in 100% mirroring. NOTE: Setting Weight explicitly - to 0 will unexpectedly result in 100% traffic mirroring. - This occurs since we cannot distinguish omitted fields - from those explicitly set to their default values' + description: |- + If Mirror is true the Service will receive a read only mirror of the traffic for this route. + If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight + field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring. + NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This + occurs since we cannot distinguish omitted fields from those explicitly set to their default + values type: boolean name: - description: Name is the name of Kubernetes service to - proxy traffic. Names defined here will be used to look - up corresponding endpoints which contain the ips to - route. + description: |- + Name is the name of Kubernetes service to proxy traffic. + Names defined here will be used to look up corresponding endpoints which contain the ips to route. type: string port: description: Port (defined as Integer) to proxy traffic @@ -6789,10 +6863,9 @@ spec: minimum: 1 type: integer protocol: - description: Protocol may be used to specify (or override) - the protocol used to reach this Service. Values may - be tls, h2, h2c. If omitted, protocol-selection falls - back on Service annotations. + description: |- + Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations. enum: - h2 - h2c @@ -6809,10 +6882,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -6833,9 +6905,9 @@ spec: type: array type: object responseHeadersPolicy: - description: The policy for managing response headers - during proxying. Rewriting the 'Host' header is not - supported. + description: |- + The policy for managing response headers during proxying. + Rewriting the 'Host' header is not supported. properties: remove: description: Remove specifies a list of HTTP header @@ -6844,10 +6916,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -6873,32 +6944,29 @@ spec: properties: aggression: default: "1.0" - description: "The speed of traffic increase over the - slow start window. Defaults to 1.0, so that endpoint - would get linearly increasing amount of traffic. - When increasing the value for this parameter, the - speed of traffic ramp-up increases non-linearly. - The value of aggression parameter should be greater - than 0.0. \n More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start" + description: |- + The speed of traffic increase over the slow start window. + Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic. + When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly. + The value of aggression parameter should be greater than 0.0. + More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start pattern: ^([0-9]+([.][0-9]+)?|[.][0-9]+)$ type: string minWeightPercent: default: 10 - description: The minimum or starting percentage of - traffic to send to new endpoints. A non-zero value - helps avoid a too small initial weight, which may - cause endpoints in slow start mode to receive no - traffic in the beginning of the slow start window. + description: |- + The minimum or starting percentage of traffic to send to new endpoints. + A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window. If not specified, the default is 10%. format: int32 maximum: 100 minimum: 0 type: integer window: - description: The duration of slow start window. Duration - is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", - "s", "m", "h". + description: |- + The duration of slow start window. + Duration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ type: string required: @@ -6909,29 +6977,26 @@ spec: the backend service's certificate properties: caSecret: - description: Name or namespaced name of the Kubernetes - secret used to validate the certificate presented - by the backend. The secret must contain key named - ca.crt. The name can be optionally prefixed with - namespace "namespace/name". When cross-namespace - reference is used, TLSCertificateDelegation resource - must exist in the namespace to grant access to the - secret. Max length should be the actual max possible - length of a namespaced name (63 + 253 + 1 = 317) + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) maxLength: 317 minLength: 1 type: string subjectName: - description: 'Key which is expected to be present - in the ''subjectAltName'' of the presented certificate. - Deprecated: migrate to using the plural field subjectNames.' + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. maxLength: 250 minLength: 1 type: string subjectNames: - description: List of keys, of which at least one is - expected to be present in the 'subjectAltName of - the presented certificate. + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the + presented certificate. items: type: string maxItems: 8 @@ -6960,26 +7025,23 @@ spec: description: The timeout policy for this route. properties: idle: - description: Timeout for how long the proxy should wait - while there is no activity during single request/response - (for HTTP/1.1) or stream (for HTTP/2). Timeout will not - trigger while HTTP/1.1 connection is idle between two - consecutive requests. If not specified, there is no per-route - idle timeout, though a connection manager-wide stream_idle_timeout - default of 5m still applies. + description: |- + Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2). + Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests. + If not specified, there is no per-route idle timeout, though a connection manager-wide + stream_idle_timeout default of 5m still applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string idleConnection: - description: Timeout for how long connection from the proxy - to the upstream service is kept when there are no active - requests. If not supplied, Envoy's default value of 1h - applies. + description: |- + Timeout for how long connection from the proxy to the upstream service is kept when there are no active requests. + If not supplied, Envoy's default value of 1h applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string response: - description: Timeout for receiving a response from the server - after processing a request from client. If not supplied, - Envoy's default value of 15s applies. + description: |- + Timeout for receiving a response from the server after processing a request from client. + If not supplied, Envoy's default value of 15s applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string type: object @@ -7026,11 +7088,10 @@ spec: - name type: object includes: - description: "IncludesDeprecated allow for specific routing configuration - to be appended to another HTTPProxy in another namespace. \n - Exists due to a mistake when developing HTTPProxy and the field - was marked plural when it should have been singular. This field - should stay to not break backwards compatibility to v1 users." + description: |- + IncludesDeprecated allow for specific routing configuration to be appended to another HTTPProxy in another namespace. + Exists due to a mistake when developing HTTPProxy and the field was marked plural + when it should have been singular. This field should stay to not break backwards compatibility to v1 users. properties: name: description: Name of the child HTTPProxy @@ -7043,69 +7104,71 @@ spec: - name type: object loadBalancerPolicy: - description: The load balancing policy for the backend services. - Note that the `Cookie` and `RequestHash` load balancing strategies - cannot be used here. + description: |- + The load balancing policy for the backend services. Note that the + `Cookie` and `RequestHash` load balancing strategies cannot be used + here. properties: requestHashPolicies: - description: RequestHashPolicies contains a list of hash policies - to apply when the `RequestHash` load balancing strategy - is chosen. If an element of the supplied list of hash policies - is invalid, it will be ignored. If the list of hash policies - is empty after validation, the load balancing strategy will - fall back to the default `RoundRobin`. + description: |- + RequestHashPolicies contains a list of hash policies to apply when the + `RequestHash` load balancing strategy is chosen. If an element of the + supplied list of hash policies is invalid, it will be ignored. If the + list of hash policies is empty after validation, the load balancing + strategy will fall back to the default `RoundRobin`. items: - description: RequestHashPolicy contains configuration for - an individual hash policy on a request attribute. + description: |- + RequestHashPolicy contains configuration for an individual hash policy + on a request attribute. properties: hashSourceIP: - description: HashSourceIP should be set to true when - request source IP hash based load balancing is desired. - It must be the only hash option field set, otherwise - this request hash policy object will be ignored. + description: |- + HashSourceIP should be set to true when request source IP hash based + load balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. type: boolean headerHashOptions: - description: HeaderHashOptions should be set when request - header hash based load balancing is desired. It must - be the only hash option field set, otherwise this - request hash policy object will be ignored. + description: |- + HeaderHashOptions should be set when request header hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: headerName: - description: HeaderName is the name of the HTTP - request header that will be used to calculate - the hash key. If the header specified is not present - on a request, no hash will be produced. + description: |- + HeaderName is the name of the HTTP request header that will be used to + calculate the hash key. If the header specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object queryParameterHashOptions: - description: QueryParameterHashOptions should be set - when request query parameter hash based load balancing - is desired. It must be the only hash option field - set, otherwise this request hash policy object will - be ignored. + description: |- + QueryParameterHashOptions should be set when request query parameter hash based load + balancing is desired. It must be the only hash option field set, + otherwise this request hash policy object will be ignored. properties: parameterName: - description: ParameterName is the name of the HTTP - request query parameter that will be used to calculate - the hash key. If the query parameter specified - is not present on a request, no hash will be produced. + description: |- + ParameterName is the name of the HTTP request query parameter that will be used to + calculate the hash key. If the query parameter specified is not present on a + request, no hash will be produced. minLength: 1 type: string type: object terminal: - description: Terminal is a flag that allows for short-circuiting - computing of a hash for a given request. If set to - true, and the request attribute specified in the attribute - hash options is present, no further hash policies - will be used to calculate a hash for the request. + description: |- + Terminal is a flag that allows for short-circuiting computing of a hash + for a given request. If set to true, and the request attribute specified + in the attribute hash options is present, no further hash policies will + be used to calculate a hash for the request. type: boolean type: object type: array strategy: - description: Strategy specifies the policy used to balance - requests across the pool of backend pods. Valid policy names - are `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, + description: |- + Strategy specifies the policy used to balance requests + across the pool of backend pods. Valid policy names are + `Random`, `RoundRobin`, `WeightedLeastRequest`, `Cookie`, and `RequestHash`. If an unknown strategy name is specified or no policy is supplied, the default `RoundRobin` policy is used. @@ -7123,12 +7186,14 @@ spec: items: properties: domainRewrite: - description: DomainRewrite enables rewriting the Set-Cookie - Domain element. If not set, Domain will not be rewritten. + description: |- + DomainRewrite enables rewriting the Set-Cookie Domain element. + If not set, Domain will not be rewritten. properties: value: - description: Value is the value to rewrite the - Domain attribute to. For now this is required. + description: |- + Value is the value to rewrite the Domain attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -7144,12 +7209,14 @@ spec: pattern: ^[^()<>@,;:\\"\/[\]?={} \t\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ type: string pathRewrite: - description: PathRewrite enables rewriting the Set-Cookie - Path element. If not set, Path will not be rewritten. + description: |- + PathRewrite enables rewriting the Set-Cookie Path element. + If not set, Path will not be rewritten. properties: value: - description: Value is the value to rewrite the - Path attribute to. For now this is required. + description: |- + Value is the value to rewrite the Path attribute to. + For now this is required. maxLength: 4096 minLength: 1 pattern: ^[^;\x7f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f]+$ @@ -7158,44 +7225,43 @@ spec: - value type: object sameSite: - description: SameSite enables rewriting the Set-Cookie - SameSite element. If not set, SameSite attribute - will not be rewritten. + description: |- + SameSite enables rewriting the Set-Cookie SameSite element. + If not set, SameSite attribute will not be rewritten. enum: - Strict - Lax - None type: string secure: - description: Secure enables rewriting the Set-Cookie - Secure element. If not set, Secure attribute will - not be rewritten. + description: |- + Secure enables rewriting the Set-Cookie Secure element. + If not set, Secure attribute will not be rewritten. type: boolean required: - name type: object type: array healthPort: - description: HealthPort is the port for this service healthcheck. + description: |- + HealthPort is the port for this service healthcheck. If not specified, Port is used for service healthchecks. maximum: 65535 minimum: 1 type: integer mirror: - description: 'If Mirror is true the Service will receive - a read only mirror of the traffic for this route. If Mirror - is true, then fractional mirroring can be enabled by optionally - setting the Weight field. Legal values for Weight are - 1-100. Omitting the Weight field will result in 100% mirroring. - NOTE: Setting Weight explicitly to 0 will unexpectedly - result in 100% traffic mirroring. This occurs since we - cannot distinguish omitted fields from those explicitly - set to their default values' + description: |- + If Mirror is true the Service will receive a read only mirror of the traffic for this route. + If Mirror is true, then fractional mirroring can be enabled by optionally setting the Weight + field. Legal values for Weight are 1-100. Omitting the Weight field will result in 100% mirroring. + NOTE: Setting Weight explicitly to 0 will unexpectedly result in 100% traffic mirroring. This + occurs since we cannot distinguish omitted fields from those explicitly set to their default + values type: boolean name: - description: Name is the name of Kubernetes service to proxy - traffic. Names defined here will be used to look up corresponding - endpoints which contain the ips to route. + description: |- + Name is the name of Kubernetes service to proxy traffic. + Names defined here will be used to look up corresponding endpoints which contain the ips to route. type: string port: description: Port (defined as Integer) to proxy traffic @@ -7205,10 +7271,9 @@ spec: minimum: 1 type: integer protocol: - description: Protocol may be used to specify (or override) - the protocol used to reach this Service. Values may be - tls, h2, h2c. If omitted, protocol-selection falls back - on Service annotations. + description: |- + Protocol may be used to specify (or override) the protocol used to reach this Service. + Values may be tls, h2, h2c. If omitted, protocol-selection falls back on Service annotations. enum: - h2 - h2c @@ -7225,10 +7290,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -7249,8 +7313,9 @@ spec: type: array type: object responseHeadersPolicy: - description: The policy for managing response headers during - proxying. Rewriting the 'Host' header is not supported. + description: |- + The policy for managing response headers during proxying. + Rewriting the 'Host' header is not supported. properties: remove: description: Remove specifies a list of HTTP header @@ -7259,10 +7324,9 @@ spec: type: string type: array set: - description: Set specifies a list of HTTP header values - that will be set in the HTTP header. If the header - does not exist it will be added, otherwise it will - be overwritten with the new value. + description: |- + Set specifies a list of HTTP header values that will be set in the HTTP header. + If the header does not exist it will be added, otherwise it will be overwritten with the new value. items: description: HeaderValue represents a header name/value pair @@ -7288,32 +7352,29 @@ spec: properties: aggression: default: "1.0" - description: "The speed of traffic increase over the - slow start window. Defaults to 1.0, so that endpoint - would get linearly increasing amount of traffic. When - increasing the value for this parameter, the speed - of traffic ramp-up increases non-linearly. The value - of aggression parameter should be greater than 0.0. - \n More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start" + description: |- + The speed of traffic increase over the slow start window. + Defaults to 1.0, so that endpoint would get linearly increasing amount of traffic. + When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly. + The value of aggression parameter should be greater than 0.0. + More info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/slow_start pattern: ^([0-9]+([.][0-9]+)?|[.][0-9]+)$ type: string minWeightPercent: default: 10 - description: The minimum or starting percentage of traffic - to send to new endpoints. A non-zero value helps avoid - a too small initial weight, which may cause endpoints - in slow start mode to receive no traffic in the beginning - of the slow start window. If not specified, the default - is 10%. + description: |- + The minimum or starting percentage of traffic to send to new endpoints. + A non-zero value helps avoid a too small initial weight, which may cause endpoints in slow start mode to receive no traffic in the beginning of the slow start window. + If not specified, the default is 10%. format: int32 maximum: 100 minimum: 0 type: integer window: - description: The duration of slow start window. Duration - is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", - "m", "h". + description: |- + The duration of slow start window. + Duration is expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ type: string required: @@ -7324,28 +7385,25 @@ spec: backend service's certificate properties: caSecret: - description: Name or namespaced name of the Kubernetes - secret used to validate the certificate presented - by the backend. The secret must contain key named - ca.crt. The name can be optionally prefixed with namespace - "namespace/name". When cross-namespace reference is - used, TLSCertificateDelegation resource must exist - in the namespace to grant access to the secret. Max - length should be the actual max possible length of - a namespaced name (63 + 253 + 1 = 317) + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) maxLength: 317 minLength: 1 type: string subjectName: - description: 'Key which is expected to be present in - the ''subjectAltName'' of the presented certificate. - Deprecated: migrate to using the plural field subjectNames.' + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. maxLength: 250 minLength: 1 type: string subjectNames: - description: List of keys, of which at least one is - expected to be present in the 'subjectAltName of the + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the presented certificate. items: type: string @@ -7373,34 +7431,38 @@ spec: type: array type: object virtualhost: - description: Virtualhost appears at most once. If it is present, the - object is considered to be a "root" HTTPProxy. + description: |- + Virtualhost appears at most once. If it is present, the object is considered + to be a "root" HTTPProxy. properties: authorization: - description: This field configures an extension service to perform - authorization for this virtual host. Authorization can only - be configured on virtual hosts that have TLS enabled. If the - TLS configuration requires client certificate validation, the - client certificate is always included in the authentication - check request. + description: |- + This field configures an extension service to perform + authorization for this virtual host. Authorization can + only be configured on virtual hosts that have TLS enabled. + If the TLS configuration requires client certificate + validation, the client certificate is always included in the + authentication check request. properties: authPolicy: - description: AuthPolicy sets a default authorization policy - for client requests. This policy will be used unless overridden - by individual routes. + description: |- + AuthPolicy sets a default authorization policy for client requests. + This policy will be used unless overridden by individual routes. properties: context: additionalProperties: type: string - description: Context is a set of key/value pairs that - are sent to the authentication server in the check request. - If a context is provided at an enclosing scope, the - entries are merged such that the inner scope overrides - matching keys from the outer scope. + description: |- + Context is a set of key/value pairs that are sent to the + authentication server in the check request. If a context + is provided at an enclosing scope, the entries are merged + such that the inner scope overrides matching keys from the + outer scope. type: object disabled: - description: When true, this field disables client request - authentication for the scope of the policy. + description: |- + When true, this field disables client request authentication + for the scope of the policy. type: boolean type: object extensionRef: @@ -7408,36 +7470,38 @@ spec: that will authorize client requests. properties: apiVersion: - description: API version of the referent. If this field - is not specified, the default "projectcontour.io/v1alpha1" - will be used + description: |- + API version of the referent. + If this field is not specified, the default "projectcontour.io/v1alpha1" will be used minLength: 1 type: string name: - description: "Name of the referent. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names minLength: 1 type: string namespace: - description: "Namespace of the referent. If this field - is not specifies, the namespace of the resource that - targets the referent will be used. \n More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + description: |- + Namespace of the referent. + If this field is not specifies, the namespace of the resource that targets the referent will be used. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ minLength: 1 type: string type: object failOpen: - description: If FailOpen is true, the client request is forwarded - to the upstream service even if the authorization server - fails to respond. This field should not be set in most cases. - It is intended for use only while migrating applications + description: |- + If FailOpen is true, the client request is forwarded to the upstream service + even if the authorization server fails to respond. This field should not be + set in most cases. It is intended for use only while migrating applications from internal authorization to Contour external authorization. type: boolean responseTimeout: - description: ResponseTimeout configures maximum time to wait - for a check response from the authorization server. Timeout - durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", - "h". The string "infinity" is also a valid input and specifies - no timeout. + description: |- + ResponseTimeout configures maximum time to wait for a check response from the authorization server. + Timeout durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + The string "infinity" is also a valid input and specifies no timeout. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$ type: string withRequestBody: @@ -7489,20 +7553,21 @@ spec: minItems: 1 type: array allowOrigin: - description: AllowOrigin specifies the origins that will be - allowed to do CORS requests. Allowed values include "*" - which signifies any origin is allowed, an exact origin of - the form "scheme://host[:port]" (where port is optional), - or a valid regex pattern. Note that regex patterns are validated - and a simple "glob" pattern (e.g. *.foo.com) will be rejected - or produce unexpected matches when applied as a regex. + description: |- + AllowOrigin specifies the origins that will be allowed to do CORS requests. + Allowed values include "*" which signifies any origin is allowed, an exact + origin of the form "scheme://host[:port]" (where port is optional), or a valid + regex pattern. + Note that regex patterns are validated and a simple "glob" pattern (e.g. *.foo.com) + will be rejected or produce unexpected matches when applied as a regex. items: type: string minItems: 1 type: array allowPrivateNetwork: - description: AllowPrivateNetwork specifies whether to allow - private network requests. See https://developer.chrome.com/blog/private-network-access-preflight. + description: |- + AllowPrivateNetwork specifies whether to allow private network requests. + See https://developer.chrome.com/blog/private-network-access-preflight. type: boolean exposeHeaders: description: ExposeHeaders Specifies the content for the *access-control-expose-headers* @@ -7515,13 +7580,12 @@ spec: minItems: 1 type: array maxAge: - description: MaxAge indicates for how long the results of - a preflight request can be cached. MaxAge durations are - expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", - "h". Only positive values are allowed while 0 disables the - cache requiring a preflight OPTIONS check for all cross-origin - requests. + description: |- + MaxAge indicates for how long the results of a preflight request can be cached. + MaxAge durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + Only positive values are allowed while 0 disables the cache requiring a preflight OPTIONS + check for all cross-origin requests. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|0)$ type: string required: @@ -7529,30 +7593,32 @@ spec: - allowOrigin type: object fqdn: - description: The fully qualified domain name of the root of the - ingress tree all leaves of the DAG rooted at this object relate - to the fqdn. + description: |- + The fully qualified domain name of the root of the ingress tree + all leaves of the DAG rooted at this object relate to the fqdn. pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string ipAllowPolicy: - description: IPAllowFilterPolicy is a list of ipv4/6 filter rules - for which matching requests should be allowed. All other requests - will be denied. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy - can be defined. The rules defined here may be overridden in - a Route. + description: |- + IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be allowed. All other requests will be denied. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here may be overridden in a Route. items: properties: cidr: - description: CIDR is a CIDR block of ipv4 or ipv6 addresses - to filter on. This can also be a bare IP address (without - a mask) to filter on exactly one address. + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. type: string source: - description: 'Source indicates how to determine the ip address - to filter on, and can be one of two values: - `Remote` - filters on the ip address of the client, accounting for - PROXY and X-Forwarded-For as needed. - `Peer` filters - on the ip of the network request, ignoring PROXY and X-Forwarded-For.' + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. enum: - Peer - Remote @@ -7563,24 +7629,26 @@ spec: type: object type: array ipDenyPolicy: - description: IPDenyFilterPolicy is a list of ipv4/6 filter rules - for which matching requests should be denied. All other requests - will be allowed. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy - can be defined. The rules defined here may be overridden in - a Route. + description: |- + IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching + requests should be denied. All other requests will be allowed. + Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined. + The rules defined here may be overridden in a Route. items: properties: cidr: - description: CIDR is a CIDR block of ipv4 or ipv6 addresses - to filter on. This can also be a bare IP address (without - a mask) to filter on exactly one address. + description: |- + CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be + a bare IP address (without a mask) to filter on exactly one address. type: string source: - description: 'Source indicates how to determine the ip address - to filter on, and can be one of two values: - `Remote` - filters on the ip address of the client, accounting for - PROXY and X-Forwarded-For as needed. - `Peer` filters - on the ip of the network request, ignoring PROXY and X-Forwarded-For.' + description: |- + Source indicates how to determine the ip address to filter on, and can be + one of two values: + - `Remote` filters on the ip address of the client, accounting for PROXY and + X-Forwarded-For as needed. + - `Peer` filters on the ip of the network request, ignoring PROXY and + X-Forwarded-For. enum: - Peer - Remote @@ -7597,27 +7665,31 @@ spec: description: JWTProvider defines how to verify JWTs on requests. properties: audiences: - description: Audiences that JWTs are allowed to have in - the "aud" field. If not provided, JWT audiences are not - checked. + description: |- + Audiences that JWTs are allowed to have in the "aud" field. + If not provided, JWT audiences are not checked. items: type: string type: array default: - description: Whether the provider should apply to all routes - in the HTTPProxy/its includes by default. At most one - provider can be marked as the default. If no provider - is marked as the default, individual routes must explicitly + description: |- + Whether the provider should apply to all + routes in the HTTPProxy/its includes by + default. At most one provider can be marked + as the default. If no provider is marked + as the default, individual routes must explicitly identify the provider they require. type: boolean forwardJWT: - description: Whether the JWT should be forwarded to the - backend service after successful verification. By default, + description: |- + Whether the JWT should be forwarded to the backend + service after successful verification. By default, the JWT is not forwarded. type: boolean issuer: - description: Issuer that JWTs are required to have in the - "iss" field. If not provided, JWT issuers are not checked. + description: |- + Issuer that JWTs are required to have in the "iss" field. + If not provided, JWT issuers are not checked. type: string name: description: Unique name for the provider. @@ -7627,33 +7699,34 @@ spec: description: Remote JWKS to use for verifying JWT signatures. properties: cacheDuration: - description: How long to cache the JWKS locally. If - not specified, Envoy's default of 5m applies. + description: |- + How long to cache the JWKS locally. If not specified, + Envoy's default of 5m applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ type: string dnsLookupFamily: - description: "The DNS IP address resolution policy for - the JWKS URI. When configured as \"v4\", the DNS resolver - will only perform a lookup for addresses in the IPv4 - family. If \"v6\" is configured, the DNS resolver - will only perform a lookup for addresses in the IPv6 - family. If \"all\" is configured, the DNS resolver - will perform a lookup for addresses in both the IPv4 - and IPv6 family. If \"auto\" is configured, the DNS - resolver will first perform a lookup for addresses - in the IPv6 family and fallback to a lookup for addresses - in the IPv4 family. If not specified, the Contour-wide - setting defined in the config file or ContourConfiguration - applies (defaults to \"auto\"). \n See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily - for more information." + description: |- + The DNS IP address resolution policy for the JWKS URI. + When configured as "v4", the DNS resolver will only perform a lookup + for addresses in the IPv4 family. If "v6" is configured, the DNS resolver + will only perform a lookup for addresses in the IPv6 family. + If "all" is configured, the DNS resolver + will perform a lookup for addresses in both the IPv4 and IPv6 family. + If "auto" is configured, the DNS resolver will first perform a lookup + for addresses in the IPv6 family and fallback to a lookup for addresses + in the IPv4 family. If not specified, the Contour-wide setting defined + in the config file or ContourConfiguration applies (defaults to "auto"). + See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + for more information. enum: - auto - v4 - v6 type: string timeout: - description: How long to wait for a response from the - URI. If not specified, a default of 1s applies. + description: |- + How long to wait for a response from the URI. + If not specified, a default of 1s applies. pattern: ^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+)$ type: string uri: @@ -7665,31 +7738,26 @@ spec: the JWKS's TLS certificate. properties: caSecret: - description: Name or namespaced name of the Kubernetes - secret used to validate the certificate presented - by the backend. The secret must contain key named - ca.crt. The name can be optionally prefixed with - namespace "namespace/name". When cross-namespace - reference is used, TLSCertificateDelegation resource - must exist in the namespace to grant access to - the secret. Max length should be the actual max - possible length of a namespaced name (63 + 253 - + 1 = 317) + description: |- + Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend. + The secret must contain key named ca.crt. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. + Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317) maxLength: 317 minLength: 1 type: string subjectName: - description: 'Key which is expected to be present - in the ''subjectAltName'' of the presented certificate. - Deprecated: migrate to using the plural field - subjectNames.' + description: |- + Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated: migrate to using the plural field subjectNames. maxLength: 250 minLength: 1 type: string subjectNames: - description: List of keys, of which at least one - is expected to be present in the 'subjectAltName - of the presented certificate. + description: |- + List of keys, of which at least one is expected to be present in the 'subjectAltName of the + presented certificate. items: type: string maxItems: 8 @@ -7716,15 +7784,16 @@ spec: description: The policy for rate limiting on the virtual host. properties: global: - description: Global defines global rate limiting parameters, - i.e. parameters defining descriptors that are sent to an - external rate limit service (RLS) for a rate limit decision - on each request. + description: |- + Global defines global rate limiting parameters, i.e. parameters + defining descriptors that are sent to an external rate limit + service (RLS) for a rate limit decision on each request. properties: descriptors: - description: Descriptors defines the list of descriptors - that will be generated and sent to the rate limit service. - Each descriptor contains 1+ key-value pair entries. + description: |- + Descriptors defines the list of descriptors that will + be generated and sent to the rate limit service. Each + descriptor contains 1+ key-value pair entries. items: description: RateLimitDescriptor defines a list of key-value pair generators. @@ -7733,18 +7802,18 @@ spec: description: Entries is the list of key-value pair generators. items: - description: RateLimitDescriptorEntry is a key-value - pair generator. Exactly one field on this struct - must be non-nil. + description: |- + RateLimitDescriptorEntry is a key-value pair generator. Exactly + one field on this struct must be non-nil. properties: genericKey: description: GenericKey defines a descriptor entry with a static key and value. properties: key: - description: Key defines the key of the - descriptor entry. If not set, the key - is set to "generic_key". + description: |- + Key defines the key of the descriptor entry. If not set, the + key is set to "generic_key". type: string value: description: Value defines the value of @@ -7753,17 +7822,15 @@ spec: type: string type: object remoteAddress: - description: RemoteAddress defines a descriptor - entry with a key of "remote_address" and - a value equal to the client's IP address - (from x-forwarded-for). + description: |- + RemoteAddress defines a descriptor entry with a key of "remote_address" + and a value equal to the client's IP address (from x-forwarded-for). type: object requestHeader: - description: RequestHeader defines a descriptor - entry that's populated only if a given header - is present on the request. The descriptor - key is static, and the descriptor value - is equal to the value of the header. + description: |- + RequestHeader defines a descriptor entry that's populated only if + a given header is present on the request. The descriptor key is static, + and the descriptor value is equal to the value of the header. properties: descriptorKey: description: DescriptorKey defines the @@ -7777,42 +7844,36 @@ spec: type: string type: object requestHeaderValueMatch: - description: RequestHeaderValueMatch defines - a descriptor entry that's populated if the - request's headers match a set of 1+ match - criteria. The descriptor key is "header_match", - and the descriptor value is static. + description: |- + RequestHeaderValueMatch defines a descriptor entry that's populated + if the request's headers match a set of 1+ match criteria. The + descriptor key is "header_match", and the descriptor value is static. properties: expectMatch: default: true - description: ExpectMatch defines whether - the request must positively match the - match criteria in order to generate - a descriptor entry (i.e. true), or not - match the match criteria in order to - generate a descriptor entry (i.e. false). + description: |- + ExpectMatch defines whether the request must positively match the match + criteria in order to generate a descriptor entry (i.e. true), or not + match the match criteria in order to generate a descriptor entry (i.e. false). The default is true. type: boolean headers: - description: Headers is a list of 1+ match - criteria to apply against the request - to determine whether to populate the - descriptor entry or not. + description: |- + Headers is a list of 1+ match criteria to apply against the request + to determine whether to populate the descriptor entry or not. items: - description: HeaderMatchCondition specifies - how to conditionally match against - HTTP headers. The Name field is required, - only one of Present, NotPresent, Contains, - NotContains, Exact, NotExact and Regex - can be set. For negative matching - rules only (e.g. NotContains or NotExact) - you can set TreatMissingAsEmpty. IgnoreCase - has no effect for Regex. + description: |- + HeaderMatchCondition specifies how to conditionally match against HTTP + headers. The Name field is required, only one of Present, NotPresent, + Contains, NotContains, Exact, NotExact and Regex can be set. + For negative matching rules only (e.g. NotContains or NotExact) you can set + TreatMissingAsEmpty. + IgnoreCase has no effect for Regex. properties: contains: - description: Contains specifies - a substring that must be present - in the header value. + description: |- + Contains specifies a substring that must be present in + the header value. type: string exact: description: Exact specifies a string @@ -7820,61 +7881,49 @@ spec: equal to. type: string ignoreCase: - description: IgnoreCase specifies - that string matching should be - case insensitive. Note that this - has no effect on the Regex parameter. + description: |- + IgnoreCase specifies that string matching should be case insensitive. + Note that this has no effect on the Regex parameter. type: boolean name: - description: Name is the name of - the header to match against. Name - is required. Header names are - case insensitive. + description: |- + Name is the name of the header to match against. Name is required. + Header names are case insensitive. type: string notcontains: - description: NotContains specifies - a substring that must not be present + description: |- + NotContains specifies a substring that must not be present in the header value. type: string notexact: - description: NoExact specifies a - string that the header value must - not be equal to. The condition - is true if the header has any - other value. + description: |- + NoExact specifies a string that the header value must not be + equal to. The condition is true if the header has any other value. type: string notpresent: - description: NotPresent specifies - that condition is true when the - named header is not present. Note - that setting NotPresent to false - does not make the condition true - if the named header is present. + description: |- + NotPresent specifies that condition is true when the named header + is not present. Note that setting NotPresent to false does not + make the condition true if the named header is present. type: boolean present: - description: Present specifies that - condition is true when the named - header is present, regardless - of its value. Note that setting - Present to false does not make - the condition true if the named - header is absent. + description: |- + Present specifies that condition is true when the named header + is present, regardless of its value. Note that setting Present + to false does not make the condition true if the named header + is absent. type: boolean regex: - description: Regex specifies a regular - expression pattern that must match - the header value. + description: |- + Regex specifies a regular expression pattern that must match the header + value. type: string treatMissingAsEmpty: - description: TreatMissingAsEmpty - specifies if the header match - rule specified header does not - exist, this header value will - be treated as empty. Defaults - to false. Unlike the underlying - Envoy implementation this is **only** - supported for negative matches - (e.g. NotContains, NotExact). + description: |- + TreatMissingAsEmpty specifies if the header match rule specified header + does not exist, this header value will be treated as empty. Defaults to false. + Unlike the underlying Envoy implementation this is **only** supported for + negative matches (e.g. NotContains, NotExact). type: boolean required: - name @@ -7894,31 +7943,34 @@ spec: minItems: 1 type: array disabled: - description: Disabled configures the HTTPProxy to not - use the default global rate limit policy defined by - the Contour configuration. + description: |- + Disabled configures the HTTPProxy to not use + the default global rate limit policy defined by the Contour configuration. type: boolean type: object local: - description: Local defines local rate limiting parameters, - i.e. parameters for rate limiting that occurs within each - Envoy pod as requests are handled. + description: |- + Local defines local rate limiting parameters, i.e. parameters + for rate limiting that occurs within each Envoy pod as requests + are handled. properties: burst: - description: Burst defines the number of requests above - the requests per unit that should be allowed within - a short period of time. + description: |- + Burst defines the number of requests above the requests per + unit that should be allowed within a short period of time. format: int32 type: integer requests: - description: Requests defines how many requests per unit - of time should be allowed before rate limiting occurs. + description: |- + Requests defines how many requests per unit of time should + be allowed before rate limiting occurs. format: int32 minimum: 1 type: integer responseHeadersToAdd: - description: ResponseHeadersToAdd is an optional list - of response headers to set when a request is rate-limited. + description: |- + ResponseHeadersToAdd is an optional list of response headers to + set when a request is rate-limited. items: description: HeaderValue represents a header name/value pair @@ -7938,18 +7990,20 @@ spec: type: object type: array responseStatusCode: - description: ResponseStatusCode is the HTTP status code - to use for responses to rate-limited requests. Codes - must be in the 400-599 range (inclusive). If not specified, - the Envoy default of 429 (Too Many Requests) is used. + description: |- + ResponseStatusCode is the HTTP status code to use for responses + to rate-limited requests. Codes must be in the 400-599 range + (inclusive). If not specified, the Envoy default of 429 (Too + Many Requests) is used. format: int32 maximum: 599 minimum: 400 type: integer unit: - description: Unit defines the period of time within which - requests over the limit will be rate limited. Valid - values are "second", "minute" and "hour". + description: |- + Unit defines the period of time within which requests + over the limit will be rate limited. Valid values are + "second", "minute" and "hour". enum: - second - minute @@ -7961,57 +8015,56 @@ spec: type: object type: object tls: - description: If present the fields describes TLS properties of - the virtual host. The SNI names that will be matched on are - described in fqdn, the tls.secretName secret must contain a - certificate that itself contains a name that matches the FQDN. + description: |- + If present the fields describes TLS properties of the virtual + host. The SNI names that will be matched on are described in fqdn, + the tls.secretName secret must contain a certificate that itself + contains a name that matches the FQDN. properties: clientValidation: - description: "ClientValidation defines how to verify the client - certificate when an external client establishes a TLS connection - to Envoy. \n This setting: \n 1. Enables TLS client certificate - validation. 2. Specifies how the client certificate will - be validated (i.e. validation required or skipped). \n Note: - Setting client certificate validation to be skipped should - be only used in conjunction with an external authorization - server that performs client validation as Contour will ensure - client certificates are passed along." + description: |- + ClientValidation defines how to verify the client certificate + when an external client establishes a TLS connection to Envoy. + This setting: + 1. Enables TLS client certificate validation. + 2. Specifies how the client certificate will be validated (i.e. + validation required or skipped). + Note: Setting client certificate validation to be skipped should + be only used in conjunction with an external authorization server that + performs client validation as Contour will ensure client certificates + are passed along. properties: caSecret: - description: Name of a Kubernetes secret that contains - a CA certificate bundle. The secret must contain key - named ca.crt. The client certificate must validate against - the certificates in the bundle. If specified and SkipClientCertValidation - is true, client certificates will be required on requests. + description: |- + Name of a Kubernetes secret that contains a CA certificate bundle. + The secret must contain key named ca.crt. + The client certificate must validate against the certificates in the bundle. + If specified and SkipClientCertValidation is true, client certificates will + be required on requests. The name can be optionally prefixed with namespace "namespace/name". - When cross-namespace reference is used, TLSCertificateDelegation - resource must exist in the namespace to grant access - to the secret. + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. minLength: 1 type: string crlOnlyVerifyLeafCert: - description: If this option is set to true, only the certificate - at the end of the certificate chain will be subject - to validation by CRL. + description: |- + If this option is set to true, only the certificate at the end of the + certificate chain will be subject to validation by CRL. type: boolean crlSecret: - description: Name of a Kubernetes opaque secret that contains - a concatenated list of PEM encoded CRLs. The secret - must contain key named crl.pem. This field will be used - to verify that a client certificate has not been revoked. - CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert - is true. Large CRL lists are not supported since individual - secrets are limited to 1MiB in size. The name can be - optionally prefixed with namespace "namespace/name". - When cross-namespace reference is used, TLSCertificateDelegation - resource must exist in the namespace to grant access - to the secret. + description: |- + Name of a Kubernetes opaque secret that contains a concatenated list of PEM encoded CRLs. + The secret must contain key named crl.pem. + This field will be used to verify that a client certificate has not been revoked. + CRLs must be available from all CAs, unless crlOnlyVerifyLeafCert is true. + Large CRL lists are not supported since individual secrets are limited to 1MiB in size. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. minLength: 1 type: string forwardClientCertificate: - description: ForwardClientCertificate adds the selected - data from the passed client TLS certificate to the x-forwarded-client-cert - header. + description: |- + ForwardClientCertificate adds the selected data from the passed client TLS certificate + to the x-forwarded-client-cert header. properties: cert: description: Client cert in URL encoded PEM format. @@ -8033,55 +8086,56 @@ spec: type: boolean type: object optionalClientCertificate: - description: OptionalClientCertificate when set to true - will request a client certificate but allow the connection - to continue if the client does not provide one. If a - client certificate is sent, it will be verified according - to the other properties, which includes disabling validation - if SkipClientCertValidation is set. Defaults to false. + description: |- + OptionalClientCertificate when set to true will request a client certificate + but allow the connection to continue if the client does not provide one. + If a client certificate is sent, it will be verified according to the + other properties, which includes disabling validation if + SkipClientCertValidation is set. Defaults to false. type: boolean skipClientCertValidation: - description: SkipClientCertValidation disables downstream - client certificate validation. Defaults to false. This - field is intended to be used in conjunction with external - authorization in order to enable the external authorization - server to validate client certificates. When this field - is set to true, client certificates are requested but - not verified by Envoy. If CACertificate is specified, - client certificates are required on requests, but not - verified. If external authorization is in use, they - are presented to the external authorization server. + description: |- + SkipClientCertValidation disables downstream client certificate + validation. Defaults to false. This field is intended to be used in + conjunction with external authorization in order to enable the external + authorization server to validate client certificates. When this field + is set to true, client certificates are requested but not verified by + Envoy. If CACertificate is specified, client certificates are required on + requests, but not verified. If external authorization is in use, they are + presented to the external authorization server. type: boolean type: object enableFallbackCertificate: - description: EnableFallbackCertificate defines if the vhost - should allow a default certificate to be applied which handles - all requests which don't match the SNI defined in this vhost. + description: |- + EnableFallbackCertificate defines if the vhost should allow a default certificate to + be applied which handles all requests which don't match the SNI defined in this vhost. type: boolean maximumProtocolVersion: - description: MaximumProtocolVersion is the maximum TLS version - this vhost should negotiate. Valid options are `1.2` and - `1.3` (default). Any other value defaults to TLS 1.3. + description: |- + MaximumProtocolVersion is the maximum TLS version this vhost should + negotiate. Valid options are `1.2` and `1.3` (default). Any other value + defaults to TLS 1.3. type: string minimumProtocolVersion: - description: MinimumProtocolVersion is the minimum TLS version - this vhost should negotiate. Valid options are `1.2` (default) - and `1.3`. Any other value defaults to TLS 1.2. + description: |- + MinimumProtocolVersion is the minimum TLS version this vhost should + negotiate. Valid options are `1.2` (default) and `1.3`. Any other value + defaults to TLS 1.2. type: string passthrough: - description: Passthrough defines whether the encrypted TLS - handshake will be passed through to the backing cluster. - Either Passthrough or SecretName must be specified, but - not both. + description: |- + Passthrough defines whether the encrypted TLS handshake will be + passed through to the backing cluster. Either Passthrough or + SecretName must be specified, but not both. type: boolean secretName: - description: SecretName is the name of a TLS secret. Either - SecretName or Passthrough must be specified, but not both. + description: |- + SecretName is the name of a TLS secret. + Either SecretName or Passthrough must be specified, but not both. If specified, the named secret must contain a matching certificate - for the virtual host's FQDN. The name can be optionally - prefixed with namespace "namespace/name". When cross-namespace - reference is used, TLSCertificateDelegation resource must - exist in the namespace to grant access to the secret. + for the virtual host's FQDN. + The name can be optionally prefixed with namespace "namespace/name". + When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret. type: string type: object required: @@ -8096,75 +8150,67 @@ spec: HTTPProxy. properties: conditions: - description: "Conditions contains information about the current status - of the HTTPProxy, in an upstream-friendly container. \n Contour - will update a single condition, `Valid`, that is in normal-true - polarity. That is, when `currentStatus` is `valid`, the `Valid` - condition will be `status: true`, and vice versa. \n Contour will - leave untouched any other Conditions set in this block, in case - some other controller wants to add a Condition. \n If you are another - controller owner and wish to add a condition, you *should* namespace - your condition with a label, like `controller.domain.com/ConditionName`." + description: |- + Conditions contains information about the current status of the HTTPProxy, + in an upstream-friendly container. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + That is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`, + and vice versa. + Contour will leave untouched any other Conditions set in this block, + in case some other controller wants to add a Condition. + If you are another controller owner and wish to add a condition, you *should* + namespace your condition with a label, like `controller.domain.com/ConditionName`. items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. - \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. \n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. properties: errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -8178,10 +8224,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -8193,32 +8239,31 @@ spec: type: object type: array lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -8232,43 +8277,42 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -8282,10 +8326,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -8316,48 +8360,49 @@ spec: balancer. properties: ingress: - description: Ingress is a list containing ingress points for the - load-balancer. Traffic intended for the service should be sent - to these ingress points. + description: |- + Ingress is a list containing ingress points for the load-balancer. + Traffic intended for the service should be sent to these ingress points. items: - description: 'LoadBalancerIngress represents the status of a - load-balancer ingress point: traffic intended for the service - should be sent to an ingress point.' + description: |- + LoadBalancerIngress represents the status of a load-balancer ingress point: + traffic intended for the service should be sent to an ingress point. properties: hostname: - description: Hostname is set for load-balancer ingress points - that are DNS based (typically AWS load-balancers) + description: |- + Hostname is set for load-balancer ingress points that are DNS based + (typically AWS load-balancers) type: string ip: - description: IP is set for load-balancer ingress points - that are IP based (typically GCE or OpenStack load-balancers) + description: |- + IP is set for load-balancer ingress points that are IP based + (typically GCE or OpenStack load-balancers) type: string ipMode: - description: IPMode specifies how the load-balancer IP behaves, - and may only be specified when the ip field is specified. - Setting this to "VIP" indicates that traffic is delivered - to the node with the destination set to the load-balancer's - IP and port. Setting this to "Proxy" indicates that traffic - is delivered to the node or pod with the destination set - to the node's IP and node port or the pod's IP and port. - Service implementations may use this information to adjust - traffic routing. + description: |- + IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified. + Setting this to "VIP" indicates that traffic is delivered to the node with + the destination set to the load-balancer's IP and port. + Setting this to "Proxy" indicates that traffic is delivered to the node or pod with + the destination set to the node's IP and node port or the pod's IP and port. + Service implementations may use this information to adjust traffic routing. type: string ports: - description: Ports is a list of records of service ports - If used, every port defined in the service should have - an entry in it + description: |- + Ports is a list of records of service ports + If used, every port defined in the service should have an entry in it items: properties: error: - description: 'Error is to record the problem with - the service port The format of the error shall comply - with the following rules: - built-in error values - shall be specified in this file and those shall - use CamelCase names - cloud provider specific error - values must have names that comply with the format - foo.example.com/CamelCase. --- The regex it matches - is (dns1123SubdomainFmt/)?(qualifiedNameFmt)' + description: |- + Error is to record the problem with the service port + The format of the error shall comply with the following rules: + - built-in error values shall be specified in this file and those shall use + CamelCase names + - cloud provider specific error values must have names that comply with the + format foo.example.com/CamelCase. + --- + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -8368,9 +8413,9 @@ spec: type: integer protocol: default: TCP - description: 'Protocol is the protocol of the service - port of which status is recorded here The supported - values are: "TCP", "UDP", "SCTP"' + description: |- + Protocol is the protocol of the service port of which status is recorded here + The supported values are: "TCP", "UDP", "SCTP" type: string required: - port @@ -8395,7 +8440,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: tlscertificatedelegations.projectcontour.io spec: preserveUnknownFields: false @@ -8412,18 +8457,24 @@ spec: - name: v1 schema: openAPIV3Schema: - description: TLSCertificateDelegation is an TLS Certificate Delegation CRD - specification. See design/tls-certificate-delegation.md for details. + description: |- + TLSCertificateDelegation is an TLS Certificate Delegation CRD specification. + See design/tls-certificate-delegation.md for details. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -8432,18 +8483,20 @@ spec: properties: delegations: items: - description: CertificateDelegation maps the authority to reference - a secret in the current namespace to a set of namespaces. + description: |- + CertificateDelegation maps the authority to reference a secret + in the current namespace to a set of namespaces. properties: secretName: description: required, the name of a secret in the current namespace. type: string targetNamespaces: - description: required, the namespaces the authority to reference - the secret will be delegated to. If TargetNamespaces is nil - or empty, the CertificateDelegation' is ignored. If the TargetNamespace - list contains the character, "*" the secret will be delegated - to all namespaces. + description: |- + required, the namespaces the authority to reference the + secret will be delegated to. + If TargetNamespaces is nil or empty, the CertificateDelegation' + is ignored. If the TargetNamespace list contains the character, "*" + the secret will be delegated to all namespaces. items: type: string type: array @@ -8456,79 +8509,72 @@ spec: - delegations type: object status: - description: TLSCertificateDelegationStatus allows for the status of the - delegation to be presented to the user. + description: |- + TLSCertificateDelegationStatus allows for the status of the delegation + to be presented to the user. properties: conditions: - description: "Conditions contains information about the current status - of the HTTPProxy, in an upstream-friendly container. \n Contour - will update a single condition, `Valid`, that is in normal-true - polarity. That is, when `currentStatus` is `valid`, the `Valid` - condition will be `status: true`, and vice versa. \n Contour will - leave untouched any other Conditions set in this block, in case - some other controller wants to add a Condition. \n If you are another - controller owner and wish to add a condition, you *should* namespace - your condition with a label, like `controller.domain.com\\ConditionName`." + description: |- + Conditions contains information about the current status of the HTTPProxy, + in an upstream-friendly container. + Contour will update a single condition, `Valid`, that is in normal-true polarity. + That is, when `currentStatus` is `valid`, the `Valid` condition will be `status: true`, + and vice versa. + Contour will leave untouched any other Conditions set in this block, + in case some other controller wants to add a Condition. + If you are another controller owner and wish to add a condition, you *should* + namespace your condition with a label, like `controller.domain.com\ConditionName`. items: - description: "DetailedCondition is an extension of the normal Kubernetes - conditions, with two extra fields to hold sub-conditions, which - provide more detailed reasons for the state (True or False) of - the condition. \n `errors` holds information about sub-conditions - which are fatal to that condition and render its state False. - \n `warnings` holds information about sub-conditions which are - not fatal to that condition and do not force the state to be False. - \n Remember that Conditions have a type, a status, and a reason. - \n The type is the type of the condition, the most important one - in this CRD set is `Valid`. `Valid` is a positive-polarity condition: - when it is `status: true` there are no problems. \n In more detail, - `status: true` means that the object is has been ingested into - Contour with no errors. `warnings` may still be present, and will - be indicated in the Reason field. There must be zero entries in - the `errors` slice in this case. \n `Valid`, `status: false` means - that the object has had one or more fatal errors during processing - into Contour. The details of the errors will be present under - the `errors` field. There must be at least one error in the `errors` - slice if `status` is `false`. \n For DetailedConditions of types - other than `Valid`, the Condition must be in the negative polarity. - When they have `status` `true`, there is an error. There must - be at least one entry in the `errors` Subcondition slice. When - they have `status` `false`, there are no serious errors, and there - must be zero entries in the `errors` slice. In either case, there - may be entries in the `warnings` slice. \n Regardless of the polarity, - the `reason` and `message` fields must be updated with either - the detail of the reason (if there is one and only one entry in - total across both the `errors` and `warnings` slices), or `MultipleReasons` - if there is more than one entry." + description: |- + DetailedCondition is an extension of the normal Kubernetes conditions, with two extra + fields to hold sub-conditions, which provide more detailed reasons for the state (True or False) + of the condition. + `errors` holds information about sub-conditions which are fatal to that condition and render its state False. + `warnings` holds information about sub-conditions which are not fatal to that condition and do not force the state to be False. + Remember that Conditions have a type, a status, and a reason. + The type is the type of the condition, the most important one in this CRD set is `Valid`. + `Valid` is a positive-polarity condition: when it is `status: true` there are no problems. + In more detail, `status: true` means that the object is has been ingested into Contour with no errors. + `warnings` may still be present, and will be indicated in the Reason field. There must be zero entries in the `errors` + slice in this case. + `Valid`, `status: false` means that the object has had one or more fatal errors during processing into Contour. + The details of the errors will be present under the `errors` field. There must be at least one error in the `errors` + slice if `status` is `false`. + For DetailedConditions of types other than `Valid`, the Condition must be in the negative polarity. + When they have `status` `true`, there is an error. There must be at least one entry in the `errors` Subcondition slice. + When they have `status` `false`, there are no serious errors, and there must be zero entries in the `errors` slice. + In either case, there may be entries in the `warnings` slice. + Regardless of the polarity, the `reason` and `message` fields must be updated with either the detail of the reason + (if there is one and only one entry in total across both the `errors` and `warnings` slices), or + `MultipleReasons` if there is more than one entry. properties: errors: - description: "Errors contains a slice of relevant error subconditions - for this object. \n Subconditions are expected to appear when - relevant (when there is a error), and disappear when not relevant. - An empty slice here indicates no errors." + description: |- + Errors contains a slice of relevant error subconditions for this object. + Subconditions are expected to appear when relevant (when there is a error), and disappear when not relevant. + An empty slice here indicates no errors. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -8542,10 +8588,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -8557,32 +8603,31 @@ spec: type: object type: array lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -8596,43 +8641,42 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string warnings: - description: "Warnings contains a slice of relevant warning - subconditions for this object. \n Subconditions are expected - to appear when relevant (when there is a warning), and disappear - when not relevant. An empty slice here indicates no warnings." + description: |- + Warnings contains a slice of relevant warning subconditions for this object. + Subconditions are expected to appear when relevant (when there is a warning), and disappear when not relevant. + An empty slice here indicates no warnings. items: - description: "SubCondition is a Condition-like type intended - for use as a subcondition inside a DetailedCondition. \n - It contains a subset of the Condition fields. \n It is intended - for warnings and errors, so `type` names should use abnormal-true - polarity, that is, they should be of the form \"ErrorPresent: - true\". \n The expected lifecycle for these errors is that - they should only be present when the error or warning is, - and should be removed when they are not relevant." + description: |- + SubCondition is a Condition-like type intended for use as a subcondition inside a DetailedCondition. + It contains a subset of the Condition fields. + It is intended for warnings and errors, so `type` names should use abnormal-true polarity, + that is, they should be of the form "ErrorPresent: true". + The expected lifecycle for these errors is that they should only be present when the error or warning is, + and should be removed when they are not relevant. properties: message: - description: "Message is a human readable message indicating - details about the transition. \n This may be an empty - string." + description: |- + Message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string reason: - description: "Reason contains a programmatic identifier - indicating the reason for the condition's last transition. - Producers of specific condition types may define expected - values and meanings for this field, and whether the - values are considered a guaranteed API. \n The value - should be a CamelCase string. \n This field may not - be empty." + description: |- + Reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -8646,10 +8690,10 @@ spec: - Unknown type: string type: - description: "Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. - \n This must be in abnormal-true polarity, that is, - `ErrorFound` or `controller.io/ErrorFound`. \n The regex - it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)" + description: |- + Type of condition in `CamelCase` or in `foo.example.com/CamelCase`. + This must be in abnormal-true polarity, that is, `ErrorFound` or `controller.io/ErrorFound`. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/go.mod b/go.mod index 308a1106a77..230d0e67fb4 100644 --- a/go.mod +++ b/go.mod @@ -41,7 +41,7 @@ require ( k8s.io/client-go v0.29.0 k8s.io/klog/v2 v2.120.0 sigs.k8s.io/controller-runtime v0.17.0 - sigs.k8s.io/controller-tools v0.13.0 + sigs.k8s.io/controller-tools v0.14.0 sigs.k8s.io/gateway-api v1.0.0 sigs.k8s.io/kustomize/kyaml v0.16.0 sigs.k8s.io/yaml v1.4.0 @@ -61,7 +61,7 @@ require ( github.com/envoyproxy/protoc-gen-validate v1.0.2 // indirect github.com/evanphx/json-patch v5.7.0+incompatible // indirect github.com/evanphx/json-patch/v5 v5.8.0 // indirect - github.com/fatih/color v1.15.0 // indirect + github.com/fatih/color v1.16.0 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect github.com/go-errors/errors v1.4.2 // indirect @@ -93,7 +93,7 @@ require ( github.com/magiconair/properties v1.8.7 // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/mattn/go-colorable v0.1.13 // indirect - github.com/mattn/go-isatty v0.0.17 // indirect + github.com/mattn/go-isatty v0.0.20 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/moby/spdystream v0.2.0 // indirect @@ -110,7 +110,7 @@ require ( github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/spf13/afero v1.9.3 // indirect github.com/spf13/cast v1.5.0 // indirect - github.com/spf13/cobra v1.7.0 // indirect + github.com/spf13/cobra v1.8.0 // indirect github.com/spf13/jwalterweatherman v1.1.0 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/spf13/viper v1.15.0 // indirect diff --git a/go.sum b/go.sum index 6b1928650b9..4e3ca75e425 100644 --- a/go.sum +++ b/go.sum @@ -84,7 +84,7 @@ github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnht github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4 h1:/inchEIKaYC1Akx+H+gqO04wryn5h75LSazbRlnya1k= github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/coreos/go-systemd/v22 v22.3.3-0.20220203105225-a9a7ef127534/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= -github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -108,8 +108,8 @@ github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.8.0 h1:lRj6N9Nci7MvzrXuX6HFzU8XjmhPiXPlsKEy1u0KQro= github.com/evanphx/json-patch/v5 v5.8.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= -github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs= -github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw= +github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= +github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0XL9UY= github.com/frankban/quicktest v1.14.4/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= @@ -286,8 +286,8 @@ github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxec github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= -github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng= -github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= +github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= +github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= @@ -353,8 +353,8 @@ github.com/spf13/afero v1.9.3 h1:41FoI0fD7OR7mGcKE/aOiLkGreyf8ifIOQmJANWogMk= github.com/spf13/afero v1.9.3/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y= github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w= github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU= -github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= -github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= +github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= +github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk= github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= @@ -564,6 +564,7 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= @@ -814,8 +815,8 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/controller-runtime v0.17.0 h1:fjJQf8Ukya+VjogLO6/bNX9HE6Y2xpsO5+fyS26ur/s= sigs.k8s.io/controller-runtime v0.17.0/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s= -sigs.k8s.io/controller-tools v0.13.0 h1:NfrvuZ4bxyolhDBt/rCZhDnx3M2hzlhgo5n3Iv2RykI= -sigs.k8s.io/controller-tools v0.13.0/go.mod h1:5vw3En2NazbejQGCeWKRrE7q4P+CW8/klfVqP8QZkgA= +sigs.k8s.io/controller-tools v0.14.0 h1:rnNoCC5wSXlrNoBKKzL70LNJKIQKEzT6lloG6/LF73A= +sigs.k8s.io/controller-tools v0.14.0/go.mod h1:TV7uOtNNnnR72SpzhStvPkoS/U5ir0nMudrkrC4M9Sc= sigs.k8s.io/gateway-api v1.0.0 h1:iPTStSv41+d9p0xFydll6d7f7MOBGuqXM6p2/zVYMAs= sigs.k8s.io/gateway-api v1.0.0/go.mod h1:4cUgr0Lnp5FZ0Cdq8FdRwCvpiWws7LVhLHGIudLlf4c= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= From 572515a8f336aae7577205a72511b5ac10511bea Mon Sep 17 00:00:00 2001 From: Sunjay Bhatia <5337253+sunjayBhatia@users.noreply.github.com> Date: Tue, 16 Jan 2024 16:53:25 -0500 Subject: [PATCH 18/19] Enable gofumpt linter (#6093) A stricter form of gofmt, added rules can be found here: https://github.com/mvdan/gofumpt?tab=readme-ov-file#added-rules Signed-off-by: Sunjay Bhatia --- .golangci.yml | 8 +- CONTRIBUTING.md | 7 + Makefile | 5 + apis/projectcontour/v1/helpers.go | 2 - apis/projectcontour/v1/helpers_test.go | 9 +- apis/projectcontour/v1/register.go | 6 +- .../v1/tlscertificatedelegation.go | 1 - apis/projectcontour/v1alpha1/accesslog.go | 1 - .../v1alpha1/contourconfig_helpers_test.go | 1 - cmd/contour/certgen.go | 2 - cmd/contour/certgen_test.go | 2 +- cmd/contour/contour.go | 1 - cmd/contour/serve.go | 22 +- cmd/contour/servecontext_test.go | 3 +- cmd/contour/shutdownmanager.go | 3 - hack/actions/check-changefile-exists.go | 2 - hack/generate-metrics-doc.go | 2 +- hack/gofumpt | 3 + hack/release/prepare-release.go | 10 +- internal/annotation/annotations.go | 5 +- internal/certgen/certgen.go | 2 +- internal/certgen/output.go | 5 +- internal/contour/metrics.go | 2 +- internal/controller/gateway.go | 6 +- internal/controller/gatewayclass.go | 3 +- internal/controller/grpcroute.go | 1 - internal/controller/httproute.go | 1 - internal/controller/tcproute.go | 1 - internal/controller/tlsroute.go | 1 - internal/dag/accessors.go | 4 +- internal/dag/accessors_test.go | 2 +- internal/dag/builder.go | 1 - internal/dag/builder_test.go | 356 +++++------ internal/dag/cache_test.go | 47 +- internal/dag/conditions_test.go | 19 +- internal/dag/dag_test.go | 3 - internal/dag/gatewayapi_processor.go | 14 +- internal/dag/gatewayapi_processor_test.go | 3 - internal/dag/httpproxy_processor.go | 6 +- internal/dag/httpproxy_processor_test.go | 1 - internal/dag/ingress_processor.go | 2 +- internal/dag/policy.go | 3 +- internal/dag/policy_test.go | 1 - internal/dag/secret_test.go | 2 + internal/dag/status.go | 1 + internal/dag/status_test.go | 556 +++++++++++------- internal/debug/dot.go | 6 +- internal/envoy/bootstrap_test.go | 1 - internal/envoy/v3/accesslog.go | 5 +- internal/envoy/v3/accesslog_test.go | 68 +-- internal/envoy/v3/bootstrap.go | 2 +- internal/envoy/v3/bootstrap_test.go | 6 +- internal/envoy/v3/cluster.go | 1 - internal/envoy/v3/cluster_test.go | 3 +- internal/envoy/v3/healthcheck_test.go | 1 - internal/envoy/v3/listener.go | 6 +- internal/envoy/v3/listener_test.go | 2 - internal/envoy/v3/ratelimit_test.go | 1 - internal/envoy/v3/route_test.go | 41 +- internal/envoy/v3/stats.go | 6 +- internal/envoy/v3/stats_test.go | 22 +- .../featuretests/v3/authorization_test.go | 2 +- .../v3/backendcavalidation_test.go | 1 - .../featuretests/v3/backendclientauth_test.go | 4 +- internal/featuretests/v3/corspolicy_test.go | 12 +- internal/featuretests/v3/envoy.go | 8 +- internal/featuretests/v3/externalname_test.go | 1 - internal/featuretests/v3/featuretests.go | 2 +- .../v3/global_authorization_test.go | 12 +- .../featuretests/v3/globalratelimit_test.go | 4 +- .../featuretests/v3/headercondition_test.go | 20 +- internal/featuretests/v3/httpproxy.go | 2 +- .../v3/internalredirectpolicy_test.go | 1 - internal/featuretests/v3/listeners_test.go | 3 +- .../v3/queryparametercondition_test.go | 3 +- .../featuretests/v3/replaceprefix_test.go | 43 +- internal/featuretests/v3/route_test.go | 13 +- .../featuretests/v3/timeoutpolicy_test.go | 1 - .../v3/tlsprotocolversion_test.go | 1 - internal/featuretests/v3/upstreamtls_test.go | 2 - internal/featuretests/v3/websockets_test.go | 1 - internal/fixture/detailedcondition.go | 14 +- internal/fixture/httpproxy.go | 4 +- internal/fixture/service.go | 2 +- internal/gatewayapi/helpers.go | 5 +- internal/k8s/filter.go | 1 - internal/k8s/filter_test.go | 1 - internal/k8s/helpers.go | 1 - internal/k8s/kind_test.go | 24 +- internal/k8s/objectmeta_test.go | 2 +- internal/k8s/status.go | 2 - internal/k8s/statusaddress.go | 2 - internal/k8s/statuscache.go | 6 - internal/protobuf/helpers.go | 2 +- internal/provisioner/controller/gateway.go | 1 - .../provisioner/equality/equality_test.go | 6 +- .../objects/contourconfig/contourconfig.go | 1 - .../contourconfig/contourconfig_test.go | 1 - .../objects/dataplane/dataplane.go | 2 - .../objects/dataplane/dataplane_test.go | 3 +- .../objects/deployment/deployment_test.go | 2 - .../provisioner/objects/service/service.go | 39 +- internal/sorter/sorter.go | 5 +- internal/sorter/sorter_test.go | 17 +- internal/status/gatewaystatus.go | 1 - internal/status/proxystatus.go | 2 - internal/status/proxystatus_test.go | 1 - internal/xdscache/v3/endpointstranslator.go | 6 +- internal/xdscache/v3/listener.go | 3 +- internal/xdscache/v3/listener_test.go | 5 +- internal/xdscache/v3/route_test.go | 3 +- internal/xdscache/v3/server_test.go | 9 +- pkg/certs/certgen.go | 9 +- pkg/certs/certgen_test.go | 2 - pkg/config/parameters.go | 48 +- pkg/config/parameters_test.go | 4 - test/e2e/deployment.go | 5 +- test/e2e/framework.go | 10 +- test/e2e/gateway/tls_gateway_test.go | 1 - .../backend_tls_protocol_version_test.go | 1 - test/e2e/httpproxy/cel_validation_test.go | 1 - test/e2e/httpproxy/client_cert_auth_test.go | 5 - test/e2e/httpproxy/client_cert_crl_test.go | 1 - test/e2e/httpproxy/direct_response_test.go | 1 - test/e2e/httpproxy/fqdn_test.go | 2 - .../httpproxy/header_condition_match_test.go | 1 - test/e2e/httpproxy/httpproxy_test.go | 2 - test/e2e/httpproxy/internal_redirect_test.go | 4 +- test/e2e/httpproxy/request_redirect_test.go | 4 - test/e2e/infra/infra_test.go | 3 +- test/e2e/ingress/ingress_test.go | 1 - test/e2e/poller.go | 2 +- test/e2e/upgrade/upgrade_test.go | 2 +- test/e2e/waiter.go | 2 +- 134 files changed, 926 insertions(+), 803 deletions(-) create mode 100755 hack/gofumpt diff --git a/.golangci.yml b/.golangci.yml index 1b750174c13..123dfa64617 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -4,7 +4,7 @@ run: linters: enable: - bodyclose - - gofmt + - gofumpt - goimports - revive - gosec @@ -23,8 +23,6 @@ linters-settings: - clas - cancelled locale: US - gofmt: - simplify: true unparam: check-exported: false goheader: @@ -62,8 +60,12 @@ linters-settings: enable-all: true ginkgolinter: forbid-focus-container: true + gofumpt: + extra-rules: true issues: + max-issues-per-linter: 0 + max-same-issues: 0 exclude-rules: - linters: ["unparam"] text: "always receives" diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 2a70deab318..46d75d0be64 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -311,6 +311,13 @@ At a maintainer's discretion, pull requests with multiple commits can be merged Merging pull requests with multiple commits can make sense in cases where a change involves code generation or mechanical changes that can be cleanly separated from semantic changes. The maintainer should review commit messages for each commit and make sure that each commit builds and passes tests. +### Code formatting + +Contour utilizes [`gofumpt`](https://github.com/mvdan/gofumpt) for strict Golang formatting of the contour codebase. +The `lint` CI job checks this to ensure all commits are formatted as expected. + +The `make format` target can be used to run `gofumpt` locally before making a PR. + ### Import Aliases Naming is one of the most difficult things in software engineering. diff --git a/Makefile b/Makefile index faee470df42..58f23dfcd5a 100644 --- a/Makefile +++ b/Makefile @@ -223,6 +223,11 @@ lint-flags: exit 2; \ fi +.PHONY: format +format: ## Run gofumpt to format the codebase. + @echo Running gofumpt... + @./hack/gofumpt -l -w -extra . + .PHONY: generate generate: ## Re-generate generated code and documentation generate: generate-rbac generate-crd-deepcopy generate-crd-yaml generate-gateway-yaml generate-deployment generate-api-docs generate-metrics-docs generate-uml generate-go diff --git a/apis/projectcontour/v1/helpers.go b/apis/projectcontour/v1/helpers.go index 409e6beda18..21b17f02936 100644 --- a/apis/projectcontour/v1/helpers.go +++ b/apis/projectcontour/v1/helpers.go @@ -179,7 +179,6 @@ func (dc *DetailedCondition) IsPositivePolarity() bool { // getIndex checks if a SubCondition of type condType exists in the // slice, and returns its index if so. If not, returns -1. func getIndex(condType string, subconds []SubCondition) int { - for i, cond := range subconds { if cond.Type == condType { return i @@ -191,7 +190,6 @@ func getIndex(condType string, subconds []SubCondition) int { // GetConditionFor returns the a pointer to the condition for a given type, // or nil if there are none currently present. func (status *HTTPProxyStatus) GetConditionFor(condType string) *DetailedCondition { - for i, cond := range status.Conditions { if cond.Type == condType { return &status.Conditions[i] diff --git a/apis/projectcontour/v1/helpers_test.go b/apis/projectcontour/v1/helpers_test.go index 5b5a2919951..18b267c4c10 100644 --- a/apis/projectcontour/v1/helpers_test.go +++ b/apis/projectcontour/v1/helpers_test.go @@ -30,7 +30,6 @@ type subConditionDetails struct { } func TestAddErrorConditions(t *testing.T) { - tests := map[string]struct { dc *DetailedCondition subconditions []subConditionDetails @@ -274,7 +273,6 @@ func TestAddErrorConditions(t *testing.T) { } func TestAddWarningConditions(t *testing.T) { - tests := map[string]struct { dc *DetailedCondition subconditions []subConditionDetails @@ -544,7 +542,6 @@ func TestGetConditionFor(t *testing.T) { } func TestGetError(t *testing.T) { - dcWithErrors := &DetailedCondition{ Errors: []SubCondition{ { @@ -571,11 +568,9 @@ func TestGetError(t *testing.T) { emptySubCond, ok := dcEmpty.GetError(ConditionTypeServiceError) assert.False(t, ok) assert.Equal(t, SubCondition{}, emptySubCond) - } func TestGetWarning(t *testing.T) { - dcWithErrors := &DetailedCondition{ Warnings: []SubCondition{ { @@ -612,10 +607,9 @@ func TestGetWarning(t *testing.T) { emptySubCond, ok := dcEmpty.GetWarning("SimpleTest1") assert.False(t, ok) assert.Equal(t, SubCondition{}, emptySubCond) - } -func TestTruncateLongMessage(t *testing.T) { +func TestTruncateLongMessage(t *testing.T) { shortmessage := "This is a message shorter than the max length" assert.Equal(t, shortmessage, truncateLongMessage(shortmessage)) @@ -623,7 +617,6 @@ func TestTruncateLongMessage(t *testing.T) { truncatedLongMessage := longMessage[:LongMessageLength] assert.Equal(t, truncatedLongMessage, truncateLongMessage(longMessage)) - } // nolint:misspell diff --git a/apis/projectcontour/v1/register.go b/apis/projectcontour/v1/register.go index 673a1a89082..3014e9357e7 100644 --- a/apis/projectcontour/v1/register.go +++ b/apis/projectcontour/v1/register.go @@ -28,8 +28,10 @@ const ( // New code should use GroupVersion. var SchemeGroupVersion = GroupVersion -var HTTPProxyGVR = GroupVersion.WithResource("httpproxies") -var TLSCertificateDelegationGVR = GroupVersion.WithResource("tlscertificatedelegations") +var ( + HTTPProxyGVR = GroupVersion.WithResource("httpproxies") + TLSCertificateDelegationGVR = GroupVersion.WithResource("tlscertificatedelegations") +) // Resource gets an Contour GroupResource for a specified resource func Resource(resource string) schema.GroupResource { diff --git a/apis/projectcontour/v1/tlscertificatedelegation.go b/apis/projectcontour/v1/tlscertificatedelegation.go index 31e49813ce0..3623defbf79 100644 --- a/apis/projectcontour/v1/tlscertificatedelegation.go +++ b/apis/projectcontour/v1/tlscertificatedelegation.go @@ -25,7 +25,6 @@ type TLSCertificateDelegationSpec struct { // CertificateDelegation maps the authority to reference a secret // in the current namespace to a set of namespaces. type CertificateDelegation struct { - // required, the name of a secret in the current namespace. SecretName string `json:"secretName"` diff --git a/apis/projectcontour/v1alpha1/accesslog.go b/apis/projectcontour/v1alpha1/accesslog.go index 4bab149b1b3..9d1ece7e164 100644 --- a/apis/projectcontour/v1alpha1/accesslog.go +++ b/apis/projectcontour/v1alpha1/accesslog.go @@ -191,7 +191,6 @@ const ( type AccessLogJSONFields []string func (a AccessLogJSONFields) Validate() error { - for key, val := range a.AsFieldMap() { if val == "" { return fmt.Errorf("invalid JSON log field name %s", key) diff --git a/apis/projectcontour/v1alpha1/contourconfig_helpers_test.go b/apis/projectcontour/v1alpha1/contourconfig_helpers_test.go index 290256e4d6c..4dda74cf897 100644 --- a/apis/projectcontour/v1alpha1/contourconfig_helpers_test.go +++ b/apis/projectcontour/v1alpha1/contourconfig_helpers_test.go @@ -230,7 +230,6 @@ func TestContourConfigurationSpecValidate(t *testing.T) { } c.Tracing.CustomTags = customTags require.Error(t, c.Validate()) - }) } diff --git a/cmd/contour/certgen.go b/cmd/contour/certgen.go index fe31763f819..ef55f004f2e 100644 --- a/cmd/contour/certgen.go +++ b/cmd/contour/certgen.go @@ -53,7 +53,6 @@ func registerCertGen(app *kingpin.Application) (*kingpin.CmdClause, *certgenConf // certgenConfig holds the configuration for the certificate generation process. type certgenConfig struct { - // KubeConfig is the path to the Kubeconfig file if we're not running in a cluster KubeConfig string @@ -154,5 +153,4 @@ func doCertgen(config *certgenConfig, log logrus.FieldLogger) { if oerr := OutputCerts(config, coreClient, generatedCerts); oerr != nil { log.WithError(oerr).Fatalf("failed output certificates") } - } diff --git a/cmd/contour/certgen_test.go b/cmd/contour/certgen_test.go index b8d335631ba..6dcea53c9d4 100644 --- a/cmd/contour/certgen_test.go +++ b/cmd/contour/certgen_test.go @@ -276,7 +276,7 @@ func TestOutputFileMode(t *testing.T) { err = filepath.Walk(outputDir, func(path string, info os.FileInfo, err error) error { if !info.IsDir() { - assert.Equal(t, os.FileMode(0600), info.Mode(), "incorrect mode for file "+path) + assert.Equal(t, os.FileMode(0o600), info.Mode(), "incorrect mode for file "+path) } return nil }) diff --git a/cmd/contour/contour.go b/cmd/contour/contour.go index 16f01005dea..a2b92fd1865 100644 --- a/cmd/contour/contour.go +++ b/cmd/contour/contour.go @@ -187,5 +187,4 @@ func main() { app.Usage(args) os.Exit(2) } - } diff --git a/cmd/contour/serve.go b/cmd/contour/serve.go index a59295a715d..f4fb77abe05 100644 --- a/cmd/contour/serve.go +++ b/cmd/contour/serve.go @@ -91,7 +91,6 @@ func registerServe(app *kingpin.Application) (*kingpin.CmdClause, *serveContext) ctx := newServeContext() parseConfig := func(_ *kingpin.ParseContext) error { - if ctx.contourConfigurationName != "" && configFile != "" { return fmt.Errorf("cannot specify both %s and %s", "--contour-config", "-c/--config-path") } @@ -200,7 +199,6 @@ type EndpointsTranslator interface { // NewServer returns a Server object which contains the initial configuration // objects required to start an instance of Contour. func NewServer(log logrus.FieldLogger, ctx *serveContext) (*Server, error) { - var restConfigOpts []func(*rest.Config) if qps := ctx.Config.KubeClientQPS; qps > 0 { @@ -260,7 +258,8 @@ func NewServer(log logrus.FieldLogger, ctx *serveContext) (*Server, error) { secret.SetAnnotations(nil) return secret, nil - }}, + }, + }, }, // DefaultTransform is called for objects that do not have a TransformByObject function. DefaultTransform: func(obj any) (any, error) { @@ -742,7 +741,7 @@ func (s *Server) doServe() error { return s.mgr.Start(signals.SetupSignalHandler()) } -func (s *Server) getExtensionSvcConfig(name string, namespace string) (xdscache_v3.ExtensionServiceConfig, error) { +func (s *Server) getExtensionSvcConfig(name, namespace string) (xdscache_v3.ExtensionServiceConfig, error) { extensionSvc := &contour_api_v1alpha1.ExtensionService{} key := client.ObjectKey{ Namespace: namespace, @@ -822,7 +821,6 @@ func (s *Server) setupTracingService(tracingConfig *contour_api_v1alpha1.Tracing MaxPathTagLength: ref.Val(tracingConfig.MaxPathTagLength, 256), CustomTags: customTags, }, nil - } func (s *Server) setupRateLimitService(contourConfiguration contour_api_v1alpha1.ContourConfigurationSpec) (*xdscache_v3.RateLimitConfig, error) { @@ -954,8 +952,8 @@ func (x *xdsServer) Start(ctx context.Context) error { // setupMetrics creates metrics service for Contour. func (s *Server) setupMetrics(metricsConfig contour_api_v1alpha1.MetricsConfig, healthConfig contour_api_v1alpha1.HealthConfig, - registry *prometheus.Registry) error { - + registry *prometheus.Registry, +) error { // Create metrics service and register with mgr. metricsvc := &httpsvc.Service{ Addr: metricsConfig.Address, @@ -982,8 +980,8 @@ func (s *Server) setupMetrics(metricsConfig contour_api_v1alpha1.MetricsConfig, } func (s *Server) setupHealth(healthConfig contour_api_v1alpha1.HealthConfig, - metricsConfig contour_api_v1alpha1.MetricsConfig) error { - + metricsConfig contour_api_v1alpha1.MetricsConfig, +) error { if healthConfig.Address != metricsConfig.Address || healthConfig.Port != metricsConfig.Port { healthsvc := &httpsvc.Service{ Addr: healthConfig.Address, @@ -1002,8 +1000,8 @@ func (s *Server) setupHealth(healthConfig contour_api_v1alpha1.HealthConfig, } func (s *Server) setupGatewayAPI(contourConfiguration contour_api_v1alpha1.ContourConfigurationSpec, - mgr manager.Manager, eventHandler *contour.EventRecorder, sh *k8s.StatusUpdateHandler) []leadership.NeedLeaderElectionNotification { - + mgr manager.Manager, eventHandler *contour.EventRecorder, sh *k8s.StatusUpdateHandler, +) []leadership.NeedLeaderElectionNotification { needLeadershipNotification := []leadership.NeedLeaderElectionNotification{} // Check if GatewayAPI is configured. @@ -1129,7 +1127,6 @@ type dagBuilderConfig struct { } func (s *Server) getDAGBuilder(dbc dagBuilderConfig) *dag.Builder { - var ( requestHeadersPolicy dag.HeadersPolicy responseHeadersPolicy dag.HeadersPolicy @@ -1273,7 +1270,6 @@ func (s *Server) informOnResource(obj client.Object, handler cache.ResourceEvent } registration, err := inf.AddEventHandler(handler) - if err != nil { return err } diff --git a/cmd/contour/servecontext_test.go b/cmd/contour/servecontext_test.go index f9a2dbcfef8..395b4966d1c 100644 --- a/cmd/contour/servecontext_test.go +++ b/cmd/contour/servecontext_test.go @@ -340,7 +340,8 @@ func TestParseHTTPVersions(t *testing.T) { "http/1.1+http/2 duplicated": { versions: []contour_api_v1alpha1.HTTPVersionType{ contour_api_v1alpha1.HTTPVersion1, contour_api_v1alpha1.HTTPVersion2, - contour_api_v1alpha1.HTTPVersion1, contour_api_v1alpha1.HTTPVersion2}, + contour_api_v1alpha1.HTTPVersion1, contour_api_v1alpha1.HTTPVersion2, + }, parseVersions: []envoy_v3.HTTPVersionType{envoy_v3.HTTPVersion1, envoy_v3.HTTPVersion2}, }, } diff --git a/cmd/contour/shutdownmanager.go b/cmd/contour/shutdownmanager.go index b41f748ac81..4677523bd67 100644 --- a/cmd/contour/shutdownmanager.go +++ b/cmd/contour/shutdownmanager.go @@ -198,7 +198,6 @@ func (s *shutdownContext) shutdownHandler() { // shutdownEnvoy sends a POST request to /healthcheck/fail to tell Envoy to start draining connections func shutdownEnvoy(adminAddress string) error { - httpClient := http.Client{ Transport: &http.Transport{ DialContext: func(_ context.Context, _, _ string) (net.Conn, error) { @@ -221,7 +220,6 @@ func shutdownEnvoy(adminAddress string) error { // getOpenConnections parses a http request to a prometheus endpoint returning the sum of values found func getOpenConnections(adminAddress string) (int, error) { - httpClient := http.Client{ Transport: &http.Transport{ DialContext: func(_ context.Context, _, _ string) (net.Conn, error) { @@ -280,7 +278,6 @@ func parseOpenConnections(stats io.Reader) (int, error) { } func doShutdownManager(config *shutdownmanagerContext) { - config.Info("started envoy shutdown manager") http.HandleFunc("/healthz", config.healthzHandler) diff --git a/hack/actions/check-changefile-exists.go b/hack/actions/check-changefile-exists.go index 0b815b16837..ce31353b4a0 100644 --- a/hack/actions/check-changefile-exists.go +++ b/hack/actions/check-changefile-exists.go @@ -52,7 +52,6 @@ Error: %s Please see the "Commit message and PR guidelines" section of CONTRIBUTING.md, or https://github.com/projectcontour/contour/blob/main/design/changelog.md for background.`, errorMessage)) - } // We need a GITHUB_TOKEN and PR_NUMBER in the environment. @@ -62,7 +61,6 @@ or https://github.com/projectcontour/contour/blob/main/design/changelog.md for b token, ok := os.LookupEnv("GITHUB_TOKEN") if !ok { log.Fatal("No GITHUB_TOKEN set, check the Action config.") - } prEnv, ok := os.LookupEnv("PR_NUMBER") if !ok { diff --git a/hack/generate-metrics-doc.go b/hack/generate-metrics-doc.go index 2d6a4145b7a..9f13c243fe6 100644 --- a/hack/generate-metrics-doc.go +++ b/hack/generate-metrics-doc.go @@ -79,7 +79,7 @@ func main() { log.Fatalf("%s", err) } - f, err := os.OpenFile("table.md", os.O_CREATE|os.O_RDWR, 0644) + f, err := os.OpenFile("table.md", os.O_CREATE|os.O_RDWR, 0o644) if err != nil { log.Fatalf("%s", err) } diff --git a/hack/gofumpt b/hack/gofumpt new file mode 100755 index 00000000000..49d8e719f02 --- /dev/null +++ b/hack/gofumpt @@ -0,0 +1,3 @@ +#! /usr/bin/env bash + +go run mvdan.cc/gofumpt@v0.5.0 "$@" diff --git a/hack/release/prepare-release.go b/hack/release/prepare-release.go index 73b9cdc0955..a9d903c9714 100644 --- a/hack/release/prepare-release.go +++ b/hack/release/prepare-release.go @@ -66,7 +66,7 @@ func capture(cmd []string) string { return out.String() } -func updateMappingForTOC(filePath string, vers string, toc string) error { +func updateMappingForTOC(filePath, vers, toc string) error { data, err := os.ReadFile(filePath) if err != nil { return err @@ -86,7 +86,7 @@ func updateMappingForTOC(filePath string, vers string, toc string) error { }, ) - return os.WriteFile(filePath, []byte(rn.MustString()), 0600) + return os.WriteFile(filePath, []byte(rn.MustString()), 0o600) } // InsertAfter is like yaml.ElementAppender except it inserts after the named node. @@ -114,7 +114,7 @@ func (a InsertAfter) Filter(rn *yaml.RNode) (*yaml.RNode, error) { return rn, nil } -func updateConfigForSite(filePath string, vers string) error { +func updateConfigForSite(filePath, vers string) error { data, err := os.ReadFile(filePath) if err != nil { return err @@ -148,7 +148,7 @@ func updateConfigForSite(filePath string, vers string) error { log.Fatalf("%s", err) } - return os.WriteFile(filePath, []byte(rn.MustString()), 0600) + return os.WriteFile(filePath, []byte(rn.MustString()), 0o600) } func updateIndexFile(filePath, newVers string) error { @@ -160,7 +160,7 @@ func updateIndexFile(filePath, newVers string) error { upd := strings.ReplaceAll(string(data), "version: main", fmt.Sprintf("version: \"%s\"", newVers)) upd = strings.ReplaceAll(upd, "branch: main", "branch: release-"+newVers) - return os.WriteFile(filePath, []byte(upd), 0600) + return os.WriteFile(filePath, []byte(upd), 0o600) } func main() { diff --git a/internal/annotation/annotations.go b/internal/annotation/annotations.go index 5c39058a461..1a292ccfa8b 100644 --- a/internal/annotation/annotations.go +++ b/internal/annotation/annotations.go @@ -80,7 +80,7 @@ var annotationsByKind = map[string]map[string]struct{}{ } // ValidForKind checks if a particular annotation is valid for a given Kind. -func ValidForKind(kind string, key string) bool { +func ValidForKind(kind, key string) bool { if a, ok := annotationsByKind[kind]; ok { _, ok := a[key] return ok @@ -175,7 +175,6 @@ func WebsocketRoutes(i *networking_v1.Ingress) map[string]bool { // NumRetries returns the number of retries specified by the // "projectcontour.io/num-retries" annotation. func NumRetries(i *networking_v1.Ingress) uint32 { - val := parseInt32(ContourAnnotation(i, "num-retries")) // If set to -1, then retries set to 0. If set to 0 or @@ -213,7 +212,7 @@ func IngressClass(o metav1.Object) string { // TLSVersion returns the TLS protocol version specified by an ingress annotation // or default if non present. -func TLSVersion(version string, defaultVal string) string { +func TLSVersion(version, defaultVal string) string { switch version { case "1.2", "1.3": return version diff --git a/internal/certgen/certgen.go b/internal/certgen/certgen.go index ff2464886ce..df7544d4daf 100644 --- a/internal/certgen/certgen.go +++ b/internal/certgen/certgen.go @@ -52,7 +52,7 @@ const ( Overwrite OverwritePolicy = 1 ) -func newSecret(secretType corev1.SecretType, name string, namespace string, data map[string][]byte) *corev1.Secret { +func newSecret(secretType corev1.SecretType, name, namespace string, data map[string][]byte) *corev1.Secret { return &corev1.Secret{ Type: secretType, TypeMeta: metav1.TypeMeta{ diff --git a/internal/certgen/output.go b/internal/certgen/output.go index f4e7fc33f6d..8525304e5ea 100644 --- a/internal/certgen/output.go +++ b/internal/certgen/output.go @@ -30,8 +30,7 @@ func writeSecret(f *os.File, secret *corev1.Secret) error { } func createFile(filepath string, force bool) (*os.File, error) { - - err := os.MkdirAll(path.Dir(filepath), 0755) + err := os.MkdirAll(path.Dir(filepath), 0o755) if err != nil { return nil, fmt.Errorf("unable to create %s: %s", path.Dir(filepath), err) } @@ -46,7 +45,7 @@ func createFile(filepath string, force bool) (*os.File, error) { flags |= os.O_EXCL } - f, err := os.OpenFile(filepath, flags, 0600) + f, err := os.OpenFile(filepath, flags, 0o600) if err != nil { // File exists, and we don't want to create it. return nil, fmt.Errorf("can't create file %s: %s", filepath, err) diff --git a/internal/contour/metrics.go b/internal/contour/metrics.go index a2fe0db2818..e0f6ab6cfa4 100644 --- a/internal/contour/metrics.go +++ b/internal/contour/metrics.go @@ -122,7 +122,7 @@ func calculateRouteMetric(updates []*status.ProxyUpdate) metrics.RouteMetric { } } -func calcMetrics(u *status.ProxyUpdate, metricValid map[metrics.Meta]int, metricInvalid map[metrics.Meta]int, metricOrphaned map[metrics.Meta]int, metricTotal map[metrics.Meta]int) { +func calcMetrics(u *status.ProxyUpdate, metricValid, metricInvalid, metricOrphaned, metricTotal map[metrics.Meta]int) { validCond := u.ConditionFor(status.ValidCondition) switch validCond.Status { case contour_api_v1.ConditionTrue: diff --git a/internal/controller/gateway.go b/internal/controller/gateway.go index 69b5f1485c8..decbd9a5568 100644 --- a/internal/controller/gateway.go +++ b/internal/controller/gateway.go @@ -215,7 +215,8 @@ func (r *gatewayReconciler) Reconcile(ctx context.Context, request reconcile.Req ObjectMeta: metav1.ObjectMeta{ Namespace: request.Namespace, Name: request.Name, - }}) + }, + }) return reconcile.Result{}, nil } @@ -238,7 +239,8 @@ func (r *gatewayReconciler) Reconcile(ctx context.Context, request reconcile.Req ObjectMeta: metav1.ObjectMeta{ Namespace: request.Namespace, Name: request.Name, - }}) + }, + }) return reconcile.Result{}, nil } diff --git a/internal/controller/gatewayclass.go b/internal/controller/gatewayclass.go index 429fc375481..bf2220f0485 100644 --- a/internal/controller/gatewayclass.go +++ b/internal/controller/gatewayclass.go @@ -162,7 +162,8 @@ func (r *gatewayClassReconciler) Reconcile(ctx context.Context, request reconcil ObjectMeta: metav1.ObjectMeta{ Namespace: request.Namespace, Name: request.Name, - }}) + }, + }) return reconcile.Result{}, nil } diff --git a/internal/controller/grpcroute.go b/internal/controller/grpcroute.go index 8d57689726d..044e0ca863b 100644 --- a/internal/controller/grpcroute.go +++ b/internal/controller/grpcroute.go @@ -56,7 +56,6 @@ func RegisterGRPCRouteController(log logrus.FieldLogger, mgr manager.Manager, ev } func (r *grpcRouteReconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) { - // Fetch the GRPCRoute from the cache. grpcRoute := &gatewayapi_v1alpha2.GRPCRoute{} err := r.client.Get(ctx, request.NamespacedName, grpcRoute) diff --git a/internal/controller/httproute.go b/internal/controller/httproute.go index 27cb193b710..b0e758de1ae 100644 --- a/internal/controller/httproute.go +++ b/internal/controller/httproute.go @@ -56,7 +56,6 @@ func RegisterHTTPRouteController(log logrus.FieldLogger, mgr manager.Manager, ev } func (r *httpRouteReconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) { - // Fetch the HTTPRoute from the cache. httpRoute := &gatewayapi_v1beta1.HTTPRoute{} err := r.client.Get(ctx, request.NamespacedName, httpRoute) diff --git a/internal/controller/tcproute.go b/internal/controller/tcproute.go index 2d30640b714..507e6c9d134 100644 --- a/internal/controller/tcproute.go +++ b/internal/controller/tcproute.go @@ -56,7 +56,6 @@ func RegisterTCPRouteController(log logrus.FieldLogger, mgr manager.Manager, eve } func (r *tcpRouteReconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) { - // Fetch the TCPRoute from the cache. tcpRoute := &gatewayapi_v1alpha2.TCPRoute{} err := r.client.Get(ctx, request.NamespacedName, tcpRoute) diff --git a/internal/controller/tlsroute.go b/internal/controller/tlsroute.go index 7eff1534ec8..558dcb60f2b 100644 --- a/internal/controller/tlsroute.go +++ b/internal/controller/tlsroute.go @@ -56,7 +56,6 @@ func RegisterTLSRouteController(log logrus.FieldLogger, mgr manager.Manager, eve } func (r *tlsRouteReconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) { - // Fetch the TLSRoute from the cache. tlsroute := &gatewayapi_v1alpha2.TLSRoute{} err := r.client.Get(ctx, request.NamespacedName, tlsroute) diff --git a/internal/dag/accessors.go b/internal/dag/accessors.go index 3aff82c8c7a..bea91f36a3c 100644 --- a/internal/dag/accessors.go +++ b/internal/dag/accessors.go @@ -28,7 +28,7 @@ import ( // EnsureService looks for a Kubernetes service in the cache matching the provided // namespace, name and port, and returns a DAG service for it. If a matching service // cannot be found in the cache, an error is returned. -func (d *DAG) EnsureService(meta types.NamespacedName, port int, healthPort int, cache *KubernetesCache, enableExternalNameSvc bool) (*Service, error) { +func (d *DAG) EnsureService(meta types.NamespacedName, port, healthPort int, cache *KubernetesCache, enableExternalNameSvc bool) (*Service, error) { svc, svcPort, err := cache.LookupService(meta, intstr.FromInt(port)) if err != nil { return nil, err @@ -73,7 +73,6 @@ func (d *DAG) EnsureService(meta types.NamespacedName, port int, healthPort int, } func validateExternalName(svc *v1.Service, enableExternalNameSvc bool) error { - // If this isn't an ExternalName Service, we're all good here. en := externalName(svc) if en == "" { @@ -118,6 +117,7 @@ func toContourProtocol(appProtocol string) (string, bool) { }[appProtocol] return proto, ok } + func upstreamProtocol(svc *v1.Service, port v1.ServicePort) string { // if appProtocol is not nil, check it only if port.AppProtocol != nil { diff --git a/internal/dag/accessors_test.go b/internal/dag/accessors_test.go index ca9be59d39d..1312a9191fb 100644 --- a/internal/dag/accessors_test.go +++ b/internal/dag/accessors_test.go @@ -44,8 +44,8 @@ func makeServicePort(name string, protocol v1.Protocol, port int32, extras ...an } return p - } + func TestBuilderLookupService(t *testing.T) { s1 := &v1.Service{ ObjectMeta: metav1.ObjectMeta{ diff --git a/internal/dag/builder.go b/internal/dag/builder.go index e73223b3cb4..7c2afff54d0 100644 --- a/internal/dag/builder.go +++ b/internal/dag/builder.go @@ -56,7 +56,6 @@ type Builder struct { // Build builds and returns a new DAG by running the // configured DAG processors, in order. func (b *Builder) Build() *DAG { - gatewayNSName := types.NamespacedName{} if b.Source.gateway != nil { gatewayNSName = k8s.NamespacedNameOf(b.Source.gateway) diff --git a/internal/dag/builder_test.go b/internal/dag/builder_test.go index a0a15db5e27..5709a3d9450 100644 --- a/internal/dag/builder_test.go +++ b/internal/dag/builder_test.go @@ -1383,15 +1383,16 @@ func TestDAGInsertGatewayAPI(t *testing.T) { }, Rules: []gatewayapi_v1beta1.HTTPRouteRule{{ Matches: gatewayapi.HTTPRouteMatch(gatewayapi_v1.PathMatchPathPrefix, "/"), - BackendRefs: []gatewayapi_v1beta1.HTTPBackendRef{{ - BackendRef: gatewayapi_v1beta1.BackendRef{ - BackendObjectReference: gatewayapi_v1beta1.BackendObjectReference{ - Kind: ref.To(gatewayapi_v1beta1.Kind("Service")), - Name: "kuard", + BackendRefs: []gatewayapi_v1beta1.HTTPBackendRef{ + { + BackendRef: gatewayapi_v1beta1.BackendRef{ + BackendObjectReference: gatewayapi_v1beta1.BackendObjectReference{ + Kind: ref.To(gatewayapi_v1beta1.Kind("Service")), + Name: "kuard", + }, }, }, }, - }, }}, }, }, @@ -2443,7 +2444,6 @@ func TestDAGInsertGatewayAPI(t *testing.T) { Namespace: "projectcontour", }, Spec: gatewayapi_v1beta1.HTTPRouteSpec{ - CommonRouteSpec: gatewayapi_v1beta1.CommonRouteSpec{ ParentRefs: []gatewayapi_v1beta1.ParentReference{ gatewayapi.GatewayListenerParentRef("projectcontour", "contour", "https-listener", 0), @@ -2559,7 +2559,8 @@ func TestDAGInsertGatewayAPI(t *testing.T) { }, }, BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), - }}, + }, + }, }, }, }, @@ -3391,7 +3392,8 @@ func TestDAGInsertGatewayAPI(t *testing.T) { }, }, }}, - }}, + }, + }, }, }, }, @@ -3452,7 +3454,8 @@ func TestDAGInsertGatewayAPI(t *testing.T) { }}, }, }, - }}, + }, + }, }, }, }, @@ -3508,7 +3511,8 @@ func TestDAGInsertGatewayAPI(t *testing.T) { }}, }, }, - }}, + }, + }, }, }, }, @@ -4991,7 +4995,6 @@ func TestDAGInsertGatewayAPI(t *testing.T) { Name: "tcp.projectcontour.io", }, TCPProxy: &TCPProxy{ - Clusters: clustersWeight( weightedService(kuardService, 1), weightedService(kuardService2, 2), @@ -5039,7 +5042,6 @@ func TestDAGInsertGatewayAPI(t *testing.T) { Name: "tcp.projectcontour.io", }, TCPProxy: &TCPProxy{ - Clusters: clustersWeight( weightedService(kuardService, 1), weightedService(kuardService2, 0), @@ -5087,7 +5089,6 @@ func TestDAGInsertGatewayAPI(t *testing.T) { Name: "tcp.projectcontour.io", }, TCPProxy: &TCPProxy{ - Clusters: clustersWeight( weightedService(kuardService, 1), weightedService(kuardService2, 1), @@ -5509,7 +5510,6 @@ func TestDAGInsertGatewayAPI(t *testing.T) { }, }, { - // Second instance of filter should be ignored. Type: gatewayapi_v1alpha2.GRPCRouteFilterRequestHeaderModifier, RequestHeaderModifier: &gatewayapi_v1alpha2.HTTPHeaderFilter{ @@ -5662,7 +5662,8 @@ func TestDAGInsertGatewayAPI(t *testing.T) { }, }, }}, - }}, + }, + }, }, }, }, @@ -5725,7 +5726,8 @@ func TestDAGInsertGatewayAPI(t *testing.T) { }}, }, }, - }}, + }, + }, }, }, }, @@ -5891,7 +5893,6 @@ func TestDAGInsertGatewayAPI(t *testing.T) { for name, tc := range tests { t.Run(name, func(t *testing.T) { - builder := Builder{ Source: KubernetesCache{ gatewayclass: tc.gatewayclass, @@ -6432,11 +6433,16 @@ func TestDAGInsert(t *testing.T) { }, Spec: networking_v1.IngressSpec{ Rules: []networking_v1.IngressRule{{ - IngressRuleValue: networking_v1.IngressRuleValue{HTTP: &networking_v1.HTTPIngressRuleValue{ - Paths: []networking_v1.HTTPIngressPath{{Path: "/", - Backend: *backendv1("kuard", intstr.FromString("http")), - }}}, - }}}}, + IngressRuleValue: networking_v1.IngressRuleValue{ + HTTP: &networking_v1.HTTPIngressRuleValue{ + Paths: []networking_v1.HTTPIngressPath{{ + Path: "/", + Backend: *backendv1("kuard", intstr.FromString("http")), + }}, + }, + }, + }}, + }, } i12dV1 := &networking_v1.Ingress{ @@ -6493,11 +6499,16 @@ func TestDAGInsert(t *testing.T) { }, Spec: networking_v1.IngressSpec{ Rules: []networking_v1.IngressRule{{ - IngressRuleValue: networking_v1.IngressRuleValue{HTTP: &networking_v1.HTTPIngressRuleValue{ - Paths: []networking_v1.HTTPIngressPath{{Path: "/", - Backend: *backendv1("kuard", intstr.FromString("http")), - }}}, - }}}}, + IngressRuleValue: networking_v1.IngressRuleValue{ + HTTP: &networking_v1.HTTPIngressRuleValue{ + Paths: []networking_v1.HTTPIngressPath{{ + Path: "/", + Backend: *backendv1("kuard", intstr.FromString("http")), + }}, + }, + }, + }}, + }, } // i13_v1 a and b are a pair of ingressesv1 for the same vhost @@ -11912,18 +11923,19 @@ func TestDAGInsert(t *testing.T) { ), &Route{ PathMatchCondition: prefixString("/blog/infotech"), - Clusters: []*Cluster{{ - Upstream: &Service{ - Weighted: WeightedService{ - Weight: 1, - ServiceName: s4.Name, - ServiceNamespace: s4.Namespace, - ServicePort: s4.Spec.Ports[0], - HealthPort: s4.Spec.Ports[0], + Clusters: []*Cluster{ + { + Upstream: &Service{ + Weighted: WeightedService{ + Weight: 1, + ServiceName: s4.Name, + ServiceNamespace: s4.Namespace, + ServicePort: s4.Spec.Ports[0], + HealthPort: s4.Spec.Ports[0], + }, }, }, }, - }, }, ), ), @@ -12851,34 +12863,35 @@ func TestDAGInsert(t *testing.T) { VirtualHost: &contour_api_v1.VirtualHost{ Fqdn: "projectcontour.io", }, - Routes: []contour_api_v1.Route{{ - Conditions: []contour_api_v1.MatchCondition{{ - Prefix: "/", - }}, - Services: []contour_api_v1.Service{{ - Name: s1.Name, - Port: 8080, - }}, - }, { - Conditions: []contour_api_v1.MatchCondition{{ - Prefix: "/direct", - }}, - DirectResponsePolicy: &contour_api_v1.HTTPDirectResponsePolicy{ - StatusCode: 404, - Body: "page not found", - }, - }, { - Conditions: []contour_api_v1.MatchCondition{{ - Prefix: "/redirect", - }}, - RequestRedirectPolicy: &contour_api_v1.HTTPRequestRedirectPolicy{ - Scheme: ref.To("https"), - Hostname: ref.To("envoyproxy.io"), - Port: ref.To(int32(443)), - StatusCode: ref.To(301), + Routes: []contour_api_v1.Route{ + { + Conditions: []contour_api_v1.MatchCondition{{ + Prefix: "/", + }}, + Services: []contour_api_v1.Service{{ + Name: s1.Name, + Port: 8080, + }}, + }, { + Conditions: []contour_api_v1.MatchCondition{{ + Prefix: "/direct", + }}, + DirectResponsePolicy: &contour_api_v1.HTTPDirectResponsePolicy{ + StatusCode: 404, + Body: "page not found", + }, + }, { + Conditions: []contour_api_v1.MatchCondition{{ + Prefix: "/redirect", + }}, + RequestRedirectPolicy: &contour_api_v1.HTTPRequestRedirectPolicy{ + Scheme: ref.To("https"), + Hostname: ref.To("envoyproxy.io"), + Port: ref.To(int32(443)), + StatusCode: ref.To(301), + }, }, }, - }, }, }, }, @@ -15140,7 +15153,6 @@ func TestGatewayWithHTTPProxyAndIngress(t *testing.T) { } func backendv1(name string, port intstr.IntOrString) *networking_v1.IngressBackend { - var v1port networking_v1.ServiceBackendPort switch port.Type { @@ -15495,17 +15507,20 @@ func TestHTTPProxyConficts(t *testing.T) { VirtualHost: &contour_api_v1.VirtualHost{ Fqdn: "example.com", }, - Routes: []contour_api_v1.Route{{ - Conditions: []contour_api_v1.MatchCondition{{Prefix: "/"}}, - Services: []contour_api_v1.Service{{ - Name: "missing-service", - Port: 8080, - }}}, { - Conditions: []contour_api_v1.MatchCondition{{Prefix: "/valid"}}, - Services: []contour_api_v1.Service{{ - Name: "existing-service-1", - Port: 8080, - }}}, + Routes: []contour_api_v1.Route{ + { + Conditions: []contour_api_v1.MatchCondition{{Prefix: "/"}}, + Services: []contour_api_v1.Service{{ + Name: "missing-service", + Port: 8080, + }}, + }, { + Conditions: []contour_api_v1.MatchCondition{{Prefix: "/valid"}}, + Services: []contour_api_v1.Service{{ + Name: "existing-service-1", + Port: 8080, + }}, + }, }, }, }, @@ -15539,21 +15554,23 @@ func TestHTTPProxyConficts(t *testing.T) { VirtualHost: &contour_api_v1.VirtualHost{ Fqdn: "example.com", }, - Routes: []contour_api_v1.Route{{ - Conditions: []contour_api_v1.MatchCondition{{Prefix: "/"}}, - Services: []contour_api_v1.Service{{ - Name: "missing-service", - Port: 8080, - Weight: 50, - }, { - Name: "existing-service-1", - Port: 8080, - Weight: 30, - }, { - Name: "existing-service-2", - Port: 8080, - Weight: 20, - }}}, + Routes: []contour_api_v1.Route{ + { + Conditions: []contour_api_v1.MatchCondition{{Prefix: "/"}}, + Services: []contour_api_v1.Service{{ + Name: "missing-service", + Port: 8080, + Weight: 50, + }, { + Name: "existing-service-1", + Port: 8080, + Weight: 30, + }, { + Name: "existing-service-2", + Port: 8080, + Weight: 20, + }}, + }, }, }, }, @@ -15677,7 +15694,8 @@ func TestHTTPProxyConficts(t *testing.T) { }}, }}, }, - }}, + }, + }, wantListeners: listeners( &Listener{ Name: HTTP_LISTENER_NAME, @@ -15834,86 +15852,87 @@ func TestDefaultHeadersPolicies(t *testing.T) { httpProxyReqHp *HeadersPolicy httpProxyRespHp *HeadersPolicy wantErr error - }{{ - name: "empty is fine", - }, { - name: "ingressv1: insert ingress w/ single unnamed backend", - objs: []any{ - i2V1, - s1, - }, - want: listeners( - &Listener{ - Name: HTTP_LISTENER_NAME, - Port: 8080, - VirtualHosts: virtualhosts( - virtualhost("*", &Route{ - PathMatchCondition: prefixString("/"), - Clusters: clusterHeadersUnweighted(map[string]string{"Custom-Header-Set": "foo-bar"}, nil, []string{"K-Nada"}, "", service(s1)), - }, - ), - ), + }{ + { + name: "empty is fine", + }, { + name: "ingressv1: insert ingress w/ single unnamed backend", + objs: []any{ + i2V1, + s1, }, - ), - ingressReqHp: &HeadersPolicy{ - // Add not currently siupported - // Add: map[string]string{ - // "Custom-Header-Add": "foo-bar", - // }, - Set: map[string]string{ - "Custom-Header-Set": "foo-bar", - }, - Remove: []string{"K-Nada"}, - }, - ingressRespHp: &HeadersPolicy{ - // Add not currently siupported - // Add: map[string]string{ - // "Custom-Header-Add": "foo-bar", - // }, - Set: map[string]string{ - "Custom-Header-Set": "foo-bar", - }, - Remove: []string{"K-Nada"}, - }, - }, { - name: "insert httpproxy referencing two backends", - objs: []any{ - proxyMultipleBackends, s1, s2, - }, - want: listeners( - &Listener{ - Name: HTTP_LISTENER_NAME, - Port: 8080, - VirtualHosts: virtualhosts( - virtualhost("example.com", &Route{ - PathMatchCondition: prefixString("/"), - Clusters: clusterHeadersUnweighted(map[string]string{"Custom-Header-Set": "foo-bar"}, nil, []string{"K-Nada"}, "", service(s1), service(s2)), - }, + want: listeners( + &Listener{ + Name: HTTP_LISTENER_NAME, + Port: 8080, + VirtualHosts: virtualhosts( + virtualhost("*", &Route{ + PathMatchCondition: prefixString("/"), + Clusters: clusterHeadersUnweighted(map[string]string{"Custom-Header-Set": "foo-bar"}, nil, []string{"K-Nada"}, "", service(s1)), + }, + ), ), - ), + }, + ), + ingressReqHp: &HeadersPolicy{ + // Add not currently siupported + // Add: map[string]string{ + // "Custom-Header-Add": "foo-bar", + // }, + Set: map[string]string{ + "Custom-Header-Set": "foo-bar", + }, + Remove: []string{"K-Nada"}, }, - ), - httpProxyReqHp: &HeadersPolicy{ - // Add not currently siupported - // Add: map[string]string{ - // "Custom-Header-Add": "foo-bar", - // }, - Set: map[string]string{ - "Custom-Header-Set": "foo-bar", + ingressRespHp: &HeadersPolicy{ + // Add not currently siupported + // Add: map[string]string{ + // "Custom-Header-Add": "foo-bar", + // }, + Set: map[string]string{ + "Custom-Header-Set": "foo-bar", + }, + Remove: []string{"K-Nada"}, }, - Remove: []string{"K-Nada"}, - }, - httpProxyRespHp: &HeadersPolicy{ - // Add not currently siupported - // Add: map[string]string{ - // "Custom-Header-Add": "foo-bar", - // }, - Set: map[string]string{ - "Custom-Header-Set": "foo-bar", + }, { + name: "insert httpproxy referencing two backends", + objs: []any{ + proxyMultipleBackends, s1, s2, + }, + want: listeners( + &Listener{ + Name: HTTP_LISTENER_NAME, + Port: 8080, + VirtualHosts: virtualhosts( + virtualhost("example.com", &Route{ + PathMatchCondition: prefixString("/"), + Clusters: clusterHeadersUnweighted(map[string]string{"Custom-Header-Set": "foo-bar"}, nil, []string{"K-Nada"}, "", service(s1), service(s2)), + }, + ), + ), + }, + ), + httpProxyReqHp: &HeadersPolicy{ + // Add not currently siupported + // Add: map[string]string{ + // "Custom-Header-Add": "foo-bar", + // }, + Set: map[string]string{ + "Custom-Header-Set": "foo-bar", + }, + Remove: []string{"K-Nada"}, + }, + httpProxyRespHp: &HeadersPolicy{ + // Add not currently siupported + // Add: map[string]string{ + // "Custom-Header-Add": "foo-bar", + // }, + Set: map[string]string{ + "Custom-Header-Set": "foo-bar", + }, + Remove: []string{"K-Nada"}, }, - Remove: []string{"K-Nada"}, }, - }, } for _, tc := range tests { @@ -16026,7 +16045,7 @@ func exactrouteGRPCRoute(path string, first *Service, rest ...*Service) *Route { return exactrouteHTTPRoute(path, first, rest...) } -func routeProtocol(prefix string, protocol string, first *Service, rest ...*Service) *Route { +func routeProtocol(prefix, protocol string, first *Service, rest ...*Service) *Route { services := append([]*Service{first}, rest...) cs := clusters(services...) @@ -16085,7 +16104,7 @@ func routeHeaders(prefix string, requestSet map[string]string, requestRemove []s return r } -func clusterHeaders(requestSet map[string]string, requestAdd map[string]string, requestRemove []string, hostRewrite string, responseSet map[string]string, responseAdd map[string]string, responseRemove []string, services ...*Service) (c []*Cluster) { +func clusterHeaders(requestSet, requestAdd map[string]string, requestRemove []string, hostRewrite string, responseSet, responseAdd map[string]string, responseRemove []string, services ...*Service) (c []*Cluster) { var requestHeadersPolicy *HeadersPolicy if requestSet != nil || requestAdd != nil || requestRemove != nil || hostRewrite != "" { requestHeadersPolicy = &HeadersPolicy{ @@ -16115,7 +16134,7 @@ func clusterHeaders(requestSet map[string]string, requestAdd map[string]string, return c } -func clusterHeadersUnweighted(headersSet map[string]string, headersAdd map[string]string, headersRemove []string, hostRewrite string, services ...*Service) (c []*Cluster) { +func clusterHeadersUnweighted(headersSet, headersAdd map[string]string, headersRemove []string, hostRewrite string, services ...*Service) (c []*Cluster) { for _, s := range services { c = append(c, &Cluster{ Upstream: s, @@ -16310,6 +16329,7 @@ func listeners(ls ...*Listener) []*Listener { func prefixString(prefix string) MatchCondition { return &PrefixMatchCondition{Prefix: prefix, PrefixMatchType: PrefixMatchString} } + func prefixSegment(prefix string) MatchCondition { return &PrefixMatchCondition{Prefix: prefix, PrefixMatchType: PrefixMatchSegment} } diff --git a/internal/dag/cache_test.go b/internal/dag/cache_test.go index b29ac815756..61f6cf74741 100644 --- a/internal/dag/cache_test.go +++ b/internal/dag/cache_test.go @@ -720,7 +720,8 @@ func TestKubernetesCacheInsert(t *testing.T) { TypeMeta: metav1.TypeMeta{}, ObjectMeta: metav1.ObjectMeta{ Name: "tlsroute", - Namespace: "default"}, + Namespace: "default", + }, Spec: gatewayapi_v1alpha2.TLSRouteSpec{ CommonRouteSpec: gatewayapi_v1alpha2.CommonRouteSpec{ ParentRefs: []gatewayapi_v1alpha2.ParentReference{ @@ -748,7 +749,8 @@ func TestKubernetesCacheInsert(t *testing.T) { TypeMeta: metav1.TypeMeta{}, ObjectMeta: metav1.ObjectMeta{ Name: "tlsroute", - Namespace: "tlsroute"}, + Namespace: "tlsroute", + }, Spec: gatewayapi_v1alpha2.TLSRouteSpec{ CommonRouteSpec: gatewayapi_v1alpha2.CommonRouteSpec{ ParentRefs: []gatewayapi_v1alpha2.ParentReference{ @@ -776,7 +778,8 @@ func TestKubernetesCacheInsert(t *testing.T) { TypeMeta: metav1.TypeMeta{}, ObjectMeta: metav1.ObjectMeta{ Name: "tlsroute", - Namespace: "default"}, + Namespace: "default", + }, Spec: gatewayapi_v1alpha2.TLSRouteSpec{ CommonRouteSpec: gatewayapi_v1alpha2.CommonRouteSpec{ ParentRefs: []gatewayapi_v1alpha2.ParentReference{ @@ -1125,7 +1128,8 @@ func TestKubernetesCacheInsert(t *testing.T) { cache := KubernetesCache{ ConfiguredGatewayToCache: tc.cacheGateway, ConfiguredSecretRefs: []*types.NamespacedName{ - {Name: "secretReferredByConfigFile", Namespace: "default"}}, + {Name: "secretReferredByConfigFile", Namespace: "default"}, + }, FieldLogger: fixture.NewTestLogger(t), Client: new(fakeReader), } @@ -1218,7 +1222,8 @@ func TestKubernetesCacheRemove(t *testing.T) { TypeMeta: metav1.TypeMeta{}, ObjectMeta: metav1.ObjectMeta{ Name: "tlsroute", - Namespace: "default"}, + Namespace: "default", + }, Spec: gatewayapi_v1alpha2.TLSRouteSpec{ CommonRouteSpec: gatewayapi_v1alpha2.CommonRouteSpec{ ParentRefs: []gatewayapi_v1alpha2.ParentReference{ @@ -1252,7 +1257,8 @@ func TestKubernetesCacheRemove(t *testing.T) { TypeMeta: metav1.TypeMeta{}, ObjectMeta: metav1.ObjectMeta{ Name: "tlsroute", - Namespace: "default"}, + Namespace: "default", + }, Spec: gatewayapi_v1alpha2.TLSRouteSpec{ CommonRouteSpec: gatewayapi_v1alpha2.CommonRouteSpec{ ParentRefs: []gatewayapi_v1alpha2.ParentReference{ @@ -1410,7 +1416,8 @@ func TestKubernetesCacheRemove(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "Gateway", Namespace: "default", - }}, + }, + }, &gatewayapi_v1beta1.HTTPRoute{ ObjectMeta: metav1.ObjectMeta{ Name: "httproute", @@ -1431,7 +1438,8 @@ func TestKubernetesCacheRemove(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "gateway", Namespace: "default", - }}, + }, + }, &gatewayapi_v1beta1.HTTPRoute{ ObjectMeta: metav1.ObjectMeta{ Name: "httproute", @@ -1466,7 +1474,8 @@ func TestKubernetesCacheRemove(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "Gateway", Namespace: "default", - }}, + }, + }, &gatewayapi_v1alpha2.TLSRoute{ ObjectMeta: metav1.ObjectMeta{ Name: "tlsroute", @@ -1486,7 +1495,8 @@ func TestKubernetesCacheRemove(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "gateway", Namespace: "default", - }}, + }, + }, &gatewayapi_v1alpha2.TLSRoute{ ObjectMeta: metav1.ObjectMeta{ Name: "tlsroute", @@ -1521,7 +1531,8 @@ func TestKubernetesCacheRemove(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "Gateway", Namespace: "default", - }}, + }, + }, &gatewayapi_v1alpha2.GRPCRoute{ ObjectMeta: metav1.ObjectMeta{ Name: "grpcroute", @@ -1541,7 +1552,8 @@ func TestKubernetesCacheRemove(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "gateway", Namespace: "default", - }}, + }, + }, &gatewayapi_v1alpha2.GRPCRoute{ ObjectMeta: metav1.ObjectMeta{ Name: "grpcroute", @@ -1576,7 +1588,8 @@ func TestKubernetesCacheRemove(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "Gateway", Namespace: "default", - }}, + }, + }, &gatewayapi_v1alpha2.TCPRoute{ ObjectMeta: metav1.ObjectMeta{ Name: "tcproute", @@ -1596,7 +1609,8 @@ func TestKubernetesCacheRemove(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "gateway", Namespace: "default", - }}, + }, + }, &gatewayapi_v1alpha2.TCPRoute{ ObjectMeta: metav1.ObjectMeta{ Name: "tcproute", @@ -1846,7 +1860,6 @@ func TestLookupService(t *testing.T) { } func TestServiceTriggersRebuild(t *testing.T) { - cache := func(objs ...any) *KubernetesCache { cache := KubernetesCache{ FieldLogger: fixture.NewTestLogger(t), @@ -2184,7 +2197,6 @@ func TestServiceTriggersRebuild(t *testing.T) { } func TestSecretTriggersRebuild(t *testing.T) { - secret := func(namespace, name string) *v1.Secret { return &v1.Secret{ ObjectMeta: metav1.ObjectMeta{ @@ -2221,7 +2233,7 @@ func TestSecretTriggersRebuild(t *testing.T) { } } - ingress := func(namespace, name, secretName string, secretNamespace string) *networking_v1.Ingress { + ingress := func(namespace, name, secretName, secretNamespace string) *networking_v1.Ingress { i := &networking_v1.Ingress{ ObjectMeta: metav1.ObjectMeta{ Name: name, @@ -2484,7 +2496,6 @@ func TestSecretTriggersRebuild(t *testing.T) { } func TestRouteTriggersRebuild(t *testing.T) { - cache := func(objs ...any) *KubernetesCache { cache := KubernetesCache{ FieldLogger: fixture.NewTestLogger(t), diff --git a/internal/dag/conditions_test.go b/internal/dag/conditions_test.go index cc4a586349b..d9c9231959f 100644 --- a/internal/dag/conditions_test.go +++ b/internal/dag/conditions_test.go @@ -105,12 +105,14 @@ func TestPathMatchCondition(t *testing.T) { want: &ExactMatchCondition{Path: "/a/"}, }, "trailing slash on second prefix condition": { - matchconditions: []contour_api_v1.MatchCondition{{ - Prefix: "/a", - }, + matchconditions: []contour_api_v1.MatchCondition{ + { + Prefix: "/a", + }, { Prefix: "/b/", - }}, + }, + }, want: &PrefixMatchCondition{Prefix: "/a/b/"}, }, "nothing but slashes prefix": { @@ -120,14 +122,16 @@ func TestPathMatchCondition(t *testing.T) { }, { Prefix: "/", - }}, + }, + }, want: &PrefixMatchCondition{Prefix: "/"}, }, "nothing but slashes one exact": { matchconditions: []contour_api_v1.MatchCondition{ { Exact: "///", - }}, + }, + }, want: &ExactMatchCondition{Path: "/"}, }, "nothing but slashes mixed": { @@ -137,7 +141,8 @@ func TestPathMatchCondition(t *testing.T) { }, { Exact: "/", - }}, + }, + }, want: &ExactMatchCondition{Path: "/"}, }, "regex": { diff --git a/internal/dag/dag_test.go b/internal/dag/dag_test.go index 55f00e01773..f57a931d846 100644 --- a/internal/dag/dag_test.go +++ b/internal/dag/dag_test.go @@ -23,7 +23,6 @@ import ( ) func TestVirtualHostValid(t *testing.T) { - vh := VirtualHost{} assert.False(t, vh.Valid()) @@ -36,7 +35,6 @@ func TestVirtualHostValid(t *testing.T) { } func TestSecureVirtualHostValid(t *testing.T) { - vh := SecureVirtualHost{} assert.False(t, vh.Valid()) @@ -232,5 +230,4 @@ func TestServiceClusterRebalance(t *testing.T) { assert.Equal(t, c.want, s) }) } - } diff --git a/internal/dag/gatewayapi_processor.go b/internal/dag/gatewayapi_processor.go index 3b685bdc438..eeeb4bfb579 100644 --- a/internal/dag/gatewayapi_processor.go +++ b/internal/dag/gatewayapi_processor.go @@ -309,7 +309,6 @@ func (p *GatewayAPIProcessor) getListenersForRouteParentRef( attachedRoutes map[string]int, routeParentStatusAccessor *status.RouteParentStatusUpdate, ) []*listenerInfo { - // Find the set of valid listeners that are relevant given this // parent ref (either all of them, if the ref is to the entire // gateway, or one of them, if the ref is to a specific listener, @@ -434,7 +433,6 @@ func (p *GatewayAPIProcessor) computeListener( gwAccessor *status.GatewayStatusUpdate, validateListenersResult gatewayapi.ValidateListenersResult, ) *listenerInfo { - info := &listenerInfo{ listener: listener, dagListenerName: validateListenersResult.ListenerNames[string(listener.Name)], @@ -613,7 +611,6 @@ func (p *GatewayAPIProcessor) computeListener( info.tlsSecret = listenerSecret info.ready = true return info - } // getListenerRouteKinds gets a list of the valid route kinds that @@ -926,7 +923,6 @@ func (p *GatewayAPIProcessor) namespaceMatches(namespaces *gatewayapi_v1beta1.Ro case gatewayapi_v1.NamespacesFromSelector: // Look up the route's namespace in the list of cached namespaces. if ns := p.source.namespaces[routeNamespace]; ns != nil { - // Check that the route's namespace is included in the Gateway's // namespace selector. return namespaceSelector.Matches(labels.Set(ns.Labels)) @@ -1142,12 +1138,13 @@ func parseHTTPRouteTimeouts(httpRouteTimeouts *gatewayapi_v1.HTTPRouteTimeouts) ResponseTimeout: requestTimeout, }, nil } + func (p *GatewayAPIProcessor) computeHTTPRouteForListener( route *gatewayapi_v1beta1.HTTPRoute, routeAccessor *status.RouteParentStatusUpdate, listener *listenerInfo, - hosts sets.Set[string]) { - + hosts sets.Set[string], +) { for ruleIndex, rule := range route.Spec.Rules { // Get match conditions for the rule. var matchconditions []*matchConditions @@ -1764,8 +1761,8 @@ func (p *GatewayAPIProcessor) validateBackendObjectRef( backendObjectRef gatewayapi_v1beta1.BackendObjectReference, field string, routeKind string, - routeNamespace string) (*Service, *metav1.Condition) { - + routeNamespace string, +) (*Service, *metav1.Condition) { if !(backendObjectRef.Group == nil || *backendObjectRef.Group == "") { return nil, ref.To(resolvedRefsFalse(gatewayapi_v1beta1.RouteReasonInvalidKind, fmt.Sprintf("%s.Group must be \"\"", field))) } @@ -2147,7 +2144,6 @@ func (p *GatewayAPIProcessor) clusterRoutes( pathRewritePolicy *PathRewritePolicy, timeoutPolicy *RouteTimeoutPolicy, ) []*Route { - var routes []*Route // Per Gateway API: "Each match is independent, diff --git a/internal/dag/gatewayapi_processor_test.go b/internal/dag/gatewayapi_processor_test.go index a1cd47da0cb..2fe5db99e11 100644 --- a/internal/dag/gatewayapi_processor_test.go +++ b/internal/dag/gatewayapi_processor_test.go @@ -232,7 +232,6 @@ func TestComputeHosts(t *testing.T) { for name, tc := range tests { t.Run(name, func(t *testing.T) { - processor := &GatewayAPIProcessor{ FieldLogger: fixture.NewTestLogger(t), } @@ -389,7 +388,6 @@ func TestNamespaceMatches(t *testing.T) { for name, tc := range tests { t.Run(name, func(t *testing.T) { - processor := &GatewayAPIProcessor{ FieldLogger: fixture.NewTestLogger(t), source: &KubernetesCache{ @@ -738,7 +736,6 @@ func TestGetListenersForRouteParentRef(t *testing.T) { for name, tc := range tests { t.Run(name, func(t *testing.T) { - processor := &GatewayAPIProcessor{ FieldLogger: fixture.NewTestLogger(t), source: &KubernetesCache{ diff --git a/internal/dag/httpproxy_processor.go b/internal/dag/httpproxy_processor.go index 29278ea5328..f6a43c57a93 100644 --- a/internal/dag/httpproxy_processor.go +++ b/internal/dag/httpproxy_processor.go @@ -42,7 +42,6 @@ const defaultMaxRequestBytes uint32 = 1024 func defaultExtensionRef(ref contour_api_v1.ExtensionServiceReference) contour_api_v1.ExtensionServiceReference { if ref.APIVersion == "" { ref.APIVersion = contour_api_v1alpha1.GroupVersion.String() - } return ref @@ -1365,7 +1364,7 @@ func (p *HTTPProxyProcessor) computeVirtualHostAuthorization(auth *contour_api_v } if auth.WithRequestBody != nil { - var maxRequestBytes = defaultMaxRequestBytes + maxRequestBytes := defaultMaxRequestBytes if auth.WithRequestBody.MaxRequestBytes != 0 { maxRequestBytes = auth.WithRequestBody.MaxRequestBytes } @@ -1602,8 +1601,7 @@ func getProtocol(service contour_api_v1.Service, s *Service) (string, error) { // determineSNI decides what the SNI should be on the request. It is configured via RequestHeadersPolicy.Host key. // Policies set on service are used before policies set on a route. Otherwise the value of the externalService // is used if the route is configured to proxy to an externalService type. -func determineSNI(routeRequestHeaders *HeadersPolicy, clusterRequestHeaders *HeadersPolicy, service *Service) string { - +func determineSNI(routeRequestHeaders, clusterRequestHeaders *HeadersPolicy, service *Service) string { // Service RequestHeadersPolicy take precedence if clusterRequestHeaders != nil { if clusterRequestHeaders.HostRewrite != "" { diff --git a/internal/dag/httpproxy_processor_test.go b/internal/dag/httpproxy_processor_test.go index af345290514..a9e7cf66783 100644 --- a/internal/dag/httpproxy_processor_test.go +++ b/internal/dag/httpproxy_processor_test.go @@ -294,7 +294,6 @@ func TestToCORSPolicy(t *testing.T) { require.Equal(t, tc.want, got) }) } - } func TestSlowStart(t *testing.T) { diff --git a/internal/dag/ingress_processor.go b/internal/dag/ingress_processor.go index c15a1d8ae4c..efee9e4ef83 100644 --- a/internal/dag/ingress_processor.go +++ b/internal/dag/ingress_processor.go @@ -267,7 +267,7 @@ func (p *IngressProcessor) computeIngressRule(ing *networking_v1.Ingress, rule n } // route builds a dag.Route for the supplied Ingress. -func (p *IngressProcessor) route(ingress *networking_v1.Ingress, host string, path string, pathType networking_v1.PathType, service *Service, clientCertSecret *Secret, serviceName string, servicePort int32, log logrus.FieldLogger) (*Route, error) { +func (p *IngressProcessor) route(ingress *networking_v1.Ingress, host, path string, pathType networking_v1.PathType, service *Service, clientCertSecret *Secret, serviceName string, servicePort int32, log logrus.FieldLogger) (*Route, error) { log = log.WithFields(logrus.Fields{ "name": ingress.Name, "namespace": ingress.Namespace, diff --git a/internal/dag/policy.go b/internal/dag/policy.go index 4c237b96a5f..a03d4f2fea9 100644 --- a/internal/dag/policy.go +++ b/internal/dag/policy.go @@ -340,7 +340,7 @@ func escapeHeaderValue(value string, dynamicHeaders map[string]string) string { escapedValue = strings.ReplaceAll(escapedValue, "%%"+envoyVar+"%%", "%"+envoyVar+"%") } // REQ(header-name) - var validReqEnvoyVar = regexp.MustCompile(`%(%REQ\(:?[\w-]+(\?:?[\w-]+)?\)(:\d+)?%)%`) + validReqEnvoyVar := regexp.MustCompile(`%(%REQ\(:?[\w-]+(\?:?[\w-]+)?\)(:\d+)?%)%`) escapedValue = validReqEnvoyVar.ReplaceAllString(escapedValue, "$1") return escapedValue } @@ -808,7 +808,6 @@ func loadBalancerRequestHashPolicies(lbp *contour_api_v1.LoadBalancerPolicy, val default: return nil, strategy } - } func serviceCircuitBreakerPolicy(s *Service, cb *contour_api_v1alpha1.GlobalCircuitBreakerDefaults) *Service { diff --git a/internal/dag/policy_test.go b/internal/dag/policy_test.go index f1c5992e097..667a716efb2 100644 --- a/internal/dag/policy_test.go +++ b/internal/dag/policy_test.go @@ -282,7 +282,6 @@ func TestTimeoutPolicy(t *testing.T) { assert.Equal(t, tc.wantClusterTimeoutPolicy, gotClusterTimeoutPolicy) require.NoError(t, gotErr) } - }) } } diff --git a/internal/dag/secret_test.go b/internal/dag/secret_test.go index f2b1c24a477..9b38c65ebe4 100644 --- a/internal/dag/secret_test.go +++ b/internal/dag/secret_test.go @@ -286,9 +286,11 @@ func pemBundle(cert ...string) string { return data } + func makeTLSSecret(data map[string][]byte) *v1.Secret { return &v1.Secret{Type: v1.SecretTypeTLS, Data: data} } + func makeOpaqueSecret(data map[string][]byte) *v1.Secret { return &v1.Secret{Type: v1.SecretTypeOpaque, Data: data} } diff --git a/internal/dag/status.go b/internal/dag/status.go index 7649ded33c8..5098dc9c0db 100644 --- a/internal/dag/status.go +++ b/internal/dag/status.go @@ -78,6 +78,7 @@ func (sw *StatusWriter) commit(osw *ObjectStatusWriter) { } } } + func (osw *ObjectStatusWriter) WithValue(key, val string) *ObjectStatusWriter { osw.values[key] = val return osw diff --git a/internal/dag/status_test.go b/internal/dag/status_test.go index 659da1a04cb..13d55b31540 100644 --- a/internal/dag/status_test.go +++ b/internal/dag/status_test.go @@ -38,7 +38,6 @@ import ( ) func TestDAGStatus(t *testing.T) { - type testcase struct { objs []any fallbackCertificate *types.NamespacedName @@ -1310,11 +1309,15 @@ func TestDAGStatus(t *testing.T) { run(t, "duplicate include condition headers", testcase{ objs: []any{proxyInvalidDuplicateIncludeCondtionHeaders, proxyValidDelegatedRoots, fixture.ServiceRootsHome}, want: map[types.NamespacedName]contour_api_v1.DetailedCondition{ - {Name: proxyInvalidDuplicateIncludeCondtionHeaders.Name, - Namespace: proxyInvalidDuplicateIncludeCondtionHeaders.Namespace}: fixture.NewValidCondition(). + { + Name: proxyInvalidDuplicateIncludeCondtionHeaders.Name, + Namespace: proxyInvalidDuplicateIncludeCondtionHeaders.Namespace, + }: fixture.NewValidCondition(). WithGeneration(proxyInvalidDuplicateIncludeCondtionHeaders.Generation).WithError(contour_api_v1.ConditionTypeRouteError, "HeaderMatchConditionsNotValid", "cannot specify duplicate header 'exact match' conditions in the same route"), - {Name: proxyValidDelegatedRoots.Name, - Namespace: proxyValidDelegatedRoots.Namespace}: fixture.NewValidCondition(). + { + Name: proxyValidDelegatedRoots.Name, + Namespace: proxyValidDelegatedRoots.Namespace, + }: fixture.NewValidCondition(). WithGeneration(proxyValidDelegatedRoots.Generation).Orphaned(), }, }) @@ -1733,8 +1736,10 @@ func TestDAGStatus(t *testing.T) { Valid(), // Valid since there is a valid include preceding an invalid one. {Name: proxyValidBlogTeamB.Name, Namespace: proxyValidBlogTeamB.Namespace}: fixture.NewValidCondition(). Orphaned(), // Orphaned because the include pointing to this condition is a duplicate so the route is not programmed. - {Name: proxyInvalidConflictingIncludeConditionsSimple.Name, - Namespace: proxyInvalidConflictingIncludeConditionsSimple.Namespace}: fixture.NewValidCondition(). + { + Name: proxyInvalidConflictingIncludeConditionsSimple.Name, + Namespace: proxyInvalidConflictingIncludeConditionsSimple.Namespace, + }: fixture.NewValidCondition(). WithError(contour_api_v1.ConditionTypeIncludeError, "DuplicateMatchConditions", "duplicate conditions defined on an include"), }, }) @@ -1765,8 +1770,10 @@ func TestDAGStatus(t *testing.T) { Valid(), {Name: proxyValidBlogTeamB.Name, Namespace: proxyValidBlogTeamB.Namespace}: fixture.NewValidCondition(). Valid(), - {Name: proxyIncludeConditionsEmpty.Name, - Namespace: proxyIncludeConditionsEmpty.Namespace}: fixture.NewValidCondition(). + { + Name: proxyIncludeConditionsEmpty.Name, + Namespace: proxyIncludeConditionsEmpty.Namespace, + }: fixture.NewValidCondition(). Valid(), }, }) @@ -1806,8 +1813,10 @@ func TestDAGStatus(t *testing.T) { Valid(), {Name: proxyValidBlogTeamB.Name, Namespace: proxyValidBlogTeamB.Namespace}: fixture.NewValidCondition(). Valid(), - {Name: proxyIncludeConditionsPrefixRoot.Name, - Namespace: proxyIncludeConditionsPrefixRoot.Namespace}: fixture.NewValidCondition(). + { + Name: proxyIncludeConditionsPrefixRoot.Name, + Namespace: proxyIncludeConditionsPrefixRoot.Namespace, + }: fixture.NewValidCondition(). Valid(), }, }) @@ -1859,8 +1868,10 @@ func TestDAGStatus(t *testing.T) { Valid(), // Valid since there is a valid include preceding an invalid one. {Name: proxyValidBlogTeamB.Name, Namespace: proxyValidBlogTeamB.Namespace}: fixture.NewValidCondition(). Valid(), // Valid since there is a valid include preceding an invalid one. - {Name: proxyInvalidConflictingIncludeConditions.Name, - Namespace: proxyInvalidConflictingIncludeConditions.Namespace}: fixture.NewValidCondition(). + { + Name: proxyInvalidConflictingIncludeConditions.Name, + Namespace: proxyInvalidConflictingIncludeConditions.Namespace, + }: fixture.NewValidCondition(). WithError(contour_api_v1.ConditionTypeIncludeError, "DuplicateMatchConditions", "duplicate conditions defined on an include"), }, }) @@ -1917,14 +1928,20 @@ func TestDAGStatus(t *testing.T) { run(t, "duplicate header conditions on an include", testcase{ objs: []any{proxyInvalidConflictHeaderConditions, proxyValidBlogTeamA, proxyValidBlogTeamB, fixture.ServiceRootsHome, fixture.ServiceTeamAKuard, fixture.ServiceTeamBKuard}, want: map[types.NamespacedName]contour_api_v1.DetailedCondition{ - {Name: proxyValidBlogTeamA.Name, - Namespace: proxyValidBlogTeamA.Namespace}: fixture.NewValidCondition(). - Valid(), // Valid since there is a valid include preceding an invalid one. - {Name: proxyValidBlogTeamB.Name, - Namespace: proxyValidBlogTeamB.Namespace}: fixture.NewValidCondition(). - Valid(), // Valid since there is a valid include preceding an invalid one. - {Name: proxyInvalidConflictHeaderConditions.Name, - Namespace: proxyInvalidConflictHeaderConditions.Namespace}: fixture.NewValidCondition(). + { + Name: proxyValidBlogTeamA.Name, + Namespace: proxyValidBlogTeamA.Namespace, + }: fixture.NewValidCondition(). + Valid(), // Valid since there is a valid include preceding an invalid one. + { + Name: proxyValidBlogTeamB.Name, + Namespace: proxyValidBlogTeamB.Namespace, + }: fixture.NewValidCondition(). + Valid(), // Valid since there is a valid include preceding an invalid one. + { + Name: proxyInvalidConflictHeaderConditions.Name, + Namespace: proxyInvalidConflictHeaderConditions.Namespace, + }: fixture.NewValidCondition(). WithError(contour_api_v1.ConditionTypeIncludeError, "DuplicateMatchConditions", "duplicate conditions defined on an include"), }, }) @@ -1988,14 +2005,20 @@ func TestDAGStatus(t *testing.T) { run(t, "duplicate header conditions on an include mismatched order", testcase{ objs: []any{proxyInvalidDuplicateMultiHeaderConditions, proxyValidBlogTeamA, proxyValidBlogTeamB, fixture.ServiceRootsHome, fixture.ServiceTeamAKuard, fixture.ServiceTeamBKuard}, want: map[types.NamespacedName]contour_api_v1.DetailedCondition{ - {Name: proxyValidBlogTeamA.Name, - Namespace: proxyValidBlogTeamA.Namespace}: fixture.NewValidCondition(). - Valid(), // Valid since there is a valid include preceding an invalid one. - {Name: proxyValidBlogTeamB.Name, - Namespace: proxyValidBlogTeamB.Namespace}: fixture.NewValidCondition(). + { + Name: proxyValidBlogTeamA.Name, + Namespace: proxyValidBlogTeamA.Namespace, + }: fixture.NewValidCondition(). + Valid(), // Valid since there is a valid include preceding an invalid one. + { + Name: proxyValidBlogTeamB.Name, + Namespace: proxyValidBlogTeamB.Namespace, + }: fixture.NewValidCondition(). Orphaned(), - {Name: proxyInvalidDuplicateMultiHeaderConditions.Name, - Namespace: proxyInvalidDuplicateMultiHeaderConditions.Namespace}: fixture.NewValidCondition(). + { + Name: proxyInvalidDuplicateMultiHeaderConditions.Name, + Namespace: proxyInvalidDuplicateMultiHeaderConditions.Namespace, + }: fixture.NewValidCondition(). WithError(contour_api_v1.ConditionTypeIncludeError, "DuplicateMatchConditions", "duplicate conditions defined on an include"), }, }) @@ -2066,14 +2089,20 @@ func TestDAGStatus(t *testing.T) { run(t, "duplicate header conditions on an include with same path", testcase{ objs: []any{proxyInvalidDuplicateIncludeSamePathDiffHeaders, proxyValidBlogTeamA, proxyValidBlogTeamB, fixture.ServiceRootsHome, fixture.ServiceTeamAKuard, fixture.ServiceTeamBKuard}, want: map[types.NamespacedName]contour_api_v1.DetailedCondition{ - {Name: proxyValidBlogTeamA.Name, - Namespace: proxyValidBlogTeamA.Namespace}: fixture.NewValidCondition(). - Valid(), // Valid since there is a valid include preceding an invalid one. - {Name: proxyValidBlogTeamB.Name, - Namespace: proxyValidBlogTeamB.Namespace}: fixture.NewValidCondition(). - Valid(), // Valid since there is a valid include preceding an invalid one. - {Name: proxyInvalidDuplicateMultiHeaderConditions.Name, - Namespace: proxyInvalidDuplicateMultiHeaderConditions.Namespace}: fixture.NewValidCondition(). + { + Name: proxyValidBlogTeamA.Name, + Namespace: proxyValidBlogTeamA.Namespace, + }: fixture.NewValidCondition(). + Valid(), // Valid since there is a valid include preceding an invalid one. + { + Name: proxyValidBlogTeamB.Name, + Namespace: proxyValidBlogTeamB.Namespace, + }: fixture.NewValidCondition(). + Valid(), // Valid since there is a valid include preceding an invalid one. + { + Name: proxyInvalidDuplicateMultiHeaderConditions.Name, + Namespace: proxyInvalidDuplicateMultiHeaderConditions.Namespace, + }: fixture.NewValidCondition(). WithError(contour_api_v1.ConditionTypeIncludeError, "DuplicateMatchConditions", "duplicate conditions defined on an include"), }, }) @@ -2123,14 +2152,20 @@ func TestDAGStatus(t *testing.T) { run(t, "duplicate header+path conditions on an include", testcase{ objs: []any{proxyInvalidDuplicateHeaderAndPathConditions, proxyValidBlogTeamA, proxyValidBlogTeamB, fixture.ServiceRootsHome, fixture.ServiceTeamAKuard, fixture.ServiceTeamBKuard}, want: map[types.NamespacedName]contour_api_v1.DetailedCondition{ - {Name: proxyValidBlogTeamA.Name, - Namespace: proxyValidBlogTeamA.Namespace}: fixture.NewValidCondition(). - Valid(), // Valid since there is a valid include preceding an invalid one. - {Name: proxyValidBlogTeamB.Name, - Namespace: proxyValidBlogTeamB.Namespace}: fixture.NewValidCondition(). + { + Name: proxyValidBlogTeamA.Name, + Namespace: proxyValidBlogTeamA.Namespace, + }: fixture.NewValidCondition(). + Valid(), // Valid since there is a valid include preceding an invalid one. + { + Name: proxyValidBlogTeamB.Name, + Namespace: proxyValidBlogTeamB.Namespace, + }: fixture.NewValidCondition(). Orphaned(), - {Name: proxyInvalidDuplicateHeaderAndPathConditions.Name, - Namespace: proxyInvalidDuplicateHeaderAndPathConditions.Namespace}: fixture.NewValidCondition(). + { + Name: proxyInvalidDuplicateHeaderAndPathConditions.Name, + Namespace: proxyInvalidDuplicateHeaderAndPathConditions.Namespace, + }: fixture.NewValidCondition(). WithError(contour_api_v1.ConditionTypeIncludeError, "DuplicateMatchConditions", "duplicate conditions defined on an include"), }, }) @@ -2215,15 +2250,21 @@ func TestDAGStatus(t *testing.T) { run(t, "duplicate query param conditions on an include", testcase{ objs: []any{proxyInvalidConflictQueryConditions, proxyValidBlogTeamA, proxyValidBlogTeamB, fixture.ServiceRootsHome, fixture.ServiceTeamAKuard, fixture.ServiceTeamBKuard}, want: map[types.NamespacedName]contour_api_v1.DetailedCondition{ - {Name: proxyInvalidConflictQueryConditions.Name, - Namespace: proxyInvalidConflictQueryConditions.Namespace}: fixture.NewValidCondition(). + { + Name: proxyInvalidConflictQueryConditions.Name, + Namespace: proxyInvalidConflictQueryConditions.Namespace, + }: fixture.NewValidCondition(). WithError(contour_api_v1.ConditionTypeIncludeError, "DuplicateMatchConditions", "duplicate conditions defined on an include"), - {Name: proxyValidBlogTeamA.Name, - Namespace: proxyValidBlogTeamA.Namespace}: fixture.NewValidCondition(). - Valid(), // Valid since there is a valid include preceding an invalid one. - {Name: proxyValidBlogTeamB.Name, - Namespace: proxyValidBlogTeamB.Namespace}: fixture.NewValidCondition(). - Valid(), // Valid since there is a valid include preceding an invalid one. + { + Name: proxyValidBlogTeamA.Name, + Namespace: proxyValidBlogTeamA.Namespace, + }: fixture.NewValidCondition(). + Valid(), // Valid since there is a valid include preceding an invalid one. + { + Name: proxyValidBlogTeamB.Name, + Namespace: proxyValidBlogTeamB.Namespace, + }: fixture.NewValidCondition(). + Valid(), // Valid since there is a valid include preceding an invalid one. }, }) @@ -2285,15 +2326,21 @@ func TestDAGStatus(t *testing.T) { run(t, "duplicate query param+header conditions on an include", testcase{ objs: []any{proxyInvalidConflictQueryHeaderConditions, proxyValidBlogTeamA, proxyValidBlogTeamB, fixture.ServiceRootsHome, fixture.ServiceTeamAKuard, fixture.ServiceTeamBKuard}, want: map[types.NamespacedName]contour_api_v1.DetailedCondition{ - {Name: proxyInvalidConflictQueryHeaderConditions.Name, - Namespace: proxyInvalidConflictQueryHeaderConditions.Namespace}: fixture.NewValidCondition(). + { + Name: proxyInvalidConflictQueryHeaderConditions.Name, + Namespace: proxyInvalidConflictQueryHeaderConditions.Namespace, + }: fixture.NewValidCondition(). WithError(contour_api_v1.ConditionTypeIncludeError, "DuplicateMatchConditions", "duplicate conditions defined on an include"), - {Name: proxyValidBlogTeamA.Name, - Namespace: proxyValidBlogTeamA.Namespace}: fixture.NewValidCondition(). - Valid(), // Valid since there is a valid include preceding an invalid one. - {Name: proxyValidBlogTeamB.Name, - Namespace: proxyValidBlogTeamB.Namespace}: fixture.NewValidCondition(). - Valid(), // Valid since there is a valid include. + { + Name: proxyValidBlogTeamA.Name, + Namespace: proxyValidBlogTeamA.Namespace, + }: fixture.NewValidCondition(). + Valid(), // Valid since there is a valid include preceding an invalid one. + { + Name: proxyValidBlogTeamB.Name, + Namespace: proxyValidBlogTeamB.Namespace, + }: fixture.NewValidCondition(). + Valid(), // Valid since there is a valid include. }, }) @@ -2345,14 +2392,20 @@ func TestDAGStatus(t *testing.T) { run(t, "query param+header conditions on an include should not be duplicate", testcase{ objs: []any{proxyValidQueryHeaderConditions, proxyValidBlogTeamA, proxyValidBlogTeamB, fixture.ServiceRootsHome, fixture.ServiceTeamAKuard, fixture.ServiceTeamBKuard}, want: map[types.NamespacedName]contour_api_v1.DetailedCondition{ - {Name: proxyValidBlogTeamA.Name, - Namespace: proxyValidBlogTeamA.Namespace}: fixture.NewValidCondition(). + { + Name: proxyValidBlogTeamA.Name, + Namespace: proxyValidBlogTeamA.Namespace, + }: fixture.NewValidCondition(). Valid(), - {Name: proxyValidBlogTeamB.Name, - Namespace: proxyValidBlogTeamB.Namespace}: fixture.NewValidCondition(). + { + Name: proxyValidBlogTeamB.Name, + Namespace: proxyValidBlogTeamB.Namespace, + }: fixture.NewValidCondition(). Valid(), - {Name: proxyValidQueryHeaderConditions.Name, - Namespace: proxyValidQueryHeaderConditions.Namespace}: fixture.NewValidCondition(). + { + Name: proxyValidQueryHeaderConditions.Name, + Namespace: proxyValidQueryHeaderConditions.Namespace, + }: fixture.NewValidCondition(). Valid(), }, }) @@ -2592,20 +2645,28 @@ func TestDAGStatus(t *testing.T) { run(t, "valid HTTPProxy.TCPProxy - plural", testcase{ objs: []any{proxyTCPValidIncludesChild, proxyTCPValidChild, fixture.ServiceRootsKuard, fixture.SecretRootsCert}, want: map[types.NamespacedName]contour_api_v1.DetailedCondition{ - {Name: proxyTCPValidIncludesChild.Name, - Namespace: proxyTCPValidIncludesChild.Namespace}: fixture.NewValidCondition().Valid(), - {Name: proxyTCPValidChild.Name, - Namespace: proxyTCPValidChild.Namespace}: fixture.NewValidCondition().Valid(), + { + Name: proxyTCPValidIncludesChild.Name, + Namespace: proxyTCPValidIncludesChild.Namespace, + }: fixture.NewValidCondition().Valid(), + { + Name: proxyTCPValidChild.Name, + Namespace: proxyTCPValidChild.Namespace, + }: fixture.NewValidCondition().Valid(), }, }) run(t, "valid HTTPProxy.TCPProxy", testcase{ objs: []any{proxyTCPValidIncludeChild, proxyTCPValidChild, fixture.ServiceRootsKuard, fixture.SecretRootsCert}, want: map[types.NamespacedName]contour_api_v1.DetailedCondition{ - {Name: proxyTCPValidIncludeChild.Name, - Namespace: proxyTCPValidIncludeChild.Namespace}: fixture.NewValidCondition().Valid(), - {Name: proxyTCPValidChild.Name, - Namespace: proxyTCPValidChild.Namespace}: fixture.NewValidCondition().Valid(), + { + Name: proxyTCPValidIncludeChild.Name, + Namespace: proxyTCPValidIncludeChild.Namespace, + }: fixture.NewValidCondition().Valid(), + { + Name: proxyTCPValidChild.Name, + Namespace: proxyTCPValidChild.Namespace, + }: fixture.NewValidCondition().Valid(), }, }) @@ -2683,8 +2744,10 @@ func TestDAGStatus(t *testing.T) { }, objs: []any{fallbackCertificate, fallbackCertDelegation, fixture.SecretRootsFallback, fixture.SecretRootsCert, fixture.ServiceRootsHome}, want: map[types.NamespacedName]contour_api_v1.DetailedCondition{ - {Name: fallbackCertificate.Name, - Namespace: fallbackCertificate.Namespace}: fixture.NewValidCondition(). + { + Name: fallbackCertificate.Name, + Namespace: fallbackCertificate.Namespace, + }: fixture.NewValidCondition(). WithError(contour_api_v1.ConditionTypeTLSError, "FallbackNotValid", `Spec.Virtualhost.TLS Secret "non-existing/non-existing" fallback certificate is invalid: Secret not found`), }, }) @@ -2696,8 +2759,10 @@ func TestDAGStatus(t *testing.T) { }, objs: []any{fallbackCertificate, fixture.SecretRootsFallback, fixture.SecretRootsCert, fixture.ServiceRootsHome}, want: map[types.NamespacedName]contour_api_v1.DetailedCondition{ - {Name: fallbackCertificate.Name, - Namespace: fallbackCertificate.Namespace}: fixture.NewValidCondition(). + { + Name: fallbackCertificate.Name, + Namespace: fallbackCertificate.Namespace, + }: fixture.NewValidCondition(). WithError(contour_api_v1.ConditionTypeTLSError, "FallbackNotDelegated", `Spec.VirtualHost.TLS Secret "not-delegated/not-delegated" is not configured for certificate delegation`), }, }) @@ -2705,8 +2770,10 @@ func TestDAGStatus(t *testing.T) { run(t, "fallback certificate requested but cert not configured in contour", testcase{ objs: []any{fallbackCertificate, fixture.SecretRootsFallback, fixture.SecretRootsCert, fixture.ServiceRootsHome}, want: map[types.NamespacedName]contour_api_v1.DetailedCondition{ - {Name: fallbackCertificate.Name, - Namespace: fallbackCertificate.Namespace}: fixture.NewValidCondition(). + { + Name: fallbackCertificate.Name, + Namespace: fallbackCertificate.Namespace, + }: fixture.NewValidCondition(). WithError(contour_api_v1.ConditionTypeTLSError, "FallbackNotPresent", "Spec.Virtualhost.TLS enabled fallback but the fallback Certificate Secret is not configured in Contour configuration file"), }, }) @@ -2739,8 +2806,10 @@ func TestDAGStatus(t *testing.T) { run(t, "clientValidation missing CA", testcase{ objs: []any{fallbackCertificateWithClientValidationNoCA, fixture.SecretRootsFallback, fixture.SecretRootsCert, fixture.ServiceRootsHome}, want: map[types.NamespacedName]contour_api_v1.DetailedCondition{ - {Name: fallbackCertificateWithClientValidationNoCA.Name, - Namespace: fallbackCertificateWithClientValidationNoCA.Namespace}: fixture.NewValidCondition(). + { + Name: fallbackCertificateWithClientValidationNoCA.Name, + Namespace: fallbackCertificateWithClientValidationNoCA.Namespace, + }: fixture.NewValidCondition(). WithError(contour_api_v1.ConditionTypeTLSError, "ClientValidationInvalid", "Spec.VirtualHost.TLS client validation is invalid: CA Secret must be specified"), }, }) @@ -2776,8 +2845,10 @@ func TestDAGStatus(t *testing.T) { run(t, "fallback certificate requested and clientValidation also configured", testcase{ objs: []any{fallbackCertificateWithClientValidation, fixture.SecretRootsFallback, fixture.SecretRootsCert, fixture.ServiceRootsHome}, want: map[types.NamespacedName]contour_api_v1.DetailedCondition{ - {Name: fallbackCertificateWithClientValidation.Name, - Namespace: fallbackCertificateWithClientValidation.Namespace}: fixture.NewValidCondition(). + { + Name: fallbackCertificateWithClientValidation.Name, + Namespace: fallbackCertificateWithClientValidation.Namespace, + }: fixture.NewValidCondition(). WithError(contour_api_v1.ConditionTypeTLSError, "TLSIncompatibleFeatures", "Spec.Virtualhost.TLS fallback & client validation are incompatible"), }, }) @@ -4865,8 +4936,10 @@ func TestDAGStatus(t *testing.T) { clientValidationWithDelegatedCA, }, want: map[types.NamespacedName]contour_api_v1.DetailedCondition{ - {Name: fallbackCertificate.Name, - Namespace: fallbackCertificate.Namespace}: fixture.NewValidCondition(). + { + Name: fallbackCertificate.Name, + Namespace: fallbackCertificate.Namespace, + }: fixture.NewValidCondition(). WithError(contour_api_v1.ConditionTypeTLSError, "DelegationNotPermitted", `Spec.VirtualHost.TLS CA Secret "delegated/delegated" is invalid: Certificate delegation not permitted`), }, }) @@ -4891,8 +4964,10 @@ func TestDAGStatus(t *testing.T) { }, }, want: map[types.NamespacedName]contour_api_v1.DetailedCondition{ - {Name: fallbackCertificate.Name, - Namespace: fallbackCertificate.Namespace}: fixture.NewValidCondition(). + { + Name: fallbackCertificate.Name, + Namespace: fallbackCertificate.Namespace, + }: fixture.NewValidCondition(). WithError(contour_api_v1.ConditionTypeTLSError, "ClientValidationInvalid", `Spec.VirtualHost.TLS client validation is invalid: invalid CA Secret "delegated/delegated": Secret not found`), }, }) @@ -4943,8 +5018,10 @@ func TestDAGStatus(t *testing.T) { clientValidationWithDelegatedCRL, }, want: map[types.NamespacedName]contour_api_v1.DetailedCondition{ - {Name: fallbackCertificate.Name, - Namespace: fallbackCertificate.Namespace}: fixture.NewValidCondition(). + { + Name: fallbackCertificate.Name, + Namespace: fallbackCertificate.Namespace, + }: fixture.NewValidCondition(). WithError(contour_api_v1.ConditionTypeTLSError, "DelegationNotPermitted", `Spec.VirtualHost.TLS CRL Secret "delegated/delegated" is invalid: Certificate delegation not permitted`), }, }) @@ -4970,8 +5047,10 @@ func TestDAGStatus(t *testing.T) { }, }, want: map[types.NamespacedName]contour_api_v1.DetailedCondition{ - {Name: fallbackCertificate.Name, - Namespace: fallbackCertificate.Namespace}: fixture.NewValidCondition(). + { + Name: fallbackCertificate.Name, + Namespace: fallbackCertificate.Namespace, + }: fixture.NewValidCondition(). WithError(contour_api_v1.ConditionTypeTLSError, "ClientValidationInvalid", `Spec.VirtualHost.TLS client validation is invalid: invalid CRL Secret "delegated/delegated": Secret not found`), }, }) @@ -5074,7 +5153,8 @@ func TestDAGStatus(t *testing.T) { ingressSharedService, tlsProtocolVersion, fixture.ServiceRootsHome, - fixture.SecretRootsCert}, + fixture.SecretRootsCert, + }, want: map[types.NamespacedName]contour_api_v1.DetailedCondition{ {Name: tlsProtocolVersion.Name, Namespace: tlsProtocolVersion.Namespace}: fixture.NewValidCondition(). WithGeneration(tlsProtocolVersion.Generation). @@ -5084,7 +5164,6 @@ func TestDAGStatus(t *testing.T) { ), }, }) - } func validGatewayStatusUpdate(listenerName string, listenerProtocol gatewayapi_v1beta1.ProtocolType, attachedRoutes int) []*status.GatewayStatusUpdate { @@ -5333,7 +5412,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -5381,7 +5461,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{{ @@ -5433,7 +5514,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{ { FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, @@ -5488,7 +5570,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -5534,7 +5617,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -5576,7 +5660,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -5623,7 +5708,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -5670,7 +5756,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -5717,7 +5804,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -5765,7 +5853,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -5813,7 +5902,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -5861,7 +5951,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -5914,7 +6005,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -5962,7 +6054,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -6007,7 +6100,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -6056,7 +6150,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.HTTPBackendRef("invalid-two", 8080, 1), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -6102,7 +6197,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -6138,7 +6234,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { Matches: gatewayapi.HTTPRouteMatch(gatewayapi_v1.PathMatchPathPrefix, "/"), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -6185,7 +6282,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -6898,7 +6996,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { Matches: gatewayapi.HTTPRouteMatch(gatewayapi_v1.PathMatchPathPrefix, "/"), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -6940,7 +7039,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { Matches: gatewayapi.HTTPRouteMatch(gatewayapi_v1.PathMatchPathPrefix, "/"), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -6982,7 +7082,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { Matches: gatewayapi.HTTPRouteMatch(gatewayapi_v1.PathMatchPathPrefix, "/"), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -7021,7 +7122,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), }}, }, - }}, + }, + }, gateway: &gatewayapi_v1beta1.Gateway{ ObjectMeta: metav1.ObjectMeta{ Name: "contour", @@ -7132,7 +7234,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), }}, }, - }}, + }, + }, gateway: &gatewayapi_v1beta1.Gateway{ ObjectMeta: metav1.ObjectMeta{ Name: "contour", @@ -7248,7 +7351,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), }}, }, - }}, + }, + }, gateway: &gatewayapi_v1beta1.Gateway{ ObjectMeta: metav1.ObjectMeta{ Name: "contour", @@ -7338,7 +7442,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), }}, }, - }}, + }, + }, gateway: &gatewayapi_v1beta1.Gateway{ ObjectMeta: metav1.ObjectMeta{ Name: "contour", @@ -7652,20 +7757,23 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { Rules: []gatewayapi_v1beta1.HTTPRouteRule{{ Matches: gatewayapi.HTTPRouteMatch(gatewayapi_v1.PathMatchPathPrefix, "/"), BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), - Filters: []gatewayapi_v1.HTTPRouteFilter{{ - Type: gatewayapi_v1.HTTPRouteFilterRequestMirror, - RequestMirror: &gatewayapi_v1beta1.HTTPRequestMirrorFilter{ - BackendRef: gatewayapi.ServiceBackendObjectRef("kuard2", 8080), + Filters: []gatewayapi_v1.HTTPRouteFilter{ + { + Type: gatewayapi_v1.HTTPRouteFilterRequestMirror, + RequestMirror: &gatewayapi_v1beta1.HTTPRequestMirrorFilter{ + BackendRef: gatewayapi.ServiceBackendObjectRef("kuard2", 8080), + }, + }, { + Type: gatewayapi_v1.HTTPRouteFilterRequestMirror, + RequestMirror: &gatewayapi_v1beta1.HTTPRequestMirrorFilter{ + BackendRef: gatewayapi.ServiceBackendObjectRef("kuard3", 8080), + }, }, - }, { - Type: gatewayapi_v1.HTTPRouteFilterRequestMirror, - RequestMirror: &gatewayapi_v1beta1.HTTPRequestMirrorFilter{ - BackendRef: gatewayapi.ServiceBackendObjectRef("kuard3", 8080), - }}, }, }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -7712,7 +7820,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }}, }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -7760,7 +7869,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }}, }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -7823,7 +7933,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }}, }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -7875,7 +7986,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }}, }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -7896,7 +8008,6 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { run(t, "HTTPRouteFilterRequestMirror not yet supported for httproute backendref", testcase{ objs: []any{ - kuardService, &gatewayapi_v1beta1.HTTPRoute{ ObjectMeta: metav1.ObjectMeta{ @@ -7924,7 +8035,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -7969,7 +8081,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }}, }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -8015,7 +8128,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }}, }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -8066,7 +8180,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -8114,7 +8229,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }}, }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -8165,7 +8281,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -8207,7 +8324,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }}, }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -8977,7 +9095,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { Selector: nil, }, }, - }}, + }, + }, }, }, wantGatewayStatusUpdate: []*status.GatewayStatusUpdate{{ @@ -9044,7 +9163,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, }, }, - }}, + }, + }, }, }, wantGatewayStatusUpdate: []*status.GatewayStatusUpdate{{ @@ -9105,7 +9225,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { Selector: &metav1.LabelSelector{}, }, }, - }}, + }, + }, }, }, wantGatewayStatusUpdate: []*status.GatewayStatusUpdate{{ @@ -9169,7 +9290,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, }, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -9207,7 +9329,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, }, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -9241,7 +9364,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), }}, }, - }}, + }, + }, gateway: &gatewayapi_v1beta1.Gateway{ ObjectMeta: metav1.ObjectMeta{ Name: "contour", @@ -9343,13 +9467,13 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, }, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ { - ParentRef: gatewayapi.GatewayParentRef("projectcontour", "contour"), Conditions: []metav1.Condition{ routeResolvedRefsCondition(), @@ -9387,7 +9511,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, }, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -9425,7 +9550,8 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -9440,11 +9566,9 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }}, wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), }) - } func TestGatewayAPITLSRouteDAGStatus(t *testing.T) { - type testcase struct { objs []any gateway *gatewayapi_v1beta1.Gateway @@ -9533,7 +9657,6 @@ func TestGatewayAPITLSRouteDAGStatus(t *testing.T) { if diff := cmp.Diff(tc.wantGatewayStatusUpdate, gotGatewayUpdates, ops...); diff != "" { t.Fatalf("expected gateway status: %v, got %v", tc.wantGatewayStatusUpdate, diff) } - }) } @@ -9596,7 +9719,8 @@ func TestGatewayAPITLSRouteDAGStatus(t *testing.T) { }, }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -9637,7 +9761,8 @@ func TestGatewayAPITLSRouteDAGStatus(t *testing.T) { {BackendRefs: gatewayapi.TLSRouteBackendRef("invalid-two", 8080, nil)}, }, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -9687,7 +9812,8 @@ func TestGatewayAPITLSRouteDAGStatus(t *testing.T) { }, }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -9728,7 +9854,8 @@ func TestGatewayAPITLSRouteDAGStatus(t *testing.T) { }, Hostnames: []gatewayapi_v1alpha2.Hostname{"test.projectcontour.io"}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -9769,7 +9896,8 @@ func TestGatewayAPITLSRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.TLSRouteBackendRef("kuard", 8080, nil), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -9812,7 +9940,8 @@ func TestGatewayAPITLSRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.TLSRouteBackendRef("kuard", 8080, nil), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -9855,7 +9984,8 @@ func TestGatewayAPITLSRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.TLSRouteBackendRef("kuard", 8080, nil), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -9896,7 +10026,8 @@ func TestGatewayAPITLSRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.TLSRouteBackendRef(kuardService.Name, 8080, ref.To(int32(0))), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -9944,7 +10075,8 @@ func TestGatewayAPITLSRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.TLSRouteBackendRef("invalid-one", 8080, nil), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -10010,7 +10142,8 @@ func TestGatewayAPITLSRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.TLSRouteBackendRef("kuard", 8080, nil), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -10235,7 +10368,8 @@ func TestGatewayAPIGRPCRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.GRPCRouteBackendRef("kuard", 8080, 1), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -10274,7 +10408,8 @@ func TestGatewayAPIGRPCRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.GRPCRouteBackendRef("kuard", 8080, 1), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -10317,7 +10452,8 @@ func TestGatewayAPIGRPCRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.GRPCRouteBackendRef("kuard", 8080, 1), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -10360,7 +10496,8 @@ func TestGatewayAPIGRPCRouteDAGStatus(t *testing.T) { BackendRefs: gatewayapi.GRPCRouteBackendRef("kuard", 8080, 1), }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -10612,16 +10749,18 @@ func TestGatewayAPIGRPCRouteDAGStatus(t *testing.T) { Method: gatewayapi.GRPCMethodMatch(gatewayapi_v1alpha2.GRPCMethodMatchExact, "com.example.service", "Login"), }}, BackendRefs: gatewayapi.GRPCRouteBackendRef("kuard", 8080, 1), - Filters: []gatewayapi_v1alpha2.GRPCRouteFilter{{ - Type: gatewayapi_v1alpha2.GRPCRouteFilterRequestMirror, - RequestMirror: &gatewayapi_v1beta1.HTTPRequestMirrorFilter{ - BackendRef: gatewayapi.ServiceBackendObjectRef("kuard2", 8080), + Filters: []gatewayapi_v1alpha2.GRPCRouteFilter{ + { + Type: gatewayapi_v1alpha2.GRPCRouteFilterRequestMirror, + RequestMirror: &gatewayapi_v1beta1.HTTPRequestMirrorFilter{ + BackendRef: gatewayapi.ServiceBackendObjectRef("kuard2", 8080), + }, + }, { + Type: gatewayapi_v1alpha2.GRPCRouteFilterRequestMirror, + RequestMirror: &gatewayapi_v1beta1.HTTPRequestMirrorFilter{ + BackendRef: gatewayapi.ServiceBackendObjectRef("kuard3", 8080), + }, }, - }, { - Type: gatewayapi_v1alpha2.GRPCRouteFilterRequestMirror, - RequestMirror: &gatewayapi_v1beta1.HTTPRequestMirrorFilter{ - BackendRef: gatewayapi.ServiceBackendObjectRef("kuard3", 8080), - }}, }, }}, }, @@ -10718,7 +10857,8 @@ func TestGatewayAPIGRPCRouteDAGStatus(t *testing.T) { }}, }}, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -10755,11 +10895,13 @@ func TestGatewayAPIGRPCRouteDAGStatus(t *testing.T) { Hostnames: []gatewayapi_v1beta1.Hostname{ "test.projectcontour.io", }, - Rules: []gatewayapi_v1alpha2.GRPCRouteRule{{ - Matches: []gatewayapi_v1alpha2.GRPCRouteMatch{{ - Method: gatewayapi.GRPCMethodMatch(gatewayapi_v1alpha2.GRPCMethodMatchExact, "com.example.service", "Login"), - }}, - BackendRefs: []gatewayapi_v1alpha2.GRPCBackendRef{}}, + Rules: []gatewayapi_v1alpha2.GRPCRouteRule{ + { + Matches: []gatewayapi_v1alpha2.GRPCRouteMatch{{ + Method: gatewayapi.GRPCMethodMatch(gatewayapi_v1alpha2.GRPCMethodMatchExact, "com.example.service", "Login"), + }}, + BackendRefs: []gatewayapi_v1alpha2.GRPCBackendRef{}, + }, }, }, }, @@ -10846,26 +10988,28 @@ func TestGatewayAPIGRPCRouteDAGStatus(t *testing.T) { Hostnames: []gatewayapi_v1beta1.Hostname{ "test.projectcontour.io", }, - Rules: []gatewayapi_v1alpha2.GRPCRouteRule{{ - Matches: []gatewayapi_v1alpha2.GRPCRouteMatch{{ - Method: gatewayapi.GRPCMethodMatch(gatewayapi_v1alpha2.GRPCMethodMatchExact, "com.example.service", "Login"), - }}, - BackendRefs: []gatewayapi_v1alpha2.GRPCBackendRef{ - { - BackendRef: gatewayapi_v1beta1.BackendRef{ - BackendObjectReference: gatewayapi.ServiceBackendObjectRef("kuard", 8080), - }, - Filters: []gatewayapi_v1alpha2.GRPCRouteFilter{{ - Type: gatewayapi_v1alpha2.GRPCRouteFilterRequestHeaderModifier, - RequestHeaderModifier: &gatewayapi_v1beta1.HTTPHeaderFilter{ - Set: []gatewayapi_v1beta1.HTTPHeader{ - {Name: "custom", Value: "duplicated"}, - {Name: "Custom", Value: "duplicated"}, - }, + Rules: []gatewayapi_v1alpha2.GRPCRouteRule{ + { + Matches: []gatewayapi_v1alpha2.GRPCRouteMatch{{ + Method: gatewayapi.GRPCMethodMatch(gatewayapi_v1alpha2.GRPCMethodMatchExact, "com.example.service", "Login"), + }}, + BackendRefs: []gatewayapi_v1alpha2.GRPCBackendRef{ + { + BackendRef: gatewayapi_v1beta1.BackendRef{ + BackendObjectReference: gatewayapi.ServiceBackendObjectRef("kuard", 8080), }, - }}, + Filters: []gatewayapi_v1alpha2.GRPCRouteFilter{{ + Type: gatewayapi_v1alpha2.GRPCRouteFilterRequestHeaderModifier, + RequestHeaderModifier: &gatewayapi_v1beta1.HTTPHeaderFilter{ + Set: []gatewayapi_v1beta1.HTTPHeader{ + {Name: "custom", Value: "duplicated"}, + {Name: "Custom", Value: "duplicated"}, + }, + }, + }}, + }, }, - }}, + }, }, }, }, @@ -11157,7 +11301,8 @@ func TestGatewayAPITCPRouteDAGStatus(t *testing.T) { }, }, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -11193,7 +11338,8 @@ func TestGatewayAPITCPRouteDAGStatus(t *testing.T) { {}, }, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -11226,7 +11372,8 @@ func TestGatewayAPITCPRouteDAGStatus(t *testing.T) { }, }, }, - }}, + }, + }, wantRouteConditions: []*status.RouteStatusUpdate{{ FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ @@ -11269,6 +11416,7 @@ func routeAcceptedHTTPRouteCondition() metav1.Condition { Message: "Accepted HTTPRoute", } } + func routeAcceptedFalse(reason gatewayapi_v1.RouteConditionReason, message string) metav1.Condition { return metav1.Condition{ Type: string(gatewayapi_v1.RouteConditionAccepted), diff --git a/internal/debug/dot.go b/internal/debug/dot.go index d173e521279..95bd3a8db24 100644 --- a/internal/debug/dot.go +++ b/internal/debug/dot.go @@ -38,8 +38,10 @@ type pair struct { a, b any } -type nodeCollection map[any]bool -type edgeCollection map[pair]bool +type ( + nodeCollection map[any]bool + edgeCollection map[pair]bool +) func (dw *dotWriter) writeDot(w io.Writer) { nodes, edges := collectDag(dw.Builder) diff --git a/internal/envoy/bootstrap_test.go b/internal/envoy/bootstrap_test.go index 84c838d83eb..987058daea6 100644 --- a/internal/envoy/bootstrap_test.go +++ b/internal/envoy/bootstrap_test.go @@ -21,7 +21,6 @@ import ( ) func TestValidAdminAddress(t *testing.T) { - tests := []struct { name string address string diff --git a/internal/envoy/v3/accesslog.go b/internal/envoy/v3/accesslog.go index 7639eaf8872..094c911222c 100644 --- a/internal/envoy/v3/accesslog.go +++ b/internal/envoy/v3/accesslog.go @@ -26,7 +26,7 @@ import ( ) // FileAccessLogEnvoy returns a new file based access log filter -func FileAccessLogEnvoy(path string, format string, extensions []string, level contour_api_v1alpha1.AccessLogLevel) []*envoy_accesslog_v3.AccessLog { +func FileAccessLogEnvoy(path, format string, extensions []string, level contour_api_v1alpha1.AccessLogLevel) []*envoy_accesslog_v3.AccessLog { if level == contour_api_v1alpha1.LogLevelDisabled { return nil } @@ -164,7 +164,8 @@ func filterOnlyErrors(respCodeMin uint32) *envoy_accesslog_v3.AccessLogFilter { FilterSpecifier: &envoy_accesslog_v3.AccessLogFilter_ResponseFlagFilter{ ResponseFlagFilter: &envoy_accesslog_v3.ResponseFlagFilter{ // Left empty to match all response flags, they all represent errors. - }}, + }, + }, }, }, }, diff --git a/internal/envoy/v3/accesslog_test.go b/internal/envoy/v3/accesslog_test.go index 8b5738a4dfe..bc6534758d2 100644 --- a/internal/envoy/v3/accesslog_test.go +++ b/internal/envoy/v3/accesslog_test.go @@ -114,26 +114,27 @@ func TestJSONFileAccessLog(t *testing.T) { "only timestamp": { path: "/dev/stdout", headers: contour_api_v1alpha1.AccessLogJSONFields([]string{"@timestamp"}), - want: []*envoy_accesslog_v3.AccessLog{{ - Name: wellknown.FileAccessLog, - ConfigType: &envoy_accesslog_v3.AccessLog_TypedConfig{ - TypedConfig: protobuf.MustMarshalAny(&envoy_file_v3.FileAccessLog{ - Path: "/dev/stdout", - AccessLogFormat: &envoy_file_v3.FileAccessLog_LogFormat{ - LogFormat: &envoy_config_core_v3.SubstitutionFormatString{ - Format: &envoy_config_core_v3.SubstitutionFormatString_JsonFormat{ - JsonFormat: &structpb.Struct{ - Fields: map[string]*structpb.Value{ - "@timestamp": sv("%START_TIME%"), + want: []*envoy_accesslog_v3.AccessLog{ + { + Name: wellknown.FileAccessLog, + ConfigType: &envoy_accesslog_v3.AccessLog_TypedConfig{ + TypedConfig: protobuf.MustMarshalAny(&envoy_file_v3.FileAccessLog{ + Path: "/dev/stdout", + AccessLogFormat: &envoy_file_v3.FileAccessLog_LogFormat{ + LogFormat: &envoy_config_core_v3.SubstitutionFormatString{ + Format: &envoy_config_core_v3.SubstitutionFormatString_JsonFormat{ + JsonFormat: &structpb.Struct{ + Fields: map[string]*structpb.Value{ + "@timestamp": sv("%START_TIME%"), + }, }, }, }, }, - }, - }), + }), + }, }, }, - }, }, "custom fields should appear": { path: "/dev/stdout", @@ -144,30 +145,31 @@ func TestJSONFileAccessLog(t *testing.T) { "custom2=%DURATION%.0", "custom3=ST=%START_TIME(%s.%6f)%", }), - want: []*envoy_accesslog_v3.AccessLog{{ - Name: wellknown.FileAccessLog, - ConfigType: &envoy_accesslog_v3.AccessLog_TypedConfig{ - TypedConfig: protobuf.MustMarshalAny(&envoy_file_v3.FileAccessLog{ - Path: "/dev/stdout", - AccessLogFormat: &envoy_file_v3.FileAccessLog_LogFormat{ - LogFormat: &envoy_config_core_v3.SubstitutionFormatString{ - Format: &envoy_config_core_v3.SubstitutionFormatString_JsonFormat{ - JsonFormat: &structpb.Struct{ - Fields: map[string]*structpb.Value{ - "@timestamp": sv("%START_TIME%"), - "method": sv("%REQ(:METHOD)%"), - "custom1": sv("%REQ(X-CUSTOM-HEADER)%"), - "custom2": sv("%DURATION%.0"), - "custom3": sv("ST=%START_TIME(%s.%6f)%"), + want: []*envoy_accesslog_v3.AccessLog{ + { + Name: wellknown.FileAccessLog, + ConfigType: &envoy_accesslog_v3.AccessLog_TypedConfig{ + TypedConfig: protobuf.MustMarshalAny(&envoy_file_v3.FileAccessLog{ + Path: "/dev/stdout", + AccessLogFormat: &envoy_file_v3.FileAccessLog_LogFormat{ + LogFormat: &envoy_config_core_v3.SubstitutionFormatString{ + Format: &envoy_config_core_v3.SubstitutionFormatString_JsonFormat{ + JsonFormat: &structpb.Struct{ + Fields: map[string]*structpb.Value{ + "@timestamp": sv("%START_TIME%"), + "method": sv("%REQ(:METHOD)%"), + "custom1": sv("%REQ(X-CUSTOM-HEADER)%"), + "custom2": sv("%DURATION%.0"), + "custom3": sv("ST=%START_TIME(%s.%6f)%"), + }, }, }, }, }, - }, - }), + }), + }, }, }, - }, }, } for name, tc := range tests { @@ -179,7 +181,6 @@ func TestJSONFileAccessLog(t *testing.T) { } func TestAccessLogLevel(t *testing.T) { - tests := map[string]struct { level contour_api_v1alpha1.AccessLogLevel wantRespStatus uint32 @@ -229,7 +230,6 @@ func TestAccessLogLevel(t *testing.T) { }, }} protobuf.ExpectEqual(t, want, got) - }) } diff --git a/internal/envoy/v3/bootstrap.go b/internal/envoy/v3/bootstrap.go index 8ede43a630c..37a102f7490 100644 --- a/internal/envoy/v3/bootstrap.go +++ b/internal/envoy/v3/bootstrap.go @@ -58,7 +58,7 @@ func WriteBootstrap(c *envoy.BootstrapConfig) error { // Refer Issue: https://github.com/projectcontour/contour/issues/3264 // The secrets in this directory are "pointers" to actual secrets // mounted from Kubernetes secrets; that means the actual secrets aren't 0777 - if err := os.MkdirAll(path.Join(c.ResourcesDir, "sds"), 0777); err != nil { + if err := os.MkdirAll(path.Join(c.ResourcesDir, "sds"), 0o777); err != nil { return err } } diff --git a/internal/envoy/v3/bootstrap_test.go b/internal/envoy/v3/bootstrap_test.go index 1c5083df515..92bbb54be16 100644 --- a/internal/envoy/v3/bootstrap_test.go +++ b/internal/envoy/v3/bootstrap_test.go @@ -37,7 +37,8 @@ func TestBootstrap(t *testing.T) { "default configuration": { config: envoy.BootstrapConfig{ Path: "envoy.json", - Namespace: "testing-ns"}, + Namespace: "testing-ns", + }, wantedBootstrapConfig: `{ "static_resources": { "clusters": [ @@ -1981,7 +1982,8 @@ func TestBootstrap(t *testing.T) { } ] } - }`}, + }`, + }, } for name, tc := range tests { diff --git a/internal/envoy/v3/cluster.go b/internal/envoy/v3/cluster.go index 49811ba4c1d..515f353955f 100644 --- a/internal/envoy/v3/cluster.go +++ b/internal/envoy/v3/cluster.go @@ -304,7 +304,6 @@ func ClusterDiscoveryTypeForAddress(address string, t envoy_cluster_v3.Cluster_D // parseDNSLookupFamily parses the dnsLookupFamily string into a envoy_cluster_v3.Cluster_DnsLookupFamily func parseDNSLookupFamily(value string) envoy_cluster_v3.Cluster_DnsLookupFamily { - switch value { case "v4": return envoy_cluster_v3.Cluster_V4_ONLY diff --git a/internal/envoy/v3/cluster_test.go b/internal/envoy/v3/cluster_test.go index d5986704fda..bfedbc7924e 100644 --- a/internal/envoy/v3/cluster_test.go +++ b/internal/envoy/v3/cluster_test.go @@ -250,7 +250,7 @@ func TestCluster(t *testing.T) { "externalName service - dns-lookup-family not defined": { cluster: &dag.Cluster{ Upstream: service(s2), - //DNSLookupFamily: "auto", + // DNSLookupFamily: "auto", }, want: &envoy_cluster_v3.Cluster{ Name: "default/kuard/443/da39a3ee5e", @@ -1124,7 +1124,6 @@ func TestClustername(t *testing.T) { cluster: cluster1, want: "default/backend/80/50abc1400c", }) - } func TestLBPolicy(t *testing.T) { diff --git a/internal/envoy/v3/healthcheck_test.go b/internal/envoy/v3/healthcheck_test.go index 61099812c4b..7154a2d7f95 100644 --- a/internal/envoy/v3/healthcheck_test.go +++ b/internal/envoy/v3/healthcheck_test.go @@ -135,7 +135,6 @@ func TestHealthCheck(t *testing.T) { t.Run(name, func(t *testing.T) { got := httpHealthCheck(tc.cluster) protobuf.ExpectEqual(t, tc.want, got) - }) } } diff --git a/internal/envoy/v3/listener.go b/internal/envoy/v3/listener.go index efd18cef12e..b2b910ff4ca 100644 --- a/internal/envoy/v3/listener.go +++ b/internal/envoy/v3/listener.go @@ -291,7 +291,6 @@ func (b *httpConnectionManagerBuilder) HTTP2MaxConcurrentStreams(http2MaxConcurr } func (b *httpConnectionManagerBuilder) DefaultFilters() *httpConnectionManagerBuilder { - // Add a default set of ordered http filters. // The names are not required to match anything and are // identified by the TypeURL of each filter. @@ -442,7 +441,6 @@ func (b *httpConnectionManagerBuilder) Tracing(tracing *http.HttpConnectionManag // Validate runs builtin validation rules against the current builder state. func (b *httpConnectionManagerBuilder) Validate() error { - // It's not OK for the filters to be empty. if len(b.filters) == 0 { return errors.New("filter list is empty") @@ -665,7 +663,7 @@ func UnixSocketAddress(address string) *envoy_core_v3.Address { Address: &envoy_core_v3.Address_Pipe{ Pipe: &envoy_core_v3.Pipe{ Path: address, - Mode: 0644, + Mode: 0o644, }, }, } @@ -804,7 +802,6 @@ func FilterExternalAuthz(externalAuthorization *dag.ExternalAuthorization) *http AllowPartialMessage: externalAuthorization.AuthorizationServerWithRequestBody.AllowPartialMessage, PackAsBytes: externalAuthorization.AuthorizationServerWithRequestBody.PackAsBytes, } - } return &http.HttpFilter{ @@ -895,7 +892,6 @@ func FilterChainTLS(domain string, downstream *envoy_tls_v3.DownstreamTlsContext // Attach TLS data to this listener if provided. if downstream != nil { fc.TransportSocket = DownstreamTLSTransportSocket(downstream) - } return fc } diff --git a/internal/envoy/v3/listener_test.go b/internal/envoy/v3/listener_test.go index e6d97a5d01a..01a4854ac0b 100644 --- a/internal/envoy/v3/listener_test.go +++ b/internal/envoy/v3/listener_test.go @@ -1673,7 +1673,6 @@ func TestTCPProxy(t *testing.T) { } func TestFilterChainTLS_Match(t *testing.T) { - tests := map[string]struct { domain string downstream *envoy_tls_v3.DownstreamTlsContext @@ -1709,7 +1708,6 @@ func TestFilterChainTLS_Match(t *testing.T) { // TestBuilderValidation tests that validation checks that // DefaultFilters adds the required HTTP connection manager filters. func TestBuilderValidation(t *testing.T) { - require.Error(t, HTTPConnectionManagerBuilder().Validate(), "ConnectionManager with no filters should not pass validation") diff --git a/internal/envoy/v3/ratelimit_test.go b/internal/envoy/v3/ratelimit_test.go index e07c96d9913..20eb6ae6df9 100644 --- a/internal/envoy/v3/ratelimit_test.go +++ b/internal/envoy/v3/ratelimit_test.go @@ -241,7 +241,6 @@ func TestGlobalRateLimits(t *testing.T) { assert.Equal(t, tc.want, got) }) } - } func TestGlobalRateLimitFilter(t *testing.T) { diff --git a/internal/envoy/v3/route_test.go b/internal/envoy/v3/route_test.go index 75e826d9c10..3d0841732df 100644 --- a/internal/envoy/v3/route_test.go +++ b/internal/envoy/v3/route_test.go @@ -154,7 +154,6 @@ func TestRouteRoute(t *testing.T) { route: &dag.Route{ Websocket: true, Clusters: []*dag.Cluster{{ - Upstream: &dag.Service{ Weighted: dag.WeightedService{ Weight: 1, @@ -706,7 +705,8 @@ func TestRouteRoute(t *testing.T) { }, Weight: 100, }, - }}, + }, + }, want: &envoy_route_v3.Route_Route{ Route: &envoy_route_v3.RouteAction{ ClusterSpecifier: &envoy_route_v3.RouteAction_Cluster{ @@ -719,7 +719,8 @@ func TestRouteRoute(t *testing.T) { Numerator: 100, Denominator: envoy_type_v3.FractionalPercent_HUNDRED, }, - }}}, + }, + }}, }, }, }, @@ -763,7 +764,8 @@ func TestRouteRoute(t *testing.T) { }, Weight: 100, }, - }}, + }, + }, want: &envoy_route_v3.Route_Route{ Route: &envoy_route_v3.RouteAction{ ClusterSpecifier: &envoy_route_v3.RouteAction_Cluster{ @@ -1138,7 +1140,6 @@ func TestRouteConfiguration(t *testing.T) { virtualhosts []*envoy_route_v3.VirtualHost want *envoy_route_v3.RouteConfiguration }{ - "empty": { name: "ingress_http", want: &envoy_route_v3.RouteConfiguration{ @@ -1245,7 +1246,8 @@ func TestCORSVirtualHost(t *testing.T) { Exact: "*", }, IgnoreCase: true, - }}, + }, + }, AllowMethods: "GET,POST,PUT", }, want: &envoy_route_v3.VirtualHost{ @@ -1259,7 +1261,8 @@ func TestCORSVirtualHost(t *testing.T) { Exact: "*", }, IgnoreCase: true, - }}, + }, + }, AllowMethods: "GET,POST,PUT", }), }, @@ -1291,7 +1294,8 @@ func TestCORSPolicy(t *testing.T) { Exact: "*", }, IgnoreCase: true, - }}, + }, + }, AllowCredentials: wrapperspb.Bool(false), AllowPrivateNetworkAccess: wrapperspb.Bool(false), AllowMethods: "GET,POST,PUT", @@ -1339,7 +1343,8 @@ func TestCORSPolicy(t *testing.T) { Exact: "*", }, IgnoreCase: true, - }}, + }, + }, AllowCredentials: wrapperspb.Bool(true), AllowPrivateNetworkAccess: wrapperspb.Bool(false), AllowMethods: "GET,POST,PUT", @@ -1358,7 +1363,8 @@ func TestCORSPolicy(t *testing.T) { Exact: "*", }, IgnoreCase: true, - }}, + }, + }, AllowCredentials: wrapperspb.Bool(false), AllowPrivateNetworkAccess: wrapperspb.Bool(false), AllowMethods: "GET,POST,PUT", @@ -1378,7 +1384,8 @@ func TestCORSPolicy(t *testing.T) { Exact: "*", }, IgnoreCase: true, - }}, + }, + }, AllowCredentials: wrapperspb.Bool(false), AllowPrivateNetworkAccess: wrapperspb.Bool(false), AllowMethods: "GET,POST,PUT", @@ -1398,7 +1405,8 @@ func TestCORSPolicy(t *testing.T) { Exact: "*", }, IgnoreCase: true, - }}, + }, + }, AllowCredentials: wrapperspb.Bool(false), AllowPrivateNetworkAccess: wrapperspb.Bool(false), AllowMethods: "GET,POST,PUT", @@ -1418,7 +1426,8 @@ func TestCORSPolicy(t *testing.T) { Exact: "*", }, IgnoreCase: true, - }}, + }, + }, AllowCredentials: wrapperspb.Bool(false), AllowPrivateNetworkAccess: wrapperspb.Bool(false), AllowMethods: "GET,POST,PUT", @@ -1437,7 +1446,8 @@ func TestCORSPolicy(t *testing.T) { Exact: "*", }, IgnoreCase: true, - }}, + }, + }, AllowCredentials: wrapperspb.Bool(false), AllowPrivateNetworkAccess: wrapperspb.Bool(false), AllowMethods: "GET,POST,PUT", @@ -1457,7 +1467,8 @@ func TestCORSPolicy(t *testing.T) { Exact: "*", }, IgnoreCase: true, - }}, + }, + }, AllowPrivateNetworkAccess: wrapperspb.Bool(true), AllowCredentials: wrapperspb.Bool(false), AllowMethods: "GET,POST,PUT", diff --git a/internal/envoy/v3/stats.go b/internal/envoy/v3/stats.go index a6395e82491..ee9ba681bcf 100644 --- a/internal/envoy/v3/stats.go +++ b/internal/envoy/v3/stats.go @@ -26,8 +26,10 @@ import ( "google.golang.org/protobuf/types/known/wrapperspb" ) -const metricsServerCertSDSName = "metrics-tls-certificate" -const metricsCaBundleSDSName = "metrics-ca-certificate" +const ( + metricsServerCertSDSName = "metrics-tls-certificate" + metricsCaBundleSDSName = "metrics-ca-certificate" +) // StatsListeners returns an array of *envoy_listener_v3.Listeners, // either single HTTP listener or HTTP and HTTPS listeners depending on config. diff --git a/internal/envoy/v3/stats_test.go b/internal/envoy/v3/stats_test.go index 9fea6e9f02f..d48a69a8690 100644 --- a/internal/envoy/v3/stats_test.go +++ b/internal/envoy/v3/stats_test.go @@ -107,7 +107,8 @@ func TestStatsListeners(t *testing.T) { }, ), SocketOptions: NewSocketOptions().TCPKeepalive().Build(), - }}}) + }}, + }) run(t, "stats-over-https-and-health-over-http", testcase{ metrics: contour_api_v1alpha1.MetricsConfig{ @@ -120,7 +121,8 @@ func TestStatsListeners(t *testing.T) { }, health: contour_api_v1alpha1.HealthConfig{ Address: "127.0.0.127", - Port: 8124}, + Port: 8124, + }, want: []*envoy_listener_v3.Listener{{ Name: "stats", Address: SocketAddress("127.0.0.127", 8123), @@ -195,7 +197,8 @@ func TestStatsListeners(t *testing.T) { }, ), SocketOptions: NewSocketOptions().TCPKeepalive().Build(), - }}}) + }}, + }) run(t, "stats-over-https-with-client-auth-and-health-over-http", testcase{ metrics: contour_api_v1alpha1.MetricsConfig{ @@ -209,7 +212,8 @@ func TestStatsListeners(t *testing.T) { }, health: contour_api_v1alpha1.HealthConfig{ Address: "127.0.0.127", - Port: 8124}, + Port: 8124, + }, want: []*envoy_listener_v3.Listener{{ Name: "stats", Address: SocketAddress("127.0.0.127", 8123), @@ -291,7 +295,8 @@ func TestStatsListeners(t *testing.T) { }, ), SocketOptions: NewSocketOptions().TCPKeepalive().Build(), - }}}) + }}, + }) run(t, "stats-and-health-over-http-but-different-listeners", testcase{ metrics: contour_api_v1alpha1.MetricsConfig{ @@ -300,7 +305,8 @@ func TestStatsListeners(t *testing.T) { }, health: contour_api_v1alpha1.HealthConfig{ Address: "127.0.0.128", - Port: 8124}, + Port: 8124, + }, want: []*envoy_listener_v3.Listener{{ Name: "stats", Address: SocketAddress("127.0.0.127", 8123), @@ -361,8 +367,8 @@ func TestStatsListeners(t *testing.T) { }, ), SocketOptions: NewSocketOptions().TCPKeepalive().Build(), - }}}) - + }}, + }) } func TestStatsTLSSecrets(t *testing.T) { diff --git a/internal/featuretests/v3/authorization_test.go b/internal/featuretests/v3/authorization_test.go index 3e51070cba2..9388bb904fa 100644 --- a/internal/featuretests/v3/authorization_test.go +++ b/internal/featuretests/v3/authorization_test.go @@ -229,7 +229,7 @@ func authzOverrideDisabled(t *testing.T, rh ResourceEventHandlerWrapper, c *Cont const enabled = "enabled.projectcontour.io" const disabled = "disabled.projectcontour.io" - var extensionRef = contour_api_v1.ExtensionServiceReference{ + extensionRef := contour_api_v1.ExtensionServiceReference{ Namespace: "auth", Name: "extension", } diff --git a/internal/featuretests/v3/backendcavalidation_test.go b/internal/featuretests/v3/backendcavalidation_test.go index 0c779ac577e..ba2f6f5805c 100644 --- a/internal/featuretests/v3/backendcavalidation_test.go +++ b/internal/featuretests/v3/backendcavalidation_test.go @@ -174,5 +174,4 @@ func TestClusterServiceTLSBackendCAValidation(t *testing.T) { Resources: nil, TypeUrl: secretType, }) - } diff --git a/internal/featuretests/v3/backendclientauth_test.go b/internal/featuretests/v3/backendclientauth_test.go index 0cbe4d28e90..5b2f066b150 100644 --- a/internal/featuretests/v3/backendclientauth_test.go +++ b/internal/featuretests/v3/backendclientauth_test.go @@ -132,7 +132,6 @@ func TestBackendClientAuthenticationWithHTTPProxy(t *testing.T) { Resources: nil, TypeUrl: clusterType, }) - } func TestBackendClientAuthenticationWithIngress(t *testing.T) { @@ -211,7 +210,8 @@ func TestBackendClientAuthenticationWithExtensionService(t *testing.T) { Type: "kubernetes.io/tls", Data: map[string][]byte{dag.CACertificateKey: []byte(featuretests.CERTIFICATE)}, }}, - SubjectNames: []string{"subjname"}}, + SubjectNames: []string{"subjname"}, + }, "subjname", &dag.Secret{Object: sec1}, nil, diff --git a/internal/featuretests/v3/corspolicy_test.go b/internal/featuretests/v3/corspolicy_test.go index 54f025484ea..11adda20ddf 100644 --- a/internal/featuretests/v3/corspolicy_test.go +++ b/internal/featuretests/v3/corspolicy_test.go @@ -285,12 +285,13 @@ func TestCorsPolicy(t *testing.T) { envoy_v3.RouteConfiguration("ingress_http", envoy_v3.CORSVirtualHost("hello.world", &envoy_cors_v3.CorsPolicy{ - AllowOriginStringMatch: []*matcher.StringMatcher{{ - MatchPattern: &matcher.StringMatcher_Exact{ - Exact: "*", + AllowOriginStringMatch: []*matcher.StringMatcher{ + { + MatchPattern: &matcher.StringMatcher_Exact{ + Exact: "*", + }, + IgnoreCase: true, }, - IgnoreCase: true, - }, }, AllowCredentials: &wrapperspb.BoolValue{Value: true}, AllowPrivateNetworkAccess: &wrapperspb.BoolValue{Value: false}, @@ -466,5 +467,4 @@ func TestCorsPolicy(t *testing.T) { envoy_v3.RouteConfiguration("ingress_http")), TypeUrl: routeType, }).Status(invvhost).IsInvalid() - } diff --git a/internal/featuretests/v3/envoy.go b/internal/featuretests/v3/envoy.go index 139a8c18803..1f3bf079b2c 100644 --- a/internal/featuretests/v3/envoy.go +++ b/internal/featuretests/v3/envoy.go @@ -184,7 +184,7 @@ func cluster(name, servicename, statName string) *envoy_cluster_v3.Cluster { }) } -func tlsCluster(c *envoy_cluster_v3.Cluster, ca []byte, subjectName string, sni string, clientSecret *v1.Secret, upstreamTLS *dag.UpstreamTLS, alpnProtocols ...string) *envoy_cluster_v3.Cluster { +func tlsCluster(c *envoy_cluster_v3.Cluster, ca []byte, subjectName, sni string, clientSecret *v1.Secret, upstreamTLS *dag.UpstreamTLS, alpnProtocols ...string) *envoy_cluster_v3.Cluster { var secret *dag.Secret if clientSecret != nil { secret = &dag.Secret{Object: clientSecret} @@ -201,7 +201,8 @@ func tlsCluster(c *envoy_cluster_v3.Cluster, ca []byte, subjectName string, sni Type: "kubernetes.io/tls", Data: map[string][]byte{dag.CACertificateKey: ca}, }}, - SubjectNames: []string{subjectName}}, + SubjectNames: []string{subjectName}, + }, sni, secret, upstreamTLS, @@ -295,7 +296,8 @@ func withMirrorPolicy(route *envoy_route_v3.Route_Route, mirror string, weight i Numerator: uint32(weight), Denominator: envoy_type_v3.FractionalPercent_HUNDRED, }, - }}} + }, + }} return route } diff --git a/internal/featuretests/v3/externalname_test.go b/internal/featuretests/v3/externalname_test.go index 917a1753cb1..a8e28dfb898 100644 --- a/internal/featuretests/v3/externalname_test.go +++ b/internal/featuretests/v3/externalname_test.go @@ -322,7 +322,6 @@ func TestExternalNameService(t *testing.T) { func enableExternalNameService(t *testing.T) func(*dag.Builder) { return func(b *dag.Builder) { - log := fixture.NewTestLogger(t) log.SetLevel(logrus.DebugLevel) diff --git a/internal/featuretests/v3/featuretests.go b/internal/featuretests/v3/featuretests.go index 30f0bd72183..fe3f2b1548f 100644 --- a/internal/featuretests/v3/featuretests.go +++ b/internal/featuretests/v3/featuretests.go @@ -354,7 +354,7 @@ func (s *StatusResult) Like(want contour_api_v1.HTTPProxyStatus) *Contour { // HasError asserts that there is an error on the Valid Condition in the proxy // that matches the given values. -func (s *StatusResult) HasError(condType string, reason, message string) *Contour { +func (s *StatusResult) HasError(condType, reason, message string) *Contour { assert.Equal(s.T, string(status.ProxyStatusInvalid), s.Have.CurrentStatus) assert.Equal(s.T, "At least one error present, see Errors for details", s.Have.Description) validCond := s.Have.GetConditionFor(contour_api_v1.ValidConditionType) diff --git a/internal/featuretests/v3/global_authorization_test.go b/internal/featuretests/v3/global_authorization_test.go index d928bc2057e..a02d3a58b11 100644 --- a/internal/featuretests/v3/global_authorization_test.go +++ b/internal/featuretests/v3/global_authorization_test.go @@ -63,7 +63,7 @@ func globalExternalAuthorizationFilterExists(t *testing.T, rh ResourceEventHandl } rh.OnAdd(p) - var httpListener = defaultHTTPListener() + httpListener := defaultHTTPListener() // replace the default filter chains with an HCM that includes the global // extAuthz filter. @@ -101,7 +101,7 @@ func globalExternalAuthorizationFilterExistsTLS(t *testing.T, rh ResourceEventHa rh.OnAdd(p) - var httpListener = defaultHTTPListener() + httpListener := defaultHTTPListener() // replace the default filter chains with an HCM that includes the global // extAuthz filter. @@ -175,7 +175,7 @@ func globalExternalAuthorizationWithTLSGlobalAuthDisabled(t *testing.T, rh Resou rh.OnAdd(p) - var httpListener = defaultHTTPListener() + httpListener := defaultHTTPListener() // replace the default filter chains with an HCM that includes the global // extAuthz filter. @@ -239,7 +239,7 @@ func globalExternalAuthorizationWithMergedAuthPolicy(t *testing.T, rh ResourceEv } rh.OnAdd(p) - var httpListener = defaultHTTPListener() + httpListener := defaultHTTPListener() // replace the default filter chains with an HCM that includes the global // extAuthz filter. @@ -313,7 +313,7 @@ func globalExternalAuthorizationWithMergedAuthPolicyTLS(t *testing.T, rh Resourc rh.OnAdd(p) - var httpListener = defaultHTTPListener() + httpListener := defaultHTTPListener() // replace the default filter chains with an HCM that includes the global // extAuthz filter. @@ -434,7 +434,7 @@ func globalExternalAuthorizationWithTLSAuthOverride(t *testing.T, rh ResourceEve rh.OnAdd(p) - var httpListener = defaultHTTPListener() + httpListener := defaultHTTPListener() // replace the default filter chains with an HCM that includes the global // extAuthz filter. diff --git a/internal/featuretests/v3/globalratelimit_test.go b/internal/featuretests/v3/globalratelimit_test.go index 216d2c46ab5..121ba521e07 100644 --- a/internal/featuretests/v3/globalratelimit_test.go +++ b/internal/featuretests/v3/globalratelimit_test.go @@ -703,7 +703,8 @@ func globalRateLimitMultipleDescriptorsAndEntries(t *testing.T, rh ResourceEvent ActionSpecifier: &envoy_route_v3.RateLimit_Action_GenericKey_{ GenericKey: &envoy_route_v3.RateLimit_Action_GenericKey{ DescriptorKey: "generic-key-key", - DescriptorValue: "generic-key-value-2"}, + DescriptorValue: "generic-key-value-2", + }, }, }, }, @@ -716,7 +717,6 @@ func globalRateLimitMultipleDescriptorsAndEntries(t *testing.T, rh ResourceEvent TypeUrl: routeType, Resources: resources(t, envoy_v3.RouteConfiguration("ingress_http", envoy_v3.VirtualHost("foo.com", route))), }) - } type tlsConfig struct { diff --git a/internal/featuretests/v3/headercondition_test.go b/internal/featuretests/v3/headercondition_test.go index 13ec7289152..4c4eca82724 100644 --- a/internal/featuretests/v3/headercondition_test.go +++ b/internal/featuretests/v3/headercondition_test.go @@ -50,12 +50,13 @@ func TestConditions_ContainsHeader_HTTProxy(t *testing.T) { }, Spec: contour_api_v1.HTTPProxySpec{ VirtualHost: &contour_api_v1.VirtualHost{Fqdn: "hello.world"}, - Routes: []contour_api_v1.Route{{ - Services: []contour_api_v1.Service{{ - Name: "svc1", - Port: 80, - }}, - }, + Routes: []contour_api_v1.Route{ + { + Services: []contour_api_v1.Service{{ + Name: "svc1", + Port: 80, + }}, + }, { Conditions: matchconditions( prefixMatchCondition("/"), @@ -428,7 +429,8 @@ func TestConditions_ContainsHeader_HTTProxy(t *testing.T) { Name: "svc2", Port: 80, }}, - }}, + }, + }, }, ) @@ -487,7 +489,8 @@ func TestConditions_ContainsHeader_HTTProxy(t *testing.T) { Name: "svc2", Port: 80, }}, - }}, + }, + }, }, ) @@ -582,5 +585,4 @@ func TestConditions_ContainsHeader_HTTProxy(t *testing.T) { ), TypeUrl: routeType, }) - } diff --git a/internal/featuretests/v3/httpproxy.go b/internal/featuretests/v3/httpproxy.go index d46ed1a1ba9..ad55286f5c1 100644 --- a/internal/featuretests/v3/httpproxy.go +++ b/internal/featuretests/v3/httpproxy.go @@ -60,7 +60,7 @@ func headerExactMatchCondition(name, value string, ignoreCase bool) contour_api_ } } -func headerNotExactMatchCondition(name, value string, ignoreCase bool, treatMissingAsEmpty bool) contour_api_v1.MatchCondition { +func headerNotExactMatchCondition(name, value string, ignoreCase, treatMissingAsEmpty bool) contour_api_v1.MatchCondition { return contour_api_v1.MatchCondition{ Header: &contour_api_v1.HeaderMatchCondition{ Name: name, diff --git a/internal/featuretests/v3/internalredirectpolicy_test.go b/internal/featuretests/v3/internalredirectpolicy_test.go index e57f8ea9934..6eb1924637d 100644 --- a/internal/featuretests/v3/internalredirectpolicy_test.go +++ b/internal/featuretests/v3/internalredirectpolicy_test.go @@ -192,5 +192,4 @@ func TestInternalRedirectPolicy_HTTProxy(t *testing.T) { ), TypeUrl: routeType, }) - } diff --git a/internal/featuretests/v3/listeners_test.go b/internal/featuretests/v3/listeners_test.go index 85cf01e54e9..da83cc20a9a 100644 --- a/internal/featuretests/v3/listeners_test.go +++ b/internal/featuretests/v3/listeners_test.go @@ -99,7 +99,8 @@ func TestNonTLSListener(t *testing.T) { // i2 is the same as i1 but has the kubernetes.io/ingress.allow-http: "false" annotation i2 := &networking_v1.Ingress{ ObjectMeta: fixture.ObjectMetaWithAnnotations("default/simple", map[string]string{ - "kubernetes.io/ingress.allow-http": "false"}), + "kubernetes.io/ingress.allow-http": "false", + }), Spec: networking_v1.IngressSpec{ DefaultBackend: featuretests.IngressBackend(svc1), }, diff --git a/internal/featuretests/v3/queryparametercondition_test.go b/internal/featuretests/v3/queryparametercondition_test.go index 409688467c9..f9f83a8564a 100644 --- a/internal/featuretests/v3/queryparametercondition_test.go +++ b/internal/featuretests/v3/queryparametercondition_test.go @@ -444,7 +444,8 @@ func TestConditions_ContainsQueryParameter_HTTProxy(t *testing.T) { Name: "svc2", Port: 80, }}, - }}, + }, + }, }, ) diff --git a/internal/featuretests/v3/replaceprefix_test.go b/internal/featuretests/v3/replaceprefix_test.go index 5b6989ad44b..4578134c159 100644 --- a/internal/featuretests/v3/replaceprefix_test.go +++ b/internal/featuretests/v3/replaceprefix_test.go @@ -87,11 +87,10 @@ func basic(t *testing.T) { // Update the vhost to make the replacement ambiguous. This should remove the generated config. vhost = update(rh, vhost, func(vhost *contour_api_v1.HTTPProxy) { - vhost.Spec.Routes[0].PathRewritePolicy.ReplacePrefix = - []contour_api_v1.ReplacePrefix{ - {Replacement: "/api/v1"}, - {Replacement: "/api/v2"}, - } + vhost.Spec.Routes[0].PathRewritePolicy.ReplacePrefix = []contour_api_v1.ReplacePrefix{ + {Replacement: "/api/v1"}, + {Replacement: "/api/v2"}, + } }) c.Request(routeType).Equals(&envoy_discovery_v3.DiscoveryResponse{ @@ -104,11 +103,10 @@ func basic(t *testing.T) { // The replacement isn't ambiguous any more because only one of the prefixes matches. vhost = update(rh, vhost, func(vhost *contour_api_v1.HTTPProxy) { - vhost.Spec.Routes[0].PathRewritePolicy.ReplacePrefix = - []contour_api_v1.ReplacePrefix{ - {Prefix: "/foo", Replacement: "/api/v1"}, - {Prefix: "/api", Replacement: "/api/v2"}, - } + vhost.Spec.Routes[0].PathRewritePolicy.ReplacePrefix = []contour_api_v1.ReplacePrefix{ + {Prefix: "/foo", Replacement: "/api/v1"}, + {Prefix: "/api", Replacement: "/api/v2"}, + } }) c.Request(routeType).Equals(&envoy_discovery_v3.DiscoveryResponse{ @@ -133,11 +131,10 @@ func basic(t *testing.T) { // it ambiguous again. vhost = update(rh, vhost, func(vhost *contour_api_v1.HTTPProxy) { - vhost.Spec.Routes[0].PathRewritePolicy.ReplacePrefix = - []contour_api_v1.ReplacePrefix{ - {Prefix: "/foo", Replacement: "/api/v1"}, - {Prefix: "/foo", Replacement: "/api/v2"}, - } + vhost.Spec.Routes[0].PathRewritePolicy.ReplacePrefix = []contour_api_v1.ReplacePrefix{ + {Prefix: "/foo", Replacement: "/api/v1"}, + {Prefix: "/foo", Replacement: "/api/v2"}, + } }) c.Request(routeType).Equals(&envoy_discovery_v3.DiscoveryResponse{ @@ -150,11 +147,10 @@ func basic(t *testing.T) { // The "/api" prefix should have precedence over the empty prefix. vhost = update(rh, vhost, func(vhost *contour_api_v1.HTTPProxy) { - vhost.Spec.Routes[0].PathRewritePolicy.ReplacePrefix = - []contour_api_v1.ReplacePrefix{ - {Prefix: "/api", Replacement: "/api/full"}, - {Prefix: "", Replacement: "/api/empty"}, - } + vhost.Spec.Routes[0].PathRewritePolicy.ReplacePrefix = []contour_api_v1.ReplacePrefix{ + {Prefix: "/api", Replacement: "/api/full"}, + {Prefix: "", Replacement: "/api/empty"}, + } }) c.Request(routeType).Equals(&envoy_discovery_v3.DiscoveryResponse{ @@ -280,10 +276,9 @@ func multiInclude(t *testing.T) { // Remove one of the replacements, and one cluster loses the rewrite. update(rh, app, func(app *contour_api_v1.HTTPProxy) { - app.Spec.Routes[0].PathRewritePolicy.ReplacePrefix = - []contour_api_v1.ReplacePrefix{ - {Prefix: "/v1", Replacement: "/api/v1"}, - } + app.Spec.Routes[0].PathRewritePolicy.ReplacePrefix = []contour_api_v1.ReplacePrefix{ + {Prefix: "/v1", Replacement: "/api/v1"}, + } }) c.Request(routeType).Equals(&envoy_discovery_v3.DiscoveryResponse{ diff --git a/internal/featuretests/v3/route_test.go b/internal/featuretests/v3/route_test.go index 1e92c0f1d71..3dc5f5702ca 100644 --- a/internal/featuretests/v3/route_test.go +++ b/internal/featuretests/v3/route_test.go @@ -283,7 +283,8 @@ func TestEditIngressInPlace(t *testing.T) { // i3 is like i2, but adds the ingress.kubernetes.io/force-ssl-redirect: "true" annotation i3 := &networking_v1.Ingress{ ObjectMeta: fixture.ObjectMetaWithAnnotations("default/hello", map[string]string{ - "ingress.kubernetes.io/force-ssl-redirect": "true"}), + "ingress.kubernetes.io/force-ssl-redirect": "true", + }), Spec: networking_v1.IngressSpec{ Rules: []networking_v1.IngressRule{{ Host: "hello.example.com", @@ -338,7 +339,8 @@ func TestEditIngressInPlace(t *testing.T) { Name: "hello", Namespace: "default", Annotations: map[string]string{ - "ingress.kubernetes.io/force-ssl-redirect": "true"}, + "ingress.kubernetes.io/force-ssl-redirect": "true", + }, }, Spec: networking_v1.IngressSpec{ TLS: []networking_v1.IngressTLS{{ @@ -753,7 +755,6 @@ func TestRDSFilter(t *testing.T) { TypeUrl: routeType, Nonce: "5", }) - } // issue 404 @@ -1214,7 +1215,8 @@ func TestRouteWithTLS_InsecurePaths(t *testing.T) { Prefix: "/insecure", }}, PermitInsecure: true, - Services: []contour_api_v1.Service{{Name: "kuard", + Services: []contour_api_v1.Service{{ + Name: "kuard", Port: 80, }}, }, { @@ -1588,7 +1590,8 @@ func TestHTTPProxyRouteWithTLS_InsecurePaths(t *testing.T) { Routes: []contour_api_v1.Route{{ Conditions: conditions(prefixCondition("/insecure")), PermitInsecure: true, - Services: []contour_api_v1.Service{{Name: "kuard", + Services: []contour_api_v1.Service{{ + Name: "kuard", Port: 80, }}, }, { diff --git a/internal/featuretests/v3/timeoutpolicy_test.go b/internal/featuretests/v3/timeoutpolicy_test.go index a8cd9286294..422ef376099 100644 --- a/internal/featuretests/v3/timeoutpolicy_test.go +++ b/internal/featuretests/v3/timeoutpolicy_test.go @@ -234,7 +234,6 @@ func TestTimeoutPolicyIdleStreamTimeout(t *testing.T) { ), TypeUrl: routeType, }) - } func TestTimeoutPolicyIdleConnectionTimeout(t *testing.T) { diff --git a/internal/featuretests/v3/tlsprotocolversion_test.go b/internal/featuretests/v3/tlsprotocolversion_test.go index b05334ffb5e..14a9d09f0da 100644 --- a/internal/featuretests/v3/tlsprotocolversion_test.go +++ b/internal/featuretests/v3/tlsprotocolversion_test.go @@ -190,5 +190,4 @@ func TestTLSProtocolVersion(t *testing.T) { Resources: nil, TypeUrl: listenerType, }) - } diff --git a/internal/featuretests/v3/upstreamtls_test.go b/internal/featuretests/v3/upstreamtls_test.go index e6a67d69efe..6e10562decf 100644 --- a/internal/featuretests/v3/upstreamtls_test.go +++ b/internal/featuretests/v3/upstreamtls_test.go @@ -92,7 +92,6 @@ func TestUpstreamTLSWithHTTPProxy(t *testing.T) { ), TypeUrl: clusterType, }) - } func TestUpstreamTLSWithIngress(t *testing.T) { @@ -143,7 +142,6 @@ func TestUpstreamTLSWithIngress(t *testing.T) { } func TestUpstreamTLSWithExtensionService(t *testing.T) { - rh, c, done := setup(t, func(b *dag.Builder) { for _, processor := range b.Processors { if extensionServiceProcessor, ok := processor.(*dag.ExtensionServiceProcessor); ok { diff --git a/internal/featuretests/v3/websockets_test.go b/internal/featuretests/v3/websockets_test.go index 22cd3cda7eb..000a9b2a5cd 100644 --- a/internal/featuretests/v3/websockets_test.go +++ b/internal/featuretests/v3/websockets_test.go @@ -190,5 +190,4 @@ func TestWebsocketHTTPProxy(t *testing.T) { ), TypeUrl: routeType, }) - } diff --git a/internal/fixture/detailedcondition.go b/internal/fixture/detailedcondition.go index df3a5117567..8cbe5fdcf57 100644 --- a/internal/fixture/detailedcondition.go +++ b/internal/fixture/detailedcondition.go @@ -37,7 +37,6 @@ func (dcb *DetailedConditionBuilder) WithGeneration(gen int64) *DetailedConditio } func (dcb *DetailedConditionBuilder) Valid() v1.DetailedCondition { - dc := (*v1.DetailedCondition)(dcb) dc.Status = v1.ConditionTrue dc.Reason = "Valid" @@ -47,45 +46,36 @@ func (dcb *DetailedConditionBuilder) Valid() v1.DetailedCondition { } func (dcb *DetailedConditionBuilder) Orphaned() v1.DetailedCondition { - dc := (*v1.DetailedCondition)(dcb) dc.AddError(v1.ConditionTypeOrphanedError, "Orphaned", "this HTTPProxy is not part of a delegation chain from a root HTTPProxy") return *dc } -func (dcb *DetailedConditionBuilder) WithError(errorType string, reason, message string) v1.DetailedCondition { - +func (dcb *DetailedConditionBuilder) WithError(errorType, reason, message string) v1.DetailedCondition { dc := (*v1.DetailedCondition)(dcb) dc.AddError(errorType, reason, message) return *dc - } -func (dcb *DetailedConditionBuilder) WithErrorf(errorType string, reason, formatmsg string, args ...any) v1.DetailedCondition { - +func (dcb *DetailedConditionBuilder) WithErrorf(errorType, reason, formatmsg string, args ...any) v1.DetailedCondition { dc := (*v1.DetailedCondition)(dcb) dc.AddErrorf(errorType, reason, formatmsg, args...) return *dc - } func (dcb *DetailedConditionBuilder) WithWarning(errorType, reason, message string) v1.DetailedCondition { - dc := (*v1.DetailedCondition)(dcb) dc.AddWarning(errorType, reason, message) return *dc - } func (dcb *DetailedConditionBuilder) WithWarningf(warnType, reason, formatmsg string, args ...any) v1.DetailedCondition { - dc := (*v1.DetailedCondition)(dcb) dc.AddWarningf(warnType, reason, formatmsg, args...) return *dc - } diff --git a/internal/fixture/httpproxy.go b/internal/fixture/httpproxy.go index bb28a189c59..a1cebd1a681 100644 --- a/internal/fixture/httpproxy.go +++ b/internal/fixture/httpproxy.go @@ -46,13 +46,13 @@ func (b *ProxyBuilder) ensureTLS() { } // Annotate adds the given values as metadata annotations. -func (b *ProxyBuilder) Annotate(k string, v string) *ProxyBuilder { +func (b *ProxyBuilder) Annotate(k, v string) *ProxyBuilder { b.ObjectMeta.Annotations[k] = v return b } // Label adds the given values as metadata labels. -func (b *ProxyBuilder) Label(k string, v string) *ProxyBuilder { +func (b *ProxyBuilder) Label(k, v string) *ProxyBuilder { b.ObjectMeta.Labels[k] = v return b } diff --git a/internal/fixture/service.go b/internal/fixture/service.go index dbd0703d583..dbc5932cae6 100644 --- a/internal/fixture/service.go +++ b/internal/fixture/service.go @@ -30,7 +30,7 @@ func NewService(name string) *ServiceBuilder { } // Annotate adds the given values as metadata annotations. -func (s *ServiceBuilder) Annotate(k string, v string) *ServiceBuilder { +func (s *ServiceBuilder) Annotate(k, v string) *ServiceBuilder { s.ObjectMeta.Annotations[k] = v return s } diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go index 27297a3a711..a5366ccd0bd 100644 --- a/internal/gatewayapi/helpers.go +++ b/internal/gatewayapi/helpers.go @@ -160,13 +160,14 @@ func GRPCRouteBackendRef(serviceName string, port int, weight int32) []gatewayap Name: gatewayapi_v1alpha2.ObjectName(serviceName), Port: ref.To(gatewayapi_v1beta1.PortNumber(port)), }, - Weight: &weight}, + Weight: &weight, + }, Filters: []gatewayapi_v1alpha2.GRPCRouteFilter{}, }, } } -func GRPCMethodMatch(matchType gatewayapi_v1alpha2.GRPCMethodMatchType, service string, method string) *gatewayapi_v1alpha2.GRPCMethodMatch { +func GRPCMethodMatch(matchType gatewayapi_v1alpha2.GRPCMethodMatchType, service, method string) *gatewayapi_v1alpha2.GRPCMethodMatch { return &gatewayapi_v1alpha2.GRPCMethodMatch{ Type: ref.To(matchType), Service: ref.To(service), diff --git a/internal/k8s/filter.go b/internal/k8s/filter.go index 53af86bfbdf..2cc3c5a8ee5 100644 --- a/internal/k8s/filter.go +++ b/internal/k8s/filter.go @@ -50,7 +50,6 @@ func (e *namespaceFilter) allowed(obj any) bool { } return true - } func (e *namespaceFilter) OnAdd(obj any, isInInitialList bool) { diff --git a/internal/k8s/filter_test.go b/internal/k8s/filter_test.go index 724131d2482..573d1e87295 100644 --- a/internal/k8s/filter_test.go +++ b/internal/k8s/filter_test.go @@ -66,5 +66,4 @@ func TestNamespaceFilter(t *testing.T) { filter.OnDelete(fixture.NewProxy("ns1/proxy")) assert.Equal(t, 1, counter.deleted) - } diff --git a/internal/k8s/helpers.go b/internal/k8s/helpers.go index a0ac86baddc..5356c8a2149 100644 --- a/internal/k8s/helpers.go +++ b/internal/k8s/helpers.go @@ -95,7 +95,6 @@ func isStatusEqual(objA, objB any) bool { // Make an attempt to avoid comparing full objects since it can be very CPU intensive. // Prefer comparing Generation when only interested in spec changes. func IsObjectEqual(oldObj, newObj client.Object) (bool, error) { - // Fast path for any object: when ResourceVersions are equal, the objects are equal. // NOTE: This optimizes the case when controller-runtime executes full sync and sends updates for all objects. if isResourceVersionEqual(oldObj, newObj) { diff --git a/internal/k8s/kind_test.go b/internal/k8s/kind_test.go index 39cd91d0a8b..027aa370bc0 100644 --- a/internal/k8s/kind_test.go +++ b/internal/k8s/kind_test.go @@ -49,11 +49,13 @@ func TestKindOf(t *testing.T) { {"Gateway", &gatewayapi_v1beta1.Gateway{}}, {"GatewayClass", &gatewayapi_v1beta1.GatewayClass{}}, {"ReferenceGrant", &gatewayapi_v1beta1.ReferenceGrant{}}, - {"Foo", &unstructured.Unstructured{ - Object: map[string]any{ - "apiVersion": "test.projectcontour.io/v1", - "kind": "Foo", - }}, + { + "Foo", &unstructured.Unstructured{ + Object: map[string]any{ + "apiVersion": "test.projectcontour.io/v1", + "kind": "Foo", + }, + }, }, } @@ -74,11 +76,13 @@ func TestVersionOf(t *testing.T) { {"projectcontour.io/v1", &contour_api_v1.HTTPProxy{}}, {"projectcontour.io/v1", &contour_api_v1.TLSCertificateDelegation{}}, {"projectcontour.io/v1alpha1", &v1alpha1.ExtensionService{}}, - {"test.projectcontour.io/v1", &unstructured.Unstructured{ - Object: map[string]any{ - "apiVersion": "test.projectcontour.io/v1", - "kind": "Foo", - }}, + { + "test.projectcontour.io/v1", &unstructured.Unstructured{ + Object: map[string]any{ + "apiVersion": "test.projectcontour.io/v1", + "kind": "Foo", + }, + }, }, } diff --git a/internal/k8s/objectmeta_test.go b/internal/k8s/objectmeta_test.go index 8b4b0c193b4..015856001e6 100644 --- a/internal/k8s/objectmeta_test.go +++ b/internal/k8s/objectmeta_test.go @@ -21,7 +21,7 @@ import ( ) func TestNamespacedNameFrom(t *testing.T) { - run := func(testName string, got types.NamespacedName, want types.NamespacedName) { + run := func(testName string, got, want types.NamespacedName) { t.Helper() t.Run(testName, func(t *testing.T) { t.Helper() diff --git a/internal/k8s/status.go b/internal/k8s/status.go index f1e137b215a..7f17bf6b586 100644 --- a/internal/k8s/status.go +++ b/internal/k8s/status.go @@ -161,9 +161,7 @@ func (suh *StatusUpdateHandler) Start(ctx context.Context) error { suh.apply(upd) } - } - } // Writer retrieves the interface that should be used to write to the StatusUpdateHandler. diff --git a/internal/k8s/statusaddress.go b/internal/k8s/statusaddress.go index 82cefcd066c..f06b9e5c69b 100644 --- a/internal/k8s/statusaddress.go +++ b/internal/k8s/statusaddress.go @@ -193,11 +193,9 @@ func (s *StatusAddressUpdater) OnAdd(obj any, _ bool) { } func (s *StatusAddressUpdater) OnUpdate(_, newObj any) { - // We only care about the new object, because we're only updating its status. // So, we can get away with just passing this call to OnAdd. s.OnAdd(newObj, false) - } func (s *StatusAddressUpdater) OnDelete(_ any) { diff --git a/internal/k8s/statuscache.go b/internal/k8s/statuscache.go index 77fcf9e6744..1272c9899f7 100644 --- a/internal/k8s/statuscache.go +++ b/internal/k8s/statuscache.go @@ -45,7 +45,6 @@ func (suc *StatusUpdateCacher) OnDelete(obj any) { default: panic(fmt.Sprintf("status caching not supported for object type %T", obj)) } - } } @@ -61,12 +60,10 @@ func (suc *StatusUpdateCacher) OnAdd(obj any) { default: panic(fmt.Sprintf("status caching not supported for object type %T", obj)) } - } // Get allows retrieval of objects from the cache. func (suc *StatusUpdateCacher) Get(name, namespace string) any { - if suc.objectCache == nil { suc.objectCache = make(map[string]client.Object) } @@ -76,7 +73,6 @@ func (suc *StatusUpdateCacher) Get(name, namespace string) any { return obj } return nil - } func (suc *StatusUpdateCacher) Add(name, namespace string, obj client.Object) bool { @@ -93,7 +89,6 @@ func (suc *StatusUpdateCacher) Add(name, namespace string, obj client.Object) bo suc.objectCache[prefix] = obj return true - } func (suc *StatusUpdateCacher) GetStatus(obj any) (*contour_api_v1.HTTPProxyStatus, error) { @@ -113,7 +108,6 @@ func (suc *StatusUpdateCacher) GetStatus(obj any) (*contour_api_v1.HTTPProxyStat } func (suc *StatusUpdateCacher) objKey(name, namespace string) string { - return fmt.Sprintf("%s/%s", namespace, name) } diff --git a/internal/protobuf/helpers.go b/internal/protobuf/helpers.go index 837d839ae26..eda795c7322 100644 --- a/internal/protobuf/helpers.go +++ b/internal/protobuf/helpers.go @@ -23,7 +23,7 @@ import ( ) // UInt32OrDefault returns a wrapped UInt32Value. If val is 0, def is wrapped and returned. -func UInt32OrDefault(val uint32, def uint32) *wrapperspb.UInt32Value { +func UInt32OrDefault(val, def uint32) *wrapperspb.UInt32Value { switch val { case 0: return wrapperspb.UInt32(def) diff --git a/internal/provisioner/controller/gateway.go b/internal/provisioner/controller/gateway.go index 310c73ab6a8..8907dbea37c 100644 --- a/internal/provisioner/controller/gateway.go +++ b/internal/provisioner/controller/gateway.go @@ -494,5 +494,4 @@ func (r *gatewayReconciler) getGatewayClassParams(ctx context.Context, gatewayCl } return gcParams, nil - } diff --git a/internal/provisioner/equality/equality_test.go b/internal/provisioner/equality/equality_test.go index 69d83973b5c..1f60ec92eb7 100644 --- a/internal/provisioner/equality/equality_test.go +++ b/internal/provisioner/equality/equality_test.go @@ -84,7 +84,8 @@ func TestDaemonSetConfigChanged(t *testing.T) { Path: "/foo", }, }, - }} + }, + } }, expect: true, }, @@ -179,7 +180,8 @@ func TestDeploymentConfigChanged(t *testing.T) { Path: "/foo", }, }, - }} + }, + } }, expect: true, }, diff --git a/internal/provisioner/objects/contourconfig/contourconfig.go b/internal/provisioner/objects/contourconfig/contourconfig.go index a3f5318f71f..7356129d577 100644 --- a/internal/provisioner/objects/contourconfig/contourconfig.go +++ b/internal/provisioner/objects/contourconfig/contourconfig.go @@ -85,5 +85,4 @@ func EnsureContourConfigDeleted(ctx context.Context, cli client.Client, contour } return objects.EnsureObjectDeleted(ctx, cli, obj, contour) - } diff --git a/internal/provisioner/objects/contourconfig/contourconfig_test.go b/internal/provisioner/objects/contourconfig/contourconfig_test.go index 428d55323c9..89188993c36 100644 --- a/internal/provisioner/objects/contourconfig/contourconfig_test.go +++ b/internal/provisioner/objects/contourconfig/contourconfig_test.go @@ -337,6 +337,5 @@ func TestEnsureContourConfigDeleted(t *testing.T) { require.NoError(t, err) } }) - } } diff --git a/internal/provisioner/objects/dataplane/dataplane.go b/internal/provisioner/objects/dataplane/dataplane.go index 765919aba98..a34e02fcc30 100644 --- a/internal/provisioner/objects/dataplane/dataplane.go +++ b/internal/provisioner/objects/dataplane/dataplane.go @@ -76,7 +76,6 @@ var defContainerResources = corev1.ResourceRequirements{ // EnsureDataPlane ensures an Envoy data plane (daemonset or deployment) exists for the given contour. func EnsureDataPlane(ctx context.Context, cli client.Client, contour *model.Contour, contourImage, envoyImage string) error { - switch contour.Spec.EnvoyWorkloadType { // If a Deployment was specified, provision a Deployment. case model.WorkloadTypeDeployment: @@ -151,7 +150,6 @@ func desiredContainers(contour *model.Contour, contourImage, envoyImage string) if contour.Spec.RuntimeSettings.Envoy.Metrics != nil && contour.Spec.RuntimeSettings.Envoy.Metrics.Port > 0 { metricsPort = int32(contour.Spec.RuntimeSettings.Envoy.Metrics.Port) - } if contour.Spec.RuntimeSettings.Envoy.Health != nil && diff --git a/internal/provisioner/objects/dataplane/dataplane_test.go b/internal/provisioner/objects/dataplane/dataplane_test.go index beb9dd8f6da..09d2579ad49 100644 --- a/internal/provisioner/objects/dataplane/dataplane_test.go +++ b/internal/provisioner/objects/dataplane/dataplane_test.go @@ -174,7 +174,6 @@ func checkDaemonSetHasVolume(t *testing.T, ds *appsv1.DaemonSet, vol corev1.Volu if !(hasVol && hasVolMount) { t.Errorf("daemonset has not found volume or volumeMount") } - } func checkDaemonSetHasResourceRequirements(t *testing.T, ds *appsv1.DaemonSet, expected corev1.ResourceRequirements) { @@ -185,6 +184,7 @@ func checkDaemonSetHasResourceRequirements(t *testing.T, ds *appsv1.DaemonSet, e } t.Errorf("daemonset has unexpected resource requirements %v", expected) } + func checkDaemonSetHasUpdateStrategy(t *testing.T, ds *appsv1.DaemonSet, expected appsv1.DaemonSetUpdateStrategy) { t.Helper() @@ -360,7 +360,6 @@ func TestDesiredDeployment(t *testing.T) { testEnvoyImage := "docker.io/envoyproxy/envoy:test" deploy := desiredDeployment(cntr, testContourImage, testEnvoyImage) checkDeploymentHasStrategy(t, deploy, cntr.Spec.EnvoyDeploymentStrategy) - } func TestNodePlacementDaemonSet(t *testing.T) { diff --git a/internal/provisioner/objects/deployment/deployment_test.go b/internal/provisioner/objects/deployment/deployment_test.go index c53fc85a189..ab5843ce9ff 100644 --- a/internal/provisioner/objects/deployment/deployment_test.go +++ b/internal/provisioner/objects/deployment/deployment_test.go @@ -76,7 +76,6 @@ func checkPodHasAnnotations(t *testing.T, tmpl *corev1.PodTemplateSpec, annotati t.Errorf("pod template has unexpected %q annotations", tmpl.Annotations) } } - } func checkContainerHasArg(t *testing.T, container *corev1.Container, arg string) { @@ -238,5 +237,4 @@ func TestNodePlacementDeployment(t *testing.T) { checkDeploymentHasNodeSelector(t, deploy, selectors) checkDeploymentHasTolerations(t, deploy, tolerations) - } diff --git a/internal/provisioner/objects/service/service.go b/internal/provisioner/objects/service/service.go index f74a8273291..71d972934e6 100644 --- a/internal/provisioner/objects/service/service.go +++ b/internal/provisioner/objects/service/service.go @@ -86,26 +86,24 @@ const ( EnvoyNodePortHTTPSPort = int32(30443) ) -var ( - // InternalLBAnnotations maps cloud providers to the provider's annotation - // key/value pair used for managing an internal load balancer. For additional - // details see: - // https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - // - InternalLBAnnotations = map[model.LoadBalancerProviderType]map[string]string{ - model.AWSLoadBalancerProvider: { - awsInternalLBAnnotation: "true", - }, - model.AzureLoadBalancerProvider: { - // Azure load balancers are not customizable and are set to (2 fail @ 5s interval, 2 healthy) - azureInternalLBAnnotation: "true", - }, - model.GCPLoadBalancerProvider: { - gcpLBTypeAnnotation: "Internal", - gcpLBTypeAnnotationLegacy: "Internal", - }, - } -) +// InternalLBAnnotations maps cloud providers to the provider's annotation +// key/value pair used for managing an internal load balancer. For additional +// details see: +// +// https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer +var InternalLBAnnotations = map[model.LoadBalancerProviderType]map[string]string{ + model.AWSLoadBalancerProvider: { + awsInternalLBAnnotation: "true", + }, + model.AzureLoadBalancerProvider: { + // Azure load balancers are not customizable and are set to (2 fail @ 5s interval, 2 healthy) + azureInternalLBAnnotation: "true", + }, + model.GCPLoadBalancerProvider: { + gcpLBTypeAnnotation: "Internal", + gcpLBTypeAnnotationLegacy: "Internal", + }, +} // EnsureContourService ensures that a Contour Service exists for the given contour. func EnsureContourService(ctx context.Context, cli client.Client, contour *model.Contour) error { @@ -317,7 +315,6 @@ func updateContourServiceIfNeeded(ctx context.Context, cli client.Client, contou } return nil - } // updateEnvoyServiceIfNeeded updates an Envoy Service if current does not match desired, diff --git a/internal/sorter/sorter.go b/internal/sorter/sorter.go index 133273c5cd2..ae02c649de9 100644 --- a/internal/sorter/sorter.go +++ b/internal/sorter/sorter.go @@ -47,7 +47,7 @@ type headerMatchConditionSorter []dag.HeaderMatchCondition func (s headerMatchConditionSorter) Len() int { return len(s) } func (s headerMatchConditionSorter) Swap(i, j int) { s[i], s[j] = s[j], s[i] } func (s headerMatchConditionSorter) Less(i, j int) bool { - compareValue := func(a dag.HeaderMatchCondition, b dag.HeaderMatchCondition) bool { + compareValue := func(a, b dag.HeaderMatchCondition) bool { switch strings.Compare(a.Value, b.Value) { case -1: return true @@ -119,7 +119,7 @@ type queryParamMatchConditionSorter []dag.QueryParamMatchCondition func (s queryParamMatchConditionSorter) Len() int { return len(s) } func (s queryParamMatchConditionSorter) Swap(i, j int) { s[i], s[j] = s[j], s[i] } func (s queryParamMatchConditionSorter) Less(i, j int) bool { - compareValue := func(a dag.QueryParamMatchCondition, b dag.QueryParamMatchCondition) bool { + compareValue := func(a, b dag.QueryParamMatchCondition) bool { switch strings.Compare(a.Value, b.Value) { case -1: return true @@ -419,7 +419,6 @@ type filterChainSorter []*envoy_listener_v3.FilterChain func (s filterChainSorter) Len() int { return len(s) } func (s filterChainSorter) Swap(i, j int) { s[i], s[j] = s[j], s[i] } func (s filterChainSorter) Less(i, j int) bool { - // If i's ServerNames aren't defined, then it should not swap if len(s[i].FilterChainMatch.ServerNames) == 0 { return false diff --git a/internal/sorter/sorter_test.go b/internal/sorter/sorter_test.go index b28e61afa8d..a362a824c55 100644 --- a/internal/sorter/sorter_test.go +++ b/internal/sorter/sorter_test.go @@ -116,7 +116,7 @@ func invertHeaderMatch(h dag.HeaderMatchCondition) dag.HeaderMatchCondition { return h } -func regexHeader(name string, value string) dag.HeaderMatchCondition { +func regexHeader(name, value string) dag.HeaderMatchCondition { return dag.HeaderMatchCondition{ Name: name, MatchType: dag.HeaderMatchTypeRegex, @@ -124,7 +124,7 @@ func regexHeader(name string, value string) dag.HeaderMatchCondition { } } -func exactHeader(name string, value string) dag.HeaderMatchCondition { +func exactHeader(name, value string) dag.HeaderMatchCondition { return dag.HeaderMatchCondition{ Name: name, MatchType: dag.HeaderMatchTypeExact, @@ -132,7 +132,7 @@ func exactHeader(name string, value string) dag.HeaderMatchCondition { } } -func containsHeader(name string, value string) dag.HeaderMatchCondition { +func containsHeader(name, value string) dag.HeaderMatchCondition { return dag.HeaderMatchCondition{ Name: name, MatchType: dag.HeaderMatchTypeContains, @@ -152,7 +152,7 @@ func ignoreCaseQueryParam(h dag.QueryParamMatchCondition) dag.QueryParamMatchCon return h } -func exactQueryParam(name string, value string) dag.QueryParamMatchCondition { +func exactQueryParam(name, value string) dag.QueryParamMatchCondition { return dag.QueryParamMatchCondition{ Name: name, MatchType: dag.QueryParamMatchTypeExact, @@ -160,7 +160,7 @@ func exactQueryParam(name string, value string) dag.QueryParamMatchCondition { } } -func prefixQueryParam(name string, value string) dag.QueryParamMatchCondition { +func prefixQueryParam(name, value string) dag.QueryParamMatchCondition { return dag.QueryParamMatchCondition{ Name: name, MatchType: dag.QueryParamMatchTypePrefix, @@ -168,7 +168,7 @@ func prefixQueryParam(name string, value string) dag.QueryParamMatchCondition { } } -func suffixQueryParam(name string, value string) dag.QueryParamMatchCondition { +func suffixQueryParam(name, value string) dag.QueryParamMatchCondition { return dag.QueryParamMatchCondition{ Name: name, MatchType: dag.QueryParamMatchTypeSuffix, @@ -176,7 +176,7 @@ func suffixQueryParam(name string, value string) dag.QueryParamMatchCondition { } } -func regexQueryParam(name string, value string) dag.QueryParamMatchCondition { +func regexQueryParam(name, value string) dag.QueryParamMatchCondition { return dag.QueryParamMatchCondition{ Name: name, MatchType: dag.QueryParamMatchTypeRegex, @@ -184,7 +184,7 @@ func regexQueryParam(name string, value string) dag.QueryParamMatchCondition { } } -func containsQueryParam(name string, value string) dag.QueryParamMatchCondition { +func containsQueryParam(name, value string) dag.QueryParamMatchCondition { return dag.QueryParamMatchCondition{ Name: name, MatchType: dag.QueryParamMatchTypeContains, @@ -344,7 +344,6 @@ func TestSortRoutesMethod(t *testing.T) { }, } shuffleAndCheckSort(t, want) - } func TestSortRoutesLongestHeaders(t *testing.T) { diff --git a/internal/status/gatewaystatus.go b/internal/status/gatewaystatus.go index 38a63987eab..9e18444871f 100644 --- a/internal/status/gatewaystatus.go +++ b/internal/status/gatewaystatus.go @@ -44,7 +44,6 @@ func (gatewayUpdate *GatewayStatusUpdate) AddCondition( reason gatewayapi_v1beta1.GatewayConditionReason, message string, ) metav1.Condition { - if c, ok := gatewayUpdate.Conditions[cond]; ok { message = fmt.Sprintf("%s, %s", c.Message, message) } diff --git a/internal/status/proxystatus.go b/internal/status/proxystatus.go index dec24fd60ae..7d2457dd4d2 100644 --- a/internal/status/proxystatus.go +++ b/internal/status/proxystatus.go @@ -62,7 +62,6 @@ func (pu *ProxyUpdate) ConditionFor(cond ConditionType) *projectcontour.Detailed return newDc } return dc - } func (pu *ProxyUpdate) Mutate(obj client.Object) client.Object { @@ -116,5 +115,4 @@ func (pu *ProxyUpdate) Mutate(obj client.Object) client.Object { } return proxy - } diff --git a/internal/status/proxystatus_test.go b/internal/status/proxystatus_test.go index 70164d9bc42..447591b6e5c 100644 --- a/internal/status/proxystatus_test.go +++ b/internal/status/proxystatus_test.go @@ -56,7 +56,6 @@ func TestConditionFor(t *testing.T) { } gotEmpty := emptyProxyUpdate.ConditionFor(ValidCondition) assert.Equal(t, newDc, *gotEmpty) - } func TestStatusMutator(t *testing.T) { diff --git a/internal/xdscache/v3/endpointstranslator.go b/internal/xdscache/v3/endpointstranslator.go index 4c31b82c334..497bddd25e2 100644 --- a/internal/xdscache/v3/endpointstranslator.go +++ b/internal/xdscache/v3/endpointstranslator.go @@ -33,8 +33,10 @@ import ( "k8s.io/client-go/tools/cache" ) -type LocalityEndpoints = envoy_endpoint_v3.LocalityLbEndpoints -type LoadBalancingEndpoint = envoy_endpoint_v3.LbEndpoint +type ( + LocalityEndpoints = envoy_endpoint_v3.LocalityLbEndpoints + LoadBalancingEndpoint = envoy_endpoint_v3.LbEndpoint +) // RecalculateEndpoints generates a slice of LoadBalancingEndpoint // resources by matching the given service port to the given v1.Endpoints. diff --git a/internal/xdscache/v3/listener.go b/internal/xdscache/v3/listener.go index 3cba5ee2aa5..635d797bca0 100644 --- a/internal/xdscache/v3/listener.go +++ b/internal/xdscache/v3/listener.go @@ -612,7 +612,6 @@ func httpGlobalExternalAuthConfig(config *GlobalExternalAuthConfig) *http.HttpFi AuthorizationResponseTimeout: config.ExtensionServiceConfig.Timeout, AuthorizationServerWithRequestBody: config.WithRequestBody, }) - } func envoyGlobalRateLimitConfig(config *RateLimitConfig) *envoy_v3.GlobalRateLimitConfig { @@ -651,7 +650,7 @@ func envoyTracingConfigCustomTag(tags []*CustomTag) []*envoy_v3.CustomTag { if tags == nil { return nil } - var customTags = make([]*envoy_v3.CustomTag, len(tags)) + customTags := make([]*envoy_v3.CustomTag, len(tags)) for i, tag := range tags { customTags[i] = &envoy_v3.CustomTag{ TagName: tag.TagName, diff --git a/internal/xdscache/v3/listener_test.go b/internal/xdscache/v3/listener_test.go index c50baa84f52..d72ddc56814 100644 --- a/internal/xdscache/v3/listener_test.go +++ b/internal/xdscache/v3/listener_test.go @@ -212,7 +212,6 @@ func TestListenerVisit(t *testing.T) { objs []any want map[string]*envoy_listener_v3.Listener }{ - "nothing": { objs: nil, want: map[string]*envoy_listener_v3.Listener{}, @@ -1619,7 +1618,8 @@ func TestListenerVisit(t *testing.T) { TransportSocket: transportSocket("fallbacksecret", envoy_tls_v3.TlsParameters_TLSv1_2, envoy_tls_v3.TlsParameters_TLSv1_3, nil, "h2", "http/1.1"), Filters: envoy_v3.Filters(fallbackCertFilter), Name: "fallback-certificate", - }}, + }, + }, ListenerFilters: envoy_v3.ListenerFilters( envoy_v3.TLSInspector(), ), @@ -3237,7 +3237,6 @@ func TestListenerVisit(t *testing.T) { for name, tc := range tests { t.Run(name, func(t *testing.T) { - lc := ListenerCache{ Config: tc.ListenerConfig, } diff --git a/internal/xdscache/v3/route_test.go b/internal/xdscache/v3/route_test.go index ff167ff4ee8..daaeeff228d 100644 --- a/internal/xdscache/v3/route_test.go +++ b/internal/xdscache/v3/route_test.go @@ -3978,7 +3978,6 @@ func routecluster(cluster string) *envoy_route_v3.Route_Route { }, }, } - } func websocketroute(c string) *envoy_route_v3.Route_Route { @@ -3997,7 +3996,7 @@ func routetimeout(cluster string, timeout time.Duration) *envoy_route_v3.Route_R return r } -func routeretry(cluster string, retryOn string, numRetries uint32, perTryTimeout time.Duration) *envoy_route_v3.Route_Route { +func routeretry(cluster, retryOn string, numRetries uint32, perTryTimeout time.Duration) *envoy_route_v3.Route_Route { r := routecluster(cluster) r.Route.RetryPolicy = &envoy_route_v3.RetryPolicy{ RetryOn: retryOn, diff --git a/internal/xdscache/v3/server_test.go b/internal/xdscache/v3/server_test.go index e22e0d250c2..33f8d1d2d72 100644 --- a/internal/xdscache/v3/server_test.go +++ b/internal/xdscache/v3/server_test.go @@ -280,7 +280,8 @@ func TestGRPC(t *testing.T) { func sendreq(t *testing.T, stream interface { Send(*discovery.DiscoveryRequest) error -}, typeurl string) { +}, typeurl string, +) { t.Helper() err := stream.Send(&discovery.DiscoveryRequest{ TypeUrl: typeurl, @@ -290,7 +291,8 @@ func sendreq(t *testing.T, stream interface { func checkrecv(t *testing.T, stream interface { Recv() (*discovery.DiscoveryResponse, error) -}) { +}, +) { t.Helper() _, err := stream.Recv() require.NoError(t, err) @@ -298,7 +300,8 @@ func checkrecv(t *testing.T, stream interface { func checktimeout(t *testing.T, stream interface { Recv() (*discovery.DiscoveryResponse, error) -}) { +}, +) { t.Helper() _, err := stream.Recv() require.Errorf(t, err, "expected timeout") diff --git a/pkg/certs/certgen.go b/pkg/certs/certgen.go index eb9556ac8a1..6120358d48e 100644 --- a/pkg/certs/certgen.go +++ b/pkg/certs/certgen.go @@ -57,7 +57,6 @@ const ( // Configuration holds config parameters used for generating certificates. type Configuration struct { - // Lifetime is the number of days for which certificates will be valid. Lifetime uint @@ -90,7 +89,6 @@ type Certificates struct { // GenerateCerts generates a CA Certificate along with certificates for // Contour & Envoy returning them as a *Certificates struct or error if encountered. func GenerateCerts(config *Configuration) (*Certificates, error) { - // Check if the config is not passed, then default. if config == nil { config = &Configuration{} @@ -139,7 +137,6 @@ func GenerateCerts(config *Configuration) (*Certificates, error) { // of the Kubernetes DNS schema.) // The return values are cert, key, err. func newCert(caCertPEM, caKeyPEM []byte, expiry time.Time, service, namespace, dnsname string) ([]byte, []byte, error) { - caKeyPair, err := tls.X509KeyPair(caCertPEM, caKeyPEM) if err != nil { return nil, nil, err @@ -187,13 +184,11 @@ func newCert(caCertPEM, caKeyPEM []byte, expiry time.Time, service, namespace, d Bytes: newCert, }) return newCertPEM, newKeyPEM, nil - } // newCA generates a new CA, given the CA's CN and an expiry time. // The return order is cacert, cakey, error. func newCA(cn string, expiry time.Time) ([]byte, []byte, error) { - key, err := rsa.GenerateKey(rand.Reader, keySize) if err != nil { return nil, nil, err @@ -256,14 +251,14 @@ func serviceNames(service, namespace, dnsname string) []string { } } -func stringOrDefault(val string, defaultval string) string { +func stringOrDefault(val, defaultval string) string { if len(val) > 0 { return val } return defaultval } -func uint32OrDefault(val uint, defaultval uint) uint { +func uint32OrDefault(val, defaultval uint) uint { if val != 0 { return val } diff --git a/pkg/certs/certgen_test.go b/pkg/certs/certgen_test.go index 969e5410e30..0fb0c2b07ee 100644 --- a/pkg/certs/certgen_test.go +++ b/pkg/certs/certgen_test.go @@ -114,7 +114,6 @@ func TestGenerateCerts(t *testing.T) { } func TestGeneratedCertsValid(t *testing.T) { - now := time.Now() expiry := now.Add(24 * 365 * time.Hour) @@ -151,7 +150,6 @@ func TestGeneratedCertsValid(t *testing.T) { require.NoErrorf(t, err, "Validating %s failed", name) }) } - } func verifyCert(certPEM []byte, roots *x509.CertPool, dnsname string, currentTime time.Time) error { diff --git a/pkg/config/parameters.go b/pkg/config/parameters.go index 7d1eca4f99a..f2ec400039b 100644 --- a/pkg/config/parameters.go +++ b/pkg/config/parameters.go @@ -31,8 +31,10 @@ import ( // ServerType is the name of a xDS server implementation. type ServerType string -const ContourServerType ServerType = "contour" -const EnvoyServerType ServerType = "envoy" +const ( + ContourServerType ServerType = "contour" + EnvoyServerType ServerType = "envoy" +) // Validate the xDS server type. func (s ServerType) Validate() error { @@ -89,10 +91,12 @@ func (c ClusterDNSFamilyType) Validate() error { } } -const AutoClusterDNSFamily ClusterDNSFamilyType = "auto" -const IPv4ClusterDNSFamily ClusterDNSFamilyType = "v4" -const IPv6ClusterDNSFamily ClusterDNSFamilyType = "v6" -const AllClusterDNSFamily ClusterDNSFamilyType = "all" +const ( + AutoClusterDNSFamily ClusterDNSFamilyType = "auto" + IPv4ClusterDNSFamily ClusterDNSFamilyType = "v4" + IPv6ClusterDNSFamily ClusterDNSFamilyType = "v6" + AllClusterDNSFamily ClusterDNSFamilyType = "all" +) // ServerHeaderTransformation defines the action to be applied to the Server header on the response path type ServerHeaderTransformationType string @@ -106,9 +110,11 @@ func (s ServerHeaderTransformationType) Validate() error { } } -const OverwriteServerHeader ServerHeaderTransformationType = "overwrite" -const AppendIfAbsentServerHeader ServerHeaderTransformationType = "append_if_absent" -const PassThroughServerHeader ServerHeaderTransformationType = "pass_through" +const ( + OverwriteServerHeader ServerHeaderTransformationType = "overwrite" + AppendIfAbsentServerHeader ServerHeaderTransformationType = "append_if_absent" + PassThroughServerHeader ServerHeaderTransformationType = "pass_through" +) // AccessLogType is the name of a supported access logging mechanism. type AccessLogType string @@ -117,8 +123,10 @@ func (a AccessLogType) Validate() error { return contour_api_v1alpha1.AccessLogType(a).Validate() } -const EnvoyAccessLog AccessLogType = "envoy" -const JSONAccessLog AccessLogType = "json" +const ( + EnvoyAccessLog AccessLogType = "envoy" + JSONAccessLog AccessLogType = "json" +) type AccessLogFields []string @@ -153,8 +161,10 @@ func (h HTTPVersionType) Validate() error { } } -const HTTPVersion1 HTTPVersionType = "http/1.1" -const HTTPVersion2 HTTPVersionType = "http/2" +const ( + HTTPVersion1 HTTPVersionType = "http/1.1" + HTTPVersion2 HTTPVersionType = "http/2" +) // NamespacedName defines the namespace/name of the Kubernetes resource referred from the configuration file. // Used for Contour configuration YAML file parsing, otherwise we could use K8s types.NamespacedName. @@ -963,10 +973,12 @@ func (a AccessLogLevel) Validate() error { return contour_api_v1alpha1.AccessLogLevel(a).Validate() } -const LogLevelInfo AccessLogLevel = "info" // Default log level. -const LogLevelError AccessLogLevel = "error" -const LogLevelCritical AccessLogLevel = "critical" -const LogLevelDisabled AccessLogLevel = "disabled" +const ( + LogLevelInfo AccessLogLevel = "info" // Default log level. + LogLevelError AccessLogLevel = "error" + LogLevelCritical AccessLogLevel = "critical" + LogLevelDisabled AccessLogLevel = "disabled" +) // Validate verifies that the parameter values do not have any syntax errors. func (p *Parameters) Validate() error { @@ -1105,7 +1117,7 @@ func Parse(in io.Reader) (*Parameters, error) { } // GetenvOr reads an environment or return a default value -func GetenvOr(key string, defaultVal string) string { +func GetenvOr(key, defaultVal string) string { if value, exists := os.LookupEnv(key); exists { return value } diff --git a/pkg/config/parameters_test.go b/pkg/config/parameters_test.go index 1984091f568..60e8dda17e7 100644 --- a/pkg/config/parameters_test.go +++ b/pkg/config/parameters_test.go @@ -235,7 +235,6 @@ func TestValidateTimeoutParams(t *testing.T) { require.Error(t, TimeoutParameters{DelayedCloseTimeout: "bebop"}.Validate()) require.Error(t, TimeoutParameters{ConnectionShutdownGracePeriod: "bong"}.Validate()) require.Error(t, TimeoutParameters{ConnectTimeout: "infinite"}.Validate()) - } func TestTLSParametersValidation(t *testing.T) { @@ -386,7 +385,6 @@ default-http-versions: listener: connection-balancer: notexact `) - } func TestConfigFileDefaultOverrideImport(t *testing.T) { @@ -508,7 +506,6 @@ cluster: max-pending-requests: 43 max-requests: 44 `) - } func TestMetricsParametersValidation(t *testing.T) { @@ -565,7 +562,6 @@ func TestMetricsParametersValidation(t *testing.T) { }, } require.Error(t, tlsCAWithoutServerCert.Validate()) - } func TestListenerValidation(t *testing.T) { diff --git a/test/e2e/deployment.go b/test/e2e/deployment.go index 16227b8cc0a..dae0fce22f9 100644 --- a/test/e2e/deployment.go +++ b/test/e2e/deployment.go @@ -375,7 +375,7 @@ func (d *Deployment) WaitForEnvoyUpdated() error { return WaitForEnvoyDeploymentUpdated(d.EnvoyDeployment, d.client, d.contourImage) } -func (d *Deployment) EnsureRateLimitResources(namespace string, configContents string) error { +func (d *Deployment) EnsureRateLimitResources(namespace, configContents string) error { setNamespace := d.Namespace.Name if len(namespace) > 0 { setNamespace = namespace @@ -606,7 +606,6 @@ func (d *Deployment) DeleteResourcesForLocalContour() error { // file. Returns running Contour command and config file so we can clean them // up. func (d *Deployment) StartLocalContour(config *config.Parameters, contourConfiguration *contour_api_v1alpha1.ContourConfiguration, additionalArgs ...string) (*gexec.Session, string, error) { - var content []byte var configReferenceName string var contourServeArgs []string @@ -651,7 +650,7 @@ func (d *Deployment) StartLocalContour(config *config.Parameters, contourConfigu if err != nil { return nil, "", err } - if err := os.WriteFile(configFile.Name(), content, 0600); err != nil { + if err := os.WriteFile(configFile.Name(), content, 0o600); err != nil { return nil, "", err } diff --git a/test/e2e/framework.go b/test/e2e/framework.go index 2fd3252f591..7ab06cb85b3 100644 --- a/test/e2e/framework.go +++ b/test/e2e/framework.go @@ -280,9 +280,11 @@ func (f *Framework) T() ginkgo.GinkgoTInterface { return f.t } -type NamespacedGatewayTestBody func(ns string, gw types.NamespacedName) -type NamespacedTestBody func(string) -type TestBody func() +type ( + NamespacedGatewayTestBody func(ns string, gw types.NamespacedName) + NamespacedTestBody func(string) + TestBody func() +) func (f *Framework) NamespacedTest(namespace string, body NamespacedTestBody, additionalNamespaces ...string) { ginkgo.Context("with namespace: "+namespace, func() { @@ -499,7 +501,6 @@ func UsingContourConfigCRD() bool { // HTTPProxyValid returns true if the proxy has a .status.currentStatus // of "valid". func HTTPProxyValid(proxy *contourv1.HTTPProxy) bool { - if proxy == nil { return false } @@ -510,7 +511,6 @@ func HTTPProxyValid(proxy *contourv1.HTTPProxy) bool { cond := proxy.Status.GetConditionFor("Valid") return cond.Status == "True" - } // HTTPProxyInvalid returns true if the proxy has a .status.currentStatus diff --git a/test/e2e/gateway/tls_gateway_test.go b/test/e2e/gateway/tls_gateway_test.go index 29cde85f9f6..d6ed72a3cd3 100644 --- a/test/e2e/gateway/tls_gateway_test.go +++ b/test/e2e/gateway/tls_gateway_test.go @@ -53,7 +53,6 @@ func testTLSGateway(namespace string, gateway types.NamespacedName) { }, Rules: []gatewayapi_v1beta1.HTTPRouteRule{ { - Matches: gatewayapi.HTTPRouteMatch(gatewayapi_v1.PathMatchPathPrefix, "/"), BackendRefs: gatewayapi.HTTPBackendRef("echo-insecure", 80, 1), }, diff --git a/test/e2e/httpproxy/backend_tls_protocol_version_test.go b/test/e2e/httpproxy/backend_tls_protocol_version_test.go index 5575dafcf25..d3ae8a39221 100644 --- a/test/e2e/httpproxy/backend_tls_protocol_version_test.go +++ b/test/e2e/httpproxy/backend_tls_protocol_version_test.go @@ -97,6 +97,5 @@ func testBackendTLSProtocolVersion(namespace, protocolVersion string) { tlsInfo := new(responseTLSDetails) require.NoError(f.T(), json.Unmarshal(res.Body, tlsInfo)) assert.Equal(f.T(), tlsInfo.TLS.Version, protocolVersion) - }) } diff --git a/test/e2e/httpproxy/cel_validation_test.go b/test/e2e/httpproxy/cel_validation_test.go index 584af6017bf..3de95a80d92 100644 --- a/test/e2e/httpproxy/cel_validation_test.go +++ b/test/e2e/httpproxy/cel_validation_test.go @@ -64,6 +64,5 @@ func testCELValidation(namespace string) { return strings.Contains(err.Error(), "subjectNames[0] must equal subjectName if set") } assert.True(t, isExpectedErr(err)) - }) } diff --git a/test/e2e/httpproxy/client_cert_auth_test.go b/test/e2e/httpproxy/client_cert_auth_test.go index 553ca46e404..85e0f74c753 100644 --- a/test/e2e/httpproxy/client_cert_auth_test.go +++ b/test/e2e/httpproxy/client_cert_auth_test.go @@ -149,7 +149,6 @@ func testClientCertAuth(namespace string) { Name: "echo-no-auth-cert", }, Spec: certmanagerv1.CertificateSpec{ - Usages: []certmanagerv1.KeyUsage{ certmanagerv1.UsageServerAuth, }, @@ -192,7 +191,6 @@ func testClientCertAuth(namespace string) { Name: "echo-with-auth-skip-verify-cert", }, Spec: certmanagerv1.CertificateSpec{ - Usages: []certmanagerv1.KeyUsage{ certmanagerv1.UsageServerAuth, }, @@ -214,7 +212,6 @@ func testClientCertAuth(namespace string) { Name: "echo-with-auth-skip-verify-with-ca-cert", }, Spec: certmanagerv1.CertificateSpec{ - Usages: []certmanagerv1.KeyUsage{ certmanagerv1.UsageServerAuth, }, @@ -236,7 +233,6 @@ func testClientCertAuth(namespace string) { Name: "echo-with-optional-auth-cert", }, Spec: certmanagerv1.CertificateSpec{ - Usages: []certmanagerv1.KeyUsage{ certmanagerv1.UsageServerAuth, }, @@ -258,7 +254,6 @@ func testClientCertAuth(namespace string) { Name: "echo-with-optional-auth-no-ca-cert", }, Spec: certmanagerv1.CertificateSpec{ - Usages: []certmanagerv1.KeyUsage{ certmanagerv1.UsageServerAuth, }, diff --git a/test/e2e/httpproxy/client_cert_crl_test.go b/test/e2e/httpproxy/client_cert_crl_test.go index 7b2e7d1cd65..8a226b6e051 100644 --- a/test/e2e/httpproxy/client_cert_crl_test.go +++ b/test/e2e/httpproxy/client_cert_crl_test.go @@ -456,7 +456,6 @@ func testClientCertRevocation(namespace string) { require.NotNil(t, res, "expected 200 response code, request was never successful") assert.Truef(t, ok, "expected 200 response code, got %d", res.StatusCode) - }) } diff --git a/test/e2e/httpproxy/direct_response_test.go b/test/e2e/httpproxy/direct_response_test.go index 5977f7a3243..254ac4f5548 100644 --- a/test/e2e/httpproxy/direct_response_test.go +++ b/test/e2e/httpproxy/direct_response_test.go @@ -47,7 +47,6 @@ func doDirectTest(namespace string, proxy *contour_api_v1.HTTPProxy, t GinkgoTIn assertDirectResponseRequest(t, proxy.Spec.VirtualHost.Fqdn, "/directresponse-notfound", "not found", 404) - } func assertDirectResponseRequest(t GinkgoTInterface, fqdn, path, expectedBody string, expectedStatusCode int) { diff --git a/test/e2e/httpproxy/fqdn_test.go b/test/e2e/httpproxy/fqdn_test.go index cb7b2a1fbed..881fed97b09 100644 --- a/test/e2e/httpproxy/fqdn_test.go +++ b/test/e2e/httpproxy/fqdn_test.go @@ -54,11 +54,9 @@ func testWildcardFQDN(namespace string) { err := f.CreateHTTPProxy(p) require.Error(t, err, "Expected invalid wildcard to be rejected.") }) - } func testWildcardSubdomainFQDN(namespace string) { - Specify("wildcard routing works", func() { t := f.T() diff --git a/test/e2e/httpproxy/header_condition_match_test.go b/test/e2e/httpproxy/header_condition_match_test.go index ca51d8ae892..d2db431beeb 100644 --- a/test/e2e/httpproxy/header_condition_match_test.go +++ b/test/e2e/httpproxy/header_condition_match_test.go @@ -167,7 +167,6 @@ func testHeaderConditionMatch(namespace string) { { Services: []contourv1.Service{ { - Name: "echo-header-exact-case-insensitive", Port: 80, }, diff --git a/test/e2e/httpproxy/httpproxy_test.go b/test/e2e/httpproxy/httpproxy_test.go index be030dfb3a0..7fdd2264a40 100644 --- a/test/e2e/httpproxy/httpproxy_test.go +++ b/test/e2e/httpproxy/httpproxy_test.go @@ -385,7 +385,6 @@ var _ = Describe("HTTPProxy", func() { testBackendTLSProtocolVersion(namespace, expectedProtocolVersion) }) - }) f.NamespacedTest("httpproxy-external-auth", testExternalAuth) @@ -857,5 +856,4 @@ descriptors: f.NamespacedTest("httpproxy-global-ext-auth-tls-disabled", withGlobalExtAuth(testGlobalExternalAuthTLSAuthDisabled)) }) - }) diff --git a/test/e2e/httpproxy/internal_redirect_test.go b/test/e2e/httpproxy/internal_redirect_test.go index 32e5068ea79..7dfa147a75a 100644 --- a/test/e2e/httpproxy/internal_redirect_test.go +++ b/test/e2e/httpproxy/internal_redirect_test.go @@ -101,7 +101,6 @@ func testInternalRedirectPolicy(namespace string) { } func doInternalRedirectTest(namespace string, proxy *contour_api_v1.HTTPProxy, t GinkgoTInterface) { - f.Fixtures.Echo.Deploy(namespace, "echo") envoyService := &corev1.Service{ @@ -235,7 +234,8 @@ func getInternalRedirectHTTPProxy(namespace string) *contour_api_v1.HTTPProxy { InternalRedirectPolicy: &contour_api_v1.HTTPInternalRedirectPolicy{ RedirectResponseCodes: []contour_api_v1.RedirectResponseCode{301}, }, - }}, + }, + }, }, } diff --git a/test/e2e/httpproxy/request_redirect_test.go b/test/e2e/httpproxy/request_redirect_test.go index a90f63fbdfe..d95d48564fe 100644 --- a/test/e2e/httpproxy/request_redirect_test.go +++ b/test/e2e/httpproxy/request_redirect_test.go @@ -44,7 +44,6 @@ func testRequestRedirectRuleNoService(namespace string) { func testRequestRedirectRuleInvalid(namespace string) { Specify("invalid policy specified on route rule", func() { - f.Fixtures.Echo.Deploy(namespace, "echo") proxy := getRedirectHTTPProxyInvalid(namespace) @@ -53,7 +52,6 @@ func testRequestRedirectRuleInvalid(namespace string) { } func doRedirectTest(namespace string, proxy *contour_api_v1.HTTPProxy, t GinkgoTInterface) { - f.Fixtures.Echo.Deploy(namespace, "echo") f.CreateHTTPProxyAndWaitFor(proxy, e2e.HTTPProxyValid) @@ -94,7 +92,6 @@ func assertRequest(t GinkgoTInterface, fqdn, path, expectedLocation string, expe } func getRedirectHTTPProxy(namespace string, removeServices bool) *contour_api_v1.HTTPProxy { - proxy := &contour_api_v1.HTTPProxy{ ObjectMeta: metav1.ObjectMeta{ Name: "redirect", @@ -177,7 +174,6 @@ func getRedirectHTTPProxy(namespace string, removeServices bool) *contour_api_v1 } func getRedirectHTTPProxyInvalid(namespace string) *contour_api_v1.HTTPProxy { - proxy := &contour_api_v1.HTTPProxy{ ObjectMeta: metav1.ObjectMeta{ Name: "invalid", diff --git a/test/e2e/infra/infra_test.go b/test/e2e/infra/infra_test.go index 8753fe55d48..22726a9f21a 100644 --- a/test/e2e/infra/infra_test.go +++ b/test/e2e/infra/infra_test.go @@ -53,7 +53,8 @@ var _ = BeforeSuite(func() { VolumeSource: v1.VolumeSource{ Secret: &v1.SecretVolumeSource{ SecretName: "metrics-server", - }}, + }, + }, }} require.NoError(f.T(), f.Deployment.EnsureResourcesForLocalContour()) diff --git a/test/e2e/ingress/ingress_test.go b/test/e2e/ingress/ingress_test.go index e6a536369cc..761dea5185b 100644 --- a/test/e2e/ingress/ingress_test.go +++ b/test/e2e/ingress/ingress_test.go @@ -251,6 +251,5 @@ var _ = Describe("Ingress", func() { f.NamespacedTest("global-headers-policy-apply-to-ingress-true", testGlobalHeadersPolicy(true)) }) - }) }) diff --git a/test/e2e/poller.go b/test/e2e/poller.go index c5f845fdab7..63f92c04223 100644 --- a/test/e2e/poller.go +++ b/test/e2e/poller.go @@ -34,7 +34,7 @@ type AppPoller struct { successfulRequests uint } -func StartAppPoller(address string, hostName string, expectedStatus int, errorWriter io.Writer) (*AppPoller, error) { +func StartAppPoller(address, hostName string, expectedStatus int, errorWriter io.Writer) (*AppPoller, error) { ctx, cancel := context.WithCancel(context.Background()) poller := &AppPoller{ diff --git a/test/e2e/upgrade/upgrade_test.go b/test/e2e/upgrade/upgrade_test.go index 49f794ac3c8..8aed3611564 100644 --- a/test/e2e/upgrade/upgrade_test.go +++ b/test/e2e/upgrade/upgrade_test.go @@ -137,7 +137,7 @@ var _ = Describe("When upgrading", func() { }) }) - var _ = Describe("the Gateway provisioner", func() { + _ = Describe("the Gateway provisioner", func() { const gatewayClassName = "upgrade-gc" BeforeEach(func() { diff --git a/test/e2e/waiter.go b/test/e2e/waiter.go index f4148d72a2c..5d46c1ddcf3 100644 --- a/test/e2e/waiter.go +++ b/test/e2e/waiter.go @@ -85,7 +85,7 @@ func WaitForEnvoyDeploymentUpdated(deployment *appsv1.Deployment, cli client.Cli return wait.PollUntilContextTimeout(context.Background(), time.Millisecond*50, time.Minute*3, true, updatedPods) } -func getPodsUpdatedWithContourImage(ctx context.Context, labelSelector labels.Selector, namespace string, image string, cli client.Client) int { +func getPodsUpdatedWithContourImage(ctx context.Context, labelSelector labels.Selector, namespace, image string, cli client.Client) int { pods := new(v1.PodList) opts := &client.ListOptions{ LabelSelector: labelSelector, From 61b6fae59b3262058b666337cc1fb8d12b0fa1a6 Mon Sep 17 00:00:00 2001 From: Lubron Date: Wed, 17 Jan 2024 11:01:41 -0800 Subject: [PATCH 19/19] add flag to golangci-lint to show error line number (#6096) Closes #6095. Signed-off-by: lubronzhan Signed-off-by: Lubron Zhan --- .github/workflows/prbuild.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/prbuild.yaml b/.github/workflows/prbuild.yaml index 171be9ed48c..ff4a051aa49 100644 --- a/.github/workflows/prbuild.yaml +++ b/.github/workflows/prbuild.yaml @@ -32,7 +32,7 @@ jobs: version: v1.55.2 # TODO: re-enable linting tools package once https://github.com/projectcontour/contour/issues/5077 # is resolved - args: --build-tags=e2e,conformance,gcp,oidc,none + args: --build-tags=e2e,conformance,gcp,oidc,none --out-format=colored-line-number - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 with: status: ${{ job.status }}